The Google security team sent warnings to Chrome extension developers after a number of them were attacked by phishing attacks. In some cases, attacks were successful and attackers managed to gain control over some popular extensions, in particular Copyfish and Web Developer. Having access to the developer account, phishers modified extensions, adding malicious code to display ads on Internet pages viewed by users.

According to the BleepingComputer resource, the phishing campaign started more than two months ago. Attackers distribute emails allegedly from the Google security team with a request to update the extension, because the program violates the rules of the Chrome Web Store. All emails contain a link to a site that mimics the current Google authorization page, where developers need to enter their credentials in order to find out what the problem is. Thus, criminals managed to compromise the accounts of the creators of the Copyfish and Web Developer extensions. A similar letter was also received by the developer, known on the Web as OinkAndStuff - the author of two popular add-ons Blue Messenger (about 80 thousand. Users) Websta for Instagram (about 100 thousand. Users).

According to OinkAndStuff, the first phishing email was received on June 21 this year. The message contained a link to the page on the Freshdesk domain (as well as in the case of attacks on the developers of Copyfish and Web Developer).

Apparently, all three attacks are the work of one and the same attacker or group of intruders.

After OinkAndStuff informed the Google security team about the attacks, he received two more phishing emails, but already with links to other phishing domains.

Currently, the phishing campaign continues. The Google security team recommends that developers use two-factor authentication and do not log in to Chrome developer accounts on authorization pages hosted on non-company domains.