posted by martyb on Sunday August 13 2017, @01:59PM
from the why-not-block-the-spam? dept.

Google's security team has sent out warnings via email to Chrome extension developers after many of them have been the targets of phishing attacks, some of which have been successful and resulted in crooks taking over extensions.

These phishing attacks have come into the limelight this past week when phishers managed to compromise the developer accounts for two very popular Chrome extensions — Copyfish and Web Developer.

The phishers used access to these developer accounts to insert adware code inside the extensions and push out a malicious update that overlaid ads on top of web pages users were navigating.

According to new information obtained by Bleeping Computer, these attacks started over two months ago and had been silently going on without anyone noticing.

All phishing emails contained the same lure — someone posing as Google was informing extension developers that their add-on broke Chrome Web Store rules and needed to be updated.

The extension developer was lured onto a site to view what the problem was and possibly update the extension. Before showing the alert, the site asked extension developers to log in with their Google developer account, a natural step when accessing a secure backend.

The login page was identical to the real Google account login page, and this is how the owners of the Copyfish and Web Developer extensions compromised their accounts.

Source:

https://www.bleepingcomputer.com/news/security/chrome-extension-developers-under-a-barrage-of-phishing-attacks/


  • (Score: 0) by Anonymous Coward on Sunday August 13 2017, @02:10PM

    by Anonymous Coward on Sunday August 13 2017, @02:10PM (#553260)

    Google's security team has sent out warnings via email to Chrome extension developers after many of them have been the targets of phishing attacks

    You mean, they are increasing the confusion over which e-mails to believe and which ones not to believe? Do GOOG's e-mails contain links that you can click for more information which also require you to be signed in with your GOOG account?

    Stand back, lemme try something...
    ...
    FACEPALM!!!

  • (Score: 5, Informative) by fyngyrz on Sunday August 13 2017, @02:14PM (2 children)

    by fyngyrz (6567) on Sunday August 13 2017, @02:14PM (#553265) Journal

    Never go anywhere an email directs you. If something appears to come from Google, you go to the known related Google site directly and get after whatever it is using the provided tools. Likewise Amazon, etc., etc., etc.

    The converse is also true: If you want people to visit your site, then just say come to our website and click. Don't put links in email. You're just enabling the black hats when you do that. Which makes you complicit.

    I find it absolutely mind-blowing that a "developer" today - on either end of the process - would not know and incorporate this extremely basic, and absolutely critical, security boilerplate.

    • (Score: 2, Touché) by Anonymous Coward on Sunday August 13 2017, @03:09PM

      by Anonymous Coward on Sunday August 13 2017, @03:09PM (#553276)

      You're dealing with web developers here, they aren't as much engineers/programmers as they are marketing/accountant types that realized they chose the wrong career so they jumped ship on the web 2.0/moBILE gold rush.

    • (Score: 3, Informative) by Arik on Sunday August 13 2017, @07:20PM

      by Arik (4543) on Sunday August 13 2017, @07:20PM (#553335) Journal

      Probably >99% of these scams rely on email being parsed as HTML (and generously, at that) so this is yet another case of broken-by-design coming back to bite the user in the arse.

      --
      If laughter is the best medicine, who are the best doctors?

  • (Score: 2) by cubancigar11 on Sunday August 13 2017, @03:14PM (9 children)

    by cubancigar11 (330) on Sunday August 13 2017, @03:14PM (#553277) Homepage Journal

    The whole issue can be avoided if Google supported encryption in Gmail and sent only signed mails.

    • (Score: 0) by Anonymous Coward on Sunday August 13 2017, @03:56PM (8 children)

      by Anonymous Coward on Sunday August 13 2017, @03:56PM (#553290)

      Does that really avoid the problem? Or just escalate the problem for the attackers? Some people seem to have a lot of time and money to invest in cracking things...

      • (Score: 2) by cubancigar11 on Sunday August 13 2017, @04:16PM (7 children)

        by cubancigar11 (330) on Sunday August 13 2017, @04:16PM (#553293) Homepage Journal

        It should decrease the probability of an email-related phishing attack to that of randomly encountering a phishing website. For example, Google can create a different key for signing chrome-extension-related emails. Then developers can look for that signature proactively. I am a hundred percent sure this has the chance to decrease phishing attacks to 0. Google has already put in a feature to color the subject of an email. It can, just like a browser, color the subject lime-green for signed mails.

        A solution may not work but as of now there is not even an attempt to solve it. When Google implements encryption in gmail, automatically the caveats and workarounds will be found.

        • (Score: 2) by kaszz on Monday August 14 2017, @03:23AM (6 children)

          by kaszz (4211) on Monday August 14 2017, @03:23AM (#553453) Journal

          Developers could stop using Microsoft and grow a brain.

          • (Score: 2) by cubancigar11 on Monday August 14 2017, @04:41AM (5 children)

            by cubancigar11 (330) on Monday August 14 2017, @04:41AM (#553482) Homepage Journal

            Did I miss something?

            • (Score: 2) by kaszz on Monday August 14 2017, @05:40AM (4 children)

              by kaszz (4211) on Monday August 14 2017, @05:40AM (#553502) Journal

              Too many people work in a sensitive environment like Microsoft that can't be hardened for the wild internet. Nor do they turn off HTML rendering or check email headers. To top it off, too many just click the links...

              • (Score: 0) by Anonymous Coward on Monday August 14 2017, @06:09AM (1 child)

                by Anonymous Coward on Monday August 14 2017, @06:09AM (#553517)

                If you think windows can't be hardened it shows how much you know.

                • (Score: 2) by urza9814 on Wednesday August 16 2017, @05:58PM

                  by urza9814 (3954) on Wednesday August 16 2017, @05:58PM (#554815) Journal

                  If you think windows can't be hardened it shows how much you know.

                  Not without an external firewall device. Either it's constantly phoning home telemetry crap, or you stop getting security updates because they use those to re-enable the telemetry crap. What's your plan for dealing with just that one issue?

              • (Score: 2) by cubancigar11 on Monday August 14 2017, @10:32AM (1 child)

                by cubancigar11 (330) on Monday August 14 2017, @10:32AM (#553584) Homepage Journal

                Ah. I see what you are saying. I was like, where did MS come from :)

                You are of course right. But phishing is not really an OS problem. The email led developers to a password-harvesting website. Once you have handed over the login password, anything is possible. PEBKAC is PEBKAC, but we can at least make it just as easy as browsers, right?

                • (Score: 2) by urza9814 on Thursday August 17 2017, @11:31AM

                  by urza9814 (3954) on Thursday August 17 2017, @11:31AM (#555230) Journal

                  Hmm...I agree it's not an OS problem, but it's certainly a Microsoft problem.

                  I just checked in Outlook (at work) and I can't find any way to determine who actually sent a mail. It'll show the name they want you to see, but not the actual source. If I'm at home (Thunderbird) or on my phone (K-9 Mail) I just click 'show headers' and it shows it. On Outlook if you click 'show headers' it...hides the part where it shows you the name the sender wants you to see. I can't see any obvious way to show their actual address. That's the absolute first thing I do whenever I come across a suspicious message, to check the true source address and what mailservers it came through; the fact that Microsoft doesn't readily give users access to that information certainly makes it harder to handle these kinds of spam and phishing messages.
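The check urza9814 describes above (look past the display name to the real sender address and the relay chain in the headers) can be scripted for clients that do not expose it. The following is an added example, not code from the thread, from SoylentNews, or from any of the mail clients mentioned; the raw message, hosts, IP addresses and `.test` domains are constructed for illustration, and the brand-to-domain mapping is an assumed configuration value. It uses only Python's standard `email` module.

```python
"""Pull the facts a phishing triage needs out of raw email headers:
the display name the sender chose, the From and Return-Path addresses
the mail system recorded, and the Received chain from origin to inbox."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message (hosts, addresses and IPs are made up).
# Headers are listed newest-first, as a receiving server writes them.
RAW_MESSAGE = b"""\
Received: from mx.example-mailbox.test (mx.example-mailbox.test [203.0.113.10])
\tby inbound.corp.test with ESMTPS id abc123;
\tSun, 13 Aug 2017 13:59:00 +0000
Received: from unknown (HELO mail-relay.attacker.test) ([198.51.100.7])
\tby mx.example-mailbox.test with SMTP;
\tSun, 13 Aug 2017 13:58:30 +0000
Return-Path: <bounce@attacker.test>
From: "Google Chrome Web Store" <chromewebstore@google-developer-alerts.test>
To: developer@corp.test
Subject: Your extension violates Chrome Web Store policy
Content-Type: text/plain

Please log in to review the violation.
"""

# Assumed mapping for this example: a brand named in the display name
# and the domains a genuine message from that brand would come from.
BRAND_DOMAINS = {"google": ("google.com",)}

# One Received hop: "from <claimed> (<comments>)... by <server> ..."
HOP_RE = re.compile(
    r"from\s+(?P<claimed>\S+)\s*(?P<extra>(?:\([^)]*\)\s*)*)by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(msg):
    """Return the Received hops oldest-first (origin relay at index 0)."""
    hops = []
    for value in reversed([str(v) for v in msg.get_all("Received", [])]):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue
        ip = IP_RE.search(m.group("extra"))
        hops.append({
            "claimed": m.group("claimed"),       # name the relay announced
            "ip": ip.group(1) if ip else None,   # address the receiver saw
            "by": m.group("by"),                 # server that accepted it
        })
    return hops


def sender_summary(raw):
    """Separate the chosen display name from the recorded addresses."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    return {
        "display_name": display_name,
        "from_address": from_addr,
        "from_domain": from_addr.rpartition("@")[2].lower(),
        "return_path": return_path,
        "return_path_domain": return_path.rpartition("@")[2].lower(),
        "received": received_hops(msg),
    }


def suspicious_signs(summary, brand_domains=BRAND_DOMAINS):
    """List header facts that warrant a closer look before trusting a mail."""
    signs = []
    fd = summary["from_domain"]
    rpd = summary["return_path_domain"]
    if rpd and rpd != fd:
        signs.append(f"Return-Path domain {rpd!r} differs from From domain {fd!r}")
    name = summary["display_name"].lower()
    for brand, domains in brand_domains.items():
        ok = any(fd == d or fd.endswith("." + d) for d in domains)
        if brand in name and not ok:
            signs.append(f"display name mentions {brand!r} but From domain is {fd!r}")
    hops = summary["received"]
    if hops and hops[0]["claimed"].lower() == "unknown":
        signs.append(f"origin relay did not identify itself (IP {hops[0]['ip']})")
    return signs


if __name__ == "__main__":
    s = sender_summary(RAW_MESSAGE)
    print(f"Display name : {s['display_name']}")
    print(f"From address : {s['from_address']}")
    print(f"Return-Path  : {s['return_path']}")
    for i, hop in enumerate(s["received"]):
        print(f"Hop {i}: from {hop['claimed']} [{hop['ip']}] by {hop['by']}")
    for sign in suspicious_signs(s):
        print("!", sign)
```

Feed it a message saved as raw RFC 822 text (most clients offer "view source" or "save as .eml"). The first hop in the output is the relay closest to the origin, which is the one worth comparing against the domain the display name claims; hops added by your own inbound servers are trustworthy, everything below them is whatever the sender's relay chose to write.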
