Phishing Scam Targets Chrome Extension Developers with Fake Copyright Notices

A new phishing scam is targeting developers who publish extensions on the Chrome Web Store, employing convincing fake copyright infringement notices to steal their Google login credentials. The fraudulent emails, designed to appear official, warn developers that their extensions are slated for removal from the store due to copyright issues and provide a strict 48-hour window to appeal the decision.

The scam begins with an email that pressures developers into clicking a link. This link leads to a meticulously crafted fake website that mimics the appearance of official Google branding and the Chrome Web Store's developer portal. To further enhance its legitimacy, the site prompts users to enter their extension's ID. Upon receiving this information, the fake website dynamically pulls in the extension's actual name and icon from the Chrome Web Store, making the threat seem highly personalized and credible.

Once the developer's extension details are displayed, the scam page presents a fabricated complaint number, a countdown timer, and a timeline of events, all designed to create a sense of urgency. The primary goal is to push the developer to click a button labeled "Sign in with Google" to "verify their identity" and file an appeal before the fabricated deadline expires. This action triggers a fake Google sign-in window, which, despite its authentic appearance including a padlock icon and a accounts.google.com address in its title bar, is merely a graphic element of the scam page.

If a developer falls victim and enters their Google username and password into this fake window, their credentials are sent directly to the scammers. The attackers' ultimate objective is to gain control of developer accounts. With such access, they could potentially hijack extensions, access sensitive developer resources, or, most alarmingly, push malicious updates to unsuspecting users who have already installed the compromised extensions.

Security experts emphasize that genuine warnings and notifications regarding Chrome extensions are exclusively posted within the Chrome Web Store developer dashboard. Legitimate processes do not rely on external links, countdown timers, or third-party websites for critical actions. The deceptive nature of this scam lies in its ability to leverage publicly available information about an extension to build a convincing, albeit false, narrative.

To protect themselves, developers are advised to be highly suspicious of any unsolicited warnings about their extensions, especially those demanding immediate action via external links. Always verify such claims by navigating directly to the official Chrome Web Store developer dashboard. Furthermore, scrutinizing the browser's actual address bar for the correct URL and being wary of sign-in windows that cannot be manipulated like native OS windows are crucial steps in identifying phishing attempts.

Malwarebytes notes that the fake sign-in window is a key indicator of a phishing attempt. Unlike real browser pop-ups, these fake windows cannot be dragged outside the browser window or minimized independently. If the sign-in prompt disappears when the browser is minimized, it is a strong sign that it is not a genuine Google interface. The presence of the scam site's URL in the browser's main address bar, even when the fake sign-in window appears, is another critical giveaway.

In the event a developer has already submitted their credentials, immediate action is required. This includes changing their Google password from a trusted device, signing out of all active sessions associated with their Google account, and reviewing connected applications and devices for any unauthorized access. Utilizing security features like passkeys and hardware security keys, along with robust security software that includes phishing protection, can further mitigate the risk of falling prey to such sophisticated attacks.