Overview
A sophisticated phishing campaign is targeting Chrome extension developers using fake copyright removal notices that mimic official messages from the Chrome Web Store. The scam tricks developers into entering their Google credentials on a counterfeit sign‑in page, putting both their accounts and their users at serious risk.
Researchers at Malwarebytes documented the campaign, warning that it is convincing enough to fool even experienced developers.

Attack Mechanism
The phishing emails claim that a developer’s extension will be removed for copyright infringement unless they appeal within 48 hours, creating urgency and fear.
| Stage | Technique | Impact |
|---|---|---|
| Fake Copyright Notice | Email impersonating Chrome Web Store | Urgency and fear of extension removal |
| Counterfeit Appeal Page | Hosted on dmca-chrome-extensions[.]click | Collects extension ID and developer details |
| Fake Sign‑In Window | Embedded graphic imitating accounts.google.com | Harvests Google credentials |
| Account Compromise | Attackers access developer dashboard | Push malicious updates to users |
Everything about the phishing page looks authentic — complaint number, countdown clock, and layout identical to Google’s communications.
When a developer enters their extension ID, the site fetches the real extension name, icon, and listing from the Chrome Web Store, making the fake complaint appear legitimate.
Technical Insights
The scam domain dmca-chrome-extensions[.]click poses as a “Chrome Web Store Developer Policy Center”, using Google’s branding and interface.
The fake sign‑in window is particularly deceptive — it displays a padlock and the familiar accounts.google.com address bar, but it’s actually a static image embedded in the page.
Attackers even tailor the window’s appearance based on whether the victim uses Mac or Windows, increasing realism.
A simple test can expose the fraud: drag the window beyond the browser edge. A genuine pop‑up moves freely; the fake one disappears when minimized.
How to Protect Your Developer Account
Malwarebytes researchers recommend several immediate actions:
- Never click links in warning emails — genuine notices appear only in your Chrome Web Store dashboard.
- Ignore countdown clocks and urgent deadlines — legitimate policy processes never rush you.
- Verify the address bar — ensure the domain is truly accounts.google.com.
- Enable two‑step verification — use passkeys or hardware security keys to block unauthorized access.
- Change passwords immediately if credentials were entered on the scam page.
- Review extension listings for any new versions not published by you.
Indicators of Compromise (IoCs)
| Type | Indicator | Description |
|---|---|---|
| Domain | dmca-chrome-extensions[.]click | Fake Chrome Web Store phishing page used to harvest Google developer credentials |
(Note: IP addresses and domains are intentionally defanged to prevent accidental resolution. Re‑fang only within controlled threat intelligence platforms.)
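The address-bar check and the indicator above can also be applied to inbound mail before a developer ever sees the link. The following Python is an added example, not code from Malwarebytes or the original article; the trusted-host list, lure terms, verdict names and sample message are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# IoC from the article, stored defanged; refanged in memory only for matching.
IOC_DOMAINS = ["dmca-chrome-extensions[.]click"]
# Assumption: the only hosts a genuine sign-in or store link should point to.
TRUSTED_HOSTS = {"accounts.google.com", "chromewebstore.google.com"}
# Assumption: lure wording taken from the article's description of the emails.
LURE_TERMS = ("copyright", "chrome web store", "48 hours", "appeal")
URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s<>\"')]+", re.IGNORECASE)

def refang(text: str) -> str:
    """Undo common defanging and typographic hyphens picked up from web pages."""
    text = re.sub(r"^hxxp", "http", text.strip(), flags=re.IGNORECASE)
    text = text.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"[\u2010-\u2015]", "-", text).lower()

def extract_hosts(body: str) -> list:
    """Hostname of every URL in the text, with userinfo and path stripped."""
    hosts = []
    for raw in URL_RE.findall(body):
        host = urlsplit(refang(raw)).hostname  # ignores any user@ prefix
        if host:
            hosts.append(host.rstrip("."))
    return hosts

def triage(body: str) -> dict:
    """Verdict for one email body: IoC match, untrusted links, lure wording."""
    iocs = {refang(d) for d in IOC_DOMAINS}
    hosts = extract_hosts(body)
    ioc_hits = sorted({h for h in hosts
                       if h in iocs or any(h.endswith("." + d) for d in iocs)})
    untrusted = sorted({h for h in hosts if h not in TRUSTED_HOSTS})  # exact match
    lure = [t for t in LURE_TERMS if t in body.lower()]
    verdict = ("block" if ioc_hits
               else "quarantine" if untrusted and len(lure) >= 2 else "allow")
    return {"verdict": verdict, "ioc_hits": ioc_hits,
            "untrusted": untrusted, "lure": lure}

# Constructed sample message modelled on the lure described above.
SAMPLE = (
    "Subject: Chrome Web Store copyright removal notice\n"
    "Your extension will be removed unless you appeal within 48 hours:\n"
    "hxxps://dmca-chrome-extensions[.]click/appeal\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Trusted hosts are compared by exact match, so a hostname that merely begins with or contains accounts.google.com is still reported as untrusted.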
Expert in the Cloud Insight
This campaign demonstrates how trust exploitation has become the new frontier of phishing. By leveraging real extension data and authentic branding, attackers bypass traditional skepticism and target the developer supply chain — a vector capable of impacting thousands of users at once.
For defenders, the lesson is clear: developer accounts are high‑value targets. Continuous education, multi‑factor authentication, and domain verification are now non‑negotiable for anyone publishing browser extensions.