Google sent an alert to Chrome extension developers after a wave of fake emails was sent to them. The criminals' aim is to take control of extensions that already have a large user base and inject unwanted code into them, taking advantage of the automatic update feature to distribute the new code to all users. It is not entirely clear what the attackers want, but extensions can change the browsing experience and allow the theft of various data, including passwords used on the web. At least one extension has been tampered with to display advertisements. Among the compromised extensions are Infinity New Tab, which has 450,000 users, Copyfish with 35,000, Web Developer with one million, and Live HTTP Readers, which has been blocked by Google and has not yet returned to the Chrome Web Store.
The attackers send fake emails to extension developers. The message is made to look like an official Google communication and contains links that, if clicked, lead to fake login pages. If the developer enters their password on the fake page, it is sent to the attackers, who can then access the developer's Google account. Google's email alert to developers, published on Bleeping Computer, recommends that developers enable 2-step verification for their Google accounts and exercise caution when opening links. Fraudulent messages can also be forwarded to a dedicated support email address at Google. Before resorting to fake emails to attack developers, scammers made commercial offers and purchased extensions directly from their creators.
Attacks on programmers
Cybercriminals are finding themselves forced to deal with a rather difficult reality when they try to attack users. Several advances in software and system security have prevented some old tricks from working. In the mid-2000s, when the most commonly used web browser was Microsoft's Internet Explorer, the most common tactic was to install malicious code from malicious pages by exploiting browser flaws. With the adoption of Firefox and Chrome, which are safer, scammers have come to depend on installing extensions in browsers to reach Internet users. But Google and Mozilla have reacted by blocking the installation of extensions from unofficial sources. Interestingly, one of the major advances in security has been precisely the adoption of fast automatic update mechanisms. But in these attacks on developers, the automatic update mechanism starts to work in the attackers' favour, at least in the sense of victimizing more people in less time.
The automatic update feature was also central in the case of the NotPetya virus, which attacked Ukraine through the automatic update mechanism of the ME Doc software. A law firm in Ukraine is calling on victims of the virus to file a lawsuit against the company that develops the software. A major risk is that such attacks can target mobile applications. Chinese iPhone software developers have already suffered from this problem in the case of "Xcode Ghost". At the time, an alternative download source for Xcode, an official Apple program, had contaminated the software so that it injected unwanted code into mobile apps. The attacks against developers and automatic update mechanisms, however, are much more direct than the Xcode case. In any case, programmers and software companies should be far better prepared to deal with attacks than others. The tendency, however, is for future attacks to reveal more unpreparedness among those who should have more knowledge.