CopyPhish: a recent case of a successful contextualized phishing attack which resulted in the theft of an SME's entire IP and also damaged its reputation

Written by Enrico Frumento, CEFRIEL

This recent attack dates back to the end of July / beginning of August and raises some interesting issues about the tangible and intangible assets stolen from an SME.

First of all, these are the simple facts:


The attack

The affected company, A9T9, produces Copyfish, a quite good OCR browser extension (apparently installed about 37,000 times). Ironically, given their name (the hashtag #CopyPhish appeared on social media almost immediately), they fell for a well contextualized phishing attack, as they explained themselves. The mail is not that original, actually, but original enough to support the attacker's business plan. The mailbox the phishing attempt was sent to belongs to the extension developer and was not protected with 2FA, yet it was publicly known because it was hard-wired into the add-on itself. The specific element of this attack is that it was purely human-related: it involved only humans and exploited weaknesses in the internal human-factor policies. There is not a single bit of technological exploitation, nor any infection of their systems. Everything happened because of a human error. It is a pure Human Attack Vector.

At first sight the phishing email may look like a relatively simple trick, but a deeper analysis reveals something more.

  • It is useful to remember that contextualized phishing does not have to be very complex: being highly contextualized, it only needs to be smarter than the victims.
  • The hook, or the meme, is very similar to the CEO Scam type of phishing [1]: it relies on impersonation and on the authority of the impersonated party to create a pretext and get the victim to voluntarily perform the exfiltration (which becomes hard to spot this way).
  • A CEO Scam works this way; if you change a few terms, the situation becomes:
    1. Fraudsters gather publicly available information, usually through the Internet, about the company to be targeted.
    2. They find out details of the development structure, and which employees are authorized to handle source code (rather than cash) transfers.
    3. The criminals use this data to impersonate the head of the company (here, Google) and coerce the developer into uploading the entire source code of their extension to a designated site.

The result is a number of stolen assets: the IP, the A9T9 reputation, the whole source code, and the credentials of the Google Chrome extension store account.


The company is relatively small and produces an extension with a good reputation and strong specialized IP. Reputation in the browser-extension market is usually quite important, because this market is filled with fake, adware or rogue extensions. Customers need to trust the people behind these products; otherwise they do not install anything, or they write negative comments.

These guys fell for a very contextualized phishing attempt, which resulted in the theft of their entire source code (actually their entire IP) and their Google Chrome add-on store credentials. Through their legitimate account, the extension was immediately taken down and a modified, trojanized version was distributed from another account. The attack had a further impact, because both their reputation and their IP, two intangible assets, got compromised.


Interestingly, the situation was solved only thanks to the hype around this case, which convinced Google to step in and fix the problem. This was because the early effects of a reputation contamination were already visible on social media, associating the A9T9 problems with a generic problem of Chrome (not surprisingly, social media carried a lot of negative comments about the overall insecurity of the Chrome and Google ecosystems).


The attack is extremely interesting for a number of reasons:

  1. The uniqueness of the product and company names makes it simple to track down on the Internet what is happening.
  2. The consequences on intangible assets, which affected both A9T9 and Google, and both their remediation strategies (mentioned above).
  3. The attack is relatively simple and the social engineering tricks used are evident, yet very efficient: a proof that the road to effective defences against SE is a long one.
  4. The company is small and the consequences are easy to track, as are the remediation strategies: quite classic, not always correctly handled, but in the end effective.
  5. The attacker proved to have made an unexpectedly lucky bet, because what he did after getting the A9T9 credentials was to monetize the asset by distributing a version of the extension trojanized with advertisements. A quite simple and ready-made strategy. A lot of additional damage was possible, ranging from injecting malware into the user community to checking for reuse of the password on other A9T9 accounts.


Update

There is an interesting update to the story. Apparently the attackers realized how juicy these low-hanging fruits were and managed to attack, in exactly the same way, another Chrome extension developer. “The method the attackers used to compromise the extension’s account is the same one that was so successful a few days ago against the developers of the Copyfish Chrome extension: a phishing email impersonating the Chrome Web Store team, with a link that points to a site mimicking Google’s customer support system.”

https://www.helpnetsecurity.com/2017/08/03/chrome-extension-hijacked/
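A small defensive check suggested by the lure described above, as an added example that is not part of the original post: it parses the HTML body of a mail and flags links whose visible text, path or host invokes Google or the Chrome Web Store while the link actually resolves to a registrable domain outside Google's. The sample mail and its domains are constructed for the example, and the list of legitimate domains is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand terms the lure in this case invoked ("Chrome Web Store team", Google support).
BRAND_WORDS = ("google", "chrome", "webstore", "web store")
# Registrable domains treated as legitimately Google's (assumption for this example).
LEGIT_DOMAINS = {"google.com", "chrome.com", "withgoogle.com"}

class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(url):
    """Naive eTLD+1: the last two labels of the host (enough for .com-style lures)."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def suspicious_links(html_body):
    """Return hrefs that invoke the brand (in host, path or link text) but resolve outside LEGIT_DOMAINS."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.anchors:
        if urlparse(href).scheme not in ("http", "https"):
            continue  # mailto: and relative links are out of scope here
        mentions_brand = any(w in f"{href} {text}".lower() for w in BRAND_WORDS)
        if mentions_brand and registrable_domain(href) not in LEGIT_DOMAINS:
            flagged.append(href)
    return flagged

# Constructed sample modelled on the lure described in the post; the domains are placeholders.
SAMPLE_MAIL = """<p>Dear Developer, your item violates the Chrome Web Store policy.</p>
<p>Review it at <a href="https://chrome-webstore.support-example.test/case/123">
https://chrome.google.com/webstore/developer/dashboard</a></p>
<p>Help: <a href="https://support.google.com/chrome_webstore/">Google Support</a></p>"""

if __name__ == "__main__":
    print(suspicious_links(SAMPLE_MAIL))  # → ['https://chrome-webstore.support-example.test/case/123']
```

The visible text of the first link is a genuine-looking Google URL while its href goes elsewhere; that mismatch, not the wording of the mail, is what the check keys on.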


[1] “[ALERT] FBI: CEO Fraud Is Now 5.3 Billion Email Scam”, KnowBe4, https://blog.knowbe4.com/alert-fbi-ceo-fraud-is-now-5.3-billion-email-scam

This project has received funding from the European Union’s Horizon 2020 Research and Innovation programme, under grant agreement No. 653618