Chrome Extension Scam Exposed: Hackers Stealing Meta Accounts
A sophisticated campaign targeting Meta advertisers through fake AI-powered ad optimization tools has been uncovered, with cybercriminals deploying malicious Chrome extensions to steal credentials and hijack business accounts.
Cybereason Security Services has identified an evolving malicious Chrome extension campaign that specifically targets Meta (Facebook/Instagram) advertisers through a deceptive platform called “Madgicx Plus.”
This fake AI-driven ad optimization tool represents the latest iteration of a broader campaign previously documented by DomainTools, demonstrating how threat actors adapt their social engineering tactics while recycling existing infrastructure.
The campaign leverages the legitimate reputation of Madgicx, a well-known advertising technology company, by creating convincing impersonation websites that promote fake browser extensions.
![Example: hxxps[:]//privacy-shield[.]world lure website promotes madgicx extension.](https://gbhackers.com/wp-content/uploads/2025/09/image6.webp)
These malicious tools are marketed as productivity enhancers and ad performance optimizers, but actually function as sophisticated credential harvesting and session hijacking malware.
Security researchers discovered an extensive network of professionally crafted domains used to distribute the malicious extensions.
Although the domains sit behind Cloudflare, investigators identified the real hosting infrastructure by analyzing favicon hashes and leveraging open-source intelligence tools like Shodan.
The www and non-www variants of these domains serve different content; this difference is not caused by DNS redirection but by server-side logic that adjusts responses based on the Host header.
![The Web Radar extension, part of the same campaign, was linked by web-radar[.]world.](https://gbhackers.com/wp-content/uploads/2025/09/image3.webp)
The investigation revealed over 20 domains associated with the campaign, including privacy-shield[.]world, madgicxads[.]world, and madgicx-plus[.]com.
Analysis showed that these domains employ sophisticated server-side logic that delivers different content based on whether users access the www or non-www variants, allowing operators to run multiple themed campaigns from the same infrastructure while reducing hosting costs.
Researchers traced the hosting back to IP address 185.245.104[.]195, operated by VDSina, a service provider previously associated with malicious activities.
This discovery confirmed the reuse of infrastructure across different phases of the campaign, indicating coordinated threat actor operations rather than isolated copycat attacks.
Dangerous Capabilities
Static analysis of the malicious Chrome extensions revealed alarming permissions that enable comprehensive user surveillance and account compromise.
The extensions request “host_permissions” for all websites, granting them the ability to inject content scripts and read sensitive data across any domain the user visits.
Particularly concerning are the “declarativeNetRequest” permissions, which allow the extensions to intercept and modify network traffic without user knowledge.
Combined with content script capabilities, this creates powerful man-in-the-browser functionality that can bypass security controls on platforms like Facebook and Gmail.
The extensions also implement techniques to evade Cross-Origin Resource Sharing (CORS) policies by removing Origin headers from specific requests.
This mechanism enables unauthorized API access using victims’ existing session tokens, allowing attackers to impersonate users without requiring their passwords.

Dynamic analysis revealed a sophisticated two-stage approach designed to maximize data collection.
Initially, the extensions prompt users to link their Google accounts, quietly storing these credentials in local storage for persistence.
The attack then escalates by requesting Facebook account connections, creating multiple avenues for account compromise.
The extension uses a Declarative Net Request rule to strip the Origin header from outbound requests containing the parameter ‘caller=ext’.
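The permission set and the Origin-stripping rule described above are the kind of indicators an extension-approval process can check for statically, before an add-on is allowed onto managed browsers. The following audit script is an added example, not Cybereason's tooling or the extension's own code: it reads an unpacked extension's manifest.json and any static declarativeNetRequest rule sets the manifest declares, then flags wildcard host access, the declarativeNetRequest permission, and modifyHeaders rules that remove or overwrite sensitive request headers such as Origin. The sample manifest and rule set are constructed to resemble the behaviour the article describes and are not the real artefacts.

```python
"""Added example (not Cybereason's tooling or the extension's own code): a
static audit of an unpacked Chrome extension for the indicators the article
describes, namely wildcard host permissions, the declarativeNetRequest
permission, and static DNR rules that strip or rewrite the Origin header.
The sample manifest and rule set below are constructed for illustration."""
import json
import tempfile
from pathlib import Path

# Host patterns that match every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Request headers whose removal or rewriting weakens browser-side controls.
SENSITIVE_HEADERS = {"origin", "referer", "cookie", "authorization"}
DNR_PERMISSIONS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess"}


def broad_host_permissions(manifest):
    """Return the manifest's host patterns that grant access to all sites."""
    perms = manifest.get("host_permissions", []) + manifest.get("permissions", [])
    return sorted(p for p in perms if p in BROAD_HOST_PATTERNS)


def header_stripping_rules(rules):
    """Return (rule id, header, operation, urlFilter) for modifyHeaders rules
    that remove or overwrite a sensitive request header."""
    findings = []
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        url_filter = rule.get("condition", {}).get("urlFilter", "")
        for hdr in action.get("requestHeaders", []):
            name = hdr.get("header", "").lower()
            op = hdr.get("operation")
            if name in SENSITIVE_HEADERS and op in ("remove", "set"):
                findings.append((rule.get("id"), name, op, url_filter))
    return findings


def risk_findings(manifest, rules):
    """Combine the checks into human-readable findings; an empty list means clean."""
    findings = []
    hosts = broad_host_permissions(manifest)
    if hosts:
        findings.append("broad host access: " + ", ".join(hosts))
    if DNR_PERMISSIONS & set(manifest.get("permissions", [])):
        findings.append("can rewrite network requests (declarativeNetRequest)")
    for rid, header, op, url_filter in header_stripping_rules(rules):
        findings.append(f"rule {rid} {op}s '{header}' header on requests matching '{url_filter}'")
    return findings


def audit_extension_dir(ext_dir):
    """Load manifest.json and every static DNR rule set it declares, then audit."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text())
    rules = []
    for rs in manifest.get("declarative_net_request", {}).get("rule_resources", []):
        path = ext_dir / rs["path"]
        if path.is_file():
            rules.extend(json.loads(path.read_text()))
    return risk_findings(manifest, rules)


# Constructed sample resembling the described extension (not the real artefact).
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Ads Optimizer (constructed sample)",
    "permissions": ["storage", "declarativeNetRequest"],
    "host_permissions": ["<all_urls>"],
    "declarative_net_request": {
        "rule_resources": [{"id": "ruleset_1", "enabled": True, "path": "rules.json"}]
    },
}
SAMPLE_RULES = [
    {   # strips Origin on requests carrying caller=ext, as the article describes
        "id": 1, "priority": 1,
        "action": {"type": "modifyHeaders",
                   "requestHeaders": [{"header": "Origin", "operation": "remove"}]},
        "condition": {"urlFilter": "caller=ext", "resourceTypes": ["xmlhttprequest"]},
    },
    {   # an ordinary blocking rule, which should not be flagged
        "id": 2, "priority": 1,
        "action": {"type": "block"},
        "condition": {"urlFilter": "||tracker.example/"},
    },
]
# A narrowly scoped extension for comparison (also constructed).
BENIGN_MANIFEST = {"manifest_version": 3, "name": "Narrow (constructed)",
                   "permissions": ["storage"], "host_permissions": ["https://example.com/*"]}


def demo_audit():
    """Write the sample extension to a temp dir and audit it from disk."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "manifest.json").write_text(json.dumps(SAMPLE_MANIFEST))
        (Path(tmp) / "rules.json").write_text(json.dumps(SAMPLE_RULES))
        return audit_extension_dir(tmp)


if __name__ == "__main__":
    for line in demo_audit():
        print("FINDING:", line)
```

Point audit_extension_dir at an unpacked extension directory (for example one exported from a managed browser's extension inventory) to get the same findings for real add-ons; the script only inspects static rule sets, so rules an extension adds at runtime through the dynamic or session rule APIs still require dynamic analysis of the kind the article describes.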

The extensions maintain communication with command-and-control infrastructure at madgicx-plus[.]com, enabling real-time data exfiltration and potentially remote command execution.
This persistent connection allows threat actors to continuously monitor victim activities and expand their access over time.
Evolution Signals Persistent Threat
The campaign’s infrastructure reuse across multiple phases indicates sophisticated threat actors who continuously adapt their tactics.
Domains previously associated with entirely different extension campaigns have been repurposed to promote the fake Madgicx platform, suggesting coordinated operations rather than independent attacks.
This persistence, combined with the technical sophistication of the extensions and their broad permission requests, indicates the campaign represents part of a larger effort to compromise advertiser accounts and harvest valuable business data.
The rapid adaptation of lures and continuous infrastructure evolution points to an active threat that will likely expand further.
Security experts recommend that digital marketers exercise extreme caution when installing browser extensions, particularly those claiming to optimize advertising performance.
Organizations should implement strict extension approval processes and regularly audit installed browser add-ons to prevent credential theft and account compromise.