Copyfish Chrome extension hijacked by attackers to serve up spam and adware

Copyfish, the free and popular optical character recognition (OCR) extension for Google Chrome, was hijacked by attackers over the weekend to unleash spam and adware on unsuspecting users. According to a statement released by German developer A9to9 Software, only the Google Chrome version of Copyfish, which is used to extract text from images and PDF files, was affected. The Firefox version was not touched and was working normally.

In a blog post on Sunday (30 July), the developer said one of its team members received an email claiming to be from Google on Friday saying they needed to update the Chrome extension or risk having it removed from the app store.

The unsuspecting staff clicked on the link in the email, which opened a new page requesting the user to input the company's Google developer account login credentials.

The hacker immediately uploaded a rogue version of the software (v.2.8.5), which went unnoticed by the company. The next day, the developers noticed that the new illegal version of Copyfish was inserting ads and spam into websites.

"We noticed the effect ourselves, as we, of course, run Copyfish on our machines," the developers said. "But it took a while until we realized it was indeed our own extension that caused the adware dialogs. Then it got worse."

The developers said they attempted to log into their Google developer account to find the cause of the problem when they discovered that the Copyfish extension code was gone. The hackers had moved the app to their own developer account and locked the A9t9 team out, they said.

"We currently have no access to it!" the team wrote on Sunday. "So far, the update looks like standard adware hack, but, as we still have no control over Copyfish, the thieves might update the extension another time... until we get it back. We can not even disable it — as it is no longer in our developer account."

On Monday, a Copyfish user submitted the team's blog post to the HackerNews forum where a reader there was able to help out.

"A HN reader that knows the UNPKG maintainer contacted him directly to get the malware npm packages removed (thanks!). This stops the adware for now," A9t9 said. However, they added that the fix was only temporary since they still did not have control over the app.

On Tuesday, Google support moved the Copyfish code back to the developers' account for them to upload a clean version of the app. Google also disabled the infected version on users' machines "to protect the users due to the changes made after the transfer from our account". In another update later the same day, the team confirmed that Copyfish was "back under our control" with the new clean and safe version of the Google Chrome extension reviewed by Google and available for download.

The threat actors behind the attack are still unknown. However, A9to9 noted: "The IP address and some more details were logged and point to a Macbook in St. Petersburg, Russia."

"You might have expected professional web developers to be a bit more circumspect in a case like this," Paul Ducklin, senior security advisor for Sophos wrote in a blog post. "But apart from containing a suspicious link, the original email from the crooks was at least vaguely believable."

He pointed out that the wording in the email was not quite right. He also noted that the phishing email used a non-Google link shortening service for the login link, which should have been another red-flag for the developers.

"Don't feel pressurised to act when you receive what sounds like bad news via email", he wrote. "Think before you click."