Fake Forcepoint Google Chrome Extension Hacks Windows Users (Security News, February 2021)
Cybercriminals have been using a novel approach to exfiltrate data: a malicious Google Chrome extension is dropped directly onto the victim's Windows machine and loaded into Chrome, and Chrome's built-in cloud syncing is then abused as the channel for moving data out.
The malicious add-on is disguised as a "Forcepoint Endpoint Chrome Extension for Windows," and the attackers used the security company's logo to lend it an air of legitimacy.
The threat actors "dropped the extension locally in a folder and loaded it directly from Chrome on a compromised workstation," explained Bojan Zdrnja of the SANS Internet Storm Center in an analysis published late last week. Loading from a local folder (the developer-mode "Load unpacked" path in chrome://extensions) bypasses the Chrome Web Store entirely, so there is no store review and no Web Store installation record; the practical control is Chrome's ExtensionInstallBlocklist/ExtensionInstallAllowlist policy, which applies to extensions loaded this way as well.
In the extension's manifest.json, the permissions entry declares that the extension may use the storage API, and the background entry lists the JavaScript files that run whenever the extension is loaded, so the code executes on every Chrome start rather than only while a page is open.
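The manifest traits described above are exactly what a responder can triage from a profile's Extensions directory. The following helper is an added example, not code from the article or from the ISC analysis it cites; both manifests in it are constructed (the first mirrors the described traits, the second is a plausible Web Store install used as a control), and the update_url heuristic is a sideloading hint rather than proof.

```javascript
// Added example, not code from the article or from the ISC analysis it cites.
// Both manifests are constructed: the first mirrors the traits the article
// describes (vendor-branded name, "storage" permission, background script,
// loaded from a local folder); the second is a plausible Web Store install
// used as a control.

const SUSPECT_MANIFEST = JSON.stringify({
  name: 'Forcepoint Endpoint Chrome Extension for Windows',
  version: '1.0',
  manifest_version: 2,
  permissions: ['storage'],
  background: { scripts: ['background.js'] },
});

const CONTROL_MANIFEST = JSON.stringify({
  name: 'Example Web Store Extension',
  version: '3.2.1',
  manifest_version: 3,
  permissions: ['tabs'],
  background: { service_worker: 'sw.js' },
  // Chrome records this in the on-disk manifest of Web Store installs.
  update_url: 'https://clients2.google.com/service/update2/crx',
});

// Background code declared by either manifest version.
function backgroundScripts(m) {
  const bg = m.background || {};
  if (Array.isArray(bg.scripts)) return bg.scripts;                      // MV2
  if (typeof bg.service_worker === 'string') return [bg.service_worker]; // MV3
  return [];
}

// Returns the manifest traits worth a second look. None of these is proof of
// malice on its own; the combination is what made the Forcepoint lookalike
// stand out.
function triageManifest(json) {
  const m = JSON.parse(json);
  const perms = [].concat(m.permissions || [], m.optional_permissions || []);
  const bg = backgroundScripts(m);
  const findings = [];

  if (perms.includes('storage')) {
    findings.push('storage permission: chrome.storage.sync can carry data off-host through the signed-in Google account');
  }
  if (bg.length > 0) {
    findings.push(`background code (${bg.join(', ')}) runs whenever Chrome starts, not only on a page`);
  }
  // Web Store installs carry an update_url pointing at clients2.google.com in
  // the manifest Chrome keeps under the profile's Extensions directory. Its
  // absence is a sideloading hint (developer-mode "Load unpacked"), not proof.
  const fromWebStore = typeof m.update_url === 'string' && /clients2\.google\.com/.test(m.update_url);
  if (!fromWebStore) {
    findings.push('no Web Store update_url: extension was not installed from the Chrome Web Store');
  }
  // Security-vendor branding on something that did not come through the store.
  if (!fromWebStore && /forcepoint|endpoint|security/i.test(m.name || '')) {
    findings.push('security-vendor branding without Web Store provenance');
  }
  return { name: m.name, manifestVersion: m.manifest_version, findings };
}
```

Run `triageManifest` over every manifest.json under a profile's Extensions directory; the suspect manifest yields four findings, the control only the background-code note, which is the expected noise for any legitimate extension.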
The authors of the malicious Forcepoint add-on were able to steal information from the victim's internal web applications by setting up a behind-the-scenes "chat" (a message exchange) between the malicious extension and those web apps.
The extension also calls chrome.storage.sync.get and chrome.storage.sync.set, so everything it stores is automatically synced to Google's cloud by Chrome under the Google account the user is signed into. Any other Chrome profile signed into that same account and running an extension with the same ID sees the same key/value data, which gives the attacker both an exfiltration path and a command channel, and the only traffic leaving the victim's network is ordinary Chrome-to-Google sync.
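To make the channel concrete, here is an added example that is not code from the article or from the ISC analysis. It models chrome.storage.sync with a local stand-in for Google's sync backend so that it runs offline in Node: the quota constants are the documented chrome.storage.sync limits, while the account, extension ID, payload and key names are constructed. Real chrome.storage.sync is asynchronous (callback in MV2, promise in MV3); the mock is synchronous to keep the flow readable.

```javascript
// Added example, not code from the article or from the ISC analysis. The
// quota constants are the documented chrome.storage.sync limits; the account,
// extension id, payload and key names are constructed. Real chrome.storage.sync
// is asynchronous (callback in MV2, promise in MV3); this mock is synchronous.

const QUOTA_BYTES = 102400;         // total bytes one extension may keep in sync storage
const QUOTA_BYTES_PER_ITEM = 8192;  // per key, including the key itself
const MAX_ITEMS = 512;

// Stand-in for the Google-side store: one key/value area per (account, extension id).
function makeSyncBackend() {
  const areas = new Map();
  return {
    area(account, extId) {
      const id = `${account}/${extId}`;
      if (!areas.has(id)) areas.set(id, new Map());
      return areas.get(id);
    },
  };
}

// The chrome.storage.sync surface a signed-in profile exposes to an extension.
// It is keyed by the signed-in account and the extension id, which is why a
// second Chrome profile signed into the same account, with the same extension
// id loaded, sees the same data.
function makeStorageSync(backend, account, extId) {
  const area = backend.area(account, extId);
  const size = (k, v) => k.length + JSON.stringify(v).length;
  return {
    set(items) {
      const next = new Map(area);
      for (const [k, v] of Object.entries(items)) {
        if (size(k, v) > QUOTA_BYTES_PER_ITEM) throw new Error(`QUOTA_BYTES_PER_ITEM exceeded for "${k}"`);
        next.set(k, v);
      }
      let total = 0;
      for (const [k, v] of next) total += size(k, v);
      if (next.size > MAX_ITEMS) throw new Error('MAX_ITEMS exceeded');
      if (total > QUOTA_BYTES) throw new Error('QUOTA_BYTES exceeded');
      for (const [k, v] of next) area.set(k, v);
    },
    get(keys) {
      const wanted = keys == null ? [...area.keys()] : [].concat(keys);
      const out = {};
      for (const k of wanted) if (area.has(k)) out[k] = area.get(k);
      return out;
    },
    remove(keys) { for (const k of [].concat(keys)) area.delete(k); },
  };
}

// Exfil has to respect the per-item quota, so the payload is split into
// numbered chunks well under 8 KB each plus a count key.
const CHUNK = 4096;
function chunkPayload(prefix, text) {
  const items = {};
  const count = Math.ceil(text.length / CHUNK);
  for (let n = 0; n < count; n++) items[`${prefix}_${n}`] = text.slice(n * CHUNK, (n + 1) * CHUNK);
  items[`${prefix}_count`] = count;
  return items;
}

function reassemble(prefix, items) {
  let text = '';
  for (let n = 0; n < (items[`${prefix}_count`] || 0); n++) text += items[`${prefix}_${n}`] || '';
  return text;
}

// Victim side: the extension writes harvested data and polls a command key.
// Attacker side: a Chrome profile signed into the victim's Google account,
// with the same extension id loaded, reads the data and writes commands.
function runScenario() {
  const backend = makeSyncBackend();
  const account = 'victim@example.com';              // constructed
  const extId = 'abcdefghijklmnopabcdefghijklmnop';  // constructed; real ids are 32 chars a-p
  const victim = makeStorageSync(backend, account, extId);
  const attacker = makeStorageSync(backend, account, extId);

  const harvested = 'session=abc123;' + 'A'.repeat(6000); // constructed; larger than one item may hold
  victim.set(chunkPayload('d', harvested));                // exfiltration

  attacker.set({ cmd: 'fetch /internal/accounts' });       // C2 tasking
  const { cmd } = victim.get('cmd');                       // victim polls for work

  const recovered = reassemble('d', attacker.get(null));   // attacker collects

  let oversizedRejected = false;                           // the quota edge case
  try { victim.set({ blob: 'B'.repeat(QUOTA_BYTES_PER_ITEM) }); } catch (e) { oversizedRejected = true; }

  return { chunks: Math.ceil(harvested.length / CHUNK), intact: recovered === harvested, cmd, oversizedRejected };
}
```

The chunking is not decoration: a real exfil payload that exceeds QUOTA_BYTES_PER_ITEM is rejected by set(), so an abuser has to fragment, and a defender reviewing a profile will find that fragmentation in the extension's synced data, which Chrome keeps on disk under the profile directory (in Sync Extension Settings, one LevelDB per extension ID). The mock also keeps areas per account, so the data is only reachable by someone signed into the victim's Google account.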
News URL
https://threatpost.com/fake-forcepoint-google-chrome-extension-hacks/163728/