Malicious Firefox extension allows hackers to hijack Gmail account
A few days ago, a hacker group used malicious Firefox extensions and Scanbox malware to infect victims. The purpose of this move is to hijack the victim’s Gmail account and Firefox browser so that they can collect the target’s data and record their keyboard keystrokes. According to a Proofpoint report, the attack started in January and continued throughout February.
The phishing email delivered by the attacker to the target mailbox will be redirected to the you-tube[.]tv domain controlled by the attacker, which will display a fake Adobe Flash Player Update page.
If the target uses the Firefox browser and logs in to their Gmail account, the JavaScript analysis script executed from the domain will automatically prompt the target to install a malicious extension called FriarFox. If they are using Firefox but are not logged into their Gmail account, they will be asked to add the corrupted FriarFox extension to the browser, which will cause the extension to fail to install.
If the potential victim is using a web browser other than Firefox, then they will be redirected to a legitimate YouTube login page.
The FriarFox malicious extension is based on the open-source Gmail Notifier Firefox plug-in, which mimics the Flash update process by changing its icon and metadata description. Hackers also added malicious JavaScript to hijack the victim’s Gmail account and infect their system with Scanbox malware.
Once the victim is tricked into installing the FriarFox extension, the hacker will be able to take over the user’s Gmail account and Firefox browser to perform the following malicious actions:
Gmail Access
- Search emails
- Archive emails
- Receive Gmail notifications
- Read emails
- Alter FireFox browser audio and visual alert features for the FriarFox extension
- Label emails
- Marks emails as spam
- Delete messages
- Refresh inbox
- Forward emails
- Perform function searches
- Delete messages from Gmail trash
- Send mail from compromised account
FireFox Browser Access – (Based on Granted browser permissions)
- Access user data for all websites.
- Display notifications
- Read and modify privacy settings
- Access browser tabs.
