
Malicious Chrome Extensions Are Hijacking Your Data — And You Might Not Even Know It


Source: The Hacker News

A new wave of malicious Chrome extensions is putting millions of users at risk by masquerading as trusted tools like Fortinet VPN, YouTube utilities, and productivity boosters. Despite their appearance, these add-ons are anything but helpful. Once installed, they silently exfiltrate browser cookies, act as proxies for remote servers, and give attackers direct control over a user’s online traffic.

Researchers at DomainTools uncovered that many of these extensions—some of which remained available on the Chrome Web Store until recently—were built to appear benign while executing advanced data theft operations behind the scenes. The fake “fortivpn” extension, for example, compressed and encrypted all browser session cookies and transmitted them to a command-and-control server, a tactic more commonly associated with advanced persistent threat actors [1].

The distribution campaign is unusually sophisticated. Threat actors have registered more than 100 convincing domains like forti-vpn[.]com and youtube-premium[.]net, each designed to mimic legitimate brands and push these extensions via direct Chrome Web Store links. Once installed, these extensions open WebSocket connections, effectively turning a user’s machine into a traffic relay for malicious actors [2].

While Google has taken action to remove many of the flagged extensions, the discovery highlights a broader issue: the growing difficulty of discerning legitimate browser tools from weaponized ones. As threat actors evolve, users must adopt a more skeptical approach to installing extensions, even from official platforms.
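One way to act on that skepticism is to review what installed extensions are permitted to do. The following is an added example (not from the article or the cited research) that scans a Chrome profile's `Extensions` directory and flags manifests requesting the `cookies` permission together with access to all sites, or the `proxy` permission. The flagging rules and the sample manifests are assumptions constructed for this example; the article does not list the permissions the malicious extensions requested.

```python
import json
import sys
from pathlib import Path

# Heuristic chosen for this example (not taken from the article): reading every
# site's cookies needs the "cookies" permission plus broad host access.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
PERMISSION_KEYS = ("permissions", "optional_permissions",
                   "host_permissions", "optional_host_permissions")

# Constructed sample manifests, not from any real extension.
SAMPLE_RISKY = {"name": "Example VPN", "manifest_version": 3,
                "permissions": ["cookies", "proxy", "storage"],
                "host_permissions": ["<all_urls>"]}
SAMPLE_BENIGN = {"name": "Example Notes", "manifest_version": 3,
                 "permissions": ["storage"],
                 "host_permissions": ["https://notes.example/*"]}


def assess_manifest(manifest):
    """Return findings for one parsed manifest.json (empty list = not flagged)."""
    if not isinstance(manifest, dict):
        return ["manifest is not a JSON object"]
    requested = set()
    for key in PERMISSION_KEYS:  # covers Manifest V2 and V3 layouts
        value = manifest.get(key, [])
        if isinstance(value, list):
            requested.update(p for p in value if isinstance(p, str))
    findings = []
    broad = sorted(requested & BROAD_HOSTS)
    if "cookies" in requested and broad:
        findings.append("cookies with broad host access: " + ", ".join(broad))
    if "proxy" in requested:
        findings.append("proxy permission: can change browser proxy settings")
    return findings


def scan_extensions(extensions_dir):
    """Map '<extension id>/<version>' to findings for each flagged manifest."""
    flagged = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        key = f"{path.parent.parent.name}/{path.parent.name}"
        try:
            findings = assess_manifest(json.loads(path.read_text(encoding="utf-8-sig")))
        except (OSError, ValueError):
            findings = ["manifest could not be parsed"]
        if findings:
            flagged[key] = findings
    return flagged


if __name__ == "__main__":  # usage: python audit.py <profile>/Extensions
    for ext, findings in scan_extensions(sys.argv[1]).items():
        print(ext, "->", "; ".join(findings))
```

A hit is a lead for manual review, not a verdict: legitimate extensions also request these permissions, so compare each flagged ID against what the user knowingly installed.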

In an era where browser-based attacks are growing in sophistication, this is a stark reminder that trust must be earned—not assumed.

References

[1] B. Toulas, “Data-stealing Chrome extensions impersonate Fortinet, YouTube, VPNs,” BleepingComputer, May 2025. [Online]. Available: https://www.bleepingcomputer.com/news/security/data-stealing-chrome-extensions-impersonate-fortinet-youtube-vpns/

[2] R. Lakshmanan, “Over 100 Malicious Chrome Extensions Used in Cookie Theft Campaign,” The Hacker News, May 2025. [Online]. Available: https://thehackernews.com/2025/05/100-fake-chrome-extensions-found.html


