Google Chrome is the most popular browser on desktop, which is why it’s also one of the most popular targets for hackers. This makes perfect sense given how much personal and sensitive info we store in our browsers, and now, hackers have come up with a clever new way to steal all that data and even take over our computers.
As reported by BleepingComputer, a new attack called ‘Browser Syncjacking’ was recently spotted online by security researchers at the cybersecurity firm SquareX. The attack involves several steps, but what makes it particularly dangerous is that it’s sneaky and requires minimal permissions. There’s very little a Chrome user has to do to fall victim to it.
Here’s everything you need to know about this new attack, along with some tips and tricks to help keep you, your data and your devices safe.
From browser extension to device take over
Before targeting Chrome users, the hackers behind this new attack first set up a malicious Google Workspace domain with multiple user profiles where security features such as multi-factor authentication are intentionally disabled. Later on, this domain is used in the background to create managed profiles on the victim’s devices.
From there, the hackers then create and launch a malicious Chrome extension on the Chrome Web Store. To entice potential victims, they make this extension appear as a useful tool they might want to add to Chrome.
Then, through social engineering, the attackers trick potential victims into installing this new extension. Once installed, it uses a hidden browser window running in the background to log a victim into one of the managed Workspace profiles the hackers previously created.
To trick victims into enabling Chrome sync on this new hacker-controlled profile, the extension opens an actual Google support page that has been tampered with, which explains how to turn on sync. If a victim goes through this whole process, all of their stored Chrome data, including passwords and browsing history, ends up in the hands of the hackers, who can then use their now compromised Chrome profile on their own device.
Now that the hackers have control over a victim’s Chrome profile, they then try to take over their browser completely. In a blog post detailing this new attack, SquareX explains that this is often done using a fake Zoom update. For instance, the victim might receive a legitimate Zoom invite. Still, when they click on it, the extension from earlier injects malicious content into the invitation, explaining that Zoom needs to be updated. However, instead of a real update, the download that appears is actually an executable file that contains an enrollment token. If a victim runs this file thinking it’s an ordinary update, they give the hackers behind this campaign complete control over their browser.
From here, the attackers can silently access all of a victim’s web apps, install additional malicious extensions, redirect them to phishing sites, monitor/ modify files and a whole lot more, according to SquareX’s researchers. To make matters worse, by using Chrome’s Native Messaging API, the attackers can establish a direct communication channel between their malicious extension and a victim’s operating system, which lets them install malware, capture keystrokes, extract sensitive data and even activate a device’s webcam and microphone.
How to stay safe from malicious browser extensions
We’ve seen similar extension attacks in the past that also involve elaborate social engineering. Still, this one is a bit different since an attacker only requires minimal permissions, a bit of social engineering and almost no user interaction to pull it off. Likewise, unless a victim continually checks for managed browser labels deep within Chrome’s settings, there’s no visual indication that their browser has been hijacked.
To stay safe from this attack and others like it, the first thing you want to do is to avoid installing new Chrome extensions as well as limit the ones you do have installed. Before installing any new extension, you want to carefully look into the extension itself as well as its developers for signs of anything suspicious. However, you should also ask yourself if you really need this extension or if you can use another program or app to do the exact same thing.
As for staying safe from malware, you want to ensure you’re using the best antivirus software on your Windows PC and the best Mac antivirus software on your Apple computer. Likewise, it’s better to store your passwords and other credentials in one of the best password managers as opposed to in your browser since hackers love targeting them.
Hackers will keep coming up with clever new attacks. Still, by being extra cautious online, not installing unnecessary extensions, software or apps and improving your own cyber hygiene, you should be able to avoid falling victim to them.
More from Tom's Guide
