Firefox browser extensions are full of malware

  • Koi Security detected 17 malicious extensions for Firefox that hid backdoors and tracking codes and were downloaded more than 50,000 times.
  • The extensions downloaded payloads from remote servers, hijacked affiliate links, injected trackers, removed security headers, and enabled ad fraud mechanisms.
  • Mozilla has removed all affected extensions and updated its detection systems; users should remove them and protect their accounts.

More than a dozen Firefox extensions were found to be malicious because they installed backdoors and monitored users’ browsing habits, experts warned.

This is according to security researchers from Koi Security, who named the campaign “GhostPoster” and said that some of these extensions have a rather unusual way of obtaining their malicious code.

In total, these extensions have been downloaded more than 50,000 times.

Here is the full list of those found so far:

Free VPN forever
Saved Screenshot – Simple
best weather forecast
mouse gesture
Fast cached website loader
free mp3 download
Right click on Google Translate
google translator
Global VPN
dark-reader-for-ff
gbbd translator
I like the weather
The Google Translate Pro extension
Google Translate
Watch free videos on libretv
stop advertising
Right click on Google Translate

Some of these extensions even store malicious JavaScript code in their PNG logo. The code acts as a loader that downloads the main payload from a remote server. To complicate detection and attribution, the attackers made the extensions download the main payload only 10% of the time.

The main payload has a wide range of capabilities. Most importantly, it hijacks affiliate links on major e-commerce sites, taking commission money directly from content creators.

It then inserts Google Analytics tracking on every page the user visits and removes security headers from all HTTP responses.

Finally, it can bypass CAPTCHA using three separate mechanisms and inject invisible iframes, which are mainly used for ad fraud, click fraud and tracking. These iframes self-destruct after about 15 seconds.

While stealing money from affiliates and tracking user behavior is serious, researchers warned that the campaign could become even more destructive at any time if attackers decide to collect passwords or redirect users to fake login pages for banks and similar phishing sites.

After the news broke, Mozilla reviewed the report and decided to remove all detected add-ons from the browser store.

“Our plugins team investigated this report and subsequently took action to remove all of these AMO plugins,” the company told BleepingComputer. “We have updated our automated systems to detect and block extensions with similar attacks now and in the future. We continue to improve our systems as new attacks emerge.”

If you use any of these extensions, you should remove them immediately and protect your important accounts.

Via BleepingComputer
