Malicious Chrome Extensions Threaten Millions

Bard AI Chat, ChatGPT, Cyber Attack, Facebook Ads, Google Chrome, Google Meet, malware, Ophtek, Phishing, , , , , , ,
04
Feb 2025

A recent cyberattack has compromised several popular Google Chrome extensions, infecting millions of users with data-stealing malware.

In early January 2025, cybersecurity researchers at Extension Total discovered a malicious campaign targeting Chrome extensions which offer AI services. The threat actors hijacked at least 36 extensions – including Bard AI Chat, ChatGPT for Google Meet, and ChatGPT App – with approximately 2.6 million users affected. This widespread attack has raised the alarm among users and software developers as, previously, these extensions were highly trusted.

With 3.45 billion people using Chrome as their browser, it’s no surprise that threat actors would target it. This attack is especially ingenious, so we’re going to take a deep dive into it.

How Were the Chrome Extensions Compromised?

The affected extensions may be named after popular AI tools like Bard and ChatGPT, but they are third-party applications with no development from Google or OpenAI. Third-party extensions can, of course, be legitimate, but these compromised extensions were far from helpful. Instead, they were used to deliver fake updates containing malware.

The malware was designed to steal sensitive user information, specifically targeting data related to Facebook Ads accounts. Therefore, this posed a significant threat to businesses which rely on Facebook for marketing and sales. With this stolen data, the threat actors could use it for unauthorized access, financial and identity theft, or to fuel phishing attacks.

In response to the attack, many of the affected extensions have been removed from the Chrome Store to limit further infections. However, others remain available, exposing users to the malware. Chrome, as we’ve already mentioned, is hugely popular with around 130,000 extensions are available to install. The risk of a security incident, as you would imagine, is high; this recent attack underscores the importance of practicing vigilance when installing extensions.

Staying Safe from Rogue Chrome Extensions

Browser extensions are designed to help users by enhancing functionality and making everyday browsing easier. However, this recent attack has also demonstrated that they’re a security risk. Ophtek wants to keep you safe from similar attacks, so we’ve put together our top tips for protecting your PC from rogue extensions:

  • Install Extensions from Trusted Sources: you should only ever download extensions from reputable developers and official web stores. Before hitting that install button, always carry out some research on the developer, read user reviews, and check ratings to assess how legitimate it is.
  • Limit Extension Permissions: extensions often require permissions to function correctly on your PC but be very careful of any extension which requests a long list of permissions e.g. access to browsing data, microphone control, and cookies. You should only ever grant permissions to what is necessary for the extension to operate. If in doubt of a permission request, seek help from an IT professional.
  • Update Extensions: always ensure your extensions are kept up to date, as developers often release patches to fix security vulnerabilities. Regularly check for updates and keep an eye out for any unusual browser behavior such as strange pop-ups, redirects to other sites, or performance issues. Additionally, if you have extensions you no longer use, remove these to reduce your exposure to risk

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Fake Google Meet Pages Used to Spread Malware

Chrome, ClickFix, DarkGate, Facebook, Google, Google Meet, Lumma Stealer, malware, Ophtek, Phishing Email, , , , , , , , ,
12
Nov 2024

Hackers have designed fake Google Meet error pages to distribute info-stealing malware which can compromise all the data on a network.

It feels as though malicious websites are springing up on a daily basis, and with 12.8 million websites infected with malware, this is a fair assumption to make. The latest attack under the Ophtek spotlight centers around Google Meet, a videoconferencing service hosted online by Google. The threat uses fake connectivity errors to lure victims into inadvertently launching the malware on their own system. And with Google Meet having over 300 million active users every month, the chance of this campaign tripping people up is exceptionally high.

The Danger of Fake Google Meet Pages

Google Meet attack appears to be part of a wider hacking campaign known as ClickFix, which has also been identified using similar fake websites impersonating Google Chrome and Facebook. In all these cases, the objective of the campaign is to install info stealers onto infected PCs. Malware used in these attacks include DarkGate and Lumma Stealer.

Fake error messages are displayed in the web browsers of victims to indicate a connectivity issue with a Google Meet call. However, there is no Google Meet call taking place, it’s simply a ruse to deceive victims into following through on a malicious call-to-action. These ‘errors’ recommend copying a ‘fix’ and then running it in Windows PowerShell, an app commonly used to automate processes on a Microsoft system.

Unfortunately, rather than fixing the ‘error’ with Google Meet, the execution of this code within PowerShell simply downloads and installs the malware. Once installed, malware such as DarkGate and Lumma Stealer has the potential to search out sensitive data on your network, establish remote network connections, and transmit stolen data out of your network.

Victims are redirected to these malicious websites via phishing emails, which claim to contain instructions for joining important virtual meetings and webinars. The URLs used within the emails appear like genuine Google Meet links but take advantage of slight differences in the address to deceive recipients.

Protecting Yourself from Fake Google Meet Malware

The best way to stay safe in the face of the fake Google Meet pages (and similar attacks) is by being proactive and educating your staff on the threats of malicious websites. Accordingly, following these best practices gives you the best chance of securing your IT infrastructure:

  • Double Check URLs: malicious websites often mimic genuine ones to catch people off guard. Therefore, always verify any URL for anything unusual such as misspelled words or lengthened and unusual domain endings, before clicking them. This will minimize your risk of falling victim to phishing and malware attacks.
  • Use Browser Security Features: many browsers, such as Google Chrome, come with built-in security features which can block sites known to be harmful or detect suspicious downloads. If you have these protections enabled, and this is easily done through your browser settings, you can rest assured you’re putting a strong security measure in place.
  • Install Antivirus and Firewall Software: one of the simplest way to protect yourself is by installing antivirus and firewall software, which is often available for free in the form of AVG and Kaspersky. This software can not only detect malware, but also block it before it reaches your system, so it can be considered a very strong form of defense.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More