Slashdot Mirror


Chrome Extension Developers Under a Barrage of Phishing Attacks (bleepingcomputer.com)

An anonymous reader quotes Bleeping Computer: Google's security team has sent out warnings via email to Chrome extension developers after many of them have been the targets of phishing attacks, some of which have been successful and resulted in crooks taking over extensions. These phishing attacks have come into the limelight this past week when phishers managed to compromise the developer accounts for two very popular Chrome extensions -- Copyfish and Web Developer. The phishers used access to these developer accounts to insert adware code inside the extensions and push out a malicious update that overlaid ads on top of web pages users were navigating.

According to new information obtained by Bleeping Computer, these attacks started over two months ago and had been silently going on without anyone noticing. All phishing emails contained the same lure -- someone posing as Google was informing extension developers that their add-on broke Chrome Web Store rules and needed to be updated. The extension developer was lured onto a site to view what the problem was and possibly update the extension. Before seeing the alert, the site asked extension developers to log in with their Google developer account, a natural step when accessing a secure backend.
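
The takeover described above turned a trusted update channel into a malware channel: nothing in the extension's code was "hacked", the account that publishes it was. As an added example (not code from the article, from Google, or from the affected extensions), the following Node.js script shows the kind of check a store pipeline or a cautious user could run on an update before accepting it: diff the new manifest against the previous one and hold the release if it newly acquires broad host permissions, a content script injected on every page, or a CSP that now allows script from a remote origin. The two manifests, the hostnames in them and the risk lists are constructed for illustration.

```javascript
// Added example (not from the article or the affected extensions): review a
// Chrome extension update by diffing its manifest against the previous one.
// Both manifests below are CONSTRUCTED for illustration.

const OLD_MANIFEST = {
  manifest_version: 2,
  name: "Example Extension",
  version: "1.0.0",
  permissions: ["activeTab", "storage"],
  content_scripts: [{ matches: ["https://example.com/*"], js: ["content.js"] }],
};

// A constructed "hijacked" release: broad host access, a content script on
// every page, and a CSP that permits loading script from a remote origin.
const NEW_MANIFEST = {
  manifest_version: 2,
  name: "Example Extension",
  version: "1.0.1",
  permissions: ["activeTab", "storage", "<all_urls>", "webRequest"],
  content_scripts: [
    { matches: ["https://example.com/*"], js: ["content.js"] },
    { matches: ["<all_urls>"], js: ["inject.js"], run_at: "document_start" },
  ],
  content_security_policy:
    "script-src 'self' https://cdn.example.net; object-src 'self'",
};

// Match patterns that cover every site, and permissions that let an
// extension read or rewrite arbitrary traffic (assumed risk lists).
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const HIGH_RISK_PERMISSIONS = new Set([
  "<all_urls>", "webRequest", "webRequestBlocking", "debugger", "proxy", "cookies",
]);

// Items present in `after` but not in `before`.
function added(before, after) {
  const seen = new Set(before);
  return [...new Set(after)].filter((x) => !seen.has(x));
}

function contentScriptMatches(manifest) {
  return (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
}

// Remote origins allowed by the script-src directive of the extension CSP.
function remoteScriptOrigins(manifest) {
  const directive = (manifest.content_security_policy || "")
    .split(";")
    .map((d) => d.trim())
    .find((d) => d.startsWith("script-src"));
  if (!directive) return [];
  return directive.split(/\s+/).slice(1).filter((src) => /^https?:\/\//.test(src));
}

function reviewUpdate(oldManifest, newManifest) {
  const findings = [];
  for (const p of added(oldManifest.permissions || [], newManifest.permissions || [])) {
    if (HIGH_RISK_PERMISSIONS.has(p) || BROAD_PATTERNS.has(p)) {
      findings.push(`new high-risk permission: ${p}`);
    }
  }
  for (const m of added(contentScriptMatches(oldManifest), contentScriptMatches(newManifest))) {
    if (BROAD_PATTERNS.has(m)) findings.push(`content script now injected on every page: ${m}`);
  }
  for (const origin of added(remoteScriptOrigins(oldManifest), remoteScriptOrigins(newManifest))) {
    findings.push(`CSP now allows script from remote origin ${origin}`);
  }
  return {
    versions: `${oldManifest.version} -> ${newManifest.version}`,
    findings,
    hold: findings.length > 0, // hold the update for a human look
  };
}

const report = reviewUpdate(OLD_MANIFEST, NEW_MANIFEST);
console.log(report.versions, report.hold ? "HOLD" : "ok");
for (const f of report.findings) console.log(" -", f);
```

Run it with `node review.js`. On the constructed manifests it reports four findings and holds the update; the same manifest compared with itself passes. A check like this cannot tell a legitimate feature from an injected one, but a compromised account cannot quietly push a release that escalates what the extension may touch without someone being asked to look.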

40 comments

  1. well tickle my pickle by Anonymous Coward · · Score: 0

    i'll let you stick it in my bum for a dollar.

  2. Will they fail like John Podesta? by Anonymous Coward · · Score: 0

    Then start squawking OMFG RUSSIANS!!!

  3. This is why I only rely on IE for my first posts by Anonymous Coward · · Score: 0

    french toast and g'day, m'ladies

  4. Isn't the link always bogus? by evanh · · Score: 1

    Are they saying that even developers just click without looking?

    1. Re:Isn't the link always bogus? by Anubis+IV · · Score: 2

      When I was a kid, I was taught to distrust phone calls from anyone I didn't recognize, even if they claimed they were from a business with which we had a relationship. After all, how do we know it's actually them, and not someone else posing as them to steal credit card info, account codes, or other private information? We'd listen to what they had to say, but unless they verified their identity in some way, we wouldn't give them any information. If we wanted to follow up or act on anything they said, we would hang up and then call the phone number we had on file, that way we could be assured we were talking to the right people.

      E-mails are not really that much different. I'll read through a message that looks like it may be phishy, but I won't click any of the links, even if they look legit (spoofing with Unicode characters is too hard to detect). If there's something the e-mail said that I want to follow up on, I'll go to my browser and go to the site myself to check on what they said. For anything that's truly pressing (e.g. breach of terms), you can be fairly certain that they'll make that info easy to find by simply logging in and checking for new messages/notifications/warnings/etc..
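
The discipline in the comment above (read the mail, do not click, go to the site yourself) can be partly automated before a human ever sees the link. As an added example, not from the commenter or from any mail client, this Node.js snippet applies three of the checks a careful reader does by eye to a list of anchors lifted from an email: does the visible URL match the real target, does the parsed host contain a punycode label (which is how an IDN homograph surfaces after WHATWG URL parsing), and is a trusted hostname used merely as a prefix of some other domain. The sample anchors and the domains in them are constructed; `KNOWN_GOOD_HOSTS` is an assumed allowlist for the service the mail claims to come from.

```javascript
// Added example (not from the commenter or any mail client): apply the
// "check where the link really goes" discipline to anchors from an e-mail.
// Sample anchors and domains are CONSTRUCTED; KNOWN_GOOD_HOSTS is an
// assumed allowlist for the service the mail claims to come from.

const KNOWN_GOOD_HOSTS = ["chrome.google.com", "accounts.google.com"];

// Constructed anchors: the visible text and the real href, as an email
// client would hand them over. The third uses a Cyrillic "е" in "google".
const SAMPLE_ANCHORS = [
  { text: "https://chrome.google.com/webstore/devconsole",
    href: "https://chrome.google.com/webstore/devconsole" },
  { text: "https://chrome.google.com/webstore/devconsole",
    href: "http://chrome.google.com.webstore-review.example/login" },
  { text: "Review the policy violation",
    href: "https://chrome.googlе.com/webstore/" },
  { text: "Developer Dashboard",
    href: "https://chrome.google.com.evil.example/" },
];

function hostOf(value) {
  try {
    return new URL(value).hostname.toLowerCase();
  } catch {
    return null;
  }
}

function isKnownGood(host) {
  return KNOWN_GOOD_HOSTS.some((g) => host === g || host.endsWith("." + g));
}

function checkAnchor({ text, href }) {
  const reasons = [];
  const host = hostOf(href);
  if (host === null) {
    return { href, verdict: "unparseable", reasons: ["href is not a valid URL"] };
  }
  // WHATWG URL parsing maps non-ASCII labels to punycode, so an IDN homograph
  // surfaces as an "xn--" label after parsing.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    reasons.push(`IDN/punycode label in host: ${host}`);
  }
  // Visible text that looks like a URL but whose host differs from the target.
  const shown = text.trim();
  const shownHost = /^https?:\/\//i.test(shown) ? hostOf(shown) : null;
  if (shownHost && shownHost !== host) {
    reasons.push(`text shows ${shownHost} but link goes to ${host}`);
  }
  // A trusted hostname used only as a prefix of some other registrable domain.
  if (!isKnownGood(host) && KNOWN_GOOD_HOSTS.some((g) => host.includes(g))) {
    reasons.push(`trusted name embedded in untrusted host: ${host}`);
  }
  if (!href.toLowerCase().startsWith("https://")) {
    reasons.push("login link is not HTTPS");
  }
  return { href, verdict: reasons.length ? "suspicious" : "ok", reasons };
}

function triage(anchors) {
  return anchors.map(checkAnchor);
}

for (const r of triage(SAMPLE_ANCHORS)) {
  console.log(r.verdict.padEnd(10), r.href, r.reasons.length ? r.reasons.join("; ") : "");
}
```

Only the first constructed anchor comes back "ok"; the second trips three checks at once (mismatched visible host, trusted name as a subdomain, plain HTTP), the homograph is caught as an `xn--` label, and the fourth is caught by the embedded-name rule. None of this replaces the commenter's rule of navigating to the site yourself; it just makes the obvious cases fail loudly before the eye has to judge them.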

    2. Re:Isn't the link always bogus? by Solandri · · Score: 4, Interesting

      The problem is the phishers only have to succeed once. I've been using email since 1987. In that time I've identified and deleted hundreds if not thousands of phishing emails. But I fell for one - it was a phishing email claiming to be from eBay about a problem with my recent winning bid. It just so happened that I had won a bid earlier in the day. So I clicked on it and logged into my eBay account.

      I realized what I'd done within 30 seconds. Logged out, logged into eBay in another browser, and immediately changed my password. But it made me realize that even if you're 99.9% successful at avoiding phishing emails, that still means you'll slip up every now and then.

      I understand now why those phishing emails claiming that there's a problem with your FedEx package aren't as stupid as I always thought ("How dumb are these guys - I'm not even expecting a package via FedEx"). They're just spamming it to tens of millions of people. A few hundred thousand of them are expecting a FedEx package, and the phishers are gambling that a few hundred or a few thousand of them will click-through on the phishing email. It's a one-shot variant of the perfect prediction scam, leveraging the huge scalability of spamming to eliminate the multiple iterations normally needed to run the con. If it's "obvious" the email is a phishing email, it just means you fell into the 99% or so of people who by random chance didn't fall within the parameters to successfully pull off the con.

    3. Re:Isn't the link always bogus? by Anonymous Coward · · Score: 0

      do you need the services of a professional hacker to catch a cheating partner? change school grade, facebook hack, whatsapp and other social media hack, phone cloning,credit repair, website/servers hack and lots more, contact me us on : hackitexture @ gmail . com
      or reach us on LINE APP and SKYPE :username > hackitexture.
      and for the english speakers, call us on + 12092603116

    4. Re:Isn't the link always bogus? by Neuronwelder · · Score: 1

      Well done post!

    5. Re:Isn't the link always bogus? by Anonymous Coward · · Score: 0

      Generally speaking, developers know fuck-all about security. The ones who do are the exception rather than the rule.

  5. Re:This is why I only rely on IE for my first post by Anonymous Coward · · Score: 0

    dear god, you're making my butthole wet.

  6. And Firefox wants to copy this extension model?! by Anonymous Coward · · Score: 1

    So lately Firefox has been adding support for WebExtensions extensions, which is basically Chrome's extension model but for Firefox. As that page says, "Much of the specifics of the new API are similar to the Blink extension API". It's yet another case of Firefox's developers essentially cloning what Chrome did, even if Firefox's users don't want that at all.

    Now we're hearing that Firefox 57 will only support WebExtensions extensions. That will likely mean that a lot of extensions will break for a lot of Firefox users come this November.

    It's bad enough that when these existing extensions break, many Firefox users will probably just move to Chrome instead. After all, if they need to start using Chrome-compatible browser extensions, why not just use Chrome directly? It's faster than Firefox. It uses less memory than Firefox. Its UI is a lot like Firefox's, due to Firefox's devs changing Firefox's UI to be similar to Chrome's. Firefox's privacy isn't even really better, since its privacy policy states that Firefox's geolocation support can use a Google service, thus sending some information to Google even if the user is using Firefox. So as of Firefox 57, Firefox users might as well just use Chrome (or one of the other browsers using the Blink engine) directly, instead of using Firefox.

    If Chrome's extensions can be compromised in this way, then are Firefox's new WebExtensions extensions also susceptible? Is Mozilla doing anything to protect Firefox users from such a threat?

  7. Reason #2,923 to disable autoupdates on everything by Anonymous Coward · · Score: 1

    (Though after W10 it's not like we need any extra reasons)

  8. What do you expect! by Anonymous Coward · · Score: 0

    The fans are gonna do what they are gonna do.

  9. Browser choice is not a zero sum, either or game by Anonymous Coward · · Score: 0

    Why would someone need to move to using Chrome *instead of* Firefox?

    I'm sure I'm not the only one who uses multiple browsers, each with different settings, for varied purposes, and will continue to do so.

  10. Security confidence by DrYak · · Score: 3, Insightful

    And maybe someone clueless enough to fall for this kind of trick (bogus phishing links) wouldn't be the best person to trust with your web security (the web extensions they write are probably full of exploitable bugs and flaws).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]

  11. Re:racist by Anonymous Coward · · Score: 0

    i'm such a goddamn faggot

  12. Re:And Firefox wants to copy this extension model? by Anonymous Coward · · Score: 0

    Firefox's CURRENT extensions are susceptible. The threat is that someone takes over a developer account and then uploads a malicious version of the current extension to the extension update service. There's no reason to believe that such a thing wouldn't be possible with Firefox. Just like Chrome, you need an account with Firefox for them to host your extension in their addon store ... repository ... thing.

    The only thing that makes it unlikely that anyone would bother attacking Firefox extension developers is who cares about infecting all five people that still use Firefox?

  13. Re:racist by Anonymous Coward · · Score: 0

    do you enjoy sticking things in your bunghole? i sure do

  14. Plain text by simplypeachy · · Score: 2

    I have yet to see a single phishing email that, when viewed in plain text mode, is remotely convincing. I still don't understand why people compromise so heavily for prettiness instead of privacy and security.

    1. Re:Plain text by fermion · · Score: 3, Interesting
      A big problem is that some mobile platforms do not display in plain text, some won't even give the email address used.

      A bigger problem is that due to the need to commercialize the web, it has become standard to push HTML emails, and standard for most email clients to automatically render the HTML. Before this, creating an effective phishing email was harder. It was harder to hide URLs. This is like banks adding interstitials to their login process. It is good to advertise to a captive audience, it is beyond stupid to add a security vulnerability to what is supposed to be a secure process. At the least all secure emails should be plain text.

      I agree developers should not be so dumb as to click phishing emails. That some would really does speak to the incompetence of the people writing these plugins. On the other hand most people are not as paranoid as those of us who have been doing this for years and have taken our jobs seriously.

      I do think that all the fault lies with the developers. I have had the one time pad turned on for my forward facing google account. I never click trust this computer. I have it set up to receive emails, but not to send emails. It could be that Google should force third factor sign ins, but as they clearly care more about ease of use than even the basic level of modern security, that will not happen.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black

    2. Re:Plain text by simplypeachy · · Score: 1

      Switching one's software to using secure settings shouldn't be outside the realm of possibility for anyone talented enough to write and publish their own software. If I was using a system which didn't offer an email client that could read in plain text, I would find another email client. It's an important security choice and not one I'd be without.

      I'd be careful calling anyone "dumb" and "incompetent". You'll find that after first time you get phished (or very nearly), you realise just how easy it is, with a moment's inattention to be lumped in with those two words.

      I do agree that not electing to use 2FA et al, when a service provider offers them, is a very foolish mistake to make.

    3. Re:Plain text by Anonymous Coward · · Score: 0

      I have heard it said, "make it pretty and the press will give you a free pass"

    4. Re:Plain text by fermion · · Score: 1
      Many years ago, when I was first programming in a Windows NT environment, not realizing how incompetent the developers of Windows were, I infected the entire office by opening an email. I also, many years ago, destroyed a Windows installation by downloading a media player. Fortunately it was on a machine that was easily reformatted and restored.

      Phishing is not new. I get several emails, for Fedex, for my employer, for various social networks, trying to get me to click and give passwords. For young people, the mistake should have been made before they entered the work force. For older people the mistake should have already been made.

      When someone sends thousands of dollars to a Nigerian prince, we no longer blame the prince, any more than we blame the con artist that gets a man to send $500 for a plane ticket.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black

    5. Re:Plain text by Anonymous Coward · · Score: 0

      It really depends on the receiving party, you know.

  15. Re:racist by Anonymous Coward · · Score: 0

    it's too late to do anything, they just have to be contained

  16. Too late for Slashdot... by __aaclcg7560 · · Score: 1

    [...] push out a malicious update that overlaid ads on top of web pages users were navigating.

    That would explain why the ads on Slashdot are overlaying the content.

    1. Re:Too late for Slashdot... by Anonymous Coward · · Score: 0

      [...] push out a malicious update that overlaid ads on top of web pages users were navigating.

      That would explain why the ads on Slashdot are overlaying the content.

      surfing the web without an ad blocker is pretty goddamn stupid

  17. Always call back a known number. by Anonymous Coward · · Score: 1

    Always use your own bookmarks. Banks and everybody else need to stop sending links in emails.

  18. Email address by Barefoot+Monkey · · Score: 1

    How do they know what email address to send the phishing messages to? Is there a way to determine the author's email address from the Chrome store, or are they using information shared by the authors elsewhere?

  19. Not a good week for Google by Anonymous Coward · · Score: 0

    Seems they are having some trouble. Well what do you expect when you hire 60,000 employees and don't bother to really check if they're good at their jobs.

    But you check all those boxes on the diversity form. That clearly matters more.

  20. Re:And Firefox wants to copy this extension model? by acroyear · · Score: 2

    Agreed - it would be just as likely as an app store like Apple or Google Play, or Microsoft's Windows 10 store, or Amazon apps (but keep reading). The *account* was what was compromised, not the app. When the account was compromised, the app could be modified.

    At the heart of it is that Chrome's web store doesn't do safety-checking on extensions and apps for malicious content. You want to publish, it publishes. Instant. Done. Everybody gets the hacked version and everybody is at risk.

    Chrome needs to do what Amazon does and at least have automatic reviews on things. Amazon in particular for their app store runs visual checks for some level of usability compliance, and programs automated tests. It takes me 6 hours between submission and publication for my app, but the security of my users is more assured.

    --
    "But remember, most lynch mobs aren't this nice." (H.Simpson)
    -- Joe

  21. 2FA by denbesten · · Score: 3, Insightful

    Google's 2-Step Verification should be mandatory for developer accounts. End of discussion.

  22. Re:racist by Anonymous Coward · · Score: 0

    Send them all over to the middle east where they can fight with the sand nogs.

  23. Re:And Firefox wants to copy this extension model? by Neuronwelder · · Score: 1

    We dooomed!! Invader Zim's robot Gir https://www.youtube.com/watch?...

  24. even more funny by Anonymous Coward · · Score: 0

    They asked me forever to update and I refused, gee, wonder why.....

    they should have heeded my warnings and firefox is next....

  25. Re:racist by Anonymous Coward · · Score: 0

    use them to fertilize the cave bitches' empty wombs, left barren by the failing pink peenies of the melanin-deficient, sun-fearing pasty krakkkers.

  26. Re:And Firefox wants to copy this extension model? by theweatherelectric · · Score: 1

    which is basically Chrome's extension model but for Firefox.

    Maybe you should read what the uBlock Origin maintainer thinks of the difference between the Chrome and Firefox implementations of WebExtensions. To quote him: "It baffles me that some people think Firefox is becoming a 'Chrome clone', it’s just not the case, it’s just plain silly to make such statement."

    So who am I going to believe? An actual extension developer or some anonymous coward on Slashdot? I think I'll go with the developer.

  27. Re:And Firefox wants to copy this extension model? by fyrewulff · · Score: 1

    Firefox is updating to an add-on model that's more stable, more secure, and not based off a giant hack from the early 90s.

    --
    "We need to get over this notion, that, for Apple to win... Microsoft must lose." - Steve Jobs, 1997