A popular free optical character recognition (OCR) extension for web browsers called Copyfish was hijacked by attackers who used the extension to spew spam.
According to a statement released Sunday by Copyfish's distributor, A9t9 Software, only the Google Chrome extension was hijacked; other versions of Copyfish, such as the Firefox extension, were not affected. In a blog post published Monday, the company said the trouble began on Friday, when it received an email purporting to come from Google warning that the Copyfish extension violated program policies and would be removed from the Chrome Web Store unless the issue was fixed. The note read:
> “Your Google Chrome item, ‘Copyfish Free OCR Software,’ with ID: [redacted] did not comply with our program policies and will be removed from the Google Chrome Web Store unless you fix the issue. Please login to your developer account [link redacted] for more information.”
Next, an unsuspecting team member clicked on a link and up popped a “Google” password dialog box. “The unlucky team member entered the password for our developer account,” according to a statement by the company A9t9 Software.
As a result, on Saturday the Chrome version of Copyfish was automatically updated to a rogue release (v2.8.5) in an unspecified number of browsers. The following day, Copyfish's developers noticed that the new version was inserting ads and spam into the websites users visited.
“We noticed the effect ourselves, as we, of course, run Copyfish on our machines. But it took a while until we realized it was indeed our own extension that caused the adware dialogs,” the company said in the statement.
Then it got worse, the company said.
“We logged into our developer account and boom—our Copyfish extension is gone! It seems the hackers/thieves/idiots moved it to THEIR developer account. We currently have no access to it!” wrote the company.
According to A9t9, it has lost control of the Chrome extension and even the ability to disable it in affected browsers. “So far, the update looks like standard adware hack, but, as we still have no control over Copyfish, the thieves might update the extension another time… until we get it back. We cannot even disable it – as it is no longer in our developer account.”
On Monday, a Copyfish user posting to Hacker News noted that the hijackers were serving the adware payload through UNPKG.com, a CDN that delivers files from packages published to the npm (Node Package Manager) registry.
“I reached out to both services to have it shut down. Hopefully that will at least kill it temporarily,” wrote the good Samaritan on Hacker News.
That stopped the adware for now, according to Copyfish's developers. “The problem is that we still have no control over Copyfish, so there is a chance that the thieves update the extension once more,” the company wrote.
The company said it is currently working with Google developer support to help coordinate a fix. No other information is available.
In hindsight, A9t9 Software said there were small but important tells that should have tipped off any developer that something fishy was going on. For starters, the supposed Google Tech Support email that asked A9t9 Software to fix its Copyfish listing sent the engineer to a free instance of the web-based customer support platform Freshdesk.
“I remember thinking ‘So Google uses Freshdesk? That is interesting…’,” recalled the author of the A9t9 Software blog on the extension snafu.
Another missed red flag was that the phishing email used a Bitly link not immediately visible to the email recipient because the email was HTML-based. “That is another lesson learned: Back to standard, text-based email as the default,” the company said in its blog post.
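As an added illustration of that last lesson (this is example code, not A9t9's or the article's), the following Python script pulls every anchor out of an HTML mail body and flags the properties this lure relied on: a href on a known URL-shortener host, a host outside the sender's expected domain, and visible link text that disagrees with the real href. The sample email body, the shortener list and the bit.ly path are constructed placeholders; `expected_domain` is an assumed parameter you would set to the legitimate sender's domain.

```python
"""Added example: surface the real destinations behind links in an HTML e-mail.

Not code from A9t9 or from the article. The sample e-mail body below is
constructed to resemble the lure described; the domains and the shortener
list are illustrative placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a small, illustrative set of shortener hosts, not an exhaustive list.
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "goo.gl", "t.co", "tinyurl.com", "ow.ly"}


class LinkExtractor(HTMLParser):
    """Collect (visible_text, href) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, or None
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL, or '' when it has none."""
    return (urlparse(url).hostname or "").lower()


def same_site(host, expected_domain):
    """True when host is expected_domain itself or one of its subdomains."""
    return host == expected_domain or host.endswith("." + expected_domain)


def audit_links(html, expected_domain):
    """Return one (visible_text, href, flags) tuple per link in the HTML body."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        flags = []
        host = host_of(href)
        if host in SHORTENER_HOSTS:
            flags.append("shortener")
        if not same_site(host, expected_domain):
            flags.append("off-brand-host")
        # Visible text that itself looks like a URL but resolves to another host.
        if text.startswith(("http://", "https://")) and host_of(text) != host:
            flags.append("text-href-mismatch")
        findings.append((text, href, flags))
    return findings


# Constructed sample body, shaped like the lure the article describes.
SAMPLE_EMAIL = """
<p>Your Google Chrome item did not comply with our program policies.</p>
<p>Please <a href="https://bit.ly/xxxxxxx">login to your developer account</a>
for more information.</p>
<p>Reference: <a href="https://chrome.google.com/webstore/">chrome.google.com/webstore</a></p>
"""

if __name__ == "__main__":
    for text, href, flags in audit_links(SAMPLE_EMAIL, "google.com"):
        print(f"{text!r:45} -> {href}  {flags or 'ok'}")
```

Run against a mail client's raw HTML part, the script turns the hidden destination into something a reader can see before clicking; the "shortener" and "off-brand-host" flags are exactly the two signals a plain-text view of this email would have exposed.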