Phishing campaign targets developers of Chrome extensions

If the campaign was successful, we should expect new cases of hacked extensions used to infect users.
Written by Catalin Cimpanu, Contributor

Developers of Google Chrome extensions have been targeted by a massive phishing campaign last week, ZDNet has learned.

The campaign attempted to trick developers into accessing a phishing site where crooks tried to obtain the login credentials for developers' Google accounts.

The reason for obtaining these credentials was that malicious actors could log into Chrome Web Store dashboards and push malicious versions of legitimate Chrome extensions.

Also: Telegram fixes IP address leak in desktop client

A large-scale phishing campaign like this has happened before, in the summer of 2017.

Last year, several Chrome extension developers fell victim and had their extensions taken over by crooks. Those extensions were modified to insert ads into legitimate traffic.

Extensions like Web Developer, Chrometana, Infinity New Tab, CopyFish, Web Paint, Social Fixer, TouchVPN, and Betternet VPN were found to be modified using a similar modus operandi, all after their developers fell victim to phishing emails.

Also: You can buy Google's $50 set of Titan security keys now CNET

Now, a new phishing campaign, just like the one last year, is taking place again, as several Chrome extension developers have confirmed to ZDNet.

For this latest round of spam, crooks have sent emails using the identity of Kevin Murphy (dev-support@webstoredevsupport[.]com), a supposed Google employee part of the Chrome Web Store Team.

A copy of the email extension developers received, provided to ZDNet by Andrey Meshkov of AdGuard and Harry Denley of EtherSecurityLookup, is embedded below.


Crooks tried to scare extension devs into completing a Google Form with a valid postal address or have their accounts suspended, citing a new Google policy.

Just like most phishing emails, this was a lackadaisical effort. The Google Form link didn't even go to a Google Form, but redirected through the domain usgbc.org, meaning attentive extension developers could have picked up on the email's authenticity just by hovering the link. The format of this link was:


For last week's campaign, Chrome extension developers landed on a page on profile.chromewebstoresupport[.]com that asked them to log into their Google account...


... and then redirected users to a pixel-perfect clone of the actual Google account login page, located at https://login.chromewebstoresupport[.]com


This is a very poor attempt of a phishing email, but it doesn't really matter, as there would always be people who do not pay enough attention and would fall for these emails.

Several extension developers publicly admitted during last year's campaign, on Twitter and in incident post-mortem blog posts, of getting fooled by simple emails like these, which resulted in millions of users receiving adware-infested extensions.

Also: How to install and use the PassFF Firefox password manager TechRepublic

It is very likely that crooks have obtained new credentials for other Chrome extensions via last week's phishing campaign, and we should expect to see a few cases of compromised Chrome extensions in the weeks to come.

Prior to this campaign, a phishing email was also most likely at the source of an incident involving the official MEGA Chrome extension last month, when someone accessed MEGA's Chrome Web Store account and pushed a malicious version of the extension that could steal usernames and passwords for various online accounts, and private keys from some cryptocurrency sites.

Also: Worries arise about security of new WebAuthn protocol

For its part, Google has already taken action since last year. The company has been showing a notification on the Chrome Web Store dashboard for extension developers since the summer of 2017.

An image of that phishing alert is available below, but as some extensions developers have told ZDNet, the message has been shown so many times in the past year that it lost some of its impact due to an alert fatigue.


It should go without saying in 2018 that Google does not use Google Forms to manage account settings. Extension developers who believe to have filled in such a form last week or before should change their account password as soon as possible and audit their extensions for any unknown or suspicious code.

Google Chrome tip: Use the built-in Task Manager to find out which tabs are eating your RAM

Related coverage:

Editorial standards