Traffic and user credentials from more than 170 websites, including Microsoft Azure, Amazon Web Services, GitHub, IBM, VMware, and Facebook, could be compromised by a pair of Google Chrome extensions named Phantom Shuttle, which pose as legitimate VPN plug-ins, The Hacker News reports.
According to a report from Socket, the malicious subscription-based extensions inject authentication credentials and act as man-in-the-middle proxies, intercepting traffic for the targeted domains and relaying it to the attacker's command-and-control server.
Although both plug-ins, which come from the same developer, enable latency tests, they also rely on an asyncBlocking mode that guarantees synchronous credential injection and enables the exfiltration of credit card numbers, browsing data, API keys, and access tokens, among other data.
"The combination of heartbeat exfiltration (credentials and metadata) plus proxy MitM (real-time traffic capture) provides comprehensive data theft capabilities operating continuously while the extension remains active," said Socket, which has linked that illicit activity to a China-based operation.
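As an added defender-side example, not taken from the article or from Socket's report: a short Python triage script that parses a Chrome extension manifest and flags the permission combination (proxy redirection plus webRequest authentication handling) that makes the proxy MitM and asyncBlocking credential injection described above possible. The permission names are real Chrome API names; the two sample manifests are constructed for the example and are not the Phantom Shuttle manifests.

```python
import json

# Chrome extension permission names used here are real Chrome API names
# (assumed knowledge, not taken from the article). "proxy" lets an extension
# route all browser traffic through a server it chooses; "webRequest" combined
# with "webRequestAuthProvider" (Manifest V3) or "webRequestBlocking"
# (Manifest V2) lets it handle onAuthRequired in asyncBlocking mode and
# supply credentials of its own.
PROXY_PERMS = {"proxy"}
AUTH_INJECT_PERMS = {"webRequestAuthProvider", "webRequestBlocking"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def risk_findings(manifest: dict) -> list:
    """Return human-readable findings for one parsed manifest.json."""
    perms = set(manifest.get("permissions", []))
    # MV3 keeps host patterns in host_permissions; MV2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in perms if "://" in p or p == "<all_urls>"
    }
    findings = []
    if perms & PROXY_PERMS:
        findings.append("proxy: can redirect all browser traffic to an arbitrary server")
    if "webRequest" in perms and perms & AUTH_INJECT_PERMS:
        findings.append("webRequest+auth: can answer onAuthRequired (asyncBlocking) "
                        "and inject credentials")
    if hosts & BROAD_HOSTS:
        findings.append("broad host access: can observe requests to every site")
    return findings


def is_proxy_mitm_capable(manifest: dict) -> bool:
    """True when the extension can both redirect traffic and inject credentials,
    the combination the article describes for Phantom Shuttle."""
    found = risk_findings(manifest)
    return (any(f.startswith("proxy:") for f in found)
            and any(f.startswith("webRequest+auth:") for f in found))


# Constructed sample manifests (not the real Phantom Shuttle manifests).
VPN_LOOKALIKE = json.loads("""{
  "manifest_version": 3, "name": "Example Free VPN",
  "permissions": ["proxy", "webRequest", "webRequestAuthProvider", "storage"],
  "host_permissions": ["<all_urls>"]
}""")
BENIGN_NOTES = json.loads("""{
  "manifest_version": 3, "name": "Example Notes", "permissions": ["storage"]
}""")

if __name__ == "__main__":
    for m in (VPN_LOOKALIKE, BENIGN_NOTES):
        print(m["name"], "->", "HIGH RISK" if is_proxy_mitm_capable(m) else "ok")
        for line in risk_findings(m):
            print("   -", line)
```

A legitimate VPN extension may need "proxy" and broad host access on its own; the finding worth escalating is the added ability to answer authentication challenges, which is what turns a proxy into a credential-injecting MitM.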
Application security, Cloud Security, Threat Management, Threat Intelligence

Illicit Chrome extensions facilitate widespread credential exfiltration
