Cybersecurity researchers have identified five malicious Google Chrome extensions designed to mimic HR and ERP platforms such as Workday, NetSuite, and SuccessFactors, enabling attackers to hijack victim accounts.
“These extensions operate together to steal authentication tokens, disable incident response features, and enable full account takeover via session hijacking,” said Socket researcher Kush Pandya in a Thursday report.
The malicious extensions are listed below:
- DataByCloud Access (ID: oldhjammhkghhahhhdcifmmlefibciph, Publisher: databycloud1104) – 251 installs
- Tool Access 11 (ID: ijapakghdgckgblfgjobhcfglebbkebf, Publisher: databycloud1104) – 101 installs
- DataByCloud 1 (ID: mbjjeombjeklkbndcjgmfcdhfbjngcam, Publisher: databycloud1104) – 1,000 installs
- DataByCloud 2 (ID: makdmacamkifdldldlelollkkjnoiedg, Publisher: databycloud1104) – 1,000 installs
- Software Access (ID: bmodapcihjhklpogdpblefpepjolaoij, Publisher: Software Access) – 27 installs
Except for Software Access, all extensions have been removed from the Chrome Web Store, but remain available on third-party sites like Softonic. They are promoted as productivity tools offering access to premium services across multiple platforms. Notably, DataByCloud 1 and DataByCloud 2 were initially published on August 18, 2021.
Although the extensions are listed under different publishers, the campaign is believed to be a coordinated operation, as they share identical functionality and infrastructure. The extensions exfiltrate cookies to remote servers, manipulate the Document Object Model (DOM) to block security pages, and hijack sessions via cookie injection.
Once installed, DataByCloud Access requests permissions for cookies, scripting, storage, and declarativeNetRequest across Workday, NetSuite, and SuccessFactors domains, transmitting authentication cookies to api.databycloud[.]com every 60 seconds.
“Tool Access 11 (v1.4) blocks access to 44 administrative pages in Workday by removing page content and redirecting users to malformed URLs,” Pandya explained. This prevents access to authentication management, IP range control, session management, and security proxy settings. DataByCloud 2 extends this to 56 pages, adding critical features like password changes, 2FA device management, account deactivation, and security log access, targeting both production and sandbox environments.
DataByCloud 1 replicates the cookie-stealing behaviour of DataByCloud Access while also preventing code inspection via the DisableDevtool library. Both extensions encrypt their command-and-control (C2) traffic.
The most advanced, Software Access, not only steals cookies but can receive stolen cookies from api.software-access[.]com and inject them into the victim’s browser session for direct hijacking. It also protects password input fields to prevent credential inspection.
“The function parses cookies from server payloads, removes existing cookies for the domain, and injects each cookie using chrome.cookies.set(), effectively installing the victim’s authentication state in the attacker’s session,” Socket noted.
All five extensions monitor 23 security-related Chrome extensions like EditThisCookie, Cookie-Editor, ModHeader, Redux DevTools, and SessionBox to detect any tools that might interfere with their cookie theft. This may indicate the same threat actor or a shared toolkit across publishers.
Chrome users are advised to remove these extensions, reset passwords, and check for unauthorized access from unknown devices or IP addresses.
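A practical way to act on that advice across a fleet is to scan each Chrome profile's Extensions directory for the five extension IDs named above and for any other manifest that requests the same risky permission set (cookies plus scripting or declarativeNetRequest, with host access to Workday, NetSuite or SuccessFactors), then emit an ExtensionInstallBlocklist policy for the confirmed IDs. The script below is an added example, not Socket's tooling or code from the extensions; the profile layout, the sample manifests and the two non-report extension IDs are constructed for the demonstration.

```python
"""Flag known and look-alike malicious Chrome extensions in a profile's Extensions folder.

Added example (not Socket's code). The five known IDs come from the report; the
sample profile and the other two IDs are constructed. Real profile paths are, e.g.
  Linux:   ~/.config/google-chrome/Default/Extensions
  Windows: %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Extensions
"""
import json
import os
import tempfile

# Extension IDs named in the Socket report, mapped to their listed names.
KNOWN_MALICIOUS_IDS = {
    "oldhjammhkghhahhhdcifmmlefibciph": "DataByCloud Access",
    "ijapakghdgckgblfgjobhcfglebbkebf": "Tool Access 11",
    "mbjjeombjeklkbndcjgmfcdhfbjngcam": "DataByCloud 1",
    "makdmacamkifdldldlelollkkjnoiedg": "DataByCloud 2",
    "bmodapcihjhklpogdpblefpepjolaoij": "Software Access",
}

# Domains the reported extensions targeted.
HR_ERP_DOMAINS = ("workday.com", "netsuite.com", "successfactors.com")


def manifest_risk(manifest):
    """Return the reasons a manifest resembles the reported extensions ([] = nothing found)."""
    reasons = []
    perms = set(manifest.get("permissions", []))
    # MV3 puts host patterns in host_permissions; MV2 mixed them into permissions.
    hosts = list(manifest.get("host_permissions", [])) + [p for p in perms if "://" in p]
    if "cookies" in perms and perms & {"scripting", "declarativeNetRequest"}:
        reasons.append("cookies + scripting/declarativeNetRequest")
    if any(d in h for h in hosts for d in HR_ERP_DOMAINS):
        reasons.append("host access to HR/ERP SaaS domain")
    return reasons


def scan_extensions_dir(ext_dir):
    """Walk <Extensions>/<id>/<version dir>/manifest.json and return a list of findings."""
    findings = []
    for ext_id in sorted(os.listdir(ext_dir)):
        id_path = os.path.join(ext_dir, ext_id)
        if not os.path.isdir(id_path):
            continue
        for version in sorted(os.listdir(id_path)):  # Chrome names these like 1.4_0
            mpath = os.path.join(id_path, version, "manifest.json")
            if not os.path.isfile(mpath):
                continue
            with open(mpath, encoding="utf-8") as fh:
                manifest = json.load(fh)
            reasons = manifest_risk(manifest)
            if ext_id in KNOWN_MALICIOUS_IDS:
                reasons.insert(0, "known ID: " + KNOWN_MALICIOUS_IDS[ext_id])
            if reasons:
                findings.append({"id": ext_id, "version": version,
                                 "name": manifest.get("name", "?"), "reasons": reasons})
    return findings


def blocklist_policy(ext_ids):
    """Build the Chrome enterprise policy fragment that blocks the given extension IDs."""
    return {"ExtensionInstallBlocklist": sorted(ext_ids)}


def build_sample_profile():
    """Constructed sample Extensions folder: one known-bad ID, one look-alike, one benign."""
    root = tempfile.mkdtemp()
    samples = {
        ("oldhjammhkghhahhhdcifmmlefibciph", "1.0.0_0"): {   # ID from the report
            "name": "DataByCloud Access", "manifest_version": 3,
            "permissions": ["cookies", "scripting", "storage", "declarativeNetRequest"],
            "host_permissions": ["https://*.workday.com/*", "https://*.netsuite.com/*"],
        },
        ("abcdefghijklmnopabcdefghijklmnop", "2.3.1_0"): {   # constructed look-alike
            "name": "Helper", "manifest_version": 3,
            "permissions": ["cookies", "scripting"],
            "host_permissions": ["https://*.successfactors.com/*"],
        },
        ("ponmlkjihgfedcbaponmlkjihgfedcba", "0.9_0"): {     # constructed benign
            "name": "Dark theme", "manifest_version": 3,
            "permissions": ["storage"],
        },
    }
    for (ext_id, version), manifest in samples.items():
        d = os.path.join(root, ext_id, version)
        os.makedirs(d)
        with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    for f in scan_extensions_dir(build_sample_profile()):
        print(f"{f['id']} {f['version']} ({f['name']}): {', '.join(f['reasons'])}")
    print(json.dumps(blocklist_policy(KNOWN_MALICIOUS_IDS), indent=2))
```

Run against a real profile, the scanner reports the known IDs outright and surfaces unlisted extensions whose permission set matches the report's pattern for analyst review; the emitted policy fragment can be pushed through Chrome's managed-policy mechanism (registry on Windows, policies directory on Linux, configuration profile on macOS) to stop the five IDs from being reinstalled from third-party sites.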
“The combination of continuous credential theft, administrative blocking, and session hijacking creates a situation where security teams can detect attacks but cannot fully remediate through standard channels,” Socket concluded.