The article reports on a new malware-as-a-service (MaaS) offering called “Stanley,” sold under the seller alias “Stanley,” which claims it can produce malicious Chrome extensions that still pass Google’s Chrome Web Store review and be published there. The core capability is website spoofing without changing the address bar: the extension can hijack navigation and overlay a full-screen iframe so the victim sees attacker-controlled phishing content while the browser continues to display the legitimate domain (making the scam far more convincing). Operators can turn specific hijacking rules on/off as needed and can also push browser notifications to lure victims onto targeted pages.

Technically, Varonis says the toolkit’s “cover” extension (e.g., a notes/bookmarks app) requests powerful permissions such as access to all URLs plus scripting and web-navigation controls, enabling it to manipulate essentially any site the user visits. It also uses the victim’s IP address as an identifier (supporting geo targeting and correlation) and maintains frequent command-and-control polling (every ~10 seconds) with backup domain rotation for resilience. The key risk message is that even if the code isn’t “advanced,” the distribution promise—getting phishing extensions into a trusted store—can scale impact quickly. The practical takeaway: keep extensions to a minimum, scrutinize publishers/permissions, and in organizations use allowlisting and monitoring for extensions that have broad site access or notification abuse patterns.

Source: https://www.bleepingcomputer.com/news/security/new-malware-service-guarantees-phishing-extensions-on-chrome-web-store/