Fake HR Plugins Steal Secrets, Block Security Teams
20 Jan
Summary
- Five malicious Chrome extensions mimicked popular HR and ERP software.
- These plugins stole authentication tokens and blocked incident response.
- Malware was distributed via the Chrome Web Store and third-party sites.

Malicious browser extensions disguised as popular HR and ERP software have been identified by security researchers, posing a significant threat to corporate security. Five such Chrome extensions, designed to mimic legitimate platforms like Workday, NetSuite, and SuccessFactors, were found to steal authentication tokens and facilitate session hijacking. These add-ons also critically hampered incident response capabilities, creating a scenario where unauthorized access could be detected but not remediated through normal channels.
These five extensions, which collectively accumulated 2,739 downloads, were removed from the Google Chrome Web Store. However, the threat persists for users who installed them prior to their removal, necessitating uninstallation and thorough system scans. Reports suggest these plugins may still be available on third-party download sites, amplifying the risk for unsuspecting users. The existence of some plugins for over four years points to a long-standing, stealthy threat campaign.




