Cyberhaven’s preliminary analysis of the recent malicious Chrome extension

NetmanageIT OpenCTI - opencti.netmanageit.com



SUMMARY:

A phishing attack on December 24th, 2024 compromised a Cyberhaven employee's access to the Google Chrome Web Store, leading to the publication of a malicious version of the company's Chrome extension. This was part of a larger campaign targeting Chrome extension developers, primarily aimed at Facebook Ads accounts. The attack involved a phishing email and a malicious Google OAuth application. The malicious extension collected user data from Facebook.com, including access tokens, user IDs, account information, and ad account details. The data was then exfiltrated to a command and control server. The attack appears to be non-targeted and part of a wider campaign affecting multiple companies.

OPENCTI LABELS:

phishing, facebook ads, data exfiltration, command and control, chrome extension, oauth



