
SANS ISC: Firefox extension used as password stealer? - Internet Security | DShield SANS ISC InfoSec Forums


Firefox extension used as password stealer?

A reader sent us a suspicious e-mail, which included a link to an .xpi file (a Firefox extension) as an attachment. Looks like a very nice find! I am still looking at the extension. Just from a preliminary glance at it, the extension may try to steal the content of form fields.

The origin appears to be Russian. The link went to ht tp : //qs-s.  nm.  ru (again: inserted spaces to protect the innocent)

 

The e-mail:

Subject
We have received mnoey. Here your book. Read and grow rich!
Body
ht tp:// qs-s. nm. ru - We have received money. Here your book. Read adn grow rich!

(and thanks to the person posting the comment below for pointing out I forgot to break up the second instance of the URL :-) ).

Still working on figuring out exactly what this does, e.g. if it is just adware or actually steals passwords. May have to wait until I get home and get to run it in the lab.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

 

:) but you haven't protected the innocent in the next lines ...
Anonymous
