Hackers use a browser extension to take over targets' Gmail accounts
Several organizations based in Tibet (China) have recently been targeted in a large-scale cyber espionage campaign carried out by a hacker group with the help of a malicious extension for the Firefox browser. The extension is designed to take over Gmail accounts and infect the victim's system with malware.
Initial investigation showed that the campaign was conducted by a hacker group with relatively close ties to China, tracked as TA413. Activity began in January and continued throughout February, according to a Proofpoint report published on February 25.
Notably, this campaign delivered Scanbox, malicious code known for its information-gathering capabilities. Scanbox allows attackers to collect detailed data about the target and also to record their keystrokes.
"Scanbox has been used in multiple campaigns since 2014 to target the Tibetan immigrant community along with other ethnic minorities in China," the Proofpoint experts said. "This malware is also capable of tracking visitor data to specific websites, performing logging and collecting user data that can be leveraged in future intrusion attempts."
FriarFox: the malicious extension
As observed by Proofpoint, phishing emails sent by TA413 to the targets' mailboxes redirect them to a 'you-tube[.]tv' domain controlled by the attackers. That domain serves a landing page disguised as a fake Adobe Flash Player update.
JavaScript executed from this domain automatically prompts targets to install a malicious add-on called FriarFox if they are using the Firefox web browser and are signed in to their Gmail account.
If the target uses any browser other than Firefox, they are redirected to the legitimate YouTube login page. If they are using Firefox but are not signed in to Gmail, they are still asked to add the malicious FriarFox add-on to their browser.
FriarFox was built on top of the legitimate open source Firefox Notifier extension, with its icon and description metadata changed to mimic the Flash update process. In addition, FriarFox deliberately bundles malicious JavaScript designed to take over the victim's Gmail account and infect their system with the Scanbox malware.
When a victim is tricked into installing the FriarFox extension, the TA413 malicious actors take over the victim's Gmail account and use the victim's Firefox browser to perform the following malicious actions:
For Gmail accounts:
- Search emails
- Archive emails
- Receive Gmail notifications
- Read emails
- Change the Firefox browser's visual and audio alert settings for the FriarFox extension
- Label emails
- Mark emails as spam
- Delete messages
- Refresh the inbox
- Forward emails
- Delete messages from the Gmail trash
- Send emails from the compromised account
For Firefox (based on browser permissions):
- Access user data for all sites
- Show notifications
- Read and modify privacy settings
- Access browser tabs
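The four Firefox permissions above, combined with code injected into Gmail pages, are what a defender can look for when reviewing installed add-ons. The following audit of a WebExtension manifest.json is an added example, not code from the article or from Proofpoint; it assumes the standard WebExtension manifest layout (v2 "permissions", v3 "host_permissions"), and the two sample manifests are constructed.

```javascript
// Added example: flag a Firefox extension manifest that holds the permission
// set listed in the article and also injects scripts into Gmail pages.

const ALL_SITES = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];
const GMAIL = /^(https?|\*):\/\/mail\.google\.com\//;

// The four Firefox capabilities from the article, mapped to WebExtension permission names.
const CAPABILITIES = {
  "access user data for all sites": (perms, hosts) => perms.concat(hosts).some((p) => ALL_SITES.includes(p)),
  "show notifications": (perms) => perms.includes("notifications"),
  "read and modify privacy settings": (perms) => perms.includes("privacy"),
  "access browser tabs": (perms) => perms.includes("tabs"),
};

// Content scripts whose match patterns reach mail.google.com (directly or via an all-sites pattern).
function gmailContentScripts(manifest) {
  return (manifest.content_scripts || []).filter((cs) =>
    (cs.matches || []).some((m) => GMAIL.test(m) || ALL_SITES.includes(m)));
}

function auditManifest(manifest) {
  const perms = manifest.permissions || [];
  const hosts = manifest.host_permissions || []; // manifest v3 moves host patterns here
  const found = Object.keys(CAPABILITIES).filter((name) => CAPABILITIES[name](perms, hosts));
  const gmailScripts = gmailContentScripts(manifest).map((cs) => cs.js || []).flat();
  return {
    name: manifest.name,
    found,
    gmailScripts,
    // Worth a manual look: all-sites access plus code running inside Gmail.
    review: found.includes("access user data for all sites") && gmailScripts.length > 0,
  };
}

// Constructed sample: a "notifier" add-on carrying an extra Gmail content script.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: "Flash update helper",
  permissions: ["<all_urls>", "notifications", "privacy", "tabs"],
  content_scripts: [{ matches: ["*://mail.google.com/*"], js: ["notifier.js", "extra.js"] }],
};

// Constructed sample: a narrowly scoped add-on that only needs the tabs permission.
const BENIGN_MANIFEST = { manifest_version: 3, name: "Tab counter", permissions: ["tabs"] };

if (typeof module !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
  console.log(JSON.stringify(auditManifest(BENIGN_MANIFEST), null, 2));
}
```

Many legitimate extensions hold broad permissions, so the `review` flag is a triage signal for a human to check the bundled scripts, not a verdict.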
"The use of browser extensions to target users' private Gmail accounts combined with Scanbox malware distribution demonstrates TA413's experience and skill," Proofpoint concluded.