Threat Watch

Phishing Campaign Targeting Chrome Extension Developers

A new phishing campaign was seen last week targeting multiple Google Chrome extension developers. The attackers masqueraded as Kevin Murphy (dev-support@webstoredevsupport[.]com), who claimed to be an employee on the Chrome Web Store Team. The attackers attempted to scare developers into filling out a Google form with a valid postal address, claiming that their account would otherwise be suspended due to a new “Google policy.” Developers who clicked the link were redirected via the domain usgbc.org. The link, https://[extension_ID].usgbc.org/forms/?ext_id=[extension_ID]&authuser=[email], would take users to “profile.chromewebstoresupport[.]com” and then ask them to sign into their Google account. If this link was clicked, users would be redirected to another page (https://login.chromewebstoresupport[.]com) to log in to their Google account. More than likely, the attackers obtained some new credentials for Chrome extensions through the campaign.
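The indicators above can be turned into a matching check for mail and web-proxy logs. This is an added example, not part of the original report: the function names, the `(user, URL)` log layout and the sample entries are assumptions constructed for illustration, and the 32-character a-p extension ID format is general Chrome behaviour rather than something the report states.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the report above, refanged for matching only.
SENDER_DOMAIN = "webstoredevsupport.com"
LOGIN_DOMAIN = "chromewebstoresupport.com"
REDIRECT_DOMAIN = "usgbc.org"
# Chrome extension IDs are 32 characters drawn from a-p (general fact, not from the report).
EXT_ID = re.compile(r"^[a-p]{32}$")

def refang(value):
    """Undo common defanging so log values and indicators compare equally."""
    return value.strip().lower().replace("[.]", ".").replace("hxxp", "http")

def in_domain(host, domain):
    """Match the domain or its subdomains, never look-alike suffixes."""
    return host == domain or host.endswith("." + domain)

def classify_url(url):
    """Return the stage of the reported chain that a URL matches, or None."""
    parts = urlsplit(refang(url))
    host = parts.hostname or ""
    if in_domain(host, LOGIN_DOMAIN):
        return "credential-page"
    if in_domain(host, REDIRECT_DOMAIN) and parts.path.startswith("/forms"):
        query = parse_qs(parts.query)
        ext_id = query.get("ext_id", [""])[0]
        # Reported shape: extension ID is both the subdomain label and ext_id.
        if EXT_ID.match(ext_id) and host.split(".")[0] == ext_id and "authuser" in query:
            return "redirector"
    return None

def classify_sender(address):
    """Flag mail whose sender domain is the one named in the report."""
    return in_domain(refang(address).rpartition("@")[2], SENDER_DOMAIN)

# Constructed sample entries (user, URL); not data from the campaign.
FAKE_ID = "abcdefghijklmnop" * 2
SAMPLE_LOG = [
    ("dev1", f"https://{FAKE_ID}.usgbc.org/forms/?ext_id={FAKE_ID}&authuser=dev1@example.com"),
    ("dev1", "https://login.chromewebstoresupport[.]com"),
    ("dev2", "https://www.usgbc.org/forms/contact"),
    ("dev3", "https://notchromewebstoresupport.com/login"),
]

def scan(log):
    """Return (user, stage) for every entry that matches the reported chain."""
    return [(user, stage) for user, url in log if (stage := classify_url(url))]
```

The redirector rule is deliberately narrow: it requires the URL shape given in the report, so other traffic to usgbc.org is not flagged.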

ANALYST NOTES