
Trojan Uses Firefox Add-On

New piece of spyware does its dirty work using a real Mozilla Firefox extension

A new trojan uses actual Mozilla Firefox browser extensions as an entryway into an unsuspecting user's machine.

The FormSpy spyware trojan was spotted again late yesterday making the rounds via a spam email, says Craig Schmugar, virus research manager for McAfee Avert Labs. McAfee issued an alert on the malware yesterday. It was first discovered by McAfee earlier in the week.

"The order of the information was repackaged and then spammed out again, but pointed to the same FormSpy trojan," Schmugar says.

FormSpy is installed as a Firefox extension, unbeknownst to the user, when he or she opens an attachment in the message. The message poses as Dell or Wal-Mart, for instance, thanking the user for shopping with them and saying that information on their order is in the attachment. When they click on the attachment, another new trojan that McAfee found on Monday, Downloader-AXM, inserts FormSpy into the Firefox browser.

"Then an executable installs a modified Firefox extension," Schmugar says, and that extension carries FormSpy. FormSpy captures keystrokes, so it can grab information on Web forms the user fills out. "It also sniffs traffic flowing over the wire to the local network," including passwords.

FormSpy shows up as "NumberedLinks 0.9" once it is installed in the Mozilla browser. It can transmit the information captured via the user's browser to a malicious Web site.
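As an added defensive example (not code from the article, McAfee or Mozilla), the following Python script inventories the unpacked extensions in a Firefox profile by reading each legacy install.rdf manifest and flags any whose name and version match the "NumberedLinks 0.9" indicator the article gives. The XUL-era manifest layout, the profile directory and the sample extension IDs are assumptions constructed for this example.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

EM_NS = "http://www.mozilla.org/2004/em-rdf#"
# Indicator from the article: FormSpy shows up as "NumberedLinks 0.9" (lower-cased name, version).
SUSPECT_EXTENSIONS = {("numberedlinks", "0.9")}
# Assumed legacy (XUL-era) install.rdf layout, used only to build the constructed sample.
RDF_TEMPLATE = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>{id}</em:id><em:name>{name}</em:name><em:version>{version}</em:version>
  </Description>
</RDF>"""

def parse_install_rdf(path):
    """Return (name, version) from an install.rdf manifest, or None if missing or unparseable."""
    try:
        root = ET.parse(path).getroot()
    except (ET.ParseError, OSError):
        return None
    name = root.find(".//{%s}name" % EM_NS)
    version = root.find(".//{%s}version" % EM_NS)
    if name is None or not (name.text or "").strip():
        return None
    return name.text.strip(), ((version.text or "").strip() if version is not None else "")

def audit_profile(profile_dir):
    """Inventory <profile>/extensions/*/install.rdf and flag entries matching a known indicator."""
    inventory, flagged = [], []
    ext_root = os.path.join(profile_dir, "extensions")
    for ext_id in (sorted(os.listdir(ext_root)) if os.path.isdir(ext_root) else []):
        parsed = parse_install_rdf(os.path.join(ext_root, ext_id, "install.rdf"))
        if parsed is None:
            continue  # not an unpacked legacy extension directory
        name, version = parsed
        inventory.append((ext_id, name, version))
        if (name.lower(), version) in SUSPECT_EXTENSIONS:
            flagged.append((ext_id, name, version))
    return inventory, flagged

def build_sample_profile():
    """Constructed sample profile: one benign add-on plus a FormSpy-style 'NumberedLinks 0.9' entry."""
    profile = tempfile.mkdtemp(prefix="ff-profile-")
    for ext_id, name, version in [("helper@test", "Helper", "1.2"), ("sample@test", "NumberedLinks", "0.9")]:
        ext_dir = os.path.join(profile, "extensions", ext_id)
        os.makedirs(ext_dir)
        with open(os.path.join(ext_dir, "install.rdf"), "w") as fh:
            fh.write(RDF_TEMPLATE.format(id=ext_id, name=name, version=version))
    return profile
```

Run `audit_profile()` against a real profile path to list every unpacked extension and review anything the user does not recognise, not only the entries that match the indicator list.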

"The significant element of this mass-spamming is that the trojan author figured there was a significant enough number of Firefox users that it would be worth blindly sending this trojan out, without knowing which specific browser the recipients would be using," Schmugar says.

As of press time, McAfee had no reports of infected machines but had heard about the exploit from users who had seen the scam but did not fall for it. "The mass spamming of trojans is unfortunately a regular occurrence," Schmugar says.

So is there a way to secure extensions? Not really, Schmugar says, because making code more feature-rich also opens it up to vulnerabilities. "It's difficult to balance security and functionality in software."

A Mozilla spokesperson declined to comment.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
