Beware: Malicious Chrome Extensions Targeting Workday and NetSuite Users

Five extensions were found targeting enterprises and multinational organizations, taking over valuable accounts.

Andrew Wallace


  • Socket discovered five malicious Chrome extensions mimicking HR/ERP platforms
  • These extensions facilitated credential theft, session hijacking, and obstructed incident response
  • Though removed from the Chrome Web Store, they remain on third-party sites

If you utilize Workday, NetSuite, or SuccessFactors at your workplace, it's crucial to review the browser extensions you have installed, as you may have unknowingly added malware.

Security researchers from Socket have reported the identification of five Chrome extensions that impersonate popular human resource (HR) software and enterprise resource planning (ERP) platforms.

These plugins are engineered to steal authentication tokens, hinder incident response capabilities, or enable complete account takeover through session hijacking, according to the researchers.

Thousands of Victims

Below is the complete list of the malicious extensions:

  • DataByCloud Access
  • Tool Access 11
  • DataByCloud 1
  • DataByCloud 2
  • Software Access

By the time this news surfaced, all five extensions had already been removed from the Google Chrome Web Store. However, users who had installed them previously may not be entirely safe until they uninstall the plugins and conduct a thorough scan to ensure any infections have been eradicated.
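One way to run that review across a machine's Chrome profiles is sketched below. This is an added example, not code from Socket or from the original article: it matches installed extensions against the five names listed above, because the article gives no extension IDs, and it assumes Chrome's default user-data locations unless directories are passed as arguments.

```python
import json
import os
import sys
from pathlib import Path

# Names exactly as listed in the article; the article gives no extension IDs.
FLAGGED = {n.casefold() for n in (
    "DataByCloud Access", "Tool Access 11", "DataByCloud 1",
    "DataByCloud 2", "Software Access")}

def _load(path):
    """Parse a JSON file, tolerating a BOM; None if missing or malformed."""
    try:
        return json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return None

def display_name(version_dir):
    """Display name from manifest.json, resolving a __MSG_key__ placeholder
    through _locales/<default_locale>/messages.json (keys are case-insensitive)."""
    manifest = _load(version_dir / "manifest.json")
    if not isinstance(manifest, dict):
        return None
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        locale = str(manifest.get("default_locale", "en"))
        messages = _load(version_dir / "_locales" / locale / "messages.json") or {}
        for key, entry in messages.items():
            if key.casefold() == name[6:-2].casefold() and isinstance(entry, dict):
                return str(entry.get("message", name))
    return name

def find_flagged(user_data_dir):
    """Return sorted (profile, extension_id, name) tuples for flagged names.
    Layout: <user data>/<profile>/Extensions/<id>/<version>/manifest.json"""
    hits = set()
    for manifest in Path(user_data_dir).glob("*/Extensions/*/*/manifest.json"):
        vdir = manifest.parent
        name = (display_name(vdir) or "").strip()
        if name.casefold() in FLAGGED:
            hits.add((vdir.parents[2].name, vdir.parent.name, name))
    return sorted(hits)

if __name__ == "__main__":
    home = Path.home()
    defaults = [Path(os.environ.get("LOCALAPPDATA", "")) / "Google/Chrome/User Data",
                home / "Library/Application Support/Google/Chrome",
                home / ".config/google-chrome"]
    for root in [Path(p) for p in sys.argv[1:]] or defaults:
        for profile, ext_id, name in find_flagged(root):
            print(f"{root}: profile={profile} id={ext_id} name={name}")
```

A name match is a lead to investigate rather than a verdict, since an unrelated extension can carry the same display name; confirm each hit against the extension IDs published in Socket's report before acting on it.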

Moreover, The Hacker News indicates that these plugins are still accessible on third-party software download sites like Softonic, although we could not independently verify this information as Softonic's site appeared to be offline at the time of writing.

In total, these five add-ons were downloaded 2,739 times, suggesting that the campaign was not particularly widespread.

Nonetheless, Workday, NetSuite, and SuccessFactors are typically employed by medium to large organizations, including enterprises and multinational corporations, for HR, finance, payroll, and operations teams. A complete account takeover in just one of these organizations could lead to a large-scale cyberattack, resulting in millions of dollars in damages and affecting thousands of individuals.

To complicate matters further, some of the extensions that were removed had been published over four years ago.

"The combination of ongoing credential theft, administrative interface blocking, and session hijacking creates a situation where security teams can detect unauthorized access but cannot remediate through standard channels," Socket stated.
