Hackers Hijack Chrome Extension to Push Malware
An extension for Google Chrome was recently hijacked: attackers compromised the Chrome Web Store account of a German developer team from a9t9 GmbH and abused the extension to distribute spam messages to unsuspecting users.
Named Copyfish, the extension allows users to extract text from images, PDF documents and video, and has more than 37,500 users.
The Chrome version of Copyfish was hijacked by an unknown attacker, who equipped the extension with advertisement injection capabilities. Its Firefox counterpart was not affected by the attack.
The attackers also moved the extension to their own developer account, which prevented its developers from removing the infected extension from the store even after they had spotted the compromise.
“So far, the update looks like standard adware hack, but, as we still have no control over Copyfish, the thieves might update the extension another time… until we get it back,” the developers warned. “We can not even disable it—as it is no longer in our developer account.”
Copyfish developers traced the hack back to a phishing attack that occurred on 28 July.
One of the a9t9 team members received a phishing email impersonating the Chrome Web Store team. It told the team to update their Copyfish Chrome extension, otherwise Google would remove it from the web store.
The phishing email instructed the member to click on “Click here to read more details,” which supposedly opened the “Google” password dialogue box.
The provided link was a bit.ly link, but since the team member was viewing the link in HTML form, he did not find it suspicious and entered the password for their developer account.
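An HTML-rendered mail shows only the anchor text, so the real destination has to be pulled out of the markup. The following added example (not from the article or from a9t9) lists every link in an HTML body with its actual host and flags shorteners and anchor text that names a different domain; the shortener list, the flag names and the sample body are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: short, non-exhaustive shortener list; extend it for your mail flow.
SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "ow.ly"}
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def audit_links(html_body):
    """Return one dict per link: real host, visible text, and any flags."""
    collector = LinkCollector()
    collector.feed(html_body)
    report = []
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        flags = []
        if host in SHORTENERS:
            flags.append("shortener")  # final destination is not visible
        shown = DOMAIN_RE.findall(text.lower())
        if shown and not any(host == d or host.endswith("." + d) for d in shown):
            flags.append("text-shows-other-domain")
        report.append({"host": host, "text": text, "flags": flags})
    return report

# Constructed sample body (the article does not reproduce the real email).
SAMPLE = """<p><a href="https://bit.ly/EXAMPLE">Click here to read more details</a></p>
<p><a href="https://login.example.net/">accounts.google.com</a></p>
<p><a href="https://support.example.com/help">support.example.com</a></p>"""

print(*audit_links(SAMPLE), sep="\n")
```

A shortener flag on a message that claims to come from a store or account team is a reason to open the developer dashboard directly instead of following the link.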
The developers said the password screen looked exactly like the one used by Google. Although the team did not have any screenshot of the password page as it appeared only once, it did take a screenshot of the initial phishing email and its reply.
“This looked legit to the team member, so we did not notice the [phishing] attack as such at this point. [Phishing] for Chrome extensions was simply not on our radar screen,” the developers said.
Once the developer entered the credentials for a9t9 software’s developer account, the hackers behind the attack updated the Copyfish extension on 29 July to Version 2.8.5, which pushes spam and advertisements to its users.
The Copyfish makers noticed the issue very quickly, but they could not do anything because the hackers moved the extension to a different developer account.
The software company contacted Google developer support, which is currently working to give the company access to its software.
The a9t9 software team is warning users that the Chrome extension for Copyfish is currently not under its control. Users are advised not to install the malicious Chrome extension, and to remove it if they have already installed it.