Socket Threat Research discovered a malicious Chrome extension named CL Suite by @CLMasters that advertises Meta Business Suite scraping and 2FA generation while exfiltrating TOTP seeds, current 2FA codes, Business Manager contact CSVs, and analytics to threat actor infrastructure. The extension reports data to getauth[.]pro (and optionally forwards payloads to a Telegram channel), undermining 2FA and enabling account takeover and long-term business asset hijacking.
Key Points
- The Chrome extension “CL Suite by @CLMasters” (extension ID jkphinfhmfkckkcnifhjiplhfoiefffl) is listed in the Chrome Web Store and requests broad access to meta.com and facebook.com while advertising people extraction and 2FA generation.
- Despite a privacy policy claiming local-only storage, the extension exfiltrates full TOTP seeds, current 2FA codes, Facebook usernames/emails, exported Business Manager “People” CSVs, and analytics to getauth[.]pro and optionally to Telegram.
- Exfiltration uses a hardcoded API key (w7ZxKp3F8RtJmN5qL2yAcD9v) and shared telemetry endpoints (e.g., /api/telemetry.php, /api/validate.php, /api/telegram_notify.php), meaning all installs report to the same backend.
- Stealing TOTP seeds and current codes effectively neutralizes MFA for affected Meta accounts, enabling full account takeover when combined with passwords or credential dumps and persisting after extension removal.
- Harvested Business Manager data (names, emails, roles, ad accounts, billing info) gives attackers a map of organizational control for ad fraud, targeted employee compromise, and long-term asset hijacking.
- Socket recommended restricting extensions on systems that access Meta Business Suite/Business Manager, allow-listing vetted extensions, monitoring for unusual network activity/domains, and using extension inventory/protection solutions.
MITRE Techniques
- [T1195.002] Supply Chain Compromise – Malicious code delivered via a Chrome Web Store extension marketed as tooling for Meta Business Suite (‘CL Suite by @CLMasters is published in the Chrome Web Store under the developer alias CLMasters’)
- [T1176.001] Software Extensions: Browser Extensions – Use of a browser extension to gain privileged access to Meta/Facebook pages and scrape data (‘the extension requests broad access to meta.com and facebook.com’)
- [T1204] User Execution – Reliance on users installing the extension to enable scraping and exfiltration (‘marketed in the Chrome Web Store as a way to “extract people data, analyze Business Managers, remove verification popups, and generate 2FA codes”’)
- [T1059.007] Command and Scripting Interpreter: JavaScript – Malicious logic implemented in extension JavaScript to parse the DOM, compute TOTP, and send telemetry (‘background script collects Facebook account identifiers, 2FA seeds and codes, CSV exports, tab URL, public IP, and user agent’)
- [T1005] Data from Local System – Local collection of exported CSVs and page content (Business Manager “People” lists and analytics) before exfiltration (‘walks the DOM, extracts table rows, and builds a CSV… the same CSV is sent to the threat actor’)
- [T1119] Automated Collection – Systematic scraping and automated CSV generation of Business Manager users and analytics (‘people extractor … builds a CSV with: Names and email addresses, Roles and permissions, and Status and access details’)
- [T1590.005] Gather Victim Network Information: IP Addresses – Client public IP fingerprinting added to telemetry payloads for victim correlation (‘the background script also fingerprints the client’s public IP: … Public IP, used for victim fingerprinting’)
- [T1589.002] Gather Victim Identity Information: Email Addresses – Extraction of account emails and usernames tied to stolen TOTP seeds (‘facebook_user and facebook_email: identifiers tying the seed to a specific Meta business account’)
- [T1591.002] Gather Victim Org Information: Business Relationships – Collection of Business Manager memberships, roles, and linked ad accounts to map organizational assets (‘exfiltrated Business Manager data includes names, emails, access levels, and associated ad accounts’)
- [T1556.006] Modify Authentication Process: Multi-Factor Authentication – Harvesting TOTP seeds and current codes to bypass or neutralize MFA protections (‘seed: the TOTP secret … code: the current six-digit TOTP value… the stolen seed lets the threat actor derive valid current and future codes’)
- [T1071.001] Application Layer Protocol: Web Protocols – Exfiltration over HTTPS POSTs to getauth[.]pro telemetry/validation endpoints (‘the background script … POSTs the result to API_ENDPOINT with an Authorization: Bearer header’)
- [T1567] Exfiltration Over Web Service – Use of a web telemetry API and Telegram forwarding to transmit stolen data to the attacker (‘sends it to a telemetry API at getauth[.]pro, with an option to forward the same payloads to a Telegram channel’)
Indicators of Compromise
- [Chrome extension ID] Malicious extension identifier in Chrome Web Store – jkphinfhmfkckkcnifhjiplhfoiefffl
- [Extension name / developer] Publisher and contact context – “CL Suite by @CLMasters” (developer alias CLMasters), registration email info@clmasters[.]pro
- [Domains] C2 and developer sites used for exfiltration and policy hosting – getauth[.]pro (telemetry/validation/telegram endpoints), clmasters[.]pro
- [API endpoints] Telemetry and notification endpoints used for data exfiltration – https://getauth[.]pro/api/telemetry.php, https://getauth[.]pro/api/telegram_notify.php
- [API key / bearer token] Shared hardcoded credential used by all installs – w7ZxKp3F8RtJmN5qL2yAcD9v
- [Email addresses] Contact and store listing emails tied to the actor – info@clmasters[.]pro, privacy@clmasters[.]pro
- [Exported artifacts] Examples of stolen data types sent to C2 – Business Manager “People” CSV exports (names, emails, roles), TOTP seeds and current 2FA codes
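As an added defender-side example (not code from Socket's report or from the extension), the hunting helper below turns the monitoring and extension-inventory recommendations in the key points and the IoCs listed above into concrete checks: it scans proxy log lines for the getauth[.]pro / clmasters[.]pro hosts, the telemetry endpoint paths and the shared bearer token, and checks a Chrome profile directory for the extension ID. The Chrome profile layout it assumes (Extensions/<id>/ plus Preferences / Secure Preferences JSON with an extensions.settings map) and the sample log lines are constructed for the example.

```python
# Added hunting helper (not code from Socket's report); the report's defanged domains are re-armed here only for matching.
import json, re
from pathlib import Path

EXTENSION_ID = "jkphinfhmfkckkcnifhjiplhfoiefffl"
C2_DOMAINS = {"getauth.pro", "clmasters.pro"}
C2_PATHS = {"/api/telemetry.php", "/api/validate.php", "/api/telegram_notify.php"}
SHARED_API_KEY = "w7ZxKp3F8RtJmN5qL2yAcD9v"  # bearer token shared by every install
URL_RE = re.compile(r"https?://([^/\s\"]+)(/[^\s?\"]*)?", re.IGNORECASE)

def scan_proxy_lines(lines):
    """Yield (line_number, [reasons]) for each log line that touches the C2 infrastructure."""
    for n, line in enumerate(lines, 1):
        reasons = []
        for host, path in URL_RE.findall(line):
            host = host.lower()
            if host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS):
                reasons.append(f"c2-domain:{host}")
            if path in C2_PATHS:  # path alone is a weaker signal than the domain
                reasons.append(f"c2-path:{path}")
        if SHARED_API_KEY in line:  # the Authorization: Bearer value is itself an IoC
            reasons.append("shared-api-key")
        if reasons:
            yield n, reasons

def extension_in_prefs(prefs):
    """True if a parsed Chrome Preferences JSON lists the extension under extensions.settings."""
    return EXTENSION_ID in prefs.get("extensions", {}).get("settings", {})

def extension_installed(profile_dir):
    """Check a Chrome profile dir (assumed layout: Extensions/<id>/, Preferences, Secure Preferences)."""
    profile = Path(profile_dir)
    if (profile / "Extensions" / EXTENSION_ID).is_dir():
        return True
    for name in ("Preferences", "Secure Preferences"):
        try:
            prefs = json.loads((profile / name).read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # file missing or not valid JSON
        if extension_in_prefs(prefs):
            return True
    return False

SAMPLE_LOG = [  # constructed proxy lines, not real traffic
    '10.0.0.5 POST https://getauth.pro/api/telemetry.php 200 "Authorization: Bearer w7ZxKp3F8RtJmN5qL2yAcD9v"',
    "10.0.0.5 GET https://business.facebook.com/latest/home 200",
    "10.0.0.7 POST https://getauth.pro/api/telegram_notify.php 200",
    "10.0.0.9 GET https://clmasters.pro/privacy 200",
]
```

Run `list(scan_proxy_lines(SAMPLE_LOG))` against exported proxy or DNS logs and `extension_installed()` against each user's Chrome profile directory; a domain hit or the bearer token is high confidence, while a path-only hit warrants a look at the host.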