Fake Forcepoint Google Chrome Extension Hacks Windows Users
Security News, February 2021

Cybercriminals have been using a novel approach to exfiltrate data: directly injecting malicious Google Chrome extensions onto victims' Windows machines and abusing Google's cloud syncing function to carry the stolen data out.
The malicious add-on is disguised as a "Forcepoint Endpoint Chrome Extension for Windows," with the attackers using the security company's logo to enhance an air of legitimacy.
The threat actors "dropped the extension locally in a folder and loaded it directly from Chrome on a compromised workstation," explained Zdrnja, in an analysis late last week.
Next, the extension's permissions parameter declared that it can use the storage API. Finally, the background parameter specifies the JavaScript files that run when the extension is loaded.
The authors of the malicious Forcepoint add-on were able to steal information from users' internal extensions thanks to setting up a behind-the-scenes "Chat" between the malicious extension and other web apps.
The extension also uses the "chrome.storage.sync.get" and "chrome.storage.sync.save" methods, so that all these values are automatically synced to Google's cloud by Chrome, in the context of the user who is signed in to Chrome.
News URL: https://threatpost.com/fake-forcepoint-google-chrome-extension-hacks/163728/