Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Chrome Extensions. Show all posts
malicious extensions
Chrome Extensions Cookies Cyber Security cybersecurity risks Google Chrome security malicious extensions

Malicious Chrome Extensions Target Enterprise HR and ERP Platforms to Steal Credentials

 

One after another, suspicious Chrome add-ons began appearing under false pretenses - each masquerading as helpful utilities. These were pulled from public view only after Socket, a cybersecurity group, traced them back to a single pattern of abuse. Instead of boosting efficiency, they harvested data from corporate systems like Workday, NetSuite, and SAP SuccessFactors. Installation counts climbed past 2,300 across five distinct apps before takedown. Behind the scenes, threat actors leveraged legitimate-looking interfaces to gain access where it mattered most. 

One investigation found that certain browser add-ons aimed to breach corporate systems, either by capturing login details or disrupting protective measures. Though appearing under distinct titles and author profiles, these tools carried matching coding patterns, operational frameworks, and selection methods - pointing to coordination behind their release. A person using the handle databycloud1104 was linked to four of them; another version emerged through a separate label called Software Access. 

Appearing alongside standard business applications, these extensions asked for permissions typical of corporate tools. One moment they promised better control over company accounts, the next they emphasized locking down admin functions. Positioned as productivity aids, several highlighted dashboard interfaces meant to streamline operations across teams. Instead of standing out, their behavior mirrored genuine enterprise solutions. Claiming to boost efficiency or tighten security, each framed its purpose around workplace demands. Not every feature list matched actual functionality, yet on the surface everything seemed aligned with professional needs. 

Yet the investigation revealed every extension hid its actual operations. Although privacy notices were present, they omitted details about gathering user data, retrieving login information, or tracking admin actions. Without visibility, these tools carried out harmful behaviors - such as stealing authentication cookies, altering webpage elements, or taking over active sessions - all while appearing legitimate. What seemed harmless operated differently beneath the surface. 

Repeated extraction of authentication cookies called "__session" occurred across multiple extensions. Despite user logout actions, those credentials kept reaching external servers controlled by attackers. Access to corporate systems remained uninterrupted due to timed transmissions. Traditional sign-in protections failed because live session data was continuously harvested elsewhere. 

Notably, two add-ons - Tool Access 11 and Data By Cloud 2 - took more aggressive steps. Instead of merely monitoring, they interfered directly with key security areas in Workday. Through recognition of page titles, these tools erased information or rerouted admins before reaching control panels. Pages related to login rules appeared blank or led elsewhere. Controls involving active sessions faced similar disruptions. Even IP-based safeguards vanished unexpectedly. Managing passwords became problematic under their influence. Deactivating compromised accounts grew harder. Audit trails for suspicious activity disappeared without notice. As a result, teams lost vital ground when trying to spot intrusions or contain damage. 

What stood out was the Software Access extension’s ability to handle cookies in both directions. Not only did it take cookies from users, but also inserted ones provided by attackers straight into browsers. Because of this, unauthorized individuals gained access to active sessions - no login details or extra verification steps required. The outcome? Full control over corporate accounts within moments. 

Even with few users impacted, Socket highlighted how compromised business logins might enable wider intrusions - such as spreading ransomware or extracting major datasets. After the discovery, the company alerted Google; soon after, the malicious add-ons vanished from the Chrome Web Store. Those who downloaded them should inform internal security staff while resetting access codes across exposed systems to reduce exposure. Though limited in reach, the breach carries serious downstream implications if left unchecked.
Read more »
Urban VPN Proxy
Chatbot Surveillance Chrome Extensions Cyber Security Data Harvesting Urban VPN Proxy

Chrome ‘Featured’ Urban VPN Extension Caught Harvesting Millions of AI Chats

 

A popular browser extension called Urban VPN Proxy, available for users of Google’s Chrome browser, has been discovered secretly sniffing out and harvesting confidential AI conversation data of millions of users across sites such as ChatGPT, Claude, Copilot, Gemini, Grok, Meta AI, and Perplexity. 

The browser extension, known for providing users with a safe and private manner of accessing any blocked website through a virtual private network, was recently upgraded in July of 2025 and has an added function enabling it to fish out all conversation data between users and AI chat bot systems by injecting specific JavaScript code into these sites.

By overriding browser network APIs, the extension is able to collect prompts, responses, conversation IDs, timestamps, session metadata, and the particular AI model in use. The extension's developer, Urban Cyber Security Inc., which also owns BiScience, a company well-known for gathering and profiting from user browsing data, then sends the collected data to remote servers under their control. 

