Security News > 2021 > February > Chinese Threat Actor Uses Browser Extension to Hack Gmail Accounts
In early 2021, a Chinese threat actor tracked as TA413 attempted to hack into the Gmail accounts of Tibetan organizations using a malicious browser extension, researchers with cybersecurity firm Proofpoint have discovered.
In January and February 2021, the group was observed delivering the FriarFox extension, customized to specifically target the Firefox browser and provide attackers with access to and control of victims' Gmail accounts.
Once the extension was installed, the attackers gained full access to the victim's Gmail account, being able to search emails, archive messages, read emails, receive notifications, label emails, mark messages as spam, delete emails, refresh the inbox, forward emails, modify alerts in the browser, delete emails from the Trash folder, and send emails.
FriarFox, which appears to be a heavily altered version of the open source browser extension Gmail Notifier, also allows the adversary to access user data for all websites, read and change privacy settings, display notifications, and access the tabs opened in the browser.
As part of the attack, the Scanbox reconnaissance framework - which is known to have been used by other Chinese threat actors and even the Vietnam-linked OceanLotus - was also leveraged.
"The introduction of the FriarFox browser extension in TA413's arsenal further diversifies a varied, albeit technically limited repertoire of tooling. The use of browser extensions to target the private Gmail accounts of users combined with the delivery of Scanbox malware demonstrates the malleability of TA413 when targeting dissident communities," Proofpoint concludes.