You may have read that some Google Chrome developers recently had their accounts hijacked by hackers who injected ads into their Apps/Extensions:
Arstechnica, Ghacks, Forbes, Theregister, Meetchrome, Itpro, Helpnetsecurity, Bleepingcomputer, scmagazine, theinquirer
We are writing this post to clearly state that OinkAndStuff was not affected at all. In fact we were the first to be attacked by this group of hackers and we were the first to detect and alert Google about that attack.
We also tried, and somewhat succeeded, to take down those hackers who were trying to hijack other Developers' accounts. Here is our side of the story:
I’m a Google Chrome WebStore Developer (OinkAndStuff) with some popular extensions like Blue Messenger or Websta for Instagram and I was targeted by this phishing attack on 21-06-2007.
I immediately detected that it was a scam and my investigation led to a P.O. box in Panama.
They sent an email stating that an extension will be removed unless you take some steps to fix it. It is really well written and has links very similar to Google's.
That same day I sent an email to Google reporting this case.
Here is the email I sent:
Hi I’m the OinkAndStuff developer of the Google Chrome Webstore.
I received an email supposedly from Google Chrome Webstore support team stating that an extension of mine is going to be removed and that I have to log in on a website for details.
The issue is that I don’t recognize the email and the website.
The email comes from:
Chrome Developer Support
and the link sends to: https://login.webstoresupport.top
The login page is very similar to the Google Login but something doesn’t look quite right. I also ran a whois on the domain webstoresupport.top and it is registered to a Panama P.O. Box.
Is this serious, or is it an attack on the Webstore Developers?
Please take this email very seriously.
Please give me some feedback on this. I have cooperated with Chrome Webstore Dev Team and the support Team for over 3 years and I must know if this is legit or hackers are trying to steal the work from us.
Some days after my email, the link was flagged by Google as a dangerous scam website. They read my email and took some steps to block it.
But this wasn’t the end. After this incident I received 2 more attempts on 7-7-2017 and 21-7-2017 with the same tactics.
I reported them to Google and Google once again blocked and flagged the websites as scam websites.
The second and third attacks were through a bit.ly link, which is a bit lame, but the first attack was very, very hard to detect.
They changed domains on each attack because, as I was reporting them, Google also blocked the website, so they were forced to move to a new domain name on every new round of attacks.
I’m now sure that my steps were vital to stopping this attack from spreading in June and July, but unfortunately I wasn’t targeted in August; otherwise I would have reported it and it would have been blocked once again.
On 4-8-2017 Google sent an email to all Developers. This was the email:
Warning: Phishing Campaign Targeting Chrome Web Store Developers
Dear Chrome Web Store Developer,
Our records indicate that you have at least one extension published in the Chrome Web Store.
We’re writing to let you know that a number of developers have recently reported receiving phishing emails from email addresses that impersonate the Chrome Web Store policy team.
If you receive any emails that appear to be from the Chrome Web Store but do not belong to the google.com domain (for example, firstname.lastname@example.org), please use your gmail controls to mark the email as spam, and send the original email headers to email@example.com.
We also encourage you to increase your account security by enabling 2-step verification. You can also consider adding the Password Alert Chrome Extension, which can help identify phishing attacks.
The Chrome Web Store Team
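The checks Google's warning describes (a sender outside google.com, links that leave google.com or hide behind a shortener) can be applied mechanically to a suspicious message. The following Python sketch is an added example, not code from OinkAndStuff or Google; the sample message, its sender address and the helper names `under` and `triage` are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "google.com"   # domain named in Google's warning
SHORTENERS = {"bit.ly"}         # shortener used in the second and third rounds

def under(host, domain):
    """True only if host is the domain itself or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def triage(raw_email):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw_email)
    findings = []
    _display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if not under(sender_domain, TRUSTED_DOMAIN):
        findings.append(f"sender-domain:{sender_domain}")
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for url in re.findall(r"https?://[^\s<>]+", text):
            host = (urlsplit(url).hostname or "").lower()
            if host in SHORTENERS:
                findings.append(f"shortened-link:{host}")
            elif not under(host, TRUSTED_DOMAIN):
                findings.append(f"off-domain-link:{host}")
    return findings

# Constructed sample: display name and first link are from the post,
# the sender address and remaining lines are made up for the example.
SAMPLE = """\
From: Chrome Developer Support <support@webstoresupport.example>
To: dev@example.org
Subject: Your extension will be removed

Log in for details: https://login.webstoresupport.top/
Dashboard: https://chrome.google.com/webstore/devconsole
Later rounds used: http://bit.ly/xxxx
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The `From` header can be forged, so a message that passes this check still needs its SPF/DKIM/DMARC results examined; a message that fails it is worth reporting with full headers, as the warning asks.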
To all Developers on Google Chrome WebStore and Google Play: please report to Google right away when you suspect a hacker attack. They want to steal our work from us. Some Developers make their living from their Apps, and the money they get from there is how they put food on the table.
If you report these cases right away you will prevent other Devs from falling into the trap.
If you want to contact us about this you can send an email to firstname.lastname@example.org or search on the Google Chrome WebStore for OinkAndStuff.
In the gallery you can see some of the scam emails and the emails sent to Google reporting the case. Our Apps/Extensions are 100% secure and security is rock solid on our work as you can see in the statement above. We are one of the leading Extensions/Apps Developers on Google Chrome WebStore and Google Play with over 33 Apps and 300k active users.
Update: Our story was published in a specialized security website: https://www.bleepingcomputer.com/news/security/chrome-extension-developers-under-a-barrage-of-phishing-attacks/
Update 2: The story was also published in Croatia and Germany: