Phishers steal Chrome extension from developer

An attacker has compromised the Chrome Web Store account of German developer team a9t9 software, and has equipped their Copyfish Chrome extension with ad/spam injection capabilities.

Unfortunately, even after the developers spotted the compromise, they were unable to remove the offending extension from the store, as it had already been moved to the attacker’s own developer account.

“So far, the update looks like standard adware hack, but, as we still have no control over Copyfish, the thieves might update the extension another time… until we get it back. We can not even disable it – as it is no longer in our developer account,” the duo warned.

They are currently still trying to reach Chrome Store administrators in an effort to force the removal of the extension.

Account hijacking through phishing

How did the attacker gain access to a9t9’s Chrome Web Store account? A phishing email impersonating the Chrome Web Store team was all it took:

[Image: Chrome extension hijack]

The developer didn’t notice that the provided link was a bit.ly link because he was viewing it in HTML form, and did not find it immediately suspicious that Google apparently uses Freshdesk for its customer support system.

“The password screen itself was an exact (or at least good enough) copy of the one used by Google,” the developers noted, and so they entered the login information without thinking twice about it.

Not a rare or unusual occurrence

Spammers and data collectors sometimes buy out the owners of relatively popular add-ons and extensions, and make surreptitious changes to them, counting on users not to notice that something is amiss.

Still, there are those who prefer hijacking developer accounts and swapping legitimate offerings (standalone software or add-ons) with malicious ones. We’ve seen it many times already, and we will likely continue seeing it for the foreseeable future.

In a discussion that arose on Hacker News following this particular incident, a commenter pointed out that a similar attack, possibly by the same attacker, happened to the Social Fixer Chrome extension last month. Other commenters also pointed out many other instances of “extensions gone bad” in the last year or so.

“I guess this is as good a place as any to post that I noticed something similar had happened to [User-Agent Switcher for Google Chrome] and [Block Site],” one of them noted.
