Proprietary 2017-07-28 · 18 days · Adware, Ad Fraud

Social Fixer Chrome extension shipped malware

Part of the Chrome extension accounts shipped malware campaign

Social Fixer 20.1.1 was pushed through the Chrome Web Store after developer-account phishing in the 2017 extension hijacking spree.

Story

Social Fixer was one of the legitimate Chrome extensions affected by the 2017 developer-account phishing spree. Attackers used stolen Chrome Web Store credentials to publish a malicious update through the official extension channel.

The affected release was Social Fixer 20.1.1. The extension already ran in the browser against social-network pages, so a malicious update could exploit permissions and user trust that had been granted long before the account takeover.

Proofpoint tied Social Fixer to the same extension-hijacking campaign as Copyfish, Web Developer, Chrometana, Infinity New Tab, and Web Paint. The shared pattern was stolen Chrome Web Store publisher access, followed by ad injection, redirects, and the loading of scripts capable of credential theft.

This leaf record preserves the Social Fixer version and store distribution boundary. The campaign record carries the shared phishing domains, redirect infrastructure, and cross-extension behavior.

Affected Artifacts

Social Fixer

chrome web store · Extension Package
Observed: 2017-07-28 to 2017-08-15
Compromised Versions:
  • 20.1.1
Fixed: Not listed

Incident Context

Motive: Financial Gain
Attribution: Group
Cause: Phishing
Transitive: No
Actor: Cybercriminal
User Impact: 1500000

Indicators

External References

Source record: proprietary/social-fixer-chrome-extension/meta.yaml