
The HR Booby Trap Inside the Browser

  • Javier Conejo del Cerro
  • 3 hours ago
  • 3 min read

Like a carefully concealed booby trap inside a trusted corridor, this campaign abuses the credibility of enterprise HR and ERP platforms to infiltrate organizations without triggering alarms. Malicious Google Chrome extensions masquerading as Workday, NetSuite, and SuccessFactors tools silently embed themselves in users’ browsers, harvesting authentication sessions, blocking defensive controls, and enabling full account takeovers. Once the trap is sprung, security teams can see the breach—but are deliberately prevented from stopping it.


Phase 1 — Setting the bait


The attackers begin by publishing Chrome extensions that present themselves as productivity or access-enhancement tools for widely used enterprise platforms. The extensions are branded to appear legitimate and professional, some having been available since as early as August 2021, and were distributed through the official Chrome Web Store before removal, as well as through third-party download portals.

These add-ons promise premium access or workflow improvements for HR and ERP systems, lowering suspicion among corporate users who routinely rely on browser extensions to interact with internal tools.


Phase 2 — The trap closes


Once installed, the extensions request broad and highly sensitive permissions, including access to cookies, scripting, storage, extension management, and network request control across Workday, NetSuite, and SuccessFactors domains.

At this stage, the booby trap snaps shut. The extensions begin continuously harvesting authentication cookies from the victim’s browser and exfiltrating them to attacker-controlled APIs at fixed intervals. In parallel, the malicious logic manipulates the browser’s Document Object Model (DOM) to selectively disable security-critical administrative pages.

This prevents defenders from accessing functions such as password resets, account deactivation, MFA device management, IP allow-listing, security proxy configuration, audit logs, and session termination—creating a scenario where compromise is visible but remediation is blocked.
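As an added illustration (not code from the post or from any vendor), the following audit reads a Chrome extension manifest and flags the permission set described above together with host access to the HR/ERP platforms. The domain suffixes and the sample manifest are constructed, illustrative values, not indicators from the campaign.

```python
# Permissions the post says the malicious extensions requested, and why each matters.
HIGH_RISK_PERMISSIONS = {
    "cookies": "read and write session cookies",
    "scripting": "inject scripts into pages (DOM manipulation)",
    "storage": "persist harvested data or attacker config locally",
    "management": "enumerate or disable other (security) extensions",
    "webRequest": "observe network requests",
    "webRequestBlocking": "block or modify network requests (MV2)",
    "declarativeNetRequest": "block or modify network requests (MV3)",
}

# Assumed domain suffixes for the platforms named in the post (illustrative, not campaign IoCs).
SENSITIVE_DOMAINS = {
    "Workday": ("myworkday.com", "workday.com"),
    "NetSuite": ("netsuite.com",),
    "SuccessFactors": ("successfactors.com", "successfactors.eu"),
}

# Constructed manifest modelled on the permission set described in the post.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "HR Portal Premium Access",
    "permissions": ["cookies", "scripting", "storage", "management", "declarativeNetRequest"],
    "host_permissions": ["*://*.myworkday.com/*", "*://*.netsuite.com/*", "*://*.successfactors.com/*"],
}

def host_of(match_pattern: str) -> str:
    """'*://*.netsuite.com/*' -> 'netsuite.com'; '<all_urls>' or '*://*/*' -> '*'."""
    if match_pattern == "<all_urls>":
        return "*"
    host = match_pattern.split("://", 1)[-1].split("/", 1)[0]
    return host[2:] if host.startswith("*.") else host

def audit_manifest(manifest: dict) -> dict:
    """Return the risky permissions, the sensitive platforms reachable, and a verdict."""
    perms = set(manifest.get("permissions", []))
    # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
    hosts = [host_of(p) for p in perms if "://" in p or p == "<all_urls>"]
    hosts += [host_of(p) for p in manifest.get("host_permissions", [])]
    risky = sorted(p for p in perms if p in HIGH_RISK_PERMISSIONS)
    platforms = sorted(
        name for name, suffixes in SENSITIVE_DOMAINS.items()
        if any(h == "*" or h == s or h.endswith("." + s) for h in hosts for s in suffixes)
    )
    if "cookies" in risky and platforms:
        verdict = "block"  # can read live HR/ERP session cookies: the core of the campaign
    else:
        verdict = "review" if (risky or platforms) else "allow"
    return {"risky_permissions": risky, "platforms": platforms, "verdict": verdict}
```

Run it over the unpacked manifest.json of every extension in your inventory; a "block" verdict is worth pulling even before any behaviour analysis.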


Phase 3 — Session hijacking and persistence


The most advanced extension in the set goes beyond passive theft. It actively injects stolen cookies received from attacker infrastructure into the browser, reconstructing authenticated sessions directly within the attacker’s environment.

This enables seamless session hijacking without requiring passwords, bypassing MFA entirely and granting immediate access to enterprise applications. Command-and-control communications are encrypted, and anti-analysis measures prevent inspection via browser developer tools or common cookie-editing extensions.

The coordinated nature of the extensions, shared infrastructure, identical security-extension detection lists, and overlapping behaviors strongly indicate a single threat actor or a shared malicious toolkit operating under multiple publisher identities.


Phase 4 — Defense evasion by design


A defining feature of this campaign is its deliberate suppression of incident response. By blocking administrative interfaces while maintaining persistent cookie exfiltration, the attackers create a deadlock: defenders can detect anomalous activity but are technically prevented from intervening through standard controls.

This transforms the browser itself into a locked control room—fully visible, yet inaccessible.


Measures to Defend Against the Trap


  • Enforce strict browser extension allow-lists and block installation from third-party download sites

  • Immediately remove any identified malicious extensions from affected endpoints

  • Force password resets and revoke all active sessions for impacted users

  • Audit authentication logs for anomalous access from unfamiliar IPs, devices, or geographies

  • Rotate credentials for privileged and administrative accounts

  • Restrict cookie access permissions for browser extensions wherever possible

  • Monitor for DOM manipulation targeting security and administrative pages

  • Educate users on the risks of enterprise-branded browser extensions claiming “enhanced access”
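The cookie exfiltration described in Phase 2 runs at fixed intervals, which is the one property a proxy log exposes regardless of encryption. As an added example (not from the post), this detector groups web-proxy events by client and destination and reports pairs contacted with near-constant spacing; the log lines, the tenant name and the .test destination are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not from the campaign): time, client, host, method, path.
# The .test host stands in for an attacker-controlled API; the tenant name is made up.
SAMPLE_PROXY_LOG = """\
2024-05-01T09:00:00Z 10.1.2.3 hr-sync.example-api.test POST /v1/collect
2024-05-01T09:00:04Z 10.1.2.3 acme.myworkday.com GET /d/home.htmld
2024-05-01T09:05:00Z 10.1.2.3 hr-sync.example-api.test POST /v1/collect
2024-05-01T09:07:12Z 10.1.2.3 acme.myworkday.com GET /d/inbox.htmld
2024-05-01T09:10:01Z 10.1.2.3 hr-sync.example-api.test POST /v1/collect
2024-05-01T09:15:00Z 10.1.2.3 hr-sync.example-api.test POST /v1/collect
2024-05-01T09:19:47Z 10.1.2.3 acme.myworkday.com GET /d/task.htmld
2024-05-01T09:20:00Z 10.1.2.3 hr-sync.example-api.test POST /v1/collect
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse_log(text):
    """Map (client, host) -> list of request timestamps; malformed lines are skipped."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, host, _method, _path = m.groups()
        events[(client, host)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return events

def find_beacons(text, min_events=4, max_jitter=0.1):
    """Return (client, host, interval_seconds) for pairs whose gaps vary by <= max_jitter."""
    hits = []
    for (client, host), times in parse_log(text).items():
        times.sort()
        if len(times) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Coefficient of variation: human browsing is bursty, a timer is not.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((client, host, round(avg)))
    return hits
```

Legitimate polling (mail, chat, update checks) also beacons, so treat a hit as a lead to correlate with the extension inventory on that client rather than as a verdict.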


This campaign demonstrates how browser extensions have evolved into high-impact attack vectors capable of undermining identity security at scale. By combining continuous cookie theft, session injection, and intentional blocking of defensive controls, the attackers transform a simple productivity lure into a fully operational account takeover framework.

The booby trap metaphor is not just stylistic—it is architectural. Once triggered, the victim is caught in a system designed to prevent escape. As enterprise identity increasingly lives inside the browser, defending that last mile has become just as critical as securing endpoints, networks, and cloud infrastructure.



Source: The Hacker News

