Articles Firefox extension used to hack Gmail

Firefox extension used to hack Gmail


Proofpoint has discovered a campaign associated with the Chinese group TA413. According to the researchers, the campaign was active from January to February 2021. Hackers attacked Tibetan organizations around the world using a malicious Firefox extension that steals Gmail and Firefox data and then downloads malware onto infected systems.

The researchers say that cybercriminals attacked Tibetan organizations with targeted phishing emails that lured victims to sites prompting them to install a fake Flash update, allegedly required to view the content.

In fact, these resources contained code that divided users into groups. So, only Firefox users with an active Gmail session were offered to install a malicious extension, while other victims were not interested in hackers.

The malicious extension was called Flash update components, but in fact it was a variation of the legitimate Gmail notifier (restartless) extension, and was capable of abusing the following features.


  • Search emails
  • Archive emails
  • Receive Gmail notifications
  • Read emails
  • Changing the audio and visual alert functionality in Firefox
  • Flag emails
  • Mark emails as spam
  • Delete messages
  • Refresh Inbox
  • Forwarding letters
  • Search
  • Delete messages from the Gmail Trash
  • Send mail from a compromised account

Firefox (depends on the rights granted):

  • Access to user data for all sites
  • Display notifications
  • Read and change privacy settings
  • Accessing browser tabs

However, the attack did not end there. The extension also downloaded and installed ScanBox malware on the infected machine. It is an old malware tool based on PHP and JavaScript that has been used more than once in attacks by Chinese hack groups. The last recorded use of ScanBox dates back to 2019, when analysts at Recorded Future noticed attacks on visitors to Pakistani and Tibetan sites.

ScanBox is able to track visitors to certain sites, act as a keylogger, and steal user data that could be used in future attacks.

Interestingly, this time the fake Flash attacks worked better than ever. While most users have long known to stay away from sites offering Flash updates, support for Flash was discontinued early this year. On January 12, 2021, all Flash content stopped playing in browsers, and this seems to be what made the TA413 attacks much more successful than usual.

Must read

28 dangerous extensions detected for Google Chrome and Microsoft Edge

Avast experts have discovered malware hidden in at least 28 third-party...

Critical Infrastructure Warning! Millions of PLCs, switches, IoT devices are under threat

Eleven vulnerabilities, combined under the name Urgent / 11,...

Why Is It Important To Have Intrusion Detection And Prevention ?

This article describes why detection and prevention of burglaries...

The risk is real: attacks on OT infrastructure

Previously, many believed that attacks on an isolated OT...

Gitpaste-12: Linux bot armed with a dozen exploits

Researchers at Juniper Networks have discovered a Linux scripting...

Saferwall : Open Source Malware Analysis

Saferwall is an open source malware analysis platform. It...

Network Vulnerability Assessment ? Why Should Every Company Do it at least once a Year !

Network vulnerability assessment analyzes a variety of network issues,...

Artificial Intelligence and Cyber Security

As artificial intelligence intrudes into the world of cybersecurity,...

You might also likeRELATED
Recommended to you