Chrome Extensions Posing as Fortinet, YouTube, and VPN Services are Stealing User Data

Keerthana S May 22, 2025 | 02:25 PM Technology

A set of malicious Chrome extensions posing as Fortinet, YouTube, DeepSeek AI, Calendly, and various VPN services has been found stealing user data. The extensions offer limited legitimate functionality, but they also connect to attacker-controlled servers to exfiltrate user data or receive commands, and they can modify network traffic to inject ads, redirect users, or proxy traffic through malicious servers.

Figure 1. Stealing user data in Chrome.

The campaign was uncovered by researchers at DomainTools, who identified more than 100 fraudulent domains promoting these extensions, most likely through malvertising. Many of the sites impersonate trusted brands such as Fortinet, YouTube, DeepSeek AI, and Calendly, or pose as VPN providers. Google has removed several of the extensions flagged by DomainTools, but the researchers cautioned: “While the Chrome Web Store has removed several of the malicious extensions after they were flagged, the attackers’ persistence and the delay in detection continue to pose a threat to users searching for productivity tools and browser enhancements.”

The extensions request far more permissions than their advertised purpose needs, which lets them read cookies and session tokens, carry out DOM-based phishing, and inject dynamically loaded scripts into web pages. Figure 1 illustrates the data theft flow in Chrome.

For instance, the fake “fortivpn” extension can harvest cookies, act as a proxy, modify traffic, and execute arbitrary JavaScript fetched from a remote server [1]. When instructed, it collects every cookie in the browser with chrome.cookies.getAll({}), compresses the result with Pako (a JavaScript port of zlib), Base64-encodes it, and sends it to the backend server infograph[.]top. It can also open a WebSocket connection and act as a network proxy, directing traffic through attacker-controlled servers and handling proxy authentication itself.

These capabilities let attackers hijack accounts, steal personal information, and monitor browsing activity. Where the victim is logged in to a corporate VPN portal, a stolen session cookie can be replayed to reach the corporate network without the login step, so the VPN's password and MFA checks are never exercised, which can lead to a serious data breach.

To reduce the risk of installing a harmful extension, users are advised to install only from developers with an established reputation, to examine user reviews for suspicious patterns or complaints, and to read the permission prompt at install time: a "VPN" or productivity tool that asks for cookies, proxy control, or access to all sites is asking for more than its stated job requires. BleepingComputer reached out to Google for comment on its response to this campaign but did not receive a reply before publication.

The fraudulent sites typically feature an "Add to Chrome" button that links directly to the malicious listing on the Chrome Web Store, which lends the extension a false air of legitimacy.

Reference

  1. https://blog.tecnetone.com/en-us/malicious-chrome-extensions-imitate-fortinet-youtube-and-vpns

Cite this article:

Keerthana S (2025), Chrome Extensions Posing as Fortinet, YouTube, and VPN Services are Stealing User Data, AnaTechMaz, pp.135.
