back to article Hacked Chrome web dev plugin maker: How those phishers tricked me

The chap behind Chrome Web Developer, a popular third-party extension that was briefly hijacked to inject ads into browsers, today confirmed he was the victim of a phishing attack. Chris Pederick, a Brit living abroad in San Francisco, California, said he received an email on Tuesday claiming to be from Google warning that his …

  1. JimC Silver badge
    Alert

    There's a big lesson in this

    And it is that it doesn't matter who you are or how much you know, its still painfully easy to get caught out by the criminals because we have built an infrastructure that's fundamentally insecure.

    And this is why everyone who bleats about end users being the problem because they won't adopt super unique passwords, or whatever other precautions is themselves part of the problem. We have to get to an IT infrastructure where its easier to do it the right secure way than it is to do things the wrong way. The trouble is a lot of sacred cows will have to go by the wayside for that to happen.

    1. Anonymous Coward
      Holmes

      Re: There's a big lesson in this

      The other big lesson? Blame it all on the Russians.

      I mean, how could any of us be responsible for any of our security mistakes, when big, bad Putin is inside our computers all the time.

  2. Adam 52 Silver badge

    "I seem to constantly be logged out of my Google account, so having to log in is not unusual"

    This.

    I've given up checking the cert on accounts.google.com or even checking that it isn't accounts.goggle.com; the stupid login page seems to pop up randomly at unexpected times. At first I found it suspicious, but it happens so often that now I just type in a password without checking.

    1. Anonymous Coward
      Anonymous Coward

      "At first I found it suspicious, but it happens so often that now I just type in a password without checking."

      Exactly why I use 2FA.

  3. Amorous Cowherder

    Kudos to the guy for admitting it was his own fault and doing his very best to sort it out ASAP, given the piss-poor example set by PR agencies these days it's good to see there's still honest people about. As my Granny used to say, better to own up and face the music now than be found wanting later when it's far too late.

    1. Pompous Git Silver badge
      Joke

      "As my Granny used to say, better to own up and face the music now than be found wanting later when it's far too late."
      As my grand-daddy used to say: "You can fool some of the people some of the time. And you can jerk the rest off!"

      1. psychonaut
        Joke

        "You can fool some of the people some of the time. And you can jerk the rest off!"

        wow, what sort of work did he do? transvestite rent boy? ;)

      2. Solarflare

        As my grand-daddy used to say: "You can fool some of the people some of the time. And you can jerk the rest off!"

        I'm not wholely convinced that he was talking about the same sort of situations...or that he should have been allowed near children.

        1. Pompous Git Silver badge

          "I'm not wholely convinced that he was talking about the same sort of situations...or that he should have been allowed near children."
          Fortunately the scope of that joke is restricted to those 18 years and older ;-)

    2. Jim Cosser

      ^ This 'We take security very seriously, we have reviewed and improved our processes' I'd much rather have someone say 'I dropped one here' as this guy has.

  4. Flocke Kroes Silver badge

    The other big lesson

    When you hijack someone else's account, change the password promptly.

    1. Stuart 22

      Re: The other big lesson

      "When you hijack someone else's account, change the password promptly."

      Nope - that will be sure to generate an automated email to the owner which will alert them to the compromise. Bad boys will do the worst very quickly and just disappear.

      1. DropBear Silver badge

        Re: The other big lesson

        "that will be sure to generate an automated email to the owner which will alert them to the compromise"

        I don't know about that - my phone pings me (and it even has a bloody persistent notification status icon all just for this, without me having installed anything FFS!) before I even raised my hands from typing the password logging in from a PC Google thinks it doesn't like; even having entered the correct (long!) password at the first try, even from the same geographic area as usual, with an IP that hasn't changed for literally decades, from which it saw me log in numerous times - my browser just don't have its latest and greatest cookie since I purge them at the end of session on this machine...

        Somewhat ludicrously, I also get alerted by email, which I'm (as a suspected fraud) free to delete for a "real owner" never to see assuming "he" doesn't have a push-email receiving device and checks his mail the old fashioned way, periodically. So yeah, I'm not sure what if anything more doing stuff like changing a password would trigger, given I see the whole nuclear spectacle for simply logging in from anywhere but home, from the one browser I allow to keep cookies persistently...