The privacy policy of Urban VPN, which was last updated in June 2025, confesses to collecting AI queries and responses for the purposes of "Safe Browsing" and marketing analysis, asserting that any personal data is anonymized and pooled. However, BiScience shares raw, non-anonymized browsing data with business partners, using it for commercial insights and advertising. 

Despite the extension offering an “AI protection” feature that warns users about sharing personal information, the data harvesting occurs regardless of whether this feature is enabled, raising concerns about transparency and user consent.The extension and three other similar ones—1ClickVPN Proxy, Urban Browser Guard, and Urban Ad Blocker—all published by Urban Cyber Security Inc., collectively have over eight million installations. 

Notably, these extensions bear the “Featured” badge on Chrome and Edge marketplaces, which is intended to signal high quality and adherence to best practices. This badge may mislead users into trusting the extensions, underlining the risk of data misuse through seemingly legitimate channels. 

Koi Security’s research highlights how extension marketplaces’ trust signals can be abused to collect sensitive data at scale, particularly as users increasingly share personal details and emotions with AI chatbots. The researcher calls attention to the vulnerability of user data, even with privacy-focused tools, and underscores the need for vigilance and stricter oversight on data collection practices by browser extensions.
Read more »
protect user privacy
Chrome Extensions customer data privacy data security Data Theft Free VPN free VPN risks online privacy concerns Privacy protect user privacy

FreeVPN.One Chrome Extension Caught Secretly Spying on Users With Unauthorized Screenshots

 

Security researchers are warning users against relying on free VPN services after uncovering alarming surveillance practices linked to a popular Chrome extension. The extension in question, FreeVPN.One, has been downloaded over 100,000 times from the Chrome Web Store and even carried a “featured” badge, which typically indicates compliance with recommended standards. Despite this appearance of legitimacy, the tool was found to be secretly spying on its users.  

FreeVPN.One was taking screenshots just over a second after a webpage loaded and sending them to a remote server. These screenshots also included the page URL, tab ID, and a unique identifier for each user, effectively allowing the developers to monitor browsing activity in detail. While the extension’s privacy policy referenced an AI threat detection feature that could upload specific data, Koi’s analysis revealed that the extension was capturing screenshots indiscriminately, regardless of user activity or security scanning. 

The situation became even more concerning when the researchers found that FreeVPN.One was also collecting geolocation and device information along with the screenshots. Recent updates to the extension introduced AES-256-GCM encryption with RSA key wrapping, making the transmission of this data significantly more difficult to detect. Koi’s findings suggest that this surveillance behavior began in April following an update that allowed the extension to access every website a user visited. By July 17, the silent screenshot feature and location tracking had become fully operational. 

When contacted, the developer initially denied the allegations, claiming the screenshots were part of a background feature intended to scan suspicious domains. However, Koi researchers reported that screenshots were taken even on trusted sites such as Google Sheets and Google Photos. Requests for additional proof of legitimacy, such as company credentials or developer profiles, went unanswered. The only trace left behind was a basic Wix website, raising further questions about the extension’s credibility. 

Despite the evidence, FreeVPN.One remains available on the Chrome Web Store with an average rating of 3.7 stars, though its reviews are now filled with complaints from users who learned of the findings. The fact that the extension continues to carry a “featured” label is troubling, as it may mislead more users into installing it.  

The case serves as a stark reminder that free VPN tools often come with hidden risks, particularly when offered through browser extensions. While some may be tempted by the promise of free online protection, the reality is that such tools can expose sensitive data and compromise user privacy. As the FreeVPN.One controversy shows, paying for a reputable VPN service remains the safer choice.
Read more »
Manifest V3
Browser Security Chrome Extensions cookie theft Cyber Security EditThisCookie Malicious Extension Manifest V3

Malicious Chrome Extension Mimics Popular Tool, Poses Threat to Users’ Data

 

Cybersecurity concerns are growing as malicious browser extensions target unsuspecting users. One such case involves the removal of the popular EditThisCookie extension, which had over 3 million downloads, from the Chrome Web Store due to its reliance on the outdated Manifest v2 framework.

In its place, a new extension named EditThisCookie® has emerged. Built using the updated Manifest v3 framework, this replacement mimics the original's name and design but contains harmful code. The malicious version is designed to steal user cookies and potentially post phishing content on users' social media accounts.

Before its removal by Google, the fraudulent extension was installed approximately 30,000 times. User complaints and reviews flagged suspicious behavior, prompting Google to take action. 

