Monday, August 4, 2025
Latest:

Threatshub.org sponsored-Post

The Register

Mozilla flags phishing wave aimed at hijacking trusted Firefox add-ons

TH Author

Mozilla is warning of an ongoing phishing campaign targeting developers of Firefox add-ons.

The browser maker urged devs to “exercise extreme caution and scrutiny” when reviewing seemingly legitimate emails from senders pretending to be Mozilla or AMO (addons.mozilla.org).

Although phishing emails can take many forms, Moz said this campaign usually lures devs into clicking through a malicious link to update their account. Failure to do so, or so the crims claim, would result in the dev losing access to developer features.

The company did not specify the motivations behind the phishing attacks, although it can be reasonably assumed that if developers are being targeted, gaining access to trusted developer accounts is likely the game plan.

Mozilla was also quiet on the scale and success of the phishers’ efforts thus far, but given the spate of scammy extensions targeting crypto users of late, gaining access to trustworthy developer accounts could be used to push more of these credential-stealing add-ons.

Lukasz Olejnik, an independent security and privacy researcher, said there are many of these extensions about, with new ones popping up regularly. Their primary aim is to steal seed phrases, which can be used to remotely recover and take control of wallets.

“It’s a constant cat-and-mouse game: attackers upload them, browser vendors try to catch and remove them, only for new versions to pop up again,” he blogged.

“At this point, it’s safest to assume that most crypto-related Firefox extensions contain malware. Especially those that are new, or have few users. In fact, every such extension should be considered compromised by default and avoided completely. Stay alert.”

Koi Security published research in July that found more than 40 malicious Firefox add-ons were being used as part of a single campaign, all designed to steal crypto wallet credentials.

They appear to be legitimate wallet tools developed by trusted crypto wallet brands such as Coinbase, MetaMask, OKX, and more, but once installed, they silently exfiltrate wallet secrets, like seed phrases.

The campaign has been ongoing since April 2025, Koi Security said, although Mozilla did not explicitly link its recent phishing warning with these findings.

Mozilla did, however, acknowledge the role its add-ons play in the increased losses incurred from crypto scams in the US following the FBI’s 2024 Internet Crime Report, which noted $5.8 billion in losses for the year – up 47 percent compared to 2023.

Andreas Wagner, add-ons operations manager at Moz, said malicious developers continually work to bypass the company’s detection methods, which include an automated system to determine an extension’s risk. If a certain risk threshold is exceeded, human reviewers step in and, where necessary, remove scammy add-ons.

The potential consequences of falling for crypto scams are well documented, and in one particularly tragic case from 2023, an Ohio woman was scammed out of her life savings worth around $663,352. ®

READ MORE HERE