These Chrome extensions spoof Workday, NetSuite, and others to trick victims - here's what to look for


  • Socket found five malicious Chrome extensions spoofing HR/ERP platforms
  • Extensions enabled credential theft, session hijacking, and blocked incident response
  • Removed from Chrome Store, but still on third-party sites

If you are using Workday, NetSuite, or SuccessFactors at work, you might want to pay attention to the browser extensions or add-ons you have installed, because you may have inadvertently installed malware.

Security researchers at Socket have warned that they discovered five Chrome extensions spoofing popular human resource (HR) software and enterprise resource planning (ERP) platforms.

The plugins are designed to steal authentication tokens, block incident response capabilities, or grant full account takeover via session hijacking, the researchers explained.

Thousands of victims

Here is the full list of malicious extensions:

  • DataByCloud Access
  • Tool Access 11
  • DataByCloud 1
  • DataByCloud 2
  • Software Access

By the time the news hit the web, all five had already been removed from the Google Chrome Web Store. Still, users who installed them earlier won’t be entirely secure until they uninstall the plugins and run a thorough scan to confirm the infection has been cleaned.
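To check a machine for the listed add-ons, the sketch below (an added example, not code from Socket or from this article) walks a Chrome profile's Extensions directory and reports any installed extension whose display name matches the list, resolving localized `__MSG_…__` names from `_locales`. The article gives no extension IDs, so matching is by name only and a hit is a lead to investigate; the function names and the sample tree are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Names from the article's list. The page gives no extension IDs,
# so matching is by display name only (assumption of this example).
FLAGGED_NAMES = {"databycloud access", "tool access 11", "databycloud 1",
                 "databycloud 2", "software access"}

def display_name(version_dir: Path) -> str:
    """Return the extension's name, resolving a __MSG_key__ placeholder."""
    manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[6:-2].lower()  # message keys are matched case-insensitively
        locale = manifest.get("default_locale", "en")
        messages_file = version_dir / "_locales" / locale / "messages.json"
        if messages_file.is_file():
            messages = json.loads(messages_file.read_text(encoding="utf-8-sig"))
            for k, v in messages.items():
                if k.lower() == key:
                    return v.get("message", name)
    return name

def find_flagged_extensions(extensions_root: Path) -> list:
    """Scan <root>/<extension id>/<version>/manifest.json for flagged names."""
    hits = []
    for manifest in sorted(extensions_root.glob("*/*/manifest.json")):
        try:
            name = display_name(manifest.parent)
        except (OSError, ValueError, AttributeError):
            continue  # unreadable or malformed manifest: skip it
        if name.strip().lower() in FLAGGED_NAMES:
            hits.append((manifest.parent.parent.name, name))
    return hits

def build_sample_profile() -> Path:
    """Constructed sample tree: two fake extensions with made-up IDs."""
    root = Path(tempfile.mkdtemp())
    bad, ok = root / ("a" * 32) / "1.0_0", root / ("b" * 32) / "2.1_0"
    (bad / "_locales" / "en").mkdir(parents=True)
    ok.mkdir(parents=True)
    (bad / "manifest.json").write_text(json.dumps({"name": "__MSG_appName__", "default_locale": "en"}))
    (bad / "_locales" / "en" / "messages.json").write_text(json.dumps({"appName": {"message": "DataByCloud 2"}}))
    (ok / "manifest.json").write_text(json.dumps({"name": "Constructed Benign Notes"}))
    return root

if __name__ == "__main__":
    print(find_flagged_extensions(build_sample_profile()))
```

On a real machine, pass the `Extensions` folder of each Chrome profile to `find_flagged_extensions` instead of the sample tree.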

Furthermore, The Hacker News reports that the plugins are still available on third-party software download sites such as Softonic, but we couldn’t independently verify these claims since Softonic’s site seemed to be offline at press time.

Cumulatively, these five add-ons were downloaded 2,739 times, which suggests the campaign was not particularly effective.

Still, Workday, NetSuite, and SuccessFactors are usually used by medium to large organizations, including enterprises and multinational firms, for HR, finance, payroll, and operations teams. A full account takeover in just one such organization can turn into a large-scale cyberattack with millions of dollars in damages and thousands of affected individuals.

To make matters even worse, some of the extensions taken down were first published more than four years ago.

"The combination of continuous credential theft, administrative interface blocking, and session hijacking creates a scenario where security teams can detect unauthorized access but cannot remediate through normal channels," Socket said.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
