Fake Forcepoint Google Chrome Extension Hacks Windows Users (Security News, February 2021)
Cybercriminals have been using a novel approach to exfiltrate data that involves directly injecting malicious Google Chrome extensions onto victims' Windows machines via the abuse of Google's cloud synching function.
The malicious add-on is disguised as a "Forcepoint Endpoint Chrome Extension for Windows," with the attackers using the security company's logo to enhance an air of legitimacy.
The threat actors "dropped the extension locally in a folder and loaded it directly from Chrome on a compromised workstation," explained Zdrnja, in an analysis late last week.
Next, a permissions parameter specifies that the extension can use the storage API. Finally, the background parameter specifies the JavaScript files that run when the extension is loaded.
The authors of the malicious Forcepoint add-on were able to steal information from users' internal extensions thanks to setting up a behind-the-scenes "Chat" between the malicious extension and other web apps.
The extension also uses the "chrome.storage.sync.get" and "chrome.storage.sync.save" methods, so that all these values are automatically synced to Google's cloud by Chrome, in the context of the user who is logged in to Chrome.
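The three traits described above (an extension loaded from a local folder rather than installed from the store, the storage permission, and background scripts that run at load time) can be turned into a simple triage check for endpoint responders. The following Python is an added example written for this page; it is not code from the Threatpost article or from the malware analysis. The manifest, the extension path and the Windows profile path are all constructed for the example and labelled as such; the check relies on two things that are true of Chrome: store-installed extensions live under the profile's Extensions directory, and the Chrome Web Store adds an update_url key to the manifests it installs.

```python
"""Triage heuristics for Chrome extensions: flags the traits described above
(loaded from a local folder, 'storage' permission, background scripts)."""
import json
from pathlib import PureWindowsPath

# Constructed sample manifest modelled on the description above (hypothetical,
# not the real malware's manifest). It carries the vendor-styled name, the
# 'storage' permission and a background script.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Forcepoint Endpoint Chrome Extension for Windows",
    "version": "1.0",
    "permissions": ["storage"],
    "background": {"scripts": ["background.js"]},
})

# Constructed manifest of a store-installed extension for comparison
# (the Web Store injects update_url into manifests it installs).
STORE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Some legitimate extension",
    "version": "2.3",
    "permissions": ["storage"],
    "background": {"scripts": ["bg.js"]},
    "update_url": "https://clients2.google.com/service/update2/crx",
})

# Assumed Chrome profile location for a hypothetical user 'alice'.
PROFILE_DIR = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"


def is_unpacked(extension_path: str, profile_dir: str) -> bool:
    """Store-installed extensions live under <profile>\\Extensions\\<id>\\<version>.
    Anything loaded from elsewhere was dropped locally and loaded unpacked."""
    ext_root = PureWindowsPath(profile_dir) / "Extensions"
    path = PureWindowsPath(extension_path)
    # PureWindowsPath compares case-insensitively, as the file system does.
    return ext_root not in path.parents


def audit_manifest(manifest_json: str, extension_path: str, profile_dir: str) -> dict:
    """Return the indicators found and a severity derived from them."""
    manifest = json.loads(manifest_json)
    background = manifest.get("background", {})
    # MV2 uses background.scripts; MV3 uses background.service_worker.
    scripts = list(background.get("scripts", []))
    if "service_worker" in background:
        scripts.append(background["service_worker"])

    hits = {
        "unpacked": is_unpacked(extension_path, profile_dir),
        "storage": "storage" in manifest.get("permissions", []),
        "background": bool(scripts),
        "no_update_url": "update_url" not in manifest,
    }
    findings = [name for name, present in hits.items() if present]

    # 'storage' plus a background script is common in benign store extensions,
    # so the combination only becomes high severity when the extension was
    # loaded from a local folder, which is the loading method described above.
    if hits["unpacked"] and hits["storage"] and hits["background"]:
        severity = "high"
    elif hits["unpacked"]:
        severity = "medium"
    else:
        severity = "low"
    return {"name": manifest.get("name"), "findings": findings, "severity": severity}


if __name__ == "__main__":
    # Constructed paths: one extension dropped in Downloads, one under the profile.
    for manifest, path in (
        (SAMPLE_MANIFEST, r"C:\Users\alice\Downloads\forcepoint_ext"),
        (STORE_MANIFEST, PROFILE_DIR + r"\Extensions\abcdefghijklmnop\2.3_0"),
    ):
        print(audit_manifest(manifest, path, PROFILE_DIR))
```

On a live host the manifest text would come from each extension directory's manifest.json, and the extension paths from the Chrome profile's extension settings; the heuristic deliberately scores a locally loaded extension higher than a store-installed one with the same permissions, because local loading is the trait that distinguishes the case above from ordinary extensions.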
News URL: https://threatpost.com/fake-forcepoint-google-chrome-extension-hacks/163728/