In both cases, the attackers used the unauthorized access to publish fraudulent updates that, by default, are automatically pushed to all Chrome users who have the extensions installed. The tainted extensions were also available for download in Google’s official Chrome Web Store. Mark James, Security Specialist at ESET, commented below.
Mark James, Security Specialist at ESET:
“Phishing attacks these days are the number one method for compromising or stealing people’s accounts. With most protection methods you are at the mercy of these types of attacks because, in theory, they are logging in as you.
If my details get stolen and they use them, then in essence it’s me logging in. As far as the system is concerned it’s authenticated and good to go; that is, of course, except for two-factor authentication (2FA).
This was designed for this type of scenario; if the username and password are compromised, then the only methods stopping the account being used are changing the password or using 2FA. Once attached to the account, a separate third form of authentication is required before access is gained. In this case it would have stopped these “attacks” from being successful. Any account that has the potential of reaching or affecting others should be protected with 2FA; even the most hardened technical specialist could momentarily be affected by a phishing attack. The bad guys only need to be successful once! For us to stay safe, however, we need to be 100% successful, not great odds for us!”
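The mechanism Mark James describes can be made concrete with a small worked example. The code below is an added illustration written for this page; it is not code from ESET, from Information Security Buzz, or from the compromised extensions. It implements a TOTP second factor (RFC 6238: HMAC-SHA1 over a 30-second time counter, six digits, the scheme used by common authenticator apps) on top of a salted password check, and shows three outcomes for a hypothetical developer account: a phished password alone is refused, the legitimate user with a current code is accepted, and an attacker replaying that same code within the window is refused. The account name, password and the use of the RFC 6238 test seed as the shared secret are constructed demo data, not details from the incident.

```python
"""TOTP-protected login check (RFC 6238), as an illustration of why a stolen
password alone is not enough once a second factor is attached to the account."""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple

STEP_SECONDS = 30   # time step used by Google Authenticator-style apps
DIGITS = 6
DRIFT_STEPS = 1     # accept codes from one step before/after to tolerate clock skew


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step)


class Account:
    """Minimal account record: salted password hash, optional TOTP secret,
    and the last accepted counter so a captured code cannot be replayed."""

    def __init__(self, username: str, password: str, totp_secret: Optional[bytes] = None):
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password, self.salt)
        self.totp_secret = totp_secret
        self.last_counter = -1

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._hash(password, self.salt), self.pw_hash)


def login(account: Account, password: str, code: Optional[str] = None,
          now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Without a TOTP secret the password alone is enough,
    which is exactly the situation a phished credential exploits."""
    if not account.check_password(password):
        return False, "bad password"
    if account.totp_secret is None:
        return True, "password only (no second factor enrolled)"
    if not code:
        return False, "second factor required"
    now = time.time() if now is None else now
    current = int(now) // STEP_SECONDS
    for counter in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
        if counter <= account.last_counter:
            continue  # already used: reject replay of a captured code
        if hmac.compare_digest(hotp(account.totp_secret, counter), code):
            account.last_counter = counter
            return True, "password and second factor verified"
    return False, "bad or reused second factor"


if __name__ == "__main__":
    # Constructed demo data: RFC 6238 test seed as the shared secret, hypothetical account.
    seed = b"12345678901234567890"
    dev = Account("extension-dev", "correct horse battery staple", totp_secret=seed)
    t = 1234567890
    print(login(dev, "correct horse battery staple"))                    # phished password only
    print(login(dev, "correct horse battery staple", totp(seed, t), t))  # real user with authenticator
    print(login(dev, "correct horse battery staple", totp(seed, t), t))  # attacker replaying the same code
```

The replay check (`last_counter`) matters in the phishing scenario: a proxy that captures both the password and the one-time code can still log in once if it relays the code immediately, but not a second time with the same code. The drift window is deliberately narrow; widening it to many steps gives a captured code a longer useful life.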
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.