Chrome Extension Developers Under a Barrage of Phishing Attacks (bleepingcomputer.com)
An anonymous reader quotes Bleeping Computer:
Google's security team has sent out warnings via email to Chrome extension developers after many of them have been the targets of phishing attacks, some of which have been successful and resulted in crooks taking over extensions. These phishing attacks have come into the limelight this past week when phishers managed to compromise the developer accounts for two very popular Chrome extensions -- Copyfish and Web Developer. The phishers used access to these developer accounts to insert adware code inside the extensions and push out a malicious update that overlaid ads on top of web pages users were navigating.
According to new information obtained by Bleeping Computer, these attacks started over two months ago and had been silently going on without anyone noticing. All phishing emails contained the same lure -- someone posing as Google was informing extension developers that their add-on broke Chrome Web Store rules and needed to be updated. The extension developer was lured onto a site to view what was the problem and possibly update the extension. Before seeing the alert, the site asked extension developers to log in with their Google developer account, a natural step when accessing a secure backend.
And maybe someone clueless enough to fall for this kind of trick (bogus phishing links) wouldn't be the best person to trust with your web security (the web extensions they write are probably full of exploitable bugs and flaws).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
When I was a kid, I was taught to distrust phone calls from anyone I didn't recognize, even if they claimed they were from a business with which we had a relationship. After all, how do we know it's actually them, and not someone else posing as them to steal credit card info, account codes, or other private information? We'd listen to what they had to say, but unless they verified their identity in some way, we wouldn't give them any information. If we wanted to follow up or act on anything they said, we would hang up and then call the phone number we had on file, that way we could be assured we were talking to the right people.
E-mails are not really that much different. I'll read through a message that looks like it may be phishy, but I won't click any of the links, even if they look legit (spoofing with Unicode characters is too hard to detect). If there's something the e-mail said that I want to follow up on, I'll go to my browser and go to the site myself to check on what they said. For anything that's truly pressing (e.g. breach of terms), you can be fairly certain that they'll make that info easy to find by simply logging in and checking for new messages/notifications/warnings/etc.
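The lure in the story (a fake "your extension broke the rules, log in to see the report" message) and the commenter's point about Unicode look-alike links both come down to one check: where does the link actually go, compared with where it claims to go and who the mail claims to be from? The following Python script is an added example, not code from Bleeping Computer, Google or any commenter. It extracts the anchors from an HTML mail body, punycode-encodes internationalized hostnames so Cyrillic look-alikes become visible as `xn--` labels, compares the hostname shown in the link text with the real target, and flags links whose registrable domain is outside a per-sender allowlist. The sample message, the `TRUSTED_DOMAINS` allowlist and the `example-review.test` host are constructed for the example; the two-label `registrable_domain` helper is a simplification that ignores public-suffix rules.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Registrable domains the sender claims to be (assumption: a per-sender allowlist).
TRUSTED_DOMAINS = {"google.com"}

# Constructed sample modelled on the lure in the story. Both links lead away from
# google.com; the second one uses Cyrillic letters in place of the Latin 'o's.
SAMPLE_EMAIL = (
    "<p>Your extension violates Chrome Web Store policies and must be updated.</p>"
    '<p>Review the report at <a href="https://chrome.google.com.example-review.test/login">'
    "https://chrome.google.com/webstore/developer/dashboard</a> within 24 hours.</p>"
    '<p>Or sign in here: <a href="https://accounts.g\u043e\u043egle.com/signin">'
    "Google Developer Dashboard</a></p>"
)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def to_ascii_host(host):
    """Punycode-encode an internationalized hostname (xn--...); ASCII hosts pass through."""
    try:
        return host.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return host.lower()


def registrable_domain(host):
    """Last two labels of a hostname (simplification: ignores public-suffix rules)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyze_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return human-readable findings for one link; an empty list means nothing looked odd."""
    findings = []
    raw_host = urlparse(href).hostname or ""
    host = to_ascii_host(raw_host)
    domain = registrable_domain(host)

    # Non-ASCII labels become visible once encoded (the look-alike trick from the comment).
    if host != raw_host.lower():
        findings.append(f"internationalized hostname {raw_host!r} encodes to {host}")

    # Link text that looks like a URL or hostname but resolves to a different domain.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registrable_domain(m.group(1)) != domain:
        findings.append(f"link text shows {m.group(1)} but target is {host}")

    # Trusted brand used as a subdomain (chrome.google.com.example-review.test) or target
    # simply outside the allowlist for this sender.
    if domain not in trusted:
        for t in trusted:
            brand = t.split(".")[0]
            if brand in host:
                findings.append(f"{brand!r} appears in {host} but registrable domain is {domain}")
                break
        else:
            findings.append(f"target domain {domain} is not in the trusted set")
    return findings


def analyze_email(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, text, findings)] for every link in the HTML body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, analyze_link(href, text, trusted)) for href, text in parser.links]


def is_suspicious(html, trusted=TRUSTED_DOMAINS):
    """True if any link in the message produced at least one finding."""
    return any(findings for _, _, findings in analyze_email(html, trusted))


if __name__ == "__main__":
    for href, text, findings in analyze_email(SAMPLE_EMAIL):
        print(href, "|", text)
        for f in findings:
            print("   -", f)
```

Run as a script it prints each link with its findings for the constructed sample; in a mail pipeline `is_suspicious` would gate the message for review rather than block it, since the allowlist is necessarily incomplete. The encoding step is the part that matters for the commenter's concern: a human cannot tell a Cyrillic "о" from a Latin "o" in a rendered link, but the `xn--` form that the resolver actually uses is plain to a script.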
I have yet to see a single phishing email that, when viewed in plain text mode, is remotely convincing. I still don't understand why people compromise so heavily for prettiness instead of privacy and security.
The problem is the phishers only have to succeed once. I've been using email since 1987. In that time I've identified and deleted hundreds if not thousands of phishing emails. But I fell for one - it was a phishing email claiming to be from eBay about a problem with my recent winning bid. It just so happened that I had won a bid earlier in the day. So I clicked on it and logged into my eBay account.
I realized what I'd done within 30 seconds. Logged out, logged into eBay in another browser, and immediately changed my password. But it made me realize that even if you're 99.9% successful at avoiding phishing emails, that still means you'll slip up every now and then.
I understand now why those phishing emails claiming that there's a problem with your FedEx package aren't as stupid as I always thought ("How dumb are these guys - I'm not even expecting a package via FedEx"). They're just spamming it to tens of millions of people. A few hundred thousand of them are expecting a FedEx package, and the phishers are gambling that a few hundred or a few thousand of them will click-through on the phishing email. It's a one-shot variant of the perfect prediction scam, leveraging the huge scalability of spamming to eliminate the multiple iterations normally needed to run the con. If it's "obvious" the email is a phishing email, it just means you fell into the 99% or so of people who by random chance didn't fall within the parameters to successfully pull off the con.
Agreed - it would be just as likely as an app store like Apple or Google Play, or Microsoft's Windows 10 store, or Amazon apps (but keep reading). The *account* was what was compromised, not the app. When the account was compromised, the app could be modified.
At the heart of it is that Chrome's web store doesn't do safety-checking on extensions and apps for malicious content. You want to publish, it publishes. Instant. Done. Everybody gets the hacked version and everybody is at risk.
Chrome needs to do what Amazon does and at least have automatic reviews on things. Amazon in particular for their app store runs visual checks for some level of usability compliance, and programs automated tests. It takes me 6 hours between submission and publication for my app, but the security of my users is more assured.
"But remember, most lynch mobs aren't this nice." (H.Simpson)
-- Joe
Google's 2-Step Verification should be mandatory for developer accounts. End of discussion.