Malicious OneClass Chrome Extension May Send Email on Students' Behalf and also Attempts to Collect User Credentials


Vulnerability Overview
The OneClass Chrome extension is not available directly via search in the Chrome Extensions Store, and students are being phished to install it. During installation, the extension requests permissions to "Read and change all your data on the websites you visit," and adds a button inside the Learn pages to "Invite Your Classmates to OneClass."

The plug-in, which will email all the students in a students' class to promote the OneClass plugin/product, also contains code that attempts to collect and send the users' credentials, including both username and password.

The content of the email message reads as follows:

"Hey guys, I just found some really helpful notes for the upcoming exams for <University Name> courses at {link}. I highly recommend signing up for an account now that way your first download is free!"

All users are urged to please NOT install this extension. If you do see the install button in your Chrome browser, navigate to the Chrome browser settings and remove the plugin.

In addition, any users who receive an email like the one above are asked to please NOT click on any link within the message, and to just delete it.

How to remove the extension:

  1. Open up your Chrome Browser
  2. Select the 3 vertical dots in the top right-hand corner
  3. Select Settings
  4. Select Extensions in the top left-hand corner
  5. Click the Trashcan beside the “OneClass Easy Invite” extension
  6. Select Remove on the Confirm Removal Popup
  7. Close all Chrome windows and go back to the Extensions page to verify the extension has been removed (Steps 1-4)
  8. Once you have removed this extension, please reset your passwords for any sites that you visited while using Chrome with the OneClass Extension installed.