On August 4, Google sent out the following message to Chrome web store developers, warning them about the growing danger of phishing attacks acting as official Chrome Web Store communications.
“Dear Chrome Web Store Developer,
Our records indicate that you have at least one extension published in the Chrome Web Store.
We’re writing to let you know that a number of developers have recently reported receiving phishing emails from email addresses that impersonate the Chrome Web Store policy team.
If you recieve any emails that appear to be from the Chrome Web Store but do not belong to the google.com domain (for example, firstname.lastname@example.org), please use your gmail controls to mark the email as spam, and send the original email headers to email@example.com.
We also encourage you to increase your account security by enabling 2-step verification. You can also consider adding the Password Alert Chrome Extension, which can help identify phishing attacks.”
Attackers managed to hack the developer accounts for two very common Chrome extensions (Copyfish and Web Developer). The hack was very simple, when the developer entered the link, he was redirected to a fake copy of the Google account login page, where the developer entered the login details of the developer account.
The attackers used the stolen accounts to inject adware code inside the extensions and forced a malicious update that loaded ads on top of web pages.