You have been warned — check Chrome now.
Jaap Arriens/NurPhoto
A serious new warning for Google Chrome users this week, with the release of a list of websites you must never use. There’s a twist though. These websites hide behind major brands and trick you into installing dangerous malware. The tell is simple though — so while the list of websites is linked below, there’s an easier way to stay safe.
With Chrome users already facing a critical update warning, DomainTools found more than 100 websites [listed here on Github] “masquerading as legitimate services, productivity tools, ad and media creation or analysis assistants, VPNs, Crypto, banking and more.” Each website includes a Get Chrome Extension or Add to Chrome button.
DomainTools warns that while the extensions correspond to ones on Google’s Chrome Web Store (CWS), these “typically have a dual functionality, in which they generally appear to function as intended, but also connect to malicious servers to send user data, receive commands, and execute arbitrary code.”
DomainTools has examples of fake DeepSeek, YouTube, Flight Radar, Calendly and VPN websites and extensions as lures. Extensions partially work, but are “configured with excessive permissions to interact with every site the browser visits and retrieve and execute arbitrary code from a network of other actor controlled domains.”
Dangerous extensions
DomainTools
Unsurprisingly, the hosting infrastructure is common across the campaign. While mimicking DeepSeek and YouTube is simple brand hijacking, fake VPN extensions as a means to attack Chrome users ie beyond ironic. These VPN extensions connect to a malicious backend client [to]
listen for commands.” When instructed, the extension “uses chrome.cookies.getAll({}) to retrieve all browser cookies.” it can even inject scripts into open Chrome tabs to run its own malicious code.
Website lure and malicious extension
DomainTools
DomainTools says these attacks have been more than a year in the making. “This malicious actor has deployed over 100 fake websites and malicious Chrome extensions with dual functionalities. Analysis revealed these extensions can execute arbitrary code from attacker-controlled servers on all visited websites, enabling credential theft, session hijacking, ad injection, malicious redirects, traffic manipulation, and phishing via DOM manipulation. Some extensions were also observed attempting to steal all browser cookies, which may lead to account compromises.”
While the Chrome Web Store “has removed multiple of the actor’s malicious extensions after malware identification,” DomainTools warns “the time lag in detection and removal pose a threat to users seeking productivity tools and browser enhancements.”
To stay safe, check carefully before installing extensions. While that means using official stores, it also means checking names and reviews carefully and ensuring developers behind those extensions have been verified. Such add-on software is a well-proven vulnerability with Chrome, and “vigilance is key to avoiding these threats.”
Most of the API domains identified by DomainTools as being part of this attack have a .TOP top level domain. Yet another warning to see .TOP as high risk at all times.
