Slashdot Mirror


Chrome Extension Developers Under a Barrage of Phishing Attacks (bleepingcomputer.com)

An anonymous reader quotes Bleeping Computer: Google's security team has sent out warnings via email to Chrome extension developers after many of them have been the targets of phishing attacks, some of which have been successful and resulted in crooks taking over extensions. These phishing attacks have come into the limelight this past week when phishers managed to compromise the developer accounts for two very popular Chrome extensions -- Copyfish and Web Developer. The phishers used access to these developer accounts to insert adware code inside the extensions and push out a malicious update that overlaid ads on top of web pages users were navigating.

According to new information obtained by Bleeping Computer, these attacks started over two months ago and had been silently going on without anyone noticing. All phishing emails contained the same lure -- someone posing as Google was informing extension developers that their add-on broke Chrome Web Store rules and needed to be updated. The extension developer was lured onto a site to view what the problem was and possibly update the extension. Before showing the alert, the site asked extension developers to log in with their Google developer account, a natural step when accessing a secure backend.

1 of 40 comments

  1. Re:Isn't the link always bogus? by Solandri · Score: 4, Interesting

    The problem is the phishers only have to succeed once. I've been using email since 1987. In that time I've identified and deleted hundreds if not thousands of phishing emails. But I fell for one - it was a phishing email claiming to be from eBay about a problem with my recent winning bid. It just so happened that I had won a bid earlier in the day. So I clicked on it and logged into my eBay account.

    I realized what I'd done within 30 seconds. Logged out, logged into eBay in another browser, and immediately changed my password. But it made me realize that even if you're 99.9% successful at avoiding phishing emails, that still means you'll slip up every now and then.

    I understand now why those phishing emails claiming that there's a problem with your FedEx package aren't as stupid as I always thought ("How dumb are these guys - I'm not even expecting a package via FedEx"). They're just spamming it to tens of millions of people. A few hundred thousand of them are expecting a FedEx package, and the phishers are gambling that a few hundred or a few thousand of them will click through on the phishing email. It's a one-shot variant of the perfect prediction scam, leveraging the huge scalability of spamming to eliminate the multiple iterations normally needed to run the con. If it's "obvious" the email is a phishing email, it just means you fell into the 99% or so of people who by random chance didn't fall within the parameters needed to successfully pull off the con.