Hacked Chrome web dev plugin maker: How those phishers tricked me

The chap behind Chrome Web Developer, a popular third-party extension that was briefly hijacked to inject ads into browsers, today confirmed he was the victim of a phishing attack.

Chris Pederick, a Brit living abroad in San Francisco, California, said he received an email on Tuesday claiming to be from Google warning that his Chrome tool needed to be updated to comply with new store policies.

Occupied with work, Pederick says, he followed the link in the message to a webpage and typed in his developer account login details to continue. That page handed over his credentials to miscreants.

Pederick said he didn't realize what had happened until about 6:30am the next day, when he was informed that a new version of the extension – which has over one million users – had apparently been uploaded earlier that morning and contained code that injected ads in users' Chrome browser windows.

"I wake up to a number of tweets and emails from users reporting unusual logging and adware coming from Web Developer," Pederick said.

"I realize that this is tied to the email from the day before and immediately change my developer account password. I log in to the developer dashboard and see that a version 0.4.9 has been uploaded by someone other than myself and immediately unpublish the extension from the Chrome store."

Two hours later, Pederick was able to get an updated release of the plugin, version 0.5, uploaded. He has also since enabled two-factor authentication to prevent any further incidents.

"I could make excuses about how I am extremely busy at work or I seem to constantly be logged out of my Google account, so having to log in is not unusual, but the reality is that I am a bloody idiot and blindly logged into my developer account after clicking on a link in the email," Pederick's mea culpa reads.

"To add to my stupidity, the developer account did not have two-factor authentication turned on."

Lest he feel too bad, it should be pointed out that Pederick wasn't even the first Chrome plugin developer to fall for the scheme that week. A second Chrome plugin, Copyfish, was also compromised and started kicking out ads after one of its developers fell for the same phishing email.

Like Web Developer, the Copyfish attack only impacted the Chrome version of the plugin, not the Firefox build.

What's worse, Copyfish said its developer account was briefly suspended by Google, even after it took down the ad-injecting version of its plugin. The extension's team said it believes the attack originated from a machine in Russia. ®