- Koi Security uncovered 17 malicious Firefox extensions that hid backdoors and tracking code, downloaded over 50,000 times
- The extensions pulled payloads from remote servers, hijacked affiliate links, injected trackers, stripped security headers, and enabled ad fraud mechanisms
- Mozilla removed all affected add-ons from its store and updated its automated detection systems; users should uninstall them and secure their accounts
More than a dozen Firefox extensions were found to be malicious, planting backdoors and tracking users’ browsing habits, experts have warned.
That’s according to security researchers from Koi Security, who dubbed the campaign “GhostPoster” and said some of these extensions have a rather unique way of picking up malicious code.
In total, these extensions were downloaded more than 50,000 times.
Hijacking of affiliate links
Here is the full list of those found so far:
free-vpn-forever
screenshot-saved-easy
weather-best-view
crxmouse gesture
cache-fast-site-loader
freemp3 downloader
google translate right click
google-translator-esp
worldwide-vpn
dark-reading-for-ff
translator-gbbd
i-as-weather
google-translate-pro-extension
谷歌 translation
libretv-watch-free-videos
ad-stop
right click google translate
Some of these extensions actually store the malicious JavaScript code inside their PNG logo. That code serves as instructions for fetching the main payload from a remote server. To make detection and attribution more difficult, the attackers made the extensions download the primary payload only 10% of the time.
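The article does not say exactly how the JavaScript was tucked into the icon, so the checker below, which is an added example and not code from Koi Security, Mozilla or the extensions themselves, assumes the two simplest placements a defender would audit first: bytes appended after the IEND chunk and script-like text in tEXt/zTXt/iTXt chunks; it also flags chunk CRC mismatches, which betray images edited after the fact. The sample PNGs are constructed in the code.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = (b"tEXt", b"zTXt", b"iTXt")
JS_MARKERS = (b"eval(", b"fetch(", b"XMLHttpRequest", b"document.", b"function(", b"=>")  # never legitimate in an icon

def parse_chunks(data):
    """Return ([(type, payload, crc_ok), ...], offset just past IEND)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            break  # truncated chunk: the remainder is reported as a trailer
        payload = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        chunks.append((ctype, payload, crc == (zlib.crc32(ctype + payload) & 0xFFFFFFFF)))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, pos

def scan_png(data):
    """List suspicious traits: data after IEND, JS-like text chunks, bad CRCs."""
    chunks, end = parse_chunks(data)
    findings, trailer = [], data[end:]
    if trailer:
        findings.append(f"{len(trailer)} bytes appended after IEND")
        if any(m in trailer for m in JS_MARKERS):
            findings.append("JavaScript-like tokens in trailer")
    for ctype, payload, crc_ok in chunks:
        if not crc_ok:
            findings.append(f"bad CRC on {ctype.decode()} chunk")
        if ctype in TEXT_CHUNKS and any(m in payload for m in JS_MARKERS):
            findings.append(f"JavaScript-like tokens in {ctype.decode()} chunk")
    return findings

def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def build_sample_png(extra_chunks=(), trailer=b""):
    """Constructed 1x1 grayscale PNG for testing; not a real extension icon."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    body = _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
    for ctype, payload in extra_chunks:
        body += _chunk(ctype, payload)
    return PNG_SIG + body + _chunk(b"IEND", b"") + trailer
```

Run `scan_png` over every image inside an unpacked .xpi; a clean icon returns an empty list.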
The main payload does several things. First, it hijacks affiliate links on major e-commerce sites, stealing commission revenue directly from content creators.
It then injects Google Analytics tracking into every page the user visits and strips security headers from all HTTP responses.
Finally, it can bypass CAPTCHA using three separate mechanisms and can inject invisible iframes that are mostly used for ad fraud, click fraud and tracking. These iframes self-destruct after about 15 seconds.
While stealing money from affiliates and tracking user behavior is certainly a serious matter, researchers warned that the campaign could become even more destructive at any point if the attackers decide to start harvesting passwords or redirecting users to fake bank login pages and similar phishing sites.
After the news broke, Mozilla investigated the report and decided to remove all the detected extensions from its browser store.
“Our add-ons team has investigated this report and, as a result, has taken action to remove all of these extensions from AMO,” the company told BleepingComputer. “We’ve updated our automated systems to detect and block extensions that use similar attacks now and in the future. We continue to improve our systems as new attacks emerge.”
If you use any of these extensions, you should remove them immediately and secure your critical accounts.
Via Bleeping Computer