⚠️ "Sleeper" Chrome & Edge Extensions Turned Into Spyware
Recent security research revealed a major spyware campaign that compromised about 4.3 million users of Google Chrome and Microsoft Edge through a set of browser extensions that once appeared harmless.

Starting around 2018, a group now known as ShadyPanda published browser add-ons offering simple functions — things like wallpaper themes, new-tab customizations, or basic productivity tools. Over several years these extensions gained large user bases, positive reviews, and “Featured” or “Verified” status within the Chrome and Edge extension stores.

In mid-2024, those trusted add-ons quietly received updates that secretly transformed them into spyware and remote-code-execution tools. Those updates gave the extensions the power to run arbitrary JavaScript within the browser and monitor everything users did online — including browsing history, search terms, mouse clicks, and URLs visited. All of that data was sent back to servers believed to be operated by actors in China.

One of the most widespread culprits was an extension called WeTab, with roughly three million installs on Edge. Even though some of the malicious extensions have since been removed from Chrome, copies remain available in the Edge store at the time of reporting.

Security experts warn this incident illustrates a significant flaw: extension stores may vet a plugin when it’s first submitted — but rarely re-check updates. That lapse allowed these “sleeper” extensions to lie undetected for years before turning malicious.

For everyday users, the risk is clear: even long-trusted browser extensions can turn dangerous. It’s wise to review installed extensions, remove those you don’t trust, and stay alert to sudden behavior changes in your browser.
🚩 Known Malicious Extensions

- Clean Master: the best Chrome Cache Cleaner
- Speedtest Pro-Free Online Internet Speed Test
- BlockSite
- Address bar search engine switcher
- SafeSwift New Tab
- Infinity V+ New Tab
- OneTab Plus: Tab Manage & Productivity
- WeTab 新标签页 (WeTab New Tab)
- Infinity New Tab for Mobile / Infinity New Tab / Infinity New Tab (Pro)
- Dream Afar New Tab
- Download Manager Pro
- Galaxy Theme Wallpaper HD 4k HomePage
- Halo 4K Wallpaper HD HomePage

Source: The Hacker News
🧠 What is “Account Piggybacking” in Cybersecurity
Account piggybacking happens when someone gains access to an employee’s account—not through hacking a password, but by quietly staying logged in after borrowing a device, sharing a workstation, or using someone else’s phone or browser. It also happens when employees forget to sign out of shared PCs, kiosks, or web portals. The “piggybacker” can read email, download files, impersonate staff, or change settings without needing credentials. Small businesses often overlook this because it feels like a convenience issue, not a security risk. In reality, it’s one of the easiest ways unauthorized people move through company systems unnoticed.

What to Do ~

- Enforce automatic sign-out timers on Microsoft 365, Google Workspace, and financial portals.
- Require MFA so even if someone tries to re-enter, they can’t proceed without the second factor.
- Disable browser “remember me” settings on company devices.
- Set policies that block employees from sharing accounts entirely.
- Add workstation lock policies so computers auto-lock after a few minutes of inactivity.
- On shared PCs, use separate user profiles with sign-out reminders.
- For field staff, enable remote-wipe and login-session controls on mobile devices.
- Review login logs weekly to catch unusual access patterns from unknown locations or unexpected times.
🧠 Wi-Fi Shoulder Surfing
Wi-Fi shoulder surfing is when someone nearby—at a café, airport, hotel, or conference—monitors what a person does on their device by exploiting unsecured Wi-Fi or simply watching traffic on the same network. Attackers use cheap tools to capture unencrypted data, intercept logins, or mimic the same network name (“Evil Twin Wi-Fi”). Even when a person thinks they’re on the correct network, an attacker may control it, capturing everything that passes through. This threat is common because it targets normal work habits: checking email during travel, sending documents from a hotel room, or logging into cloud apps on guest networks.

What to Do ~

- Avoid logging into business systems on public Wi-Fi unless using a trusted VPN.
- Use a mobile hotspot when traveling; it’s far safer than hotel or café networks.
- Disable automatic Wi-Fi connections on all devices.
- Verify network names before connecting—attackers often use similar names like “CoffeeShop_Guest1.”
- Require MFA so stolen credentials can’t be reused.
- Encrypt devices so captured sessions are harder to exploit.
- For teams that travel frequently, provide a company VPN and enforce it through device policies.
- Review device settings monthly to ensure “Secure DNS” or “HTTPS-Only Mode” is enabled in all modern browsers.
🧠 What is “Payroll Diversion” in Cybersecurity
Payroll diversion happens when criminals gain access to an employee’s email account and request that HR or payroll “update” the employee’s direct deposit information. Because the message comes from the actual email account, it often looks legitimate. Attackers then redirect the paycheck to a prepaid card, digital wallet, or disposable bank account, withdrawing the funds before the fraud is detected. This attack is common because small businesses often handle payroll via email instructions, and attackers know pay cycles and patterns. It’s essentially stealing salaries in transit—affecting employees directly and creating urgent financial recovery issues for employers.

What to Do ~

- Implement a strict policy: payroll changes are never processed via email alone.
- Require employees to update direct deposit details through a secure HR portal or in person.
- Enforce MFA on all email accounts, which blocks most unauthorized access.
- Set up mailbox rules alerts to detect forwarding or auto-delete rules—common signs of payroll fraud.
- Educate staff to report unexpected login notifications immediately.
- Review HR/payroll logs every pay cycle for unusual changes.
- If email must be used, require a second verification method (phone call to a known number).
- Use conditional access policies to block login attempts from high-risk countries.
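The mailbox-rule review mentioned in this post can be scripted over an export of inbox rules. The sketch below is an added example, not part of the original post; the record layout, field names, company domain, keyword list and sample rules are all constructed assumptions.

```python
# Assumed company domain and keyword lists; adjust to your environment.
COMPANY_DOMAINS = {"example.com"}
PAYROLL_WORDS = ("payroll", "direct deposit", "paycheck", "bank")
HIDING_FOLDERS = {"deleted items", "rss feeds", "conversation history"}

# Constructed sample export: one dict per inbox rule (hypothetical field names).
SAMPLE_RULES = [
    {"mailbox": "dana@example.com", "name": "Newsletters",
     "subject_contains": ["newsletter"], "move_to_folder": "Reading"},
    {"mailbox": "lee@example.com", "name": ".",
     "subject_contains": ["Payroll", "direct deposit"], "delete_message": True},
    {"mailbox": "lee@example.com", "name": "sync",
     "forward_to": ["lee.backup@mailbox.invalid"]},
    {"mailbox": "sam@example.com", "name": "To assistant",
     "redirect_to": ["pat@example.com"]},
]


def review_rule(rule):
    """Return the reasons a single inbox rule deserves a closer look."""
    reasons = []
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    outside = [t for t in targets
               if t.rsplit("@", 1)[-1].lower() not in COMPANY_DOMAINS]
    if outside:
        reasons.append("forwards outside the company: " + ", ".join(outside))

    words = [w.lower() for w in rule.get("subject_contains", [])]
    folder = (rule.get("move_to_folder") or "").lower()
    hides = bool(rule.get("delete_message")) or folder in HIDING_FOLDERS
    if hides and any(k in w for w in words for k in PAYROLL_WORDS):
        reasons.append("hides payroll-related mail from the mailbox owner")
    elif hides and not words:
        reasons.append("hides all incoming mail")
    return reasons


def review_mailboxes(rules):
    """Map (mailbox, rule name) to reasons, for flagged rules only."""
    flagged = {}
    for rule in rules:
        reasons = review_rule(rule)
        if reasons:
            flagged[(rule["mailbox"], rule["name"])] = reasons
    return flagged
```

Running `review_mailboxes(SAMPLE_RULES)` flags the two rules on the constructed `lee@example.com` mailbox and leaves the newsletter filing rule and the internal redirect alone.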
🧠 What is “Invoice Spoofing” in Cybersecurity?
Invoice spoofing occurs when attackers impersonate a vendor, contractor, or partner by sending a fake invoice that looks nearly identical to the real thing. They use stolen logos, cloned email signatures, and look-alike email domains (like “payrolI-services.com” where the “L” is actually a capital “i”). The goal is to trick a business into paying the wrong bank account. Attackers often study email conversations, timing, vendor relationships, and payment cycles so the invoice arrives exactly when expected. Small businesses fall victim because the message appears routine—just another bill in the inbox—making these attacks blend into daily operations.

What to Do: ~

- Require a verbal or out-of-band confirmation for any invoice with updated banking details.
- Train staff to hover over the sender’s address and check for tiny spelling changes.
- Use dedicated accounts payable email addresses with strict filtering.
- Enable DMARC, DKIM, and SPF to reduce spoofed emails.
- In Microsoft 365 or Google Workspace, turn on “external sender” banners.
- Maintain a vendor verification list with known, confirmed bank details and never rely solely on email instructions to change payment info.
- Review payment logs weekly for unusual amounts or new payees.
- Consider workflow approvals in accounting software to prevent single-person payment authorization.
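The "tiny spelling changes" check can be automated against the vendor verification list. This is an added example, not part of the original post: it compares a sender's domain with a constructed list of confirmed vendor domains and flags look-alikes such as the capital-"i" swap quoted above. The vendor list, substitution table and distance threshold are assumptions.

```python
import unicodedata

# Confirmed vendor domains; constructed for this example.
KNOWN_VENDORS = {"payroll-services.com", "acme-supplies.example"}

# Visually confusable substitutions, applied after lowercasing.
MULTI = (("rn", "m"), ("vv", "w"))
SINGLE = str.maketrans({"i": "l", "1": "l", "0": "o", "5": "s"})


def skeleton(domain: str) -> str:
    """Collapse a domain to a form where look-alike characters compare equal."""
    d = unicodedata.normalize("NFKC", domain).strip().lower().rstrip(".")
    for seq, repl in MULTI:
        d = d.replace(seq, repl)
    return d.translate(SINGLE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character additions or drops."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str):
    """Return (verdict, matched_vendor) for an invoice sender address."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in KNOWN_VENDORS:
        return ("known", domain)
    for vendor in sorted(KNOWN_VENDORS):
        if skeleton(domain) == skeleton(vendor):
            return ("lookalike", vendor)   # homoglyph swap, e.g. capital I for l
        if edit_distance(domain, vendor) <= 2:
            return ("lookalike", vendor)   # near-miss spelling
    return ("unverified", None)
```

A "lookalike" verdict is a reason to hold the invoice for out-of-band confirmation; "unverified" only means the domain is not on the list.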
Tech Framework
skool.com/techframework
Please post your questions and comments about business-related IT or Cybersecurity, and a member or moderator will answer them.