Key Takeaways
- A DomainTools report found that a single hacker has launched more than 100 fake websites disguised as real apps, causing people to unknowingly install infected Chrome extensions that quietly steal data.
- Some of the malicious sites were hosted on major platforms, including AWS and Cloudflare, proving that even the biggest providers can fall victim to these kinds of attacks.
Security experts know cybercriminals are using AI to launch more sophisticated attacks. Now, they’re creating fake websites that trick users into downloading infected extensions.
A new study by DomainTools found that since February 2024, more than 100 of these fake sites and malicious extensions have surfaced.
“While AI can help with business efficiencies, it can also be used maliciously,” Andy Syrewicze, Security Evangelist at Hornetsecurity, said to HostingAdvice in a previous interview.
Syrewicze added: “This is most notably seen in the uptick of AI-generated sophisticated phishing attacks that can bypass traditional security measures.”
![Example of a lure site: A DeepSeek Chrome Extension themed lure website âdeepseek-ai[.]link.' Credit: DomainTools](https://www.hostingadvice.com/images/uploads/2025/05/image-31-1.jpg?width=368&height=274 "Example of a lure site: A DeepSeek Chrome Extension themed lure website âdeepseek-ai[.]link.' Credit: DomainTools")
The most common methods used in the year-plus-long attacks include:
- The malware creates a hidden form element in the webpage (JavaScript
onresetevent), which allows it to bypass Chrome security checks. - The extensions will hide the address of their command server inside the code. When installed, the bots within the extensions wait to receive more instructions or code before action.
- Some extensions keep an open line of communication, like via WebSocket, with the attacker’s server, which gives the attacker the ability to continue sending commands and control the extension as the attack is happening.
These subtle movements let attackers disclose private information, hijack sessions/account takeovers, modify traffic, and, of course, run the most classic phishing scams.
The worst part is that many users may not even realize what’s happening: Apparently, many of these lure websites do appear to work as advertised, so the person downloading it may be none the wiser.
Hosting Providers Are in the Crosshairs
These types of attacks are a big problem — and responsibility — for hosting providers. Even the hyperscalers aren’t immune.
Several lure sites have been hosted on their platforms: Manus AI on AWS, and both SiteStats and FortiVPN (which has since disappeared) on Cloudflare, according to Hosting Checker.
Providers need to be diligent about conducting security audits and checks, especially on their own clients.
Bad actors only work because enough people trust them. That makes it easy to exploit them when the average user doesn’t fully understand the risks.
And as providers continue adding APIs and third-party integrations, they’re also widening the attack surface.
Strong encryption requirements and implementing zero-trust and MFA are just the beginning.
GoDaddy, for example, offers security checks for its customers to perform automatically, allowing them to run security scans to detect malware and other vulnerabilities.
Whatever the method, with injectable attacks like these, it’s up to web hosting providers to vet, audit, and secure every single site they service.
