Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts

  • Jan 16

Key Findings


  • Cybersecurity researchers have discovered five new malicious Google Chrome web browser extensions that impersonate HR and ERP platforms like Workday, NetSuite, and SuccessFactors.

  • The extensions work together to steal authentication tokens, block incident response capabilities, and enable complete account takeover through session hijacking.

  • All five extensions have been removed from the Chrome Web Store, but are still available on third-party software download sites.

  • The extensions are advertised as productivity tools that offer access to premium tools for different platforms.


Background


  • Two of the extensions, DataByCloud 1 and DataByCloud 2, were first published on August 18, 2021.

  • The campaign, despite using two different publishers, is assessed to be a coordinated operation based on identical functionality and infrastructure patterns.


Cookie Theft and DOM Manipulation


  • DataByCloud Access requests permissions for cookies, management, scripting, storage, and declarativeNetRequest across Workday, NetSuite, and SuccessFactors domains, and collects authentication cookies for a specified domain.

  • Tool Access 11 (v1.4) prevents access to 44 administrative pages within Workday by erasing page content and redirecting to malformed URLs.

  • DataByCloud 2 expands the blocking feature to 56 pages, targeting both production environments and Workday's sandbox testing environment.
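
A defender-side triage of installed extensions for the permission pattern described above, added here as an example (not code from the researchers or from the extensions themselves): it flags manifests that pair the `cookies` permission with host access to the named platforms. The domain suffixes and the scoring thresholds are assumptions, and the sample manifests are constructed.

```python
import json
from pathlib import Path

# Permission combination the article reports for DataByCloud Access.
REPORTED_PERMS = {"cookies", "management", "scripting", "storage", "declarativeNetRequest"}
# Assumption: domain suffixes for the platforms the article names (not listed on the page).
PLATFORM_SUFFIXES = ("workday.com", "myworkday.com", "netsuite.com", "successfactors.com")

def pattern_host(pattern):
    """Return the host part of a Chrome match pattern, '*' for all hosts, else None."""
    if pattern == "<all_urls>":
        return "*"
    if "://" not in pattern:
        return None  # an API permission name, not a host pattern
    host = pattern.split("://", 1)[1].split("/", 1)[0].lower()
    return host[2:] if host.startswith("*.") else host

def platforms_reached(manifest):
    """Platform suffixes covered by host permissions (MV3 and MV2) or content scripts."""
    patterns = list(manifest.get("host_permissions", [])) + list(manifest.get("permissions", []))
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    hosts = {pattern_host(p) for p in patterns if isinstance(p, str)} - {None}
    return {s for s in PLATFORM_SUFFIXES
            for h in hosts if h == "*" or h == s or h.endswith("." + s)}

def audit(manifest):
    """Classify one manifest as 'high', 'review' or 'ok' (thresholds are assumptions)."""
    perms = REPORTED_PERMS & {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    reached = platforms_reached(manifest)
    verdict = "ok"
    if "cookies" in perms and reached:
        # Cookie access on these hosts is what token theft needs; the fuller reported set ranks higher.
        verdict = "high" if len(perms) >= 4 and len(reached) >= 2 else "review"
    return {"verdict": verdict, "permissions": sorted(perms), "platforms": sorted(reached)}

def audit_profile(extensions_dir):
    """Audit every <id>/<version>/manifest.json under a Chrome profile's Extensions folder."""
    results = {}
    for path in Path(extensions_dir).glob("*/*/manifest.json"):
        manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        results[path.parent.parent.name] = audit(manifest)
    return results

# Constructed sample manifests (not taken from the real extensions).
SUSPECT = {"manifest_version": 3, "permissions": sorted(REPORTED_PERMS),
           "host_permissions": ["https://*.myworkday.com/*", "https://*.netsuite.com/*"]}
BENIGN = {"manifest_version": 3, "permissions": ["storage"], "host_permissions": ["https://*.example.org/*"]}
```

A "review" or "high" verdict is a prompt to inspect the extension, not proof of malice: legitimate extensions with broad host access and `cookies` will also be listed.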


Session Hijacking


  • DataByCloud 1 replicates the cookie-stealing functionality from DataByCloud Access, while incorporating features to prevent code inspection using web browser developer tools.

  • Software Access combines cookie theft with the ability to receive stolen cookies and inject them into the browser to facilitate direct session hijacking.

  • Software Access also includes password input field protection to prevent users from inspecting credential inputs.


Indicators of Compromise


  • All five extensions contain an identical list of 23 security-related Chrome extensions; they check for these and flag their presence to the threat actor.

  • This is likely an attempt to assess whether the web browser has any tool that can possibly interfere with their cookie harvesting objectives or reveal the extension's behavior.


Sources


  • https://thehackernews.com/2026/01/five-malicious-chrome-extensions.html

  • https://www.hendryadrian.com/5-malicious-chrome-extensions-enable-session-hijacking-in-en/

© 2025 by Explain IT Again.