According to a joint cybersecurity advisory from teams in Germany and South Korea, a new phishing attack threatens to steal users' Gmail emails without any chance of them realizing it happened.
Bleeping Computer first reported on the phishing threat, which serves as the delivery vehicle for a malicious Chrome extension that, once active, will redirect the user's Gmail emails to the hacker's servers (via TechRadar).
How to find out if you are a victim of this attack
While the attack vector is a Chrome extension, it's important to remember that Chrome isn't the only Chromium-based browser. Other popular browsers like Microsoft Edge and Brave also support Chrome extensions and would be similarly vulnerable to this attack.
The attack uses Chrome extension APIs intended for developers to bypass account security and route the emails directly to the hacker.
With that out of the way, here's how to check whether you have been impacted.
1. Open your browser.
2. Enter "chrome://extensions", "edge://extensions" or "brave://extensions" (whichever matches your browser) in your address bar.
3. Look for an extension simply named "AF" in your list of extensions.
4. If present, delete this extension and review your Gmail account to determine what valuable information could have been stolen.
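The same check can be run against the browser profiles on disk, which helps when several machines or profiles need reviewing. This is an added example, not code from the advisory or the original article; it assumes the standard Chromium profile layout and default install locations, and the function names are hypothetical.

```python
import json
import os
import sys
from pathlib import Path

def default_roots():
    """Default Chromium user-data roots per OS (assumed standard install locations)."""
    home = Path.home()
    if sys.platform == "win32":
        base = Path(os.environ.get("LOCALAPPDATA", home / "AppData/Local"))
        rels = ["Google/Chrome/User Data", "Microsoft/Edge/User Data",
                "BraveSoftware/Brave-Browser/User Data"]
    elif sys.platform == "darwin":
        base = home / "Library/Application Support"
        rels = ["Google/Chrome", "Microsoft Edge", "BraveSoftware/Brave-Browser"]
    else:
        base = home / ".config"
        rels = ["google-chrome", "microsoft-edge", "BraveSoftware/Brave-Browser"]
    return [base / r for r in rels]

def _load(path):
    """Parse a JSON file; unreadable or malformed files count as empty."""
    try:
        data = json.loads(Path(path).read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}

def find_extension(root, wanted="AF"):
    """Return sorted (profile, extension_id, manifest_path) for extensions named `wanted`."""
    hits, root = set(), Path(root)
    # Store-installed extensions: <profile>/Extensions/<id>/<version>/manifest.json
    for mf in root.glob("*/Extensions/*/*/manifest.json"):
        if _load(mf).get("name") == wanted:
            hits.add((mf.parents[3].name, mf.parents[1].name, str(mf)))
    # Developer-mode (unpacked) extensions are referenced by absolute path in the prefs files.
    for prefs in list(root.glob("*/Secure Preferences")) + list(root.glob("*/Preferences")):
        settings = _load(prefs).get("extensions", {}).get("settings", {})
        for ext_id, entry in settings.items():
            p = entry.get("path", "") if isinstance(entry, dict) else ""
            mf = Path(p) / "manifest.json"
            if os.path.isabs(p) and _load(mf).get("name") == wanted:
                hits.add((prefs.parent.name, ext_id, str(mf)))
    return sorted(hits)

if __name__ == "__main__":
    for r in default_roots():
        for profile, ext_id, mf in find_extension(r):
            print(f"{r} [{profile}] {ext_id}: {mf}")
```

The match is on the exact manifest name, so an empty result only means no extension with that literal name was found in the scanned profiles.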
The North Korean group responsible for this threat is known as Kimsuky, and this is just the latest in a long line of attacks perpetrated by them. They typically focus their efforts on high-value targets such as people in politics, professors, journalists, and diplomats, so if you fall into any of those categories you need to be particularly wary.
The best way to stay safe is to never install Chrome extensions, or any software for that matter, from an unknown source.