Developers of extensions for Googles Chrome browser report that they are targeting a phishing campaign, which attempts attackers to find credentials to potentially publish malicious versions of extensions. This happened before at various extensions.
Several developers say to ZDNet that they have received phishing emails, just like with a previous campaign in the summer of last year. Among other things, the developers of AdGuard and EtherSecurityLookup say they have received emails that seem to come from Kevin Murphy, an employee of Google’s Chrome Web Store team. They are asked to provide a ‘valid mailing address’ and to fill in contact information on a Google Form page.
However, the link to the form led to another domain. To fill in the fake form, the recipients of the phishing email must first log in to Google. In addition, however, they end up on a reconstructed but convincing looking login page. If they fill in their log-in details, they will reach the attackers.
They can then log in to the developer account. If the method has not changed since last year, the attackers can adjust extensions associated with the account. For example, they can inject advertisements into web traffic or capture sensitive data such as passwords. According to ZDNet, Google has been alerting developers since last year that phishing emails are circulating. The developers say to the site that this warning is shown so often that it has lost its effectiveness.
In the past, various extensions were modified by malicious parties after they gained access to the connected developer account. Recently, similar incidents occurred in the extensions of Mega and Hola VPN.