A recent report by Koi Security has exposed a massive ongoing cyberattack campaign targeting cryptocurrency users via fake Firefox browser extensions.
More than 40 bogus Firefox extensions have been uploaded to the Mozilla Add-ons Store.
These malicious extensions impersonate widely used wallets, such as MetaMask and Keplr Coinbase Wallet, using the same logos, names, and cloned codebases from the real wallets. All of this, of course, comes with spyware code hidden inside innocuous-looking files.
They are meant to steal wallet credentials (like seed phrases or private keys) from the victims as well as capture users’ IP addresses. The stolen data gets sent to attacker-controlled servers.
In order to gain more legitimacy, the malicious actors posted a slew of fake five-star reviews. These are mostly extremely generic reviews written with the help of artificial intelligence (AI) or human-written reviews copied from legitimate extensions.
Why proper vetting is necessary
Such attacks will likely remain highly effective and dangerous until Firefox manages to improve detection and code review to prevent fraudsters from taking advantage of some gullible users.
In response to the incident, cybersecurity firm SlowMist has advised users not to rely solely on ratings or branding. Instead, they are supposed to verify the publisher's identity.
The firm has stressed that such extensions have to be treated as full-fledged software, and there should be proper vetting. It should also be noted that such extensions can auto-update.
Vladislav Sopov
U.Today Editorial Team