What to look out for today
1) Malicious “AI” browser extensions appearing in official stores and mimicking well-known tools (e.g., search/answer engines or note-taking add-ons), then tracking searches and browsing.
2) Event-themed fraud linked to FIFA 2026: ticketing, hospitality, travel, streaming, merch and “last-minute deals” scams aimed at staff and customers.
3) Legitimate cloud services being abused by attackers to blend in with normal business traffic, making some compromises harder to spot.
Why this matters to smaller businesses
- Extensions sit inside the browser where finance, HR, email and customer data is accessed. A bad extension can see (and sometimes change) what staff do online.
- Charities, schools and local businesses are often targeted with “cheap tickets”, “sponsorship opportunities”, “prize draws” and “urgent admin requests” that lead to credential theft or card fraud.
- Cloud/SaaS abuse means “it looks like Google/Microsoft/Zoho/etc.” is no longer a reliable safety signal on its own.
Warning signs
- A new browser extension appears that nobody remembers approving, especially with permissions like “read and change all data on websites”.
- Staff report odd browser behaviour: search results changing, extra pop-ups, new toolbars, or being logged out of services repeatedly.
- Unusual sign-in prompts for email/Teams/Google Workspace after clicking “AI tool” links.
- FIFA-related emails/DMs with urgency: “limited availability”, “final invoice”, “account verification”, “refund due”, “streaming access”, “press/media passes”.
- Payments being requested to new beneficiaries for “tickets/travel/marketing packages” with short deadlines.
How attackers may exploit the situation
- Lookalike extensions can harvest browsing data, intercept searches, or capture login sessions—turning one user’s browser into a foothold for wider access.
- Crypto/finance fraud add-ons can silently alter payment details in certain contexts (even if your business isn’t “into crypto”, the tactic shows how browser manipulation works).
- Event scams are used to drive clicks to fake login pages, collect card details, or trick teams into authorising payments.
- Cloud service abuse can hide command-and-control or data movement inside normal-looking traffic to legitimate platforms.
What to do today
- Run a quick extension audit on company browsers: remove anything not required for work, and block staff from installing unapproved extensions where possible.
- Send a 2-minute staff note: “No ticket/hospitality/streaming purchases without approval; verify suppliers independently; don’t install ‘AI’ extensions/tools for work without IT sign-off.”
- Turn on (or confirm) MFA for email, payroll, finance and admin accounts, and ensure it’s enforced for all users.
- Review payment controls: any new payee or change to bank details requires out-of-band verification (phone using a known number, not the email signature).
- Check browser management: if you use Microsoft 365/Google Workspace, ensure your IT policy can restrict extensions and enforce safe browsing settings on managed devices.
Ask your IT provider
- Can you block unapproved browser extensions on our managed devices (Chrome/Edge) and provide a list of what’s currently installed?
- Do we have alerting for unusual sign-ins (new countries, impossible travel, repeated failures) for Microsoft 365/Google Workspace?
- What’s our process for rapidly isolating a device if a browser extension or “AI tool” is suspected of data capture?
- Are we monitoring for mass OAuth/app consent events (users granting access to suspicious apps), and can we restrict who can consent?
Patch watch - only one short paragraph, and only if relevant
If you run healthcare/medical imaging systems (or support a clinic) using DCMTK components, ask your supplier/IT support whether they have a plan to address newly reported issues—this is mainly a supplier-led fix and a reminder to keep an inventory of specialist software and who is responsible for updates.
One action today
Audit and remove any non-essential browser extensions today, then block installation of unapproved extensions on company-managed browsers.
Related Actions On Cyber resource
Actions On Cyber: “Payment change & invoice fraud verification checklist”
Sources
- Fake Perplexity extension on Chrome Web Store tracked searches (BleepingComputer)
- Silent Swap Crypto Clipper Uses Fake Google Notes Extension to Replace Wallet Addresses (The Hacker News)
- What the Numbers Say About FIFA 2026 Cyber Risk (The Hacker News)
- Mustang Panda Uses Zoho WorkDrive as Command Channel in Indian Government Attacks (The Hacker News)
- Gamaredon Expands Ukraine Attacks with New Malware and Cloud Service Abuse (The Hacker News)
- 282 iOS AI Apps Leak API Keys and Open AI Proxy Access in Network Traffic Study (The Hacker News)
- OFFIS DCMTK Toolkit (CISA Cybersecurity Advisories)
This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.