AI-powered browser extensions proceed to be a preferred vector for risk actors seeking to harvest person info. Researchers at safety agency LayerX have analyzed a number of campaigns in current months involving malicious browser extensions, together with the widespread GhostPoster scheme concentrating on Chrome, Firefox, and Edge. Within the newest one—dubbed AiFrame—risk actors have pushed roughly 30 Chrome add-ons that impersonate well-known AI assistants, together with Claude, ChatGPT, Gemini, Grok, and “AI Gmail.” Collectively, these fakes have greater than 300,000 installs.
Pretend Chrome extensions appear like widespread AI assistants
The Chrome extensions recognized as a part of AiFrame appear like official AI instruments generally used for summarizing, chat, writing, and Gmail help. However as soon as put in, they grant attackers wide-ranging distant entry to the person’s browser. A few of the capabilities noticed embody voice recognition, pixel monitoring, and e mail content material readability. Researchers be aware that extensions are broadly able to harvesting information and monitoring person habits.
Although the extensions analyzed by LayerX used a wide range of names and branding, all 30 had been discovered to have the identical inside construction, logic, permissions, and backend infrastructure. As an alternative of implementing performance regionally on the person’s machine, they render a full-screen iframe that masses distant content material because the extension’s interface. This enables attackers to push modifications silently at any time and not using a requiring Chrome Internet Retailer replace.
LayerX has a whole record of the names and extension IDs to discuss with. As a result of risk actors use acquainted and/or generic branding, comparable to “Gemini AI Sidebar” and “ChatGPT Translate,” you might not be capable to determine fakes at first look. If in case you have an AI assistant put in in Chrome, go to chrome://extensions, toggle on Developer mode within the top-right nook, and seek for the ID beneath the extension identify. Take away any malicious add-ons and reset passwords.
What do you suppose up to now?
As BleepingComputer studies, among the malicious extensions have already been faraway from the Chrome Internet Retailer, however others stay. A number of have acquired the “Featured” badge, including to their legitimacy. Risk actors have additionally been capable of shortly republish add-ons beneath new names utilizing the prevailing infrastructure, so this marketing campaign and others like it might persist. All the time vet extensions fastidiously—do not simply depend on a well-known identify like ChatGPT—and be aware that even AI-powered add-ons from trusted sources might be extremely invasive.
