Help Net Security - Daily information security news with a focus on enterprise security.
Zeljka Zorz, Editor-in-Chief, Help Net Security
July 31, 2017

Phishers steal Chrome extension from developer

An attacker has compromised the Chrome Web Store account of German developer team a9t9 software, and has equipped their Copyfish Chrome extension with ad/spam injection capabilities.

Unfortunately, even after the developers spotted the compromise, they were unable to remove the offending extension from the store, as it had already been moved to the attacker’s own developer account.

“So far, the update looks like standard adware hack, but, as we still have no control over Copyfish, the thieves might update the extension another time… until we get it back. We can not even disable it – as it is no longer in our developer account,” the duo warned.

They are currently still trying to reach Chrome Store administrators in an effort to force the removal of the extension.

Account hijacking through phishing

How did the attacker gain access to a9t9’s Chrome Web Store account? A phishing email impersonating the Chrome Web Store team was all it took:

[Image: Chrome extension hijack]

The developer didn’t notice that the provided link was a bit.ly link because he was viewing it in HTML form, and did not find it immediately suspicious that Google apparently uses Freshdesk for its customer support system.

“The password screen itself was an exact (or at least good enough) copy of the one used by Google,” the developers noted, and so they entered the login information without thinking twice about it.

Not a rare or unusual occurrence

Spammers and data collectors sometimes buy out the owners of relatively popular add-ons and extensions, and make surreptitious changes to them, counting on users not to notice that something is amiss.

Still, there are those who prefer hijacking developer accounts and swapping legitimate offerings (standalone software or add-ons) with malicious ones. We’ve seen it many times already, and we will likely continue seeing it for the foreseeable future.

In a discussion that arose on Hacker News following this particular incident, a commenter pointed out that a similar attack, possibly by the same attacker, happened to the Social Fixer Chrome extension last month. Other commenters also pointed out many other instances of “extensions gone bad” in the last year or so.

“I guess this is as good a place as any to post that I noticed something similar had happened to [User-Agent Switcher for Google Chrome] and [Block Site],” one of them noted.



