One nice thing about writing developer-facing applications is I know I'll never get famous.
Most of the stuff I publish is generally used by 15-100 people. So imagine my surprise when over the course of ten days in October, one of my extensions jumped from 100 users to over 19,000. The extension in question was jQuery Injector, which is too niche for that sort of uptake. Clearly something was afoot.
Even more suspicious was how abruptly they stopped. Monitoring the uninstallations, one would expect after a legitimate spike to see a spike in uninstallations as well, as people try out the extension and realize they don't need it. Again, not so.
So to me, the next question is "why?" Why target a niche extension with a botting attack? At this point, I would imagine the extension had roughly 1,000 "legitimate" users. This is a paltry number for any type of botnet attack.
Then in the beginning of November, I started to receive some interesting emails, all from Russian sources. Their names were all combinations of common Russian names (think "John Smith"-esque). All had some format similar to the following:
I have found that you are developer of Chrome extension jQuery Injector. I'm interested in acquiring your extension, can you contact me back so we can talk more about it?
I'm not a smart man, but I know when something is fishy. I messaged a few of them back, and they all had the following outline:
- They were prepared to offer me $1,000.
- They had no interest in the source code. At all. They didn't even care if I literally just changed the name and released the same.
- They just wanted access to the extension.
- They were all individuals, not companies.
This should be rather suspicious to anyone who works in software. From here I cut contact, so the following are my conjectures.
I think two types of scam are happening here.
Option 1: Adware. Before I cut contact, I managed to tease out from a few of the prospectors that they just wanted me to add a "small" script to the code. They were elusive on the purpose of the script, but assured me it was not harmful. Their game plan was to bump a relatively unknown extension up on the Chrome store, get more legitimate installs, and then have the developer sneak in adware that wouldn't be expected from such a source.
Option 2: Account takeover. All the prospectors were elusive on how the transfer was supposed to take place, along with the payment aspect. Their game plan was to target a small developer, hope the installs go to his head and have him think that he is getting a great deal selling one of his extensions. From there, gain access to the account and cancel the transaction. Once in, infect all his extensions with malware or adware.
Overall, an interesting approach - I'm curious about the success rate.