On Friday, an unknown hacker hijacked the Copyfish Chrome extension from its original authors and pushed an update that inserted ads in people’s web pages.
The hack took place because one of the Copyfish developers fell for a simple phishing trick and accessed a link in an email he thought he received from the Chrome team.
In reality, the email came from the phisher and urged the Copyfish developer to update his extension, or it would be removed from the Chrome Web Store.
Developer fell for simple phishing trick
When the developer accessed the link, he was redirected to a copy of the Google account login page, where he entered the credentials for the Copyfish developer account.
The login page was hosted on chromedev.freshdesk.com, and surprisingly the extension’s developer didn’t think it was strange, even though Google has hosted its support desks on its own domains for more than a decade.
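The host mismatch described above is something a mail gateway or link-checking tool can test mechanically. The following is an added example, not part of the original article: the allowlist, the function name `checkLoginUrl` and every sample URL path are assumptions made for illustration, and only the host chromedev.freshdesk.com comes from the article.

```javascript
// Hosts assumed to be legitimate Google sign-in endpoints (illustrative allowlist;
// extend it with the identity providers your organisation actually uses).
const TRUSTED_LOGIN_HOSTS = new Set(["accounts.google.com"]);

// Classify a URL that presents a Google credential prompt.
// Returns { trusted: boolean, host: string|null, reason: string }.
function checkLoginUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return { trusted: false, host: null, reason: "unparseable URL" };
  }
  // The URL parser lower-cases the hostname; drop a trailing root dot if present.
  const host = url.hostname.replace(/\.$/, "");
  if (url.protocol !== "https:") {
    return { trusted: false, host, reason: "not HTTPS" };
  }
  if (url.username || url.password) {
    // In https://accounts.google.com@example.net/ the real host follows the "@".
    return { trusted: false, host, reason: "userinfo in URL hides the real host" };
  }
  if (!TRUSTED_LOGIN_HOSTS.has(host)) {
    // Exact match only: a brand word inside a third-party host proves nothing.
    const brand = /google|chrome/.test(host) ? " (brand name in an untrusted host)" : "";
    return { trusted: false, host, reason: "host not on sign-in allowlist" + brand };
  }
  return { trusted: true, host, reason: "exact match on allowlist" };
}

// Constructed sample links; only the first host is taken from the article.
const SAMPLE_LINKS = [
  "https://chromedev.freshdesk.com/login",
  "https://accounts.google.com/signin",
  "https://accounts.google.com.example.net/signin",
  "https://accounts.google.com@example.net/signin",
  "http://accounts.google.com/signin",
];

// Return the sample links that should not receive credentials.
function untrustedLinks(links) {
  return links.filter((link) => !checkLoginUrl(link).trusted);
}

console.log(untrustedLinks(SAMPLE_LINKS));
```

The check compares the full hostname for equality rather than searching for a substring, which is why both the Freshdesk-hosted page and the constructed lookalike hosts fail it.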
On Saturday, a day later, the hacker pushed a malicious update (v2.8.5) for the Chrome Copyfish extension, which is a pretty powerful tool for extracting text from images and PDF files.
Malicious update inserted ads in people’s browsers
Unfortunately, by that point, the hacker had transferred the extension to his own developer account, out of the reach of the original authors, who were desperately trying to reach a Google staffer to have the extension pulled down.
At the time of writing, the extension is still under the hijacker’s control. Users are advised to remove it from their browsers. The Copyfish team says its Firefox add-on is safe and under their control.