Phishing DMCA pages steal Google logins from Chrome developers
Phishing sites impersonate Google and display fake DMCA takedown notices with real extension names, icons and a 48‑hour countdown to trick Chrome extension developers into entering Google credentials.
Security researchers found phishing pages posing as Google’s developer policy portal that display fake DMCA takedown notices to capture Google credentials from Chrome extension developers.
The pages run on domains that are not owned by Google and prompt developers to paste an extension link or ID. The site then pulls public data from the Chrome Web Store and shows the extension’s real name, icon and store entry alongside a fabricated complaint number, a “date received” and a red countdown set to 48 hours.
After generating the notice, the page asks the developer to “verify identity” by signing in with Google. The login prompt is an embedded form on the malicious page, not a real accounts.google.com window. The form uses images of a lock icon and an accounts.google.com label to appear authentic, but it cannot be dragged outside the browser window and does not persist when the browser is minimized. Credentials entered into the form are sent directly to the attacker.
Analysis of a live sample identified dmca-chrome-extensions[.]click as a domain used in the campaign. The scam combines real extension metadata, Google branding and an urgent countdown to increase the chance that a developer will act without confirming the source.
If an attacker gains access to a developer’s Google account, they can alter an extension, publish malicious updates that reach users through automatic extension updates, and access other developer resources tied to the account.
Indicators of fraud include a login prompt that is embedded in the page instead of being served from accounts.google.com as shown in the browser address bar, a non‑draggable login window, and a sudden urgent countdown. Legitimate takedown notices and alerts for Chrome extensions appear in the Chrome Web Store developer dashboard, not on external web pages.
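The address-bar indicator above can be turned into a log-triage check. This is an added example, not code from the researchers: the keyword list, the threshold and every sample URL and path are assumptions, and only the defanged .click domain comes from the article.

```python
from urllib.parse import urlsplit

# Assumptions for this sketch: keyword list, threshold and the Google
# parent domain are illustrative choices, not values from the research.
SIGNIN_HOST = "accounts.google.com"
GOOGLE_PARENT = "google.com"
LURE_WORDS = ("dmca", "chrome", "extension", "google", "accounts")


def parse(url):
    """Return (scheme, host); re-fang '[.]' first, ('', '') if unparsable."""
    try:
        parts = urlsplit(url.replace("[.]", "."))
        return parts.scheme, (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return "", ""


def is_google_signin(url):
    """True only for https URLs whose host is exactly accounts.google.com."""
    return parse(url) == ("https", SIGNIN_HOST)


def lure_score(url):
    """Count lure keywords in a hostname that is not under google.com."""
    _, host = parse(url)
    if not host or host == GOOGLE_PARENT or host.endswith("." + GOOGLE_PARENT):
        return 0
    return sum(word in host for word in LURE_WORDS)


def triage(urls, threshold=2):
    """Return the URLs whose non-Google host has >= threshold lure words."""
    return [u for u in urls if lure_score(u) >= threshold]


# Constructed proxy-log URLs; only the defanged .click domain is from the article.
SAMPLE = [
    "https://chromewebstore.google.com/detail/example",
    "https://dmca-chrome-extensions[.]click/notice",
    "https://accounts.google.com.example.test/signin",
    "https://news.example.test/chrome-extension-dmca",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print("review:", hit)
```

The exact-host comparison is the important part: a hostname that merely starts with accounts.google.com, or a URL that places it before an `@`, is not the Google sign-in origin.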
Researchers recommend that developers verify alerts directly in the Chrome Web Store developer dashboard and not follow links in unsolicited emails or pages. If credentials have already been entered on a fraudulent page, developers should immediately change the Google account password from a trusted device, sign out of all active sessions, check connected apps, and enable two‑factor authentication, preferably using a hardware security key. Developers should also inspect their listed extensions for unauthorized changes or new versions and roll back or remove malicious updates.
Security software with web‑phishing protection can block these pages before credentials are entered. Browser extensions and anti‑phishing tools that scan web pages can prevent access to known malicious sites and warn users when a page mimics a trusted service.
The campaign targets developer accounts because account access can be used to push changes and updates to many extension users through the Chrome Web Store.








