EXCLUSIVE — Google’s security team has sent out warnings via email to Chrome extension developers after many of them have been the targets of phishing attacks, some of which have been successful and resulted in crooks taking over extensions.

These phishing attacks came into the limelight this past week when phishers managed to compromise the developer accounts for two very popular Chrome extensions — Copyfish and Web Developer.

The phishers used access to these developer accounts to insert adware code inside the extensions and push out a malicious update that overlaid ads on top of web pages users were navigating.

Phishing attacks have been going on since mid-June

According to new information obtained by Bleeping Computer, these attacks started over two months ago and had been silently going on without anyone noticing.

All phishing emails contained the same lure — someone posing as Google was informing extension developers that their add-on broke Chrome Web Store rules and needed to be updated.

The extension developer was lured onto a site to view what the problem was and possibly update the extension. Before showing the alert, the site asked extension developers to log in with their Google developer account, a natural step when accessing a secure backend.

The login page was identical to the real Google account login page, and this is how the owners of the Copyfish and Web Developer extensions had their accounts compromised.

Bleeping Computer obtained one of the phishing emails that extension developers received in the past months. This email was sent to OinkAndStuff, the developer of two very popular Chrome extensions named Blue Messenger (~80K users) and Websta for Instagram (~100K users).

In a private conversation with Bleeping Computer, OinkAndStuff said he received this email on June 21, 2017, almost seven weeks ago.

Evidence points to common actor behind all phishing attacks

The domain used in the phishing email was a Freshdesk domain. The Copyfish extension dev was also phished via a Freshdesk domain. The lure (email message) was almost identical in all three incidents (Copyfish, Web Developer, and OinkAndStuff).

All evidence points to the fact that there’s a common actor behind all these phishing attacks that have targeted Chrome extension developers.

“It is really well written and with links very much similar to Google,” said OinkAndStuff. “I immediately detected that it was a scam and my investigation led to a P.O. box in Panama. On that same day, I sent an email to Google reporting this case.”

OinkAndStuff says that days later Google started blocking the site via its Safe Browsing API.

Phishing attacks continued through month of July

“But this wasn’t the end. After this incident I received two more tentatives on 7-7-2017 and 21-7-2017 with the same tactics,” the developer says. “I reported them to Google and Google once again blocked and flagged the websites as a scam website.”

“The second and third attacks were through a bit.ly link which is a bit lame but the first attack was very very hard to detect,” the developer also noted.

“I even analyzed the HTML and JavaScript of the scam website and compared to the official Google login page and believe me this attack was surgical-made because it was really well done by some very clever organization,” OinkAndStuff told Bleeping Computer. “They changed domains on each attack because as I was reporting them, Google also blocked the website so they were forced to move to a new domain name on every new round of attacks.”

Following these repeated waves of phishing emails in June, July, and August, Google’s staff was eventually forced to recognize that something was amiss.

On August 4, two days after the hijacking of the Web Developer Chrome extension, Google sent out the following email, warning all extension developers about the rising danger of phishing attacks posing as official Chrome Web Store communications.

Google email warning

As the above email advises, extension developers should not log in with their Chrome developer accounts on Google login pages hosted on non-Google domains.
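One way to apply that advice mechanically, as an added example that is not from Google's email or the original article: a JavaScript check that accepts a link only when its parsed hostname is exactly `accounts.google.com` and rejects the shortener and hosted-helpdesk patterns described in the lures above. The allowlist, the function name and every sample URL are constructed assumptions.

```javascript
// Added example. Assumption: the developer password is only ever typed on accounts.google.com.
const GOOGLE_LOGIN_HOSTS = new Set(["accounts.google.com"]);
const SHORTENERS = new Set(["bit.ly"]);      // shortener named in the article
const HOSTED_SUFFIXES = [".freshdesk.com"];  // hosted helpdesk platform named in the article

function classifyLoginLink(raw) {
  let url;
  try {
    url = new URL(raw); // WHATWG parser: lowercases the host, converts IDN to punycode
  } catch {
    return "reject: not a URL";
  }
  if (url.protocol !== "https:") return "reject: not https";
  // Text before '@' is userinfo, not the host: https://accounts.google.com@other.example/
  if (url.username || url.password) return "reject: userinfo in URL";
  const host = url.hostname.replace(/\.$/, ""); // ignore a trailing root dot
  if (GOOGLE_LOGIN_HOSTS.has(host)) return "ok: Google login host";
  if (SHORTENERS.has(host)) return "reject: shortener hides destination";
  if (HOSTED_SUFFIXES.some((s) => host.endsWith(s))) return "reject: third-party hosted page";
  if (host.split(".").some((label) => label.startsWith("xn--"))) return "reject: punycode label";
  // Brand name inside a host that is not on the allowlist, e.g. as a left-hand subdomain.
  if (host.includes("google")) return "reject: Google name on non-Google domain";
  return "reject: not a Google login host";
}

// Constructed sample links, not indicators from the incidents.
const SAMPLE_LINKS = [
  "https://accounts.google.com/ServiceLogin",
  "https://webstore-support-example.freshdesk.com/support/tickets/1",
  "https://bit.ly/EXAMPLE",
  "https://accounts.google.com.signin.example/ServiceLogin",
  "https://accounts.google.com@signin.example/ServiceLogin",
  "http://accounts.google.com/ServiceLogin",
];

function auditLinks(links) {
  return links.map((link) => ({ link, verdict: classifyLoginLink(link) }));
}

for (const { link, verdict } of auditLinks(SAMPLE_LINKS)) {
  console.log(verdict.padEnd(42), link);
}
```

The comparison is made on the parsed hostname, never on the visible link text or a substring of the raw URL, because the lookalike and userinfo samples both contain the string `accounts.google.com`.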

For the time being, the threat remains active for all owners of popular extensions, which are a prime target for any crook that wants to make a few bucks through ad affiliate programs.