Cyber Incident Victim: Copyfish
Date: Jul 2017
Location: United States of America
Summary
A popular Chrome extension enabling text extraction from digital media was hijacked after attackers compromised its German developer team via a phishing email impersonating the Chrome Web Store, tricking a member into revealing account credentials. The hijackers updated the extension to inject advertisements and spam, then transferred it to their own account, preventing the original developers from disabling or removing the malicious version. Despite prompt detection, the developers could not regain control, leaving users exposed to unwanted adware until intervention by store support. The extension's Firefox counterpart remained unaffected.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The Copyfish Chrome extension hijacking incident began on July 28, 2017, when a team member of German developer a9t9 software received a phishing email impersonating the Chrome Web Store team. The fraudulent email demanded an extension update under threat of removal from the store and included a bit.ly link labeled "Click here to read more details." When accessed, this link displayed a counterfeit Google password dialogue box that closely resembled legitimate authentication interfaces. The developer, unaware of the phishing attempt due to the page's convincing appearance and lack of prior awareness about extension-targeted attacks, entered credentials for their Chrome Web Store developer account. This compromise enabled attackers to gain control of the account housing Copyfish—a text extraction tool with over 37,500 users—on July 29.

Attackers updated Copyfish to version 2.8.5, modifying it to inject advertisements and spam while transferring the extension to their own developer account, effectively severing a9t9 software's administrative control. The developers detected the compromise rapidly but could not disable or remove the malicious version from the Chrome Web Store due to the account transfer. They immediately notified Google developer support to regain control and issued public warnings advising users against installing or continuing to use the Chrome extension. The Firefox version remained unaffected. The altered extension's confirmed malicious functionality was limited to adware-like behavior at the time of reporting, though developers cautioned that attackers retained the ability to push additional harmful updates until ownership was restored. Google's support team was actively engaged in resolving the account access issue as of the last reported update.