Cyber Incident Victim: Google

Date: Jul 2017

Location: United States of America

Summary

A popular Chrome extension developed by a German team was compromised through a phishing attack impersonating the Chrome Web Store, leading to unauthorized account access. Attackers updated the extension to inject advertisements and spam into users' browsers before transferring control to their own developer account, preventing the original creators from disabling or removing the malicious version. The hijacked software, which provided text extraction capabilities, impacted thousands of users while remaining available on Google's platform despite immediate developer notifications. The incident resulted in both unwanted content delivery and complete loss of extension management by the legitimate developers.

Description

On July 28, 2017, a member of the German development team a9t9 software received a phishing email impersonating the Chrome Web Store team, falsely claiming their Copyfish extension required updates to avoid removal from Google's platform. The email contained a bit.ly link disguised as a "Click here to read more details" button, which redirected to a counterfeit Google password prompt when viewed in HTML format. Unaware of the deception, the developer entered valid credentials for their Chrome Web Store account, enabling attackers to compromise the account. The following day (July 29), attackers updated the Copyfish Chrome extension to version 2.8.5, embedding advertisement injection capabilities into the software, which had over 37,500 active users. The malicious update enabled spam distribution to affected users while leaving the Firefox version of Copyfish unaffected. After detecting the compromise, a9t9 software discovered attackers had transferred extension ownership to a separate developer account, preventing them from disabling or removing the malicious version from the Chrome Web Store despite immediate awareness of the issue.

The hijacking disrupted Copyfish's operations and exposed users to unwanted advertising content through the compromised extension. a9t9 software documented the phishing email's structure and reply mechanism but lacked visual evidence of the fraudulent password interface, which was shown only once and was not captured. The developers publicly warned users against installing or retaining the Chrome extension while confirming ongoing coordination with Google's developer support team to regain control of their software asset. No remediation timeline or technical details regarding Google's recovery process were disclosed in available records. The incident highlighted operational vulnerabilities in third-party extension management: after obtaining credentials through social engineering targeting developer accounts, attackers exploited the legitimate update mechanism to distribute malware.
