One lousy click: the phishing blunder that sank an entire product

Do you need to extract text from images, videos or PDFs?

Not only is there an app for that, it turns out there’s even a browser plugin called Copyfish to help you, too.

Copyfish is supposed to let you grab subtitles from films, captions from cartoons, and so on, while you’re browsing.

(We’re assuming that the name is a pun on HHGttG’s Babelfish, the eel-like creature you stick in your ear that automatically translates everything you hear into your own language.)

Unfortunately, the Copyfish software project is in all sorts of crisis right now, thanks to a phishing attack over the weekend.

In Copyfish’s case, it seems very much that an injury to one ended up being an injury to all.

According to the creators of the Copyfish tool, this is what happened:

  • An email arrived, apparently from Google, telling Copyfish that its plugin wasn’t compliant with the Chrome Web Store rules and might be removed.
  • The email included a handy link that supposedly went to the relevant developer dashboard so that Copyfish could look into it.
  • A helpful Copyfish developer decided to investigate, and clicked on the given link to log in.
  • The link was bogus, and so the developer ended up revealing the company password to a bunch of crooks.

What next?

After that, things happened quickly.

More ads and web spam than usual started appearing on Copyfish’s own computers.

After a while, Copyfish rather scarily figured out that the ads were being inserted by its own Chrome plugin.

Worse still, the infected version that was doing the adware injection was an update the company didn’t even know was out there.

The crooks who’d acquired the password had lost no time:

  • Locking Copyfish out of its own Chrome Web Store account.
  • “Upgrading” the plugin from version 2.8.4 to an unofficial release numbered 2.8.5 and adding in a bunch of ad-serving malware code.
  • Moving the Copyfish for Chrome code to a different account.

Presumably, the Copyfish developers all had automatic plugin updates turned on, so they’d unexpectedly acquired an unauthorised version of their own software.

The only word we can think of to describe this sort of situation is, “Ouch.”

Apparently, the rogue ad-serving component works by “calling home” to a third-party website to fetch unauthorised JavaScript code; Copyfish managed to get this rogue site blocked so that the rogue ads it delivers never appear.

But as the company noted earlier today: “we still have no control over Copyfish, so there is a chance that the thieves [could] update the extension once more.”

Ironically, Copyfish’s breach notification page invites you to sign up to the company’s newsletter “[i]f you want to get an email once the issue is fixed”…

…so watch out for further fake emails telling you that version 2.8.6 is ready!

What to do?

You might have expected professional web developers to be a bit more circumspect in a case like this – but apart from containing a suspicious link, the original email from the crooks was at least vaguely believable:

Your Google Chrome item, “Copyfish Free OCR Software,” with ID: [redacted] did not comply with our program policies and will be removed from the Google Chrome Web Store unless you fix the issue.

Please login to your developer account [link redacted] for more information.

To a native speaker of English, the wording here isn’t quite right (e.g. “did not comply” would read better if it were “does not comply”), and to a fluent techie, the login link – which used a non-Google link shortening service – should have been a red flag that something was wrong.

So here’s our advice to reduce the risk of account takeovers of this sort:

  • Don’t click on login links in emails. If you never click on login links, even when you trust the email, but always find the login page in a trusted way of your own, the crooks will find it much harder to phish you in this way.
  • Turn on two-factor authentication (2FA) whenever you can. 2FA means you need a one-time login code, as well as your username and password, every time you log in. That’s one more thing the crooks need to figure out every time they try to phish you.
  • Don’t feel pressurised to act when you receive what sounds like bad news via email. Ask for a second opinion from someone you actually know and trust – a nearby colleague, for instance – especially when the email apparently relates to an official company account.
  • Never believe the contact details provided in an email. If the email comes from an imposter, the contact details will lead back to the crooks, who will simply “confirm” any lies they told in the original email. Get details such as websites, email addresses and phone numbers from a trusted third party source that you found for yourself.
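As an added illustration of the red flag noted above (a “Google” login link that went through a non-Google shortener) and of the first piece of advice (don’t click login links in email), here is a small Python checker; it is not part of the original article or of Copyfish’s code. It pulls every URL out of an email body and flags hosts that are public URL shorteners or that are not under the domain the sender claims to be. The sample email is constructed from the wording quoted above, and the shortener path is a placeholder, since the real link was redacted.

```python
import re
from urllib.parse import urlparse

# Constructed sample, modelled on the wording of the phishing email quoted in the
# article. The real link was redacted, so the shortener path here is a placeholder.
SAMPLE_EMAIL = (
    'Your Google Chrome item, "Copyfish Free OCR Software," did not comply with our\n'
    "program policies and will be removed from the Google Chrome Web Store unless\n"
    "you fix the issue.\n"
    "Please login to your developer account https://bit.ly/PLACEHOLDER for more information.\n"
)

# Public URL-shortener hosts: a shortened link hides where a login page really lives.
KNOWN_SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "ow.ly", "is.gd"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def host_is_under(host: str, domain: str) -> bool:
    """True only if host equals domain or is a real subdomain of it.

    A substring test ('google.com' in host) would wrongly accept lookalikes
    such as accounts.google.com.evil.example, so match on label boundaries.
    """
    return host == domain or host.endswith("." + domain)


def classify_url(url: str, brand_domain: str) -> list[str]:
    """Return the reasons a login link is suspicious; an empty list means it passes."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    reasons = []
    if host in KNOWN_SHORTENERS:
        reasons.append(f"host {host!r} is a URL shortener hiding the destination")
    if not host_is_under(host, brand_domain):
        reasons.append(f"host {host!r} is not under {brand_domain}")
    return reasons


def check_login_links(body: str, brand_domain: str) -> list[tuple[str, list[str]]]:
    """Extract every URL in an email body and classify it against the claimed sender."""
    return [(url, classify_url(url, brand_domain)) for url in URL_RE.findall(body)]


if __name__ == "__main__":
    # The email claims to come from Google, so google.com is the only acceptable host.
    for url, reasons in check_login_links(SAMPLE_EMAIL, "google.com"):
        print(("SUSPICIOUS: " if reasons else "ok: ") + url)
        for reason in reasons:
            print("    - " + reason)
```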

Think before you click!