CopyFish Extension for Chrome Stolen And Updated With Trojan Adware

Crooks recently hacked the popular Google Chrome extension Copyfish after compromising the Chrome Web Store account of German developer team a9t9 software.

Trojan malware has been around for a long time. A user installs an application to accomplish one task, but behind the scenes, the application is performing a completely different task — usually unwanted. The hiddens activities can take many forms depending on the desire of the bad guys; providing remote access to your system, steal bank account information, encrypt your hard drive and demand ransom, send expensive SMS messages or display unwanted advertising. Underlying it all is the desire for profit.

As far back as 1998, Trojans were active across networks with the NetBus remote control tool. Since then, Trojans have targeted every computing platform. Windows, Mac, mobile devices, even ATMs! All of these have a common attack method; the user needs to be tricked into executing the program. But what if the program was already installed and the bad guys just needed to deliver a trojanized update? Since the program was already installed it was already trusted it so the social engineering aspects of the attack are much easier. Users are already prepared to update their software regularly and many are configured to update automatically.

Some creative bad guys recently implemented such a plan. Rather than craft a new trojan and try to convince unsuspecting victims to install it, they targeted the software developer, took over the code and poisoned the update for most of the 30,000 users who had installed the extension into their Chrome browser. Note: The Firefox CopyFish extension appears to be unaffected.

Like most attacks these days, it all began with a phish. On July 28th, 2017 a developer of the CopyFish browser extension at a9t9 received an email that appeared to originate from Google. The message warned that the CopyFish Chrome extension needed to be updated or it would be removed from the store. Understandably the developer was anxious and clicked on the “Click here to read more details” link embedded in the message. That click opened what appeared to be the standard Google password dialog box and in his haste, the developer entered the password for the developer account. Unfortunately, the dialog box was fake and the credentials were funneled to the bad guys.

The next day, Saturday, July 29, using the ill-gotten credentials from the a9t9 developer, the bad guys moved the CopyFish extension to their own developer account and updated the extension with their trojan code. Updating the version of the extension to v2.8.5 initiated the update to Chrome users who had installed the extension with auto-updates enabled.

By Sunday, July 30, users of the CopyFish extension noticed that their Chrome browser was inserting unexpected and unwanted ads into websites. The a9t9 development team also noticed the behavior and upon investigation learned that the extension had been moved from their development account at Google. They no longer had control of their own code.

On Monday, July 31, through a friend-of-a-friend relationship, the malicious npm packages were removed from UNPKG service so the unwanted adware is stopped for now. The bad guys still control the extension in their Google developer account so they could update with a new trojan.

While Google and a9t9 work through the details to restore control to the rightful parties, it is best to uninstall the CopyFish extension. Now is also a good time to review all of the browser extensions you have installed. Every one is a potential entry point for attackers. Uninstall the ones you don’t need.

About the author:  Steve Biswanger has over 20 years experience in Information Security consulting, and is a frequent speaker on risk, ICS and IoT topics. He is currently Director of Information Security for Encana, a North American oil & gas company and sits on the Board of Directors for the (ISC)2 Alberta Chapter.