
Developers of extensions for Google Chrome are the newest target of hackers. The hackers are trying to lure developers to a phishing site, where they can then steal their login details.

The ZDNet site reports this today on the basis of its own research. The hackers want the login credentials so they can log in to Chrome Web Store dashboards and then hide malware in legitimate Chrome extensions. It is probably a reaction to stricter controls, which make it more difficult to upload malware to the Chrome Web Store at all.

Similar campaign

A similar malware campaign took place last summer. At that time, several Chrome developers fell victim to these attacks and their extensions were taken over by attackers. The hijacked extensions were then modified to insert advertisements into normal internet traffic.

Extensions such as Chrometana, Copyfish, Infinity New Tab, Social Fixer, TouchVPN and Web Paint were modified after their developers accidentally clicked on phishing emails. Now a new campaign is again aimed at developers of Chrome extensions. This was confirmed to ZDNet by various developers.

Valid postal address

In the latest round of phishing spam, attackers sent out mails signed by a Kevin Murphy, purportedly an employee of the Chrome Web Store Team. In the mail, the developers are asked to fill in a valid postal address. If they don't, the mail threatens, their accounts will be closed.

The mail contains a link that appears to point to a Google Form, but clicking on it leads the user to a completely different domain. There the user is asked to log in with his or her Google Account, which makes it seem as though the user has ended up on a real Google page. An inattentive developer might then fill in his or her login details, after which the hackers have got hold of them.

Google never uses Google Forms to manage account settings. Developers of extensions who may have filled out the form are requested to change their password and scan their extension for unknown or suspicious code.

This news article was automatically translated from Dutch to give Techzine.eu a head start.