If you currently use EditThisCookie, it is crucial to check your browser’s extensions management page. If EditThisCookie® is found, delete it immediately as it is a counterfeit version.

The original EditThisCookie extension is still available for download on GitHub. Users can manually install it by unpacking the file through Chrome’s extension management page. While Chrome may issue a warning about its Manifest v2 framework, the extension remains safe to use as long as the deletion button is avoided.
Read more »
Google Updates
Ad Blockers API Chrome Extensions Cyber Security Google Google Chrome Google Chrome security Google Updates

The Impact of Google’s Manifest V3 on Chrome Extensions

 

Google’s Manifest V3 rules have generated a lot of discussion, primarily because users fear it will make ad blockers, such as Ublock Origin, obsolete. This concern stems from the fact that Ublock Origin is heavily used and has been affected by these changes. However, it’s crucial to understand that these new rules don’t outright disable ad blockers, though they may impact some functionality. The purpose of Manifest V3 is to enhance the security and privacy of Chrome extensions. A significant part of this is limiting remote code execution within extensions, a measure meant to prevent malicious activities that could lead to data breaches. 

This stems from incidents like DataSpii, where extensions harvested sensitive user data including tax returns and financial information. Google’s Manifest V3 aims to prevent such vulnerabilities by introducing stricter regulations on the code that can be used within extensions. For developers, this means adapting to new APIs, notably the WebRequest API, which has been altered to restrict certain network activities that extensions used to perform. While these changes are designed to increase user security, they require extension developers to modify how their tools work. Ad blockers like Ublock Origin can still function, but some users may need to manually enable or adjust settings to get them working effectively under Manifest V3. 

Although many users believe that the update is intended to undermine ad blockers—especially since Google’s main revenue comes from ads—the truth is more nuanced. Google maintains that the changes are intended to bolster security, though skepticism remains high. Users are still able to use ad blockers such as Ublock Origin or switch to alternatives like Ublock Lite, which complies with the new regulations. Additionally, users can choose other browsers like Firefox that do not have the same restrictions and can still run extensions under their older, more flexible frameworks. While Manifest V3 introduces hurdles, it doesn’t spell the end for ad blockers. The changes force developers to ensure that their tools follow stricter security protocols, but this could ultimately lead to safer browsing experiences. 

If some extensions stop working, alternatives or updates are available to address the gaps. For now, users can continue to enjoy ad-free browsing with the right tools and settings, though they should remain vigilant in managing and updating their extensions. To further protect themselves, users are advised to explore additional options such as using privacy-focused extensions like Privacy Badger or Ghostery. For more tech-savvy individuals, setting up hardware-based ad-blocking solutions like Pi-Hole can offer more comprehensive protection. A virtual private network (VPN) with built-in ad-blocking capabilities is another effective solution. Ultimately, while Manifest V3 may introduce limitations, it’s far from the end of ad-blocking extensions. 

Developers are adapting, and users still have a variety of tools to block intrusive ads and enhance their browsing experience. Keeping ad blockers up to date and understanding how to manage extensions is key to ensuring a smooth transition into Google’s new extension framework.
Read more »
Phishing Attacks
Banking Trojans Chrome Extensions CyberCartel malware Phishing Attacks

CyberCartel: Latest Banking Trojan Threat in Chrome Extensions


In recent years, Latin America (LATAM) has become a favourite target for threat actors, especially those attacking financial organizations. The recent report by Security Intelligence titled "Unveiling the Latest Banking Threats in LATAM," explains the changing scenario of banking Trojans in the region. This blog covers important findings and results of the report, showing the sophisticated techniques used by threat actors and the immediate need for advanced cybersecurity measures.

Malicious Chrome Extension Rising

The top trend concerning the report is the rise in campaigns that involve Chrome extensions. The extensions, often masked as genuine tools, are made to hack into users' browsers and do various activities. After installing, threat actors can hack login credentials, take screenshots, and deploy malicious scripts into web pages. The report stresses that these extensions are specifically dangerous as they can evade traditional security checks and stay hidden for longer periods.

CyberCartel and its Role

The report also sheds light on the notorious activities of the cybercriminal group known as CyberCartel. The group has been associated with various high-profile attacks on financial organizations and government officials in LATAM. CyberCartel works via the Malware-as-a-Service (MaaS) model, offering other threat actors the tools and infrastructure needed to launch sophisticated attacks. This has allowed amateur cybercriminals to give access and contribute to the frequency and severity of attacks.

