Google's Chrome browser is one of the most popular in the world. One reason it's so well liked is that it's easy to customize, thanks to add-on extensions. These are features that modify or enhance your browser experience.
Unfortunately, some of these extensions are under attack by hackers. Keep reading to see a list of those that have been impacted.
Hackers taking control of Chrome extensions
What's happening is, hackers are sending phishing emails to employees who work for extension publishing companies. The email is purportedly sent from Google, telling the publishing company that its extension needs to be updated immediately or it will be removed from the Chrome Web Store. The message contains a link that reads, "Click here to read more details."
That link is actually malicious. If the employee falls for the ruse and clicks the link, they are sent to a spoofed Google sign-in page. There, they are asked to enter the credentials to the developer's account.
This scam was originally discovered a couple weeks ago when developers of the CopyFish extension were successfully targeted. The day after an employee handed over the company's credentials, the extension was updated, and not by the developer.
Instead, it was updated by the cybercriminals behind the phishing email. The updated version of CopyFish began inserting ads/spam into websites. The developers couldn't stop it because the scammers took control of the account and blocked them from accessing it.
Now, there are seven more extensions that have been hit by this same attack. Here's the list of impacted extensions:
- Betternet VPN
- Chrometana (1.1.3)
- CopyFish (2.8.5)
- Infinity New Tab (3.12.3)
- Social Fixer (20.1.1)
- Web Developer (0.4.9)
- Web Paint (1.2.1)
This incident magnifies how serious of a threat phishing attacks are. Keep reading for some suggestions on how to stay protected.
How to protect against phishing attacks:
- Be cautious with links - If you get an email or notification that you find suspicious, don't click on its links. It could be a phishing attack. It's always better to type a website's address directly into a browser than clicking on a link.
- Watch for typos - Phishing scams are infamous for having typos. If you receive an email or notification from a reputable company, it should not contain typos. Take our phishing IQ test to see if you can spot a fake email.
- Use unique passwords - Many people use the same password for multiple websites. This is a terrible mistake. If your credentials are stolen on one site and you use the same username and/or password on others, it's simple for the cybercriminal to get into each account. Click here to find out how to create hack-proof passwords.
- Set up two-factor authentication - Two-factor authentication, also known as two-step verification, means that to log in to your account, you need two ways to prove you are who you say you are. It's like the DMV or bank asking for two forms of ID. Click here to learn how to set up two-factor authentication.
- Check your online accounts - The site Have I Been Pwned allows you to check if your email address has been compromised in a data breach.
- Have strong security software - Having strong protection on your gadgets is very important. The best defense against digital threats is strong security software.