Malicious Chrome Extensions Masquerade as Popular Brands to Steal Sensitive Data

Cybersecurity researchers have uncovered a sophisticated campaign involving over 40 malicious Chrome browser extensions that impersonate trusted brands to steal sensitive user data. These extensions, still active on the Google Chrome Store, represent a significant escalation in browser-based attacks targeting both individual users and corporate environments.

Deceptive Tactics and Brand Impersonation

The campaign employs advanced deception techniques, with threat actors carefully crafting extensions to mimic well-known platforms, including Fortinet/FortiVPN, DeepSeek AI, Calendly, YouTube helper tools, and various cryptocurrency utilities. By leveraging the established trust associated with these popular brands, the malicious extensions bypass user suspicion and evade detection during installation processes.

Discovery and Technical Analysis

Analysts at LayerX identified this extensive network of malicious extensions, building upon initial research conducted by the DomainTools Intelligence team. While DTI had flagged suspicious domains communicating with browser extensions, LayerX researchers expanded the investigation to uncover the complete scope of individual malicious extensions, their metadata, and operational characteristics.

The investigation revealed critical technical details, including extension IDs, publisher information, and behavioral patterns that indicate coordinated threat actor activities. For instance, threat actors have registered domain names closely resembling legitimate services, such as `calendlydaily[.]world` and `calendly-director[.]com` to impersonate Calendly, and `deepseek-ai[.]link` to mimic the popular AI platform. Each malicious extension maintains a professional appearance through standardized contact email formats following the pattern `support@domain-name`, lending credibility to their fraudulent operations.

AI-Generated Content and Persistence Mechanisms

The technical analysis reveals that these malicious extensions use AI-generated content for their Chrome Store pages, which exhibit highly similar structure, formatting, and language patterns and allow the operation to scale rapidly across dozens of fake tools. This automated approach lets the threat actors work efficiently while deploying extensions with IDs such as `ccollcihnnpcbjcgcjfmabegkpbehnip` (FortiVPN) and `jmpcodajbcpgkebjipbmjdoboehfiddd` (DeepSeek AI Chat).

The extensions establish persistent access to user sessions through elevated browser permissions, enabling comprehensive data theft capabilities, including cookie harvesting, script injection, and session impersonation. Even after removal from the Chrome Store, these extensions remain active on infected systems until manually uninstalled, creating sustained security risks for organizations and individual users who may be unaware of the ongoing compromise.

Implications and Recommendations

This campaign underscores the evolving tactics of cybercriminals who exploit the trust users place in reputable brands. By masquerading as legitimate tools, these malicious extensions can infiltrate systems undetected, leading to significant data breaches and financial losses.

To mitigate the risks associated with such threats, users and organizations are advised to:

– Exercise Caution During Installation: Carefully review the permissions requested by browser extensions and verify the authenticity of the publisher before installation.

– Regularly Audit Installed Extensions: Periodically review and remove unnecessary or suspicious extensions from browsers to minimize potential attack vectors.

– Implement Security Solutions: Use endpoint protection tools that can detect and block malicious extensions, including those that are already installed.

– Stay Informed: Keep abreast of the latest cybersecurity threats and share information within the community to enhance collective defense mechanisms.
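One way to carry out the extension audit recommended above, as an added example that is not part of the original article: the script walks a Chrome profile's `Extensions` directory, reads each extension's `manifest.json`, and flags any extension whose ID is on a blocklist built from the two IDs named in the article, or whose permissions enable the cookie-harvesting and script-injection behaviour described. The profile path, the high-risk permission set, and the sample manifest are assumptions constructed for this example.

```python
import json
import sys
from pathlib import Path

# Extension IDs named in the article, used here as a constructed blocklist.
KNOWN_BAD_IDS = {
    "ccollcihnnpcbjcgcjfmabegkpbehnip",  # impersonates FortiVPN
    "jmpcodajbcpgkebjipbmjdoboehfiddd",  # impersonates DeepSeek AI Chat
}
# Permissions that enable the behaviours the article describes: cookie
# harvesting, script injection into pages and session takeover (assumed set).
HIGH_RISK = {"cookies", "scripting", "webRequest", "tabs", "<all_urls>"}

def assess_manifest(ext_id: str, manifest: dict) -> dict:
    """Flag one extension from its parsed manifest.json."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    risky = sorted(p for p in perms if p in HIGH_RISK or p.endswith("://*/*"))
    return {
        "id": ext_id,
        "name": manifest.get("name", "<unnamed>"),
        "known_bad": ext_id in KNOWN_BAD_IDS,
        "risky_permissions": risky,
        # Either signal escalates; a blocklist alone misses newly published IDs.
        "suspicious": ext_id in KNOWN_BAD_IDS or len(risky) >= 2,
    }

def audit_profile(profile_dir) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and assess each."""
    findings = []
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return findings
    for ext_dir in sorted(ext_root.iterdir()):
        for manifest_path in ext_dir.glob("*/manifest.json"):
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable manifest: skip it rather than abort the audit
            findings.append(assess_manifest(ext_dir.name, manifest))
    return findings

# Constructed sample manifest resembling a cookie-stealing "VPN helper".
SAMPLE_MANIFEST = {"name": "Forti VPN Helper", "permissions": ["cookies", "scripting", "storage"],
                   "host_permissions": ["<all_urls>"]}

if __name__ == "__main__":
    # Pass a Chrome profile directory (e.g. ~/.config/google-chrome/Default) to audit it live.
    results = (audit_profile(sys.argv[1]) if len(sys.argv) > 1
               else [assess_manifest("ccollcihnnpcbjcgcjfmabegkpbehnip", SAMPLE_MANIFEST)])
    for r in results:
        print(("SUSPICIOUS" if r["suspicious"] else "ok"), r["id"], r["name"], r["risky_permissions"])
```

Run with no arguments to see the constructed sample flagged; an extension that is flagged only by permissions still deserves review, since the blocklist covers just the IDs published so far.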

By adopting these proactive measures, users can better protect themselves against the deceptive tactics employed by cybercriminals through malicious browser extensions.