Hackers Use Fake Chrome Web Store Copyright Notices to Steal Google Credentials

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A new phishing campaign is targeting Chrome extension developers using fake copyright removal notices that look like official messages from the Chrome Web Store.

The scam tricks developers into entering their Google credentials on a counterfeit sign-in page, putting both their accounts and their users at serious risk. As browser extensions have become a regular part of everyday internet use, this type of targeted attack is growing harder to ignore.

The attack works by sending developers a notice claiming their extension is about to be removed for copyright infringement. The message gives the victim just 48 hours to appeal, creating a sense of urgency that pushes them to act fast.

Everything about the page looks real, including a complaint number, a live countdown clock, and a layout that mirrors Google’s own communications.

Analysts at Malwarebytes identified and documented this scam in a report shared with Cyber Security News (CSN), warning that it is sophisticated enough to fool even technically aware developers.

The scam page is hosted on a domain called dmca-chrome-extensions[.]click, which has no connection to Google, yet presents itself as a “Chrome Web Store Developer Policy Center” using Google’s real branding.

Fake page (Source – Malwarebytes)

The consequences of falling for this scam extend far beyond the developer. If attackers gain access to a developer account, they could push malicious updates to an extension already installed by thousands of users.

A single compromised account could silently affect a large number of people who had no reason to suspect anything was wrong.

What makes this campaign stand out is how well it exploits trust. It does not rely on vague threats or generic emails. Instead, it pulls in real, publicly available details about your actual extension to make the fake notice feel entirely personal and legitimate.

Hackers Use Fake Chrome Web Store Copyright Notices

When a developer enters their extension ID on the scam page, the site immediately fetches the extension’s real name, icon, and Chrome Web Store listing.

This information is publicly available, but seeing your own extension displayed alongside a fake complaint makes the threat feel genuine. The scam wraps all of this around a fabricated complaint number, a “date received,” and a countdown timer ticking down in real time.

Chrome Web Store listing alongside the fake complaint (Source – Malwarebytes)

The fake sign-in window that appears after clicking “Continue to verification” is one of the most convincing parts of the attack. It shows a padlock, a title bar, and an address reading accounts.google.com, but it is really just a graphic embedded within the scam page.

The attackers even customize its appearance based on whether the visitor uses a Mac or Windows device, making it look even more familiar.

One way to spot the fake is to try dragging the window beyond the browser’s edge. A real window moves freely, while this one stops at the border and vanishes when the browser is minimized.

How to Protect Your Developer Account

The researchers outlined several practical steps that developers can take right away to avoid falling victim. The most important one is straightforward: never follow a link in a warning email and assume it is real.

Any genuine notice about your extension will appear inside your Chrome Web Store developer dashboard, not on a third-party website.

Developers should treat any message that uses a countdown clock or tight deadline to force immediate action with deep suspicion.

Legitimate policy processes do not rush you. Always check your browser’s real address bar before entering login details, as the scam site’s domain will still be visible instead of accounts.google.com.

Turning on two-step verification using a passkey or hardware security key adds another layer of protection, since stolen passwords alone would not be enough for an attacker to break in.

If a developer has already entered their credentials on the scam page, they should change their Google password immediately, sign out of all active sessions, and review their Chrome Web Store listings for any new versions they did not publish.

Indicators of Compromise (IoCs):

Type: Domain
Indicator: dmca-chrome-extensions[.]click
Description: Fake Chrome Web Store phishing page used to harvest Google developer credentials

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
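The address-bar check and the indicator above can be turned into a log sweep. The following is an added example, not code from Malwarebytes or the original article: it flags requests to the listed domain and to hosts that merely contain a Google-looking name. The log format, the sample lines, the google.com trust rule and the brand-word list are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# IoC from the article, kept defanged; re-fanged only in memory for matching.
IOC_DOMAINS = ("dmca-chrome-extensions[.]click",)
TRUSTED_DOMAIN = "google.com"  # assumption: hosts under it are genuine Google
BRAND_WORDS = ("google", "chrome", "webstore")  # assumption: review-worthy words

def refang(value):
    """Undo defanging (hxxp, [.]) so the value can be parsed and compared."""
    return value.replace("[.]", ".").replace("hxxp", "http")

def host_of(url):
    """Lower-cased hostname of a URL; empty string if none can be parsed."""
    return (urlsplit(refang(url)).hostname or "").rstrip(".").lower()

def under(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)

def classify(url):
    """Return 'ioc', 'trusted', 'lookalike' or 'other' for one URL."""
    host = host_of(url)
    if any(under(host, refang(d)) for d in IOC_DOMAINS):
        return "ioc"
    if under(host, TRUSTED_DOMAIN):
        return "trusted"
    if any(word in host for word in BRAND_WORDS):
        return "lookalike"
    return "other"

def scan(log_lines):
    """Return (user, defanged host, verdict) for each ioc/lookalike request."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        verdict = classify(fields[2])
        if verdict in ("ioc", "lookalike"):
            hits.append((fields[1], host_of(fields[2]).replace(".", "[.]"), verdict))
    return hits

# Constructed sample log, "<timestamp> <user> <url>"; not real traffic.
SAMPLE_LOG = [
    "2025-01-01T10:00:00Z alice https://accounts.google.com/signin",
    "2025-01-01T10:01:00Z bob hxxps://dmca-chrome-extensions[.]click/",
    "2025-01-01T10:02:00Z carol https://accounts.google.com.example.test/login",
    "2025-01-01T10:03:00Z dave https://example.org/",
]
```

The third sample line shows why the comparison is made on the end of the hostname: a host that begins with accounts.google.com but ends in another domain is reported as a lookalike, not trusted.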