Attacking High-Profile Entities

CyberCartel's main targets are high-profile entities like government offices and financial institutions. These forms are lucrative targets because of the sensitive info they manage and the possible financial gain for threat actors. The report mentions various incidents where CyberCartel successfully hacked these organizations, causing reputational and financial damage. The group's potential to adjust and develop its techniques makes it a dangerous adversary for cybersecurity experts.

Advanced Tactics and Techniques

One sophisticated technique is using social engineering to fool users into installing malicious software. Cybercriminals make believable phishing emails and fake websites that impersonate genuine institutions. Hackers access their accounts and launch fraudulent transactions once users are tricked into giving their credentials.

Another sophisticated technique is using polymorphic malware, infamous for changing its code to escape detection by antivirus software. This kind of malware is difficult to address as it requires consistent updates to security systems to keep up with changing threat scenarios. 

Read more »
Software
Chrome Extensions Cloud9 Cyber Crime Keystrokes Software

Chrome Extensions That Record Keystrokes and Steal Personal Data Should be Avoided

 


Using their Zimperium zLabs research department, Zimperium researchers have discovered a malicious browser extension, dubbed Cloud9. This extension is designed to steal private and sensitive user information and to completely take over the victim's computer. 

Cloud9 is very unnerving because it steals data directly from your computer by monitoring your keystrokes (i.e. keylogging). Cybercriminals would delight in spying on victims' web browser activity since spying can be done through web browsers. After all, it is while you are browsing the web that you are more likely to input highly sought-after credentials, including your bank passwords and other sensitive information. 

Even though you are browsing the web during the time that you are more likely to input highly sought-after credentials, such as your bank passwords or other sensitive information, it is very easy to enter these credentials while you are online. 

In terms of Cloud9, what information do we have? 

As its name suggests, Cloud9 is a botnet that operates as a remote access trojan (RAT) because of the operation method employed. It was found that there were two different versions of Cloud9 that were encountered by researchers: the original and an improved version. The investigators focused their attention in the report, however, on the latter because it "contains all of the functionalities of both variants" according to the report. 

• This type of software runs on a computer to track your keystrokes to steal your credit card information, bank passwords, and more. 

• Using the clipboard, steal your data that was copied and pasted (e.g., you copied it and pasted it). 

• To compromise the user's session, steal your cookies and use them to do so. 

• Cryptocurrencies can be mined using the resources of your browser and computer.

• By inserting malicious code into your device, you will be able to take full control of it.

• From your PC, you can perform DDoS attacks against other websites. 

• A pop-up or an advertisement can be injected into the page. 

The Zimperium zLabs team claims that although Cloud9 is a malicious browser plugin, it cannot be found in any official repository for browser extensions (e.g. Chrome Web Store), despite it being a known malware on the internet. Researchers have found that Cloud9 has been masquerading as an Adobe Flash Player update on malicious websites more frequently than not, according to the research. 

What is the history of Cloud9 and where did it come from? 

A malware group called Keksec was connected to Cloud9 by the investigators to trace its origin. There have been many attacks targeted by this group that has been associated with mining-related malware, said Zimperium zLabs researchers. 

It seems as though the Cloud9 botnet is currently being sold for a few hundred dollars or for free on several hacker forums throughout the world. A report from the company warned that this malware was not targeting a specific type of group. To exploit as much valuable information as possible from all users, cyber criminals target all users to maximize their profits from their exploits. 

In a report released by Zimperium, it was said that because traditional endpoint security solutions do not monitor this vector of attack, browsers are susceptible. However, Cloud9 should remain a distant threat as long as you do not side-load extensions from malicious websites into your browser or use fraudulent executables that originate from malicious websites.
Read more »
virus
Chrome Extensions Cyber Attacks cybercriminals Cybersecurity Google Chrome Malicious Extension Malicious Threats Ransomware virus

Remove These Malicious Chrome Extensions With 1 Million Downloads

 


An extension for your browser can enhance your online experience in several ways. Translations, conversions, spellchecking, shopping, and blocking popup ads are some of the services they can assist you with. You can customize your browsing experience using these extensions, and you may even be able to alter the way websites are displayed. There are several popular extensions available for Chrome, but the dark mode is an example.

It is imperative to remember that not all extensions are safe. By giving them access to such information, such as your personal information, you are giving them a lot of power. 

Although some extensions store this data for convenience, others use it to track you or launch a cyberattack against your computer. A malicious Chrome extension was recently reported to have been downloaded 1.4 million times since it first appeared on our site.

