- Koi Security discovered 17 malicious Firefox extensions hiding backdoors and tracking code, downloaded more than 50,000 times.
- The extensions fetched payloads from remote servers, hijacked affiliate links, injected trackers, removed security headers, and enabled ad fraud mechanisms.
- Mozilla removed all affected plugins and updated detection systems; users must uninstall them and protect accounts.
More than a dozen Firefox extensions were found to be malicious, placing backdoors and tracking users’ browsing habits, experts warned.
This is according to security researchers at Koi Security, who called the campaign “GhostPoster” and said that some of these extensions have a rather unique way of retrieving malicious code.
In total, these extensions were downloaded more than 50,000 times.
Affiliate Link Hijacking
Here is the full list of those found so far:
VPN-free-forever
easy saved screenshot
best weather forecast
gesture-crxmouse
fast-cache-site-loader
free mp3 downloader
Google-translate-right-clicks
google-translator-esp
Worldwide VPN
dark-reader-for-ff
gbbd-translator
I like the weather
google-translate-pro-extension
谷歌-翻译
libretv-watch-free-videos
advertising stop
right click on Google Translate
Some of these extensions actually store the malicious JavaScript code in the PNG logo. The code serves as instructions on how to download the main payload from a remote server. To make detection and attribution difficult, the attackers made the extensions download the main payload only 10% of the time.
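For defenders triaging extension icons, the following is an added example, not code from Koi Security, Mozilla or this article. The article does not say where in the PNG the script sits, so the scanner assumes the two generic hiding places a renderer ignores (bytes after the IEND chunk and non-pixel chunks); the token list and the 1x1 sample image are constructed for illustration.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
PIXEL_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}
# Heuristic script tokens (an assumption; tune for your own corpus).
JS_HINTS = re.compile(rb"function\s*\(|eval\(|fetch\(|atob\(|XMLHttpRequest|document\.")

def scan_png(data: bytes) -> dict:
    """Walk the chunk list; report CRC failures, bytes after IEND, script-like text."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    report = {"chunks": [], "bad_crc": [], "trailing": b"", "js_hints": []}
    suspect = b""          # bytes a renderer ignores but a script could read
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):            # truncated or bogus length: stop parsing
            break
        body = data[pos + 8:end - 4]
        name = ctype.decode("latin-1")
        report["chunks"].append(name)
        if zlib.crc32(ctype + body) != struct.unpack(">I", data[end - 4:end])[0]:
            report["bad_crc"].append(name)
        if ctype not in PIXEL_CHUNKS:
            suspect += body
        pos = end
        if ctype == b"IEND":
            break
    report["trailing"] = data[pos:]    # anything left over is not image data
    suspect += report["trailing"]
    report["js_hints"] = sorted({m.group(0).decode() for m in JS_HINTS.finditer(suspect)})
    return report

def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def make_sample_png() -> bytes:
    """Constructed 1x1 greyscale PNG used only to exercise the scanner."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b"")

if __name__ == "__main__":
    clean = make_sample_png()
    tainted = clean + b"/* constructed marker */ (function(){ return 1; })();"
    for label, blob in (("clean", clean), ("tainted", tainted)):
        r = scan_png(blob)
        print(label, r["chunks"], len(r["trailing"]), r["bad_crc"], r["js_hints"])
```

A non-empty `trailing` or `js_hints` result on an extension icon is a reason to inspect the file by hand; it is not proof of malice on its own.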
The main payload can do all kinds of things. Firstly, it hijacks affiliate links on major e-commerce sites, stealing money directly from content creators.
It then injects Google Analytics tracking into each page the user visits and strips security headers from all HTTP responses.
Finally, it can bypass CAPTCHA using three separate mechanisms and can inject invisible iframes, mainly used for ad fraud, click fraud and tracking. These iframes self-destruct after approximately 15 seconds.
While stealing money from affiliates and monitoring user behavior is definitely serious business, researchers warned that the campaign could become even more destructive at any time, if attackers decide to start harvesting passwords or redirect users to fake banking login pages and similar phishing sites.
After the news broke, Mozilla investigated the report and decided to remove all discovered extensions from its browser store.
“Our plugins team investigated this report and, as a result, took action to remove all of these AMO extensions,” the company told BleepingComputer. “We have updated our automated systems to detect and block extensions using similar attacks now and in the future. We continue to improve our systems as new attacks appear.”
If you are using any of these extensions, you should remove them immediately and protect your critical accounts.
Via BleepingComputer