AiFrame Campaign: 30 Chrome Extensions with Data Theft Functionality Discovered

What’s it about?

Security experts have documented an extensive attack campaign targeting Chrome users: around 30 browser extensions posing as useful AI assistants were collecting sensitive user data in the background. The operation, known as the AiFrame campaign, reached more than 260,000 installations and managed to pass the security checks of the official Chrome Web Store despite its malicious function.

The affected add-ons presented themselves as handy helpers for translation, word processing, or email management. In reality, all of them shared an identical code base and infrastructure designed for data theft. Particularly problematic: several of the extensions even received a recommendation badge in the official store at times, which further strengthened potential victims’ trust.

Background & Context

The attackers employed a sophisticated technique: the extensions injected full-screen iframes controlled by externally operated servers. These invisible frames allowed the operators to monitor browser activity and intercept sensitive information, including login credentials and banking information. The add-ons requested extensive permissions, in particular access to all open browser tabs.

To appear credible, the operators used manipulated user reviews and professionally designed descriptions. After individual extensions were removed, new variants with changed names and extension IDs immediately appeared, a tactic known in expert circles as “extension spraying.” Users of email services such as Gmail were particularly at risk, as several of the malicious tools were specifically tailored to these platforms.

The campaign illustrates a growing threat in the browser extension space. While AI functionality served as bait, personal data was transmitted directly to the attackers’ servers without those affected noticing. Server-side control also made it possible to adapt the malware after the fact and evade detection mechanisms.

What does this mean?

  • Companies should establish clear policies for installing browser extensions and manage them centrally to prevent uncontrolled add-on installations.
  • Regular security audits of installed extensions are necessary, especially for tools that request extensive permissions for tab access or data processing.
  • Employee awareness training should be stepped up to highlight the risks posed by seemingly harmless AI tools and fake reviews.
  • The use of endpoint security solutions that can detect suspicious browser activity provides an additional layer of protection against such attack campaigns.
  • Access by browser extensions to web-based corporate services such as email or cloud applications should be restricted particularly tightly.
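As an added example (not code from the article or any of the cited sources), a small Python audit that flags installed extensions showing the permission pattern described above: tab access, broad host permissions, and content scripts aimed at webmail. The Chrome profile directory layout, the risk list and the sample manifests are assumptions constructed for illustration.

```python
"""Audit Chrome extension manifests for the permission pattern described in the
AiFrame write-up: broad tab/host access plus content scripts on webmail.
Added example; the rule set and sample manifests are constructed, not taken
from the campaign's actual extensions."""
import json
from pathlib import Path

# Reviewer's starting point for "extensive permissions" (assumption, not an
# official Chrome risk taxonomy).
RISKY_PERMISSIONS = {"tabs", "webRequest", "cookies", "scripting", "webNavigation"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
WEBMAIL_HOSTS = ("mail.google.com", "outlook.live.com", "outlook.office.com")


def audit_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for one manifest.json (MV2 or MV3)."""
    findings = []
    perms = set(manifest.get("permissions", []))
    # MV2 lists host patterns under "permissions", MV3 under "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | (perms & BROAD_HOSTS)
    if risky := perms & RISKY_PERMISSIONS:
        findings.append(f"requests sensitive API permissions: {sorted(risky)}")
    if hosts & BROAD_HOSTS:
        findings.append("requests access to every site (broad host pattern)")
    for cs in manifest.get("content_scripts", []):
        matches = cs.get("matches", [])
        if any(h in m for m in matches for h in WEBMAIL_HOSTS):
            findings.append(f"injects a content script into webmail: {matches}")
        if set(matches) & BROAD_HOSTS:
            findings.append("injects a content script into every page")
    return findings


def audit_profile(extensions_dir: Path) -> dict[str, list[str]]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json (assumed layout)
    and collect findings keyed by extension id, so IDs can be compared across
    renamed re-uploads."""
    report = {}
    for mf in extensions_dir.glob("*/*/manifest.json"):
        ext_id = mf.parent.parent.name
        findings = audit_manifest(json.loads(mf.read_text(encoding="utf-8")))
        if findings:
            report[ext_id] = findings
    return report


# Constructed samples: one shaped like the behaviour the article describes, one benign.
SAMPLE_SUSPICIOUS = {
    "manifest_version": 3, "name": "AI Mail Helper (constructed sample)",
    "permissions": ["tabs", "storage"], "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["https://mail.google.com/*"], "js": ["inject.js"]}],
}
SAMPLE_BENIGN = {"manifest_version": 3, "name": "Theme", "permissions": ["storage"]}
```

Point `audit_profile` at a user's Chrome `Extensions` directory to produce a per-ID report; a flagged ID that reappears under a new name is exactly the spraying pattern the article describes.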

Sources

30 dangerous browser extensions exposed: These Chrome add-ons steal your data (PC Welt)

Chrome AI Extensions Attacking Users (Cybersecurity News)

AiFrame: Fake AI Assistant Extensions Targeting 260,000 Chrome Users via Injected iFrames (LayerX Security)

900,000 users in the crosshairs: These Chrome extensions must be deleted (Netzwelt)

260K Users Exposed in AI Extension Scam (eSecurity Planet)

This article was created with AI and is based on the cited sources and the language model’s training data.
