Security analysts have uncovered a suite of malicious Chrome extensions that target popular enterprise human resources and enterprise resource planning (ERP) platforms.
According to supply chain security firm Socket, the extensions – DataByCloud 2, Tool Access 11, DataByCloud Access, Data By Cloud 1, and Software Access – work together to steal authentication tokens and block incident response if detected.
Alarmingly, the full attack chain could lead to complete account takeover via session hijacking.
“The campaign deploys three distinct attack types: cookie exfiltration to remote servers, DOM manipulation to block security administration pages, and bidirectional cookie injection for direct session hijacking,” Socket’s threat research team said in a 16 January blog post.
“The extensions target the same enterprise platforms and share identical security tool detection lists, API endpoint patterns, and code structures, indicating a coordinated operation despite appearing as separate publishers.”
What businesses need to know
The malicious extensions all offer increased productivity and faster workflows across suites such as Workday, NetSuite, and SuccessFactors.
Four of the extensions are published under the name “databycloud1104”; the fifth is published under a different brand, “softwareaccess”, but shares identical infrastructure. Each extension’s Chrome Web Store listing includes complete dashboard mock-ups, slick branding, and claims of being a “premium” or “special” tool.
The extensions have already been installed by more than 2,300 users, but none of them delivers what its listing promises.
DataByCloud Access, Data By Cloud 1, and Software Access all make similar claims of providing access to third-party tools and services. They request the usual wallet-adapter-style permissions to connect to enterprise platforms, and claim to offer bulk management and streamlined authentication.
“DataByCloud 2 presents itself as a bulk tool manager, displaying a polished dashboard that promises ‘premium tools’ for Workday, NetSuite, and other platforms,” Socket’s team said.
“The Chrome Web Store listing shows account cards with dollar amounts and ‘ACCESS TOOL’ buttons, suggesting legitimate business functionality for managing multiple enterprise accounts.”
Tool Access 11, however, positions itself as a “security feature” by offering to limit user interactions and restrict access to certain tools to protect users from account compromise. While it may seem like an excellent tool for admins who want to limit what their users can access, it’s actually a threat in its own right.
All the extensions feature privacy policies that lie about their data collection practices, and make no mention of cookie extraction, credential exfiltration, or blocking of security features as part of their service offerings.
The listed version progressions of each extension reflect ongoing development and refinement of these malicious tools.
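As an added illustration, not part of the original article or of Socket’s research, the Python script below audits Chrome extension manifests for the capability combination the report describes: the cookies permission paired with host access to Workday, NetSuite or SuccessFactors, the ability to inject scripts into those pages (the DOM manipulation used to block admin pages), and request interception. The embedded manifests are constructed samples with placeholder extension IDs, not the real extensions’ manifests; the load_profile_manifests helper assumes the standard Chrome profile layout of Extensions/<id>/<version>/manifest.json.

```python
"""Flag Chrome extensions whose manifests combine cookie access with reach into HR/ERP hosts."""
import json
import os

# Keywords identifying the enterprise HR/ERP platforms named in the report.
ENTERPRISE_HOST_KEYWORDS = ("workday", "netsuite", "successfactors")
# Match patterns that reach every site, and therefore the enterprise platforms too.
CATCH_ALL_PATTERNS = {"<all_urls>", "*://*/*", "https://*/*", "http://*/*"}

# Constructed sample manifests (placeholder IDs); NOT the real extensions' manifests.
SAMPLE_MANIFESTS = {
    "aaaa-constructed-id-1": {
        "name": "Bulk Tool Manager (constructed sample)",
        "permissions": ["cookies", "storage", "scripting"],
        "host_permissions": ["https://*.myworkday.com/*", "https://*.netsuite.com/*",
                             "https://*.successfactors.com/*"],
        "content_scripts": [{"matches": ["https://*.myworkday.com/*"], "js": ["inject.js"]}],
    },
    "bbbb-constructed-id-2": {
        "name": "Tab Notes (constructed sample)",
        "permissions": ["storage"],
        "host_permissions": [],
    },
    "cccc-constructed-id-3": {
        "name": "Timesheet Helper (constructed sample)",
        "permissions": ["cookies"],
        "host_permissions": ["<all_urls>"],
    },
    "dddd-constructed-id-4": {
        "name": "Form Filler (constructed sample)",
        "permissions": ["scripting", "storage"],
        "host_permissions": ["https://*.netsuite.com/*"],
    },
}


def enterprise_reach(patterns):
    """Return the match patterns that cover an enterprise HR/ERP host (or every host)."""
    hits = []
    for pattern in patterns:
        low = pattern.lower()
        if low in CATCH_ALL_PATTERNS or any(k in low for k in ENTERPRISE_HOST_KEYWORDS):
            hits.append(pattern)
    return sorted(set(hits))


def assess_manifest(ext_id, manifest):
    """Score one manifest by the risky capabilities it combines with enterprise reach."""
    perms = set(manifest.get("permissions", []))
    # MV3 lists host patterns under host_permissions; MV2 mixed them into permissions.
    hosts = list(manifest.get("host_permissions", []))
    hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
    script_hosts = []
    for cs in manifest.get("content_scripts", []):
        script_hosts += cs.get("matches", [])

    reach = enterprise_reach(hosts)
    script_reach = enterprise_reach(script_hosts)
    findings = []
    if "cookies" in perms and reach:
        findings.append("cookies API usable against enterprise hosts: " + ", ".join(reach))
    if script_reach or ("scripting" in perms and reach):
        findings.append("can inject scripts into enterprise pages (DOM manipulation)")
    if reach and perms & {"webRequest", "webRequestBlocking", "declarativeNetRequest"}:
        findings.append("can intercept or rewrite requests to enterprise hosts")

    if "cookies" in perms and reach:
        risk = "high"      # cookie theft / session hijacking is possible
    elif findings:
        risk = "medium"    # can tamper with pages or traffic, but not read cookies
    else:
        risk = "low"
    return {"id": ext_id, "name": manifest.get("name", "?"), "risk": risk, "findings": findings}


def audit(manifests):
    """Assess a mapping of extension id -> manifest; return results worst-first."""
    order = {"high": 0, "medium": 1, "low": 2}
    results = [assess_manifest(i, m) for i, m in manifests.items()]
    return sorted(results, key=lambda r: (order[r["risk"]], r["id"]))


def load_profile_manifests(extensions_dir):
    """Read manifest.json from <profile>/Extensions/<id>/<version>/ on a real machine."""
    found = {}
    for ext_id in os.listdir(extensions_dir):
        ext_path = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(ext_path):
            continue
        for version in os.listdir(ext_path):
            path = os.path.join(ext_path, version, "manifest.json")
            if os.path.isfile(path):
                with open(path, encoding="utf-8") as fh:
                    found[f"{ext_id}/{version}"] = json.load(fh)
    return found


if __name__ == "__main__":
    for result in audit(SAMPLE_MANIFESTS):
        print(f"[{result['risk'].upper():6}] {result['id']} {result['name']}")
        for finding in result["findings"]:
            print("         -", finding)
```

Run it against a real profile with `audit(load_profile_manifests("/path/to/Profile/Extensions"))`; the manifest only shows what an extension may do, so a high rating is a prompt to review the extension’s code or pull it via policy, not proof of theft.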
“The coordinated deployment of cookie theft, administrative blocking, and session hijacking across five extensions represents a sophisticated attack on enterprise HR and ERP platforms,” Socket said.
“The threat actor maintains complementary capabilities across multiple publisher identities while operating disposable infrastructure. Similar patterns targeting other enterprise platforms should be anticipated.”
You can read the full blog post here.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.