        Actually it's rather like Google rubber-stamping me on each login (the way some parties/clubs do once you enter) then slamming me against the wall and yelling "who are you and what did you do with the real DropBear?!?" each time I take a shower...

  5. Arachnoid

    Lucky it was a security app developer..........

    Can the restricting of access to accounts from only certain I.P. address help in such situations?

    1. Anonymous Coward
      Anonymous Coward

      Re: Lucky it was a security app developer..........

      Having a client-side certificate would be better...

    2. thegroucho
      Big Brother

      Re: Lucky it was a security app developer..........

      I am sure you can quickly read up on number of incidents when whole IP blocks have been announced by people other than their original owners.

      Some like the Pakistan Telecom Youtube brouhaha have likely been fat finger/incompetence.

      Other cases while portrayed as such (human error, etc.) have more likely been orchestrated by state players.

      So - back to restricting access based on IP ... it works until somebody hijacks the BGP announcement.

    3. CrazyOldCatMan Silver badge

      Re: Lucky it was a security app developer..........

      access to accounts from only certain I.P. address help in such situations

      Not really. Under quite a lot of situations (mobile access, use at work, etc etc) you can't really know what your IP address is going to be. And even if you do find out, those addresses won't be under your control and are subject to change without warning.

      It might tighten up security a bit (subject to the limitations of other people also on the shared network with you will also have access) but the admin overhead would be too much.

  6. Adam 1 Silver badge

    injecting advertisements?

    Seriously, the miscreants gain total pwnage of a developer plugin with millions of users through clever social engineering but all they want is a tiny click through percentage. Something tells me that either we haven't heard the whole story yet or the developer should purchase some lottery tickets.

  7. Anonymous Coward
    Anonymous Coward

    2017, and email clients still allow hyperlinks ?

    Am I alone in thinking that while not a silver bullet, just forcing people to cut email hyperlinks out and paste into a browser, rather than helping make them live would be a start ?

    1. Anonymous Coward
      Anonymous Coward

      Re: 2017, and email clients still allow hyperlinks ?

      Yes, you are alone in that :)

    2. JimC Silver badge

      Re: 2017, and email clients still allow hyperlinks ?

      Integrating html and email was never a good idea from a security point of view.

      1. CrazyOldCatMan Silver badge

        Re: 2017, and email clients still allow hyperlinks ?

        Integrating html and email

        You read my mind. For me, emails should still be 7-bit ascii :-)

    3. Anonymous Coward
      Anonymous Coward

      Re: 2017, and email clients still allow hyperlinks ?

      When the mail client is a web browser itself.... at least some good mail client disable hyperlinks if they spot anything strange. But GMail didn't catch the phishing email, it looks, all the mighty Google AI couldn't...

    4. Ken Moorhouse Silver badge

      Re: 2017, and email clients still allow hyperlinks ?

      I have various customers where I've installed a program where the mail server disables links that are embedded in html. Works well apart from the occasional gripe that the link has to be copied, pasted and edited before it can be accessed.

      It really is impossible these days to judge the bona fides of senders. For instance, would you associate zapiermail.com as being genuinely coming from Facebook? And, if you are used to that state of affairs, how would you know if it was spoofed to appear as if it was coming from Facebook?

      A big moan I've mentioned in these columns before is BT's use of custhelp.com to offer help to their customers. Last time I looked custhelp.com was registered to Oracle, but if you're not an IT person that doesn't mean a thing.

      1. Anonymous Coward
        Anonymous Coward

        Re: 2017, and email clients still allow hyperlinks ?

        What software is that, does it work with Exchange? It's something I've been looking for.

        1. Ken Moorhouse Silver badge

          Re: What software is that, does it work with Exchange?

          It doesn't work with Exchange. I use Mdaemon which gives the flexibility to run an external program as part of its message processing routine, it takes the message filename as a command line parameter and you can then do whatever you want to the message so long as it's fast doing so, and doesn't crash. I use Delphi for anything like this.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019