Falling victim to a phishing attack can have several frightening results. Clicking a link in a phishing email can lead to your gadget being infected with malware or ransomware, or even to identity theft, to name a few.
It’s bad enough when one person has to suffer the consequences of an attack. Imagine if an entire company and its clients were impacted. This actually happened after a recent attack.
Cybercriminals take control of Chrome extension
What we’re talking about is the Copyfish extension for the Chrome browser. Last week, cybercriminals were able to trick an employee of the extension’s publisher, A9t9, with a phishing email.
The employee received an email that purported to be from Google. The email stated that A9t9 needed to update Copyfish immediately or it would be removed from the Chrome Web Store. There was a link in the email that said, “Click here to read more details.”
If you guessed that the link was malicious, you’re right. It opened a spoofed Google sign-in page, where the unsuspecting employee entered the password for the developers’ account.
The following day the Copyfish extension was updated, and not by the developer. Instead, it was updated by the cybercriminals who stole the password through the phishing email. The updated version of Copyfish began inserting ads/spam into websites.
Once A9t9 realized it was their extension causing spam to appear, they tried logging into the developer account to fix it. They were not successful. The hackers had taken control of the account and blocked A9t9 from accessing it.
In a statement, A9t9 said, “We logged into our developer account and boom – our Copyfish extension is gone! It seems the hackers moved it to THEIR developer account. We currently have no access to it!
“So far, the update looks like standard adware hack, but, as we still have no control over Copyfish, the thieves might update the extension another time…until we get it back. We can not even disable it – as it is no longer in our developer account.”
The company has notified Google of the situation and its developer support is working on a fix.
This incident shows how important it is to be able to recognize phishing attacks. Keep reading for some suggestions.
How to protect against phishing attacks:
- Be cautious with links – If you get an email or notification that you find suspicious, don’t click on its links. It could be a phishing attack. It’s always better to type a website’s address directly into a browser than to click on a link.
- Watch for typos – Phishing scams are infamous for having typos. If you receive an email or notification from a reputable company, it should not contain typos.
- Use unique passwords – Many people use the same password for multiple websites. This is a terrible mistake. If your credentials are stolen on one site and you use the same username and/or password on others, it’s simple for the cybercriminal to get into each account.
- Set up two-factor authentication – Two-factor authentication, also known as two-step verification, means that to log in to your account, you need two ways to prove you are who you say you are. It’s like the DMV or bank asking for two forms of ID.
- Check your online accounts – The site Have I Been Pwned allows you to check if your email address has been compromised in a data breach.
- Have strong security software – Having strong protection on your gadgets is very important. The best defense against digital threats is strong security software.