New piece of spyware does its dirty work using a real Mozilla Firefox extension

A new trojan uses actual Mozilla Firefox browser extensions as an entryway into an unsuspecting user's machine.

The FormSpy spyware trojan was spotted again late yesterday making the rounds via a spam email, says Craig Schmugar, virus research manager for McAfee Avert Labs. McAfee issued an alert on the malware yesterday. It was first discovered by McAfee earlier in the week.

"The order of the information was repackaged and then spammed out again, but pointed to the same FormSpy trojan," Schmugar says.

FormSpy is installed as a Firefox extension, unbeknownst to the user, when he or she downloads an attachment in the message. The message poses as Dell or Wal-Mart, for instance, thanking the user for shopping with them and says information on their order is in the attachment. When they click on the attachment, another new Trojan that McAfee found on Monday, Downloader-AXM, inserts FormSpy into the Firefox browser.

"Then an executable installs a modified Firefox extension," Schmugar says, with FormSpy. FormSpy captures keystrokes, so it can grab information on Web forms the user fills out. "It also sniffs traffic flowing over the wire to the local network," including passwords.

FormSpy shows up as "NumberedLinks 0.9" as it's installed into the Mozilla browser. It can transmit information captured via the user's browser to a malicious Website.

"The significant element of this mass-spamming is that the trojan author figured there was a significant enough number of Firefox users that it would be worth blindly sending this trojan out, without knowing which specific browser the recipients would be using," Schmugar says.

As of press time, McAfee had no reports of infected machines but had heard about the exploit from users who had seen but didn't fall for the scam. "The mass spamming of trojans is unfortunately a regular occurrence," Schmugar says.

So is there a way to secure extensions? Not really, Schmugar says, because making code more feature-rich also opens it up to vulnerabilities. "It's difficult to balance security and functionality in software."

A Mozilla spokesperson declined to comment.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights