Hackers Use "Lure" Sites to Secretly Spread Infected Chrome Extensions

Posted:
Cybercriminals Are Using Fake Sites To Spread Infected Extensions
Jordan Sprogis

Writer: Jordan Sprogis

Jordan Sprogis

Jordan Sprogis, Contributing Expert

Jordan Sprogis is a creative writer and tech researcher who has been working on online content for the better part of a decade. She holds a bachelor's degree in professional writing from Western Connecticut State University and has devoted much of her career to crafting content for various web verticals, including CyberSpyder and The Echo. Since joining HostingAdvice, Jordan has combined her storytelling ability with her fascination for advancements in technology to pen over 200 articles geared toward industry pros and newcomers alike.

See Full Bio »
Close
Lillian Castro

Editor: Lillian Castro

Lillian Castro

Lillian Castro, Senior Editor

Lillian brings more than 30 years of editing and journalism experience to our team. She has written and edited for major news organizations, including The Atlanta Journal-Constitution and the New York Times, and she previously served as an adjunct instructor at the University of Florida. Today, she edits HostingAdvice content for clarity, accuracy, and reader engagement.

See Full Bio »
Close
Cristian Lopez

Reviewer: Cristian Lopez

Cristian Lopez

Cristian Lopez, Contributing Expert

Cristian Lopez uses his Business Marketing background from the University of Illinois at Chicago to create comfortable environments for customers, clients, and colleagues to share their thoughts and ideas openly. From interviewing tech leaders to conducting UX market research projects, Cristian knows the importance of storytelling — a key variable for innovation and inspiration. His goal at HostingAdvice is to wow readers on the ever-evolving nature of the tech industry and bring his audience the most reliable and exciting content on all things hosting.

See Full Bio »
Close
Follow the HostingAdvice team for a daily dose of tech news, trending IT discussions, and interviews with the web's most innovative technologists.

Key Takeaways

Security experts know cybercriminals are using AI to launch more sophisticated attacks. Now, they’re creating fake websites that trick users into downloading infected extensions.

A new study by DomainTools found that since February 2024, more than 100 of these fake sites and malicious extensions have surfaced.

“While AI can help with business efficiencies, it can also be used maliciously,” Andy Syrewicze, Security Evangelist at Hornetsecurity, said to HostingAdvice in a previous interview.

Syrewicze added: “This is most notably seen in the uptick of AI-generated sophisticated phishing attacks that can bypass traditional security measures.”

Example of a lure site: A DeepSeek Chrome Extension themed lure website ‘deepseek-ai[.]link.' Credit: DomainTools
Example of a lure site: A DeepSeek Chrome Extension themed lure website ‘deepseek-ai.link, which 404s at the time of publication. Credit: DomainTools

The most common methods used in the year-plus-long attacks include:

  • The malware creates a hidden form element in the webpage (JavaScript onreset event), which allows it to bypass Chrome security checks.
  • The extensions will hide the address of their command server inside the code. When installed, the bots within the extensions wait to receive more instructions or code before action.
  • Some extensions keep an open line of communication, like via WebSocket, with the attacker’s server, which gives the attacker the ability to continue sending commands and control the extension as the attack is happening.

These subtle movements let attackers disclose private information, hijack sessions/account takeovers, modify traffic, and, of course, run the most classic phishing scams.

The worst part is that many users may not even realize what’s happening: Apparently, many of these lure websites do appear to work as advertised, so the person downloading it may be none the wiser.

Hosting Providers Are in the Crosshairs

These types of attacks are a big problem — and responsibility — for hosting providers. Even the hyperscalers aren’t immune.

Several lure sites have been hosted on their platforms: Manus AI on AWS, and both SiteStats and FortiVPN (which has since disappeared) on Cloudflare, according to Hosting Checker.

Providers need to be diligent about conducting security audits and checks, especially on their own clients.

Bad actors only work because enough people trust them. That makes it easy to exploit them when the average user doesn’t fully understand the risks.

And as providers continue adding APIs and third-party integrations, they’re also widening the attack surface.

GoDaddy also recommends the Sucuri SiteCheck scanner, where you can pop in a URL and check for malware.

Strong encryption requirements and implementing zero-trust and MFA are just the beginning.

GoDaddy, for example, offers security checks for its customers to perform automatically, allowing them to run security scans to detect malware and other vulnerabilities.

Whatever the method, with injectable attacks like these, it’s up to web hosting providers to vet, audit, and secure every single site they service.

About the Author

Jordan Sprogis
Jordan Sprogis
Contributing Expert

Jordan Sprogis is a creative writer and tech researcher who has been working on online content for the better part of a decade. She holds a bachelor's degree in professional writing from Western Connecticut State University and has devoted much of her career to crafting content for various web verticals, including CyberSpyder and The Echo. Since joining HostingAdvice, Jordan has combined her storytelling ability with her fascination for advancements in technology to pen over 200 articles geared toward industry pros and newcomers alike.

View Jordan Sprogis's Full Profile »