Chrome Extension Developers Under a Barrage of Phishing Attacks (bleepingcomputer.com)
An anonymous reader quotes Bleeping Computer:
Google's security team has sent out warnings via email to Chrome extension developers after many of them have been the targets of phishing attacks, some of which have been successful and resulted in crooks taking over extensions. These phishing attacks have come into the limelight this past week when phishers managed to compromise the developer accounts for two very popular Chrome extensions -- Copyfish and Web Developer. The phishers used access to these developer accounts to insert adware code inside the extensions and push out a malicious update that overlaid ads on top of web pages users were navigating.
According to new information obtained by Bleeping Computer, these attacks started over two months ago and had been silently going on without anyone noticing. All phishing emails contained the same lure -- someone posing as Google was informing extension developers that their add-on broke Chrome Web Store rules and needed to be updated. The extension developer was lured onto a site to view what was the problem and possibly update the extension. Before seeing the alert, the site asked extension developers to log in with their Google developer account, a natural step when accessing a secure backend.
Isn't the link always bogus? (Score:2)
Are they saying that even developers just click without looking?
Security confidence (Score:4, Insightful)
And maybe someone clueless enough to fall for this kind of trick (bogus phishing links) wouldn't be the best person to trust with your web security (the web extensions they write are probably full of exploitable bugs and flaws).
Re: (Score:3)
When I was a kid, I was taught to distrust phone calls from anyone I didn't recognize, even if they claimed they were from a business with which we had a relationship. After all, how do we know it's actually them, and not someone else posing as them to steal credit card info, account codes, or other private information? We'd listen to what they had to say, but unless they verified their identity in some way, we wouldn't give them any information. If we wanted to follow up or act on anything they said, we wo
Re:Isn't the link always bogus? (Score:5, Interesting)
I realized what I'd done within 30 seconds. Logged out, logged into eBay in another browser, and immediately changed my password. But it made me realize that even if you're 99.9% successful at avoiding phishing emails, that still means you'll slip up every now and then.
I understand now why those phishing emails claiming that there's a problem with your FedEx package aren't as stupid as I always thought ("How dumb are these guys - I'm not even expecting a package via FedEx"). They're just spamming it to tens of millions of people. A few hundred thousand of them are expecting a FedEx package, and the phishers are gambling that a few hundred or a few thousand of them will click-through on the phishing email. It's a one-shot variant of the perfect prediction scam [investorhome.com], leveraging the huge scalability of spamming to eliminate the multiple iterations normally needed to run the con. If it's "obvious" the email is a phishing email, it just means you fell into the 99% or so of people who by random chance didn't fall within the parameters to successfully pull off the con.
Re: (Score:1)
And Firefox wants to copy this extension model?! (Score:1)
So lately Firefox has been adding support for WebExtensions [mozilla.org] extensions, which is basically Chrome's extension model but for Firefox. As that page says, "Much of the specifics of the new API are similar to the Blink extension API". It's yet another case of Firefox's developers essentially cloning what Chrome did, even if Firefox's users don't want that at all.
Now we're hearing that Firefox 57 will only support WebExtensions extensions [mozilla.org]. That will likely mean that a lot of extensions will break for a l
Re: (Score:3)
Agreed - it would be just as likely as an app store like Apple or Google Play, or Microsoft's Windows 10 store, or Amazon apps (but keep reading). The *account* was what was compromised, not the app. When the account was compromised, the app could be modified.
At the heart of it is that Chrome's web store doesn't do safety-checking on extensions and apps for malicious content. You want to publish, it publishes. Instant. Done. Everybody gets the hacked version and everybody is at risk.
Chrome needs to do wha
Re: (Score:1)
Re: (Score:2)
which is basically Chrome's extension model but for Firefox.
Maybe you should read what the uBlock Origin maintainer thinks [mozilla.org] of the difference between the Chrome and Firefox implementations of WebExtensions. To quote him: "It baffles me that some people think Firefox is becoming a 'Chrome clone', it’s just not the case, it’s just plain silly to make such statement."
So who am I going to believe? An actual extension developer or some anonymous coward on Slashdot? I think I'll go with the developer.
Re: (Score:2)
Firefox is updating to an add-on model that's more stable, more secure, and not based off a giant hack from the early 90s.
Reason #2,923 to disable autoupdates on everything (Score:1)
(Though after W10 it's not like we need any extra reasons)
Plain text (Score:3)
Re:Plain text (Score:4, Interesting)
A bigger problem is that due to the need to commercialize the web, it has become standard to push HTML emails, and standard for most email clients to automatically render the HTML. Before this, creating an effective phishing email was harder. It was harder to hide URLs. This is like banks adding interstitials to their login process. It is good to advertise to a captive audience, it is beyond stupid to add a security vulnerability to what is supposed to be a secure process. At the least all secure emails should be plain text.
I agree developers should not be so dumb as to click phishing emails. That some would really does speak to the incompetence of the people writing these plugins. On the other hand most people are not as paranoid as those of us who have been doing this for years and have taken our jobs seriously.
I do think that all the fault lies with the developers. I have had the one time pad turned on for my forward facing google account. I never click trust this computer. I have it set up to receive emails, but not to send emails. It could be that Google should force third factor sign ins, but as they clearly care more about ease of use than even the basic level of modern security, that will not happen.
Re: (Score:2)
Switching one's software to using secure settings shouldn't be outside the realm of possibility for anyone talented enough to write and publish their own software. If I was using a system which didn't offer an email client that could read in plain text, I would find another email client. It's an important security choice and not one I'd be without.
I'd be careful calling anyone "dumb" and "incompetent". You'll find that after first time you get phished (or very nearly), you realise just how easy it is, with
Re: (Score:2)
Phishing is not new. I get several emails, for Fedex, for my employer, for various social networks, trying to get me to click and give passwords. For young peo
Too late for Slashdot... (Score:2)
[...] push out a malicious update that overlaid ads on top of web pages users were navigating.
That would explain why the ads on Slashdot are overlaying the content.
Always call back a known number. (Score:1)
Always use your own bookmarks. Banks and everybody else need to stop sending links in emails.
Email address (Score:2)
How do they know what email address to send the phishing messages to? Is there a way to determine the author's email address from the Chrome store, or are they using information shared by the authors elsewhere?
2FA (Score:4, Insightful)