Precaution advised: Mozilla alert warns that compromised Firefox add-ons could pose system-wide threats.
As reported by The Register, Mozilla is warning its developer community about ongoing phishing attacks targeting developers' email accounts. The attackers, posing as Mozilla or AMO (addons.mozilla.org) representatives, aim to steal the login credentials for developer accounts.
The threat actors use phishing emails claiming that developers must update their Mozilla Add-ons accounts to continue accessing developer features. These emails create a sense of urgency, encouraging recipients to click malicious links that lead to credential theft. Sometimes, the emails come from suspicious or generic addresses like Gmail accounts and may include misspellings of "Mozilla."
By compromising add-on developer accounts, attackers can push malware updates to unsuspecting users, potentially compromising the integrity of the browser extension ecosystem. This could lead to the distribution of malicious extensions that steal sensitive data such as cryptocurrency seed phrases.
A seemingly benign Chrome add-on called "Color Picker, Eyedropper - Geco colorpick" was found to be malware, and this discovery led to the uncovering of a web of similar malicious add-ons. The add-on, with thousands of downloads and positive reviews, hijacked browser activity and tracked users' website visits. It also communicated with remote command-and-control (C2) infrastructure.
Mozilla advises developers to verify email authenticity using SPF, DKIM, and DMARC checks and only trust emails from official Mozilla domains like , , or . Developers are urged to avoid clicking links in suspicious emails and instead log in via bookmarked sites to reduce risk.
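As an added illustration of the verification Mozilla recommends (not code from the article or from Mozilla), the following Python reads a received message's Authentication-Results header and checks that SPF, DKIM and DMARC passed and align with the From: domain, and that the domain is on an allow-list of official senders. The official domain list and the two sample messages are constructed placeholders; the lure sample shows that a Gmail-hosted message can pass every authentication check and still fail the official-domain test.

```python
import email
import email.utils
import re

# Placeholder: the article elides Mozilla's official sender domains, so this set is an
# assumption; fill it with the domains named in Mozilla's advisory.
TRUSTED_SENDER_DOMAINS = {"official-domain.example"}

def aligned(auth_domain: str, from_domain: str) -> bool:
    """Relaxed DMARC-style alignment: From: domain equals or is a subdomain of the authenticated domain."""
    return bool(auth_domain) and (from_domain == auth_domain or from_domain.endswith("." + auth_domain))

def parse_auth_results(header: str) -> dict:
    """Map spf/dkim/dmarc -> (verdict, domain) from an Authentication-Results header value."""
    results = {}
    for clause in header.split(";")[1:]:  # clause 0 is the authserv-id of the receiving MTA
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause)
        if not m:
            continue
        dom = re.search(r"(?:header\.d|smtp\.mailfrom|header\.from)=([\w.-]+)", clause)
        results[m.group(1)] = (m.group(2).lower(), dom.group(1).lower() if dom else "")
    return results

def assess(raw: bytes) -> dict:
    """Advisory checks: SPF, DKIM and DMARC pass and align with From:, and From: is an official domain."""
    msg = email.message_from_bytes(raw)
    display, from_addr = email.utils.parseaddr(msg.get("From", ""))
    from_dom = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    spf_verdict, spf_dom = auth.get("spf", ("none", ""))
    dkim_verdict, dkim_dom = auth.get("dkim", ("none", ""))
    checks = {
        "spf_pass_aligned": spf_verdict == "pass" and aligned(spf_dom, from_dom),
        "dkim_pass_aligned": dkim_verdict == "pass" and aligned(dkim_dom, from_dom),
        "dmarc_pass": auth.get("dmarc", ("none", ""))[0] == "pass",
        "official_domain": from_dom in TRUSTED_SENDER_DOMAINS,
    }
    # A Mozilla/AMO display name (misspellings included) on a non-official domain is the lure described.
    checks["impersonation_suspected"] = bool(re.search(r"mozil|\bamo\b", display.lower())) and not checks["official_domain"]
    checks["trusted"] = all(checks[k] for k in ("spf_pass_aligned", "dkim_pass_aligned", "dmarc_pass", "official_domain"))
    return checks

# Constructed sample messages (not real mail): one from the placeholder official domain,
# one a Gmail-hosted lure that passes every authentication check yet is not official.
LEGIT_MSG = (b"Authentication-Results: mx.example.net;\r\n spf=pass smtp.mailfrom=official-domain.example;\r\n"
             b" dkim=pass header.d=official-domain.example;\r\n dmarc=pass header.from=official-domain.example\r\n"
             b"From: AMO Team <addons@official-domain.example>\r\nSubject: Notice\r\n\r\nbody\r\n")
LURE_MSG = (b"Authentication-Results: mx.example.net;\r\n spf=pass smtp.mailfrom=gmail.com;\r\n"
            b" dkim=pass header.d=gmail.com;\r\n dmarc=pass header.from=gmail.com\r\n"
            b"From: Mozila Add-ons Team <mozila.addons@gmail.com>\r\nSubject: Action required\r\n\r\nbody\r\n")
```

Calling `assess(LEGIT_MSG)` yields `trusted` True, while `assess(LURE_MSG)` yields `dmarc_pass` True but `trusted` False and `impersonation_suspected` True.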
Security researchers from Koi Security discovered this malicious activity. By tainting browser add-ons with malware, cybercriminals can engage in supply chain attacks, potentially gaining access to users' bank accounts, social media accounts, cryptocurrency tokens and NFTs, passwords, session cookies, and more.
In summary, the threat actors behind these attacks are cybercriminals impersonating Mozilla/AMO via phishing emails. Their method is urgent-looking phishing emails designed to steal developer account login credentials. Their goal is to hijack add-on developer accounts in order to push malicious extensions to Firefox users, potentially stealing valuable data such as cryptocurrency wallet seed phrases.
Gaming enthusiasts should be aware of the increased risk of data breaches in the browser extension ecosystem, particularly from malicious extensions disguised as harmless tools like "Color Picker, Eyedropper - Geco colorpick." Meanwhile, cybersecurity professionals should stress how advances such as data and cloud computing practices can bolster the security of developer accounts and protect sensitive data from cyberattacks.