The cybersecurity firm Guardio Labs reports that a newly discovered malicious advertising campaign has been discovered in which Chrome extensions are used to hijack web searches and embed affiliate links into any other websites you visit.

The company's security researchers have dubbed this advertising campaign "Dormant Colors" since all of the malicious extensions in question offer color customization options for Chrome, which makes them the right candidate for being dubbed a malicious advertising campaign. However, the extensions themselves do not include malicious code when installed. This is how they were able to bypass Google’s security checks and end up on the Chrome Web Store in the first place. 

Extensions for Google Chrome - Dormant Colors

Following a thorough investigation into this matter by Guardiothis campaign use ad, it was found that there were thirty different versions of these malicious browser extensions available on both the Chrome and Edge web stores with more than a million installations altogether. They have been removed from both web stores, as we mentioned before, but just in case, here is a complete list of all the products that have been removed:

• Action Colors 
• Power Colors 
• Nino Colors 
• More Styles 
• Super Colors 
• Mix Colors 
• Mega Colors 
• Get colors 
• What color 
• Single Color 
• Colors scale 
• Style flex 
• Background Colors 
• More styles 
• Change Color 
• Dood Colors 
• Refresh color 
• Imginfo 
• WebPage Colors 
• Hex colors 
• Soft view 
• Border colors 
• Colors mode 
• Xer Colors 

 Explanation of how to remove Chrome extensions manually 

There are several malicious extensions listed below that have since been removed, but you may need to manually remove them by clicking on the three dots menu at the top right-hand corner of your Chrome browser to remove them permanently. Upon clicking 'More', you will be taken to the More tools section where you will be able to access Extensions.

Making money by hijacking your browser to make money from clicks on the ads 

The cybercriminals behind this campaign use ads and redirects to trick unsuspecting users into installing their malicious extensions. This is done when they visit sites that offer the opportunity to play videos or download files. This is done so that they can then go one step further and download malicious extensions. 

There are two sites where you can watch videos or download programs. However, when you click the videos or download programs link, you are redirected to another site that requires you to add an extension before you can continue. It is quite likely that you will be prompted to install a color-changing extension when you click either the 'OK' button or the 'Continue' button. This extension initially seems harmless on the surface. 

The problem with these extensions is that once installed, their purpose is to redirect users to pages that redirect them to malicious scripts that side-load malicious scripts that show how to perform search hijacking for the extensions, but also that tell the extensions what sites affiliate links can be inserted on to generate affiliate revenue. The creator of these malicious extensions earns a lot of money from these advertisements, which are sold to third parties for profit, which is known as search data. 

It is also possible to use these Dormant Colors extensions for automatic redirects to the same page with affiliate links added to the URL of each page instead of redirecting users to an entirely different page. Whenever anyone purchases an extension on any of these sites, the developers of such an extension will receive a commission for their work. 

Guardia, in a blog post, tells that the malicious extension campaign may have the potential to spread further over the coming weeks. "As this campaign continues to run, it is shifting domains, generating a wide assortment of extensions, and re-inventing several color-and-style-changing functions you are sure to be able to do without."

It is also worth mentioning that the code injection technique analyzed here provides the mitigation and evasion measures necessary to contribute to further malicious activities in the future, especially since it is a huge infrastructure for mitigation and evasion. 

The most effective way to keep your browser from getting infected by malicious extensions 

The most appropriate time to make sure you have an effective antivirus solution installed on your laptop or PC is before you add any additions to your browser, especially if you plan on adding any new extensions to it. In this way, you will be able to protect yourself against malware infection or having your personal information stolen and misused. 

Additionally, when you install any extensions, be sure to only use trusted sources, such as the Chrome Web Store or the Microsoft Edge Add-ons store, as these are both reliable sources. The fact that malicious extensions do slip through the cracks from time to time does not change the fact that you are still safer when you install browser extensions from an official store rather than from the web.

Additionally, you should always ask yourself whether or not you need an extension before downloading it. Do you need it, or do you just want to use it? When you come across an extension that seems too good to be true, then you can be certain that it is and is not worth downloading. In addition to checking the extensions in your browser regularly, you might also want to consider adding new ones. 

You need to regularly take a look at the extensions you have installed in your browser and make sure they are still relevant. Delete any of these that you no longer need. Also, keep an eye out for any new ones you may not have noticed you have added without your knowledge. Using browser extensions, you can add all kinds of new features and options to your browser that are not available in its built-in functionality. 
Read more »
Subscribe to: Comments (Atom)