Cyberhaven’s preliminary analysis of the recent malicious Chrome extension

Jan. 2, 2025, 3:31 p.m.

Description

A phishing attack on December 24th, 2024 compromised a Cyberhaven employee's access to the Google Chrome Web Store, leading to the publication of a malicious version of their Chrome extension. This was part of a larger campaign targeting Chrome extension developers, primarily aimed at Facebook Ads accounts. The attack involved a phishing email and a malicious Google OAuth application that, once authorized, granted the attacker the access needed to publish to the Web Store. The malicious extension collected user data from Facebook.com, including access tokens, user IDs, account information, and ad account details. The data was then exfiltrated to a command and control server. The attack appears to be non-targeted and part of a wider campaign affecting multiple companies.

Date

  • Created: Jan. 2, 2025, 3:28 p.m.
  • Published: Jan. 2, 2025, 3:28 p.m.
  • Modified: Jan. 2, 2025, 3:31 p.m.

Indicators

  • ddf8c9c72b1b1061221a597168f9bb2c2ba09d38d7b3405e1dace37af1587944
  • 149.248.2.160
  • 149.28.124.84
  • api.cyberhaven.pro
  • cyberhavenext.pro

Attack Patterns

  • T1056.002
  • T1185
  • T1573.002
  • T1059.007
  • T1199
  • T1102
  • T1041
  • T1566