{“lastseen”:”2026-06-02T20:05:07″,”description”:”A new scam is targeting people who publish Chrome extensions. \\n\\nThe scam arrives as an official-looking \\”copyright removal request\\” claiming your extension is about to be removed from the Chrome Web Store and that you have 48 hours to appeal.\\n\\nIt even looks personalized. After you enter your extension’s ID to \\”verify\\” it, the page pulls in your extension’s real name and icon. But it’s all part of a phishing attack designed to steal your Google username and password.\\n\\nIf attackers gain access to a developer account, they may be able to take over the extension, access developer resources, or potentially push malicious updates to users.\\n\\n## What’s actually going on\\n\\nIf you’ve published a Chrome extension, you might encounter a page that looks like an official Google notice warning that your extension is being removed for copyright infringement.\\n\\nThe page asks you to enter your extension ID, then displays your real extension details alongside a complaint number and countdown clock. It pressures you to sign in with Google to file an appeal before time runs out.\\n\\nNone of it is real. The page is not operated by Google. The complaint, deadline, and countdown are fabricated. The goal is to trick you into entering your Google username and password into a fake sign-in window controlled by the scammer.\\n\\n**The most important rule to remember** : Genuine warnings about your extension appear in your Chrome Web Store developer dashboard, not on a third-party website.\\n\\n## Why scammers want developer accounts\\n\\nChrome extensions have access to users’ browsers, and they can be updated automatically.\\n\\nIf attackers gain control of a developer account, they may be able to modify an extension, access developer resources, or potentially distribute malicious updates to existing users.\\n\\nThat’s what makes developer accounts such attractive targets, and why scams like these are prevalent.\\n\\n## What the scam looks like\\n\\nThe page is hosted on a domain that has nothing to do with Google. In the version we analyzed, the site used the address `dmca-chrome-extensions[.]click`.\\n\\nDespite that, it uses Google’s branding and presents itself as a \\”Chrome Web Store Developer Policy Center.\\”\\n\\nThe page first asks for the link or ID of your extension. That seems harmless, which is exactly why it works.\\n\\n\\n\\n## It uses your own extension to look convincing\\n\\nAfter you enter your extension ID, the page briefly displays a \\”Looking up extension\u2026\\” message and then builds a fake takedown notice around your real extension.\\n\\nWhen we tested the scam with Malwarebytes Browser Guard, it displayed our genuine extension name, icon, and Chrome Web Store listing alongside the fake complaint.\\n\\n\\n\\nThe site is simply pulling publicly available information from your extension’s Chrome Web Store page. Anyone can see that information. The scammers use it to make the fake notice appear legitimate.\\n\\nEverything else is invented.\\n\\nThe complaint number, \\”date received,\\” 48-hour deadline, countdown timer, and timeline of events are generated by the scam page itself.\\n\\n## The countdown is there to rush you\\n\\nA red warning banner claims your extension will be permanently removed unless you act within 48 hours, and a clock counts down by the second. The whole layout pushes you toward one button: sign in with Google to \u201cverify your identity\u201d and file your appeal. \\n\\nThe urgency is designed to create pressure so you react before taking the time to verify the claim.\\n\\n## The fake sign-in window\\n\\nWhen you click \\”Continue to verification,\\” a Google sign-in window appears with a title bar, padlock, and address showing `accounts.google.com`.\\n\\n\\n\\nIt looks authentic, but it isn’t.\\n\\nThe \\”window\\” is actually part of the web page itself. The padlock and address are just graphics designed to look like a real browser window.\\n\\nThe scammers even tailor the appearance to match your operating system, showing Mac-style windows on macOS and Windows-style windows on Windows devices.\\n\\nAnything typed into this fake sign-in form is sent directly to the scammers.\\n\\nOne giveaway is that the window cannot leave the browser page. Try dragging it to the edge of your screen and it stops at the browser border. Minimize the browser and it disappears as well.\\n\\nMost importantly, your browser’s real address bar still shows the scam site’s address, not Google’s.\\n\\n## How to stay safe\\n\\nThe good news is that a few simple habits defeat this scam.\\n\\n * **Don ‘t trust the link. **If you receive a warning about your extension, go directly to your Chrome Web Store developer dashboard and check there.\\n * **Be suspicious of urgency.** Legitimate policy processes don’t rely on countdown clocks to force immediate action.\\n * **Check the address bar.** A real Google sign-in page appears at accounts.google.com in your browser’s actual address bar.\\n * **Test the window.** If a sign-in window can’t be dragged outside the browser or disappears when the browser is minimized, it’s probably fake.\\n * **Turn on stronger sign-in protection.** Passkeys and hardware security keys make stolen passwords far less useful to attackers.\\n * **Use security software with phishing and web protection.** Our Browser Guard, which is also part of Malwarebytes Premium can help block malicious websites and phishing pages before you enter sensitive information.\\n\\n\\n\\nThis isn’t a crude phishing page. It uses your real extension details, mimics Google’s branding, and creates a convincing sense of urgency.\\n\\nIf you receive a warning about your extension, don’t follow the link and don’t race the countdown. Go directly to your Chrome Web Store developer dashboard and verify the claim there.\\n\\nWhen in doubt, close the tab.\\n\\n## **If you already entered your details**\\n\\nAct quickly.\\n\\n * **Change your Google password immediately from a trusted device.**\\n * Sign out of all active sessions in your Google account security settings.\\n * Review connected apps and devices for anything unfamiliar.\\n * Turn on two-step verification, preferably using a passkey or security key.\\n * Check your Chrome Web Store listings for changes, uploads, or new versions you didn’t publish.\\n\\n\\n\\n## **Indicators of Compromise (IOCs)**\\n\\n**Domain**\\n\\n`dmca-chrome-extensions[.]click`\\n\\n* * *\\n\\n**Stop threats before they can do any harm.**\\n\\nMalwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. Add it to your browser \u2192”,”published”:”2026-06-02T18:24:07″,”modified”:”2026-06-02T18:24:07″,”type”:”malwarebytes”,”title”:”These convincing copyright notices are designed to steal Google logins”,”source”:””,”references”:””,”id”:”MALWAREBYTES:85EC87F7CBD6CC83B7BF9E5573AE598C”,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/threat-intel\/2026\/06\/these-convincing-copyright-notices-are-designed-to-steal-google-logins”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-02T20:05:07″,”description”:”A new scam is targeting people who publish Chrome extensions. \\n\\nThe scam arrives as an official-looking \\”copyright removal request\\” claiming your extension is about to…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-59389","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n