Fake DMCA Notices Used to Hijack Chrome Extension Developer Accounts

Attackers are using counterfeit DMCA takedown notices with personalized extension details to steal Google developer credentials and potentially push malicious code to thousands of users.

CSBadmin

How the Scam Operates

A sophisticated phishing campaign is targeting Chrome extension developers with fraudulent copyright removal notices that mimic official communications from the Chrome Web Store. The attack begins when developers receive an urgent message stating their extension will be removed for copyright infringement within 48 hours unless they file an appeal. The message includes a realistic complaint number and a live countdown clock, creating pressure to act quickly.

The scam page, hosted on a deceptive domain completely unrelated to Google, is designed to look nearly identical to a genuine Google developer support portal. It even displays the developer’s actual extension name and icon, which the attackers fetch in real time using the extension’s public ID. Researchers at Malwarebytes documented the campaign and warned that its level of personalization makes it dangerously convincing, even for technically experienced developers.

Impact and Scope

When developers enter their Google credentials on the counterfeit sign-in page, attackers gain full access to their Chrome Web Store developer accounts. This access allows malicious actors to push tainted updates to extensions already installed by thousands of users. A single compromised developer account could silently distribute malware to a large base of unsuspecting users who trusted the extension.

The campaign exploits trust in a particularly effective way by incorporating real, publicly available details about the victim’s own extension. Rather than relying on generic threats, the attackers use the extension’s listing information alongside a fabricated complaint to make the fake notice feel entirely legitimate. This targeted approach represents an escalation in credential theft tactics aimed at the browser extension ecosystem.
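The traits described above (a link hosted off Google's domains, the developer's own extension details, and deadline pressure) can be checked mechanically before anyone clicks. The following triage sketch is an added example, not code from Malwarebytes or Google; the trusted-domain list, the pressure-term pattern and the sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: sign-in and appeal pages are only trusted on google.com and its subdomains.
TRUSTED_SUFFIXES = ("google.com",)
# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ID = re.compile(r"\b[a-p]{32}\b")
URL = re.compile(r"https?://[^\s<>\"')]+", re.I)
# Constructed heuristic for the urgency wording the article describes.
PRESSURE = re.compile(
    r"\b(within\s+\d+\s+hours?|copyright|dmca|infring\w*|appeal|removed?)\b", re.I)

# Constructed sample notice; the .example domain is reserved and not a real indicator.
SAMPLE = """Subject: DMCA complaint - extension scheduled for removal
Your extension (ID: abcdefghijklmnopabcdefghijklmnop) will be removed within 48 hours
for copyright infringement. File an appeal: https://accounts.google.com.support-appeal.example/signin
"""


def host_is_trusted(url):
    """True only if the URL's real host is a trusted domain or a subdomain of one."""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed URL: treat as untrusted
        return False
    # Suffix match on a label boundary, so google.com.evil.example does not pass,
    # and urlsplit drops any user@ prefix, so google.com@evil.example does not pass.
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def triage_notice(body, my_extension_ids=()):
    """Report which traits of the fake-takedown lure a message shows."""
    untrusted = [u for u in URL.findall(body) if not host_is_trusted(u)]
    pressure = sorted({m.lower() for m in PRESSURE.findall(body)})
    return {
        "untrusted_links": untrusted,
        # Personalization: the message names an extension this developer publishes.
        "mentions_own_extension": bool(set(EXT_ID.findall(body)) & set(my_extension_ids)),
        "pressure_terms": pressure,
        # Takedown pressure combined with a link off the trusted domain is the red flag.
        "suspicious": bool(untrusted) and bool(pressure),
    }


if __name__ == "__main__":
    print(triage_notice(SAMPLE, ["abcdefghijklmnopabcdefghijklmnop"]))
```

A message flagged here should be verified by opening the developer dashboard directly from a bookmark rather than through any link in the notice.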

Source: Cyber Security News
