A new phishing campaign was seen last week targeting multiple Google Chrome extension developers. The attackers were masquerading as Kevin Murphy (dev-support@webstoredevsupport[.]com), who claimed to be an employee that is part of the Chrome Web Store Team. The attackers made an attempt to scare the developers into filling out a Google form with a valid postal address or their account will be suspended due to a new “Google policy.” For the developers that clicked the link, they were redirected, via the domain usgbc.org. The link, https://[extension_ID].usgbc.org/forms/?ext_id=[extension_ID]&authuser=[email], would take users to “profile.chromewebstoresupport[.]com” and then ask them to sign into their Google account. If this link was clicked, users would be redirected to another page (https://login.chromewebstoresupport[.]com) to login into their Google account. More than likely, the attackers obtained some new credentials for Chrome extensions due to the campaign.
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in