Copyfish software hijacked in phishing attack

The Google Chrome version of Copyfish, a browser plugin that allows users to copy text from videos and images, has been hacked after its publisher fell for a phishing scam.

The hackers, posing as Google, emailed a developer at a9t9 claiming that the company needed to update Copyfish or it would be removed from the Play store. The developer clicked on the attached link and provided their login details, inadvertently handing this information to the hackers.

The hackers then infested the app with adware and moved the Copyfish for Chrome code to a different account, meaning the developers couldn’t access their own product.

Developer regains control

According to Naked Security, “the rogue ad-serving component works by ‘calling home’ to a third-party website to fetch unauthorised JavaScript code.” a9t9 blocked the website so that the rogue ads it delivers never appear, but as the company noted: “[W]e still have no control over Copyfish, so there is a chance that the thieves [could] update the extension once more.”

The next day, a9t9 announced that it had regained control of the app and that Google had disabled the infected version.

Learn from a9t9’s mistakes

After a9t9 resolved the issue, it left the blog post detailing the events online “for others to learn – so hopefully they do not make the same mistake as we did.”

What lessons are there to learn? Let’s begin with the phishing email:

Your Google Chrome item, “Copyfish Free OCR Software,” with ID: [redacted] did not comply with our program policies and will be removed from the Google Chrome Web Store unless you fix the issue.

Please login to your developer account [link redacted] for more information.

Although the message is “vaguely believable,” as Naked Security writes, there are signs that it isn’t right, such as “did not comply” instead of “does not comply.” Naked Security also comments that the login link, which used a non-Google link-shortening service, should have been a red flag.
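The link red flag described above can be checked mechanically. The following is an added example, not code from a9t9 or Naked Security: it extracts the links from a message that claims to come from Google and flags any whose host is a link shortener or is not a Google domain. It goes slightly beyond the text by also catching lookalike hosts and `user@host` links. The domain lists and the sample message links are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: domain suffixes the claimed sender (Google) uses for sign-in links.
EXPECTED_SUFFIXES = ("google.com",)
# Assumption: a small sample of public link-shortening hosts, not an exhaustive list.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly", "is.gd"}
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def host_matches(host, suffixes):
    """True if host equals a suffix or is a subdomain of it (label-aligned)."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def review_links(body, expected_suffixes=EXPECTED_SUFFIXES):
    """Return (url, host, reasons) for each link that fails the sender check."""
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;")  # drop sentence punctuation glued to the link
        try:
            parts = urlsplit(url)
        except ValueError:
            findings.append((url, "", ["URL cannot be parsed"]))
            continue
        host = (parts.hostname or "").lower().rstrip(".")
        reasons = []
        if host in SHORTENERS:
            reasons.append("link shortener hides the real destination")
        if not host_matches(host, expected_suffixes):
            reasons.append("host is not a domain of the claimed sender")
        if parts.username is not None:
            reasons.append("text before '@' is not the real host")
        if reasons:
            findings.append((url, host, reasons))
    return findings


# Constructed sample: wording from the quoted message, with made-up links
# (the real link is redacted on the page and is not reproduced here).
SAMPLE = (
    "Your Google Chrome item did not comply with our program policies.\n"
    "Please login to your developer account https://tinyurl.com/EXAMPLE\n"
    "Policy reference: https://accounts.google.com/signin\n"
    "Mirror: https://accounts.google.com@login.example.net/dev\n"
)

if __name__ == "__main__":
    for url, host, reasons in review_links(SAMPLE):
        print(f"{host}: {'; '.join(reasons)}")
```

A check like this only covers the link itself; it does not replace verifying the sender or signing in through a bookmarked developer dashboard URL.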

It’s possible that the developer who responded did so out of complacency. Copyfish isn’t well known, having about 35,000 users, so it’s easy to think that it would be of little interest to hackers. This thinking is wrong for two reasons. First, hackers often attack organizations indiscriminately, focusing on exploitable weaknesses (human or technological) rather than specific companies. Second, 35,000 users represents a lot of potential victims, allowing cyber criminals to generate a great deal of fraudulent ad views in a relatively short time.

Test your employees

You can evaluate your employees’ vulnerability to malicious emails with our Simulated Phishing Attack. It tests your staff’s responses to phishing emails and helps you to take immediate action to reinforce training or staff awareness. It can also help to:

  • Satisfy compliance and regulatory requirements
  • Adapt future testing to areas and employees at greatest risk
  • Reduce the number of employee clicks on malicious emails
