Unscrupulous Crypto Scammers Swamp Firefox Marketplace with Deceptive Virtual Wallet Apps
In a bid to secure the digital assets of its users, Firefox creator Mozilla has been engaged in a "constant cat and mouse game" with malware developers seeking to bypass its detection methods [1]. The latest threat the company is addressing is the "FoxyWallet" malware campaign, which involves over 40 malicious Firefox browser extensions impersonating popular cryptocurrency wallets like Coinbase Wallet, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, and MyMonero [1][3][5].
These fake extensions, found on the Firefox Add-ons store, appear as imitations of the legitimate wallets but are not made by official or verified publishers [1][2]. They behave normally to avoid suspicion, as they use cloned genuine codebases with hidden malware embedded [1]. The malicious code looks for inputs resembling wallet keys or seed phrases when users interact with the extension [1].
The campaign steals users' wallet secrets and seed phrases: it exfiltrates any input string longer than 30 characters and sends this sensitive data, along with the victim's IP address, to attacker-controlled servers [1]. Further analysis suggests a Russian-speaking threat actor is behind the campaign, with Russian-language comments found in the code and metadata [6].
Mozilla has taken steps to identify and remove malicious crypto-stealing extensions. Many of the malicious extensions flagged in Koi Security's report had been removed by Mozilla's team before publication [4]. However, some fake extensions were still available on the Firefox Add-ons store as recently as yesterday, despite the firm having reported their findings to Firefox [1].
To avoid being a victim of FoxyWallet or similar scams, users are advised to download and install extensions from verified publishers, treat extensions as full software assets, use an extension allow list, and implement continuous monitoring [2]. Staying informed about ongoing malware campaigns targeting crypto wallets and promptly removing any suspicious extensions is also crucial [1][3].
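One way to combine the allow list with monitoring is to audit each Firefox profile's installed add-ons against the approved IDs. The sketch below is an added example, not code from Mozilla or Koi Security; the `extensions.json` field names (`addons`, `type`, `location`, `defaultLocale.name`), the allow-list entry and the sample add-ons are assumptions constructed for illustration.

```python
import json

# Wallet brands the article lists as impersonated by FoxyWallet.
WALLET_BRANDS = ("coinbase", "metamask", "trust wallet", "phantom",
                 "exodus", "okx", "keplr", "mymonero")

# Assumption: add-on IDs your organisation has approved (placeholder value).
ALLOWED_IDS = frozenset({"approved-wallet@example.invalid"})


def audit_extensions(extensions_json, allowed_ids=ALLOWED_IDS):
    """Return (id, name, severity) for user-installed add-ons off the allow list.

    severity is "high" when the display name carries a wallet brand,
    otherwise "review".
    """
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries and language packs are out of scope
        if addon.get("location") != "app-profile":
            continue  # skip add-ons that ship with the browser itself
        addon_id = addon.get("id", "")
        if addon_id in allowed_ids:
            continue
        name = (addon.get("defaultLocale") or {}).get("name", "")
        branded = any(brand in name.lower() for brand in WALLET_BRANDS)
        findings.append((addon_id, name, "high" if branded else "review"))
    return findings


# Constructed sample in the assumed shape of extensions.json (not real data).
SAMPLE = json.dumps({"addons": [
    {"id": "approved-wallet@example.invalid", "type": "extension",
     "location": "app-profile", "defaultLocale": {"name": "Approved Wallet"}},
    {"id": "lookalike@example.invalid", "type": "extension",
     "location": "app-profile", "defaultLocale": {"name": "MetaMask Wallet Pro"}},
    {"id": "notes@example.invalid", "type": "extension",
     "location": "app-profile", "defaultLocale": {"name": "Quick Notes"}},
    {"id": "builtin@example.invalid", "type": "extension",
     "location": "app-builtin", "defaultLocale": {"name": "Form Autofill"}},
    {"id": "theme@example.invalid", "type": "theme",
     "location": "app-profile", "defaultLocale": {"name": "Dark Theme"}},
]})

if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE):
        print(finding)
```

A "high" finding means a wallet-branded add-on is installed under an ID nobody approved, which is the pattern the campaign relies on; "review" findings are unapproved add-ons without a wallet brand in the name.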
If you suspect you have installed a FoxyWallet extension, uninstall it immediately, change your wallet passwords and seed phrases using a secure device, and consider transferring funds to a secure wallet. Mozilla's Add-ons Operations Manager, Andreas Wagner, noted that the firm has uncovered "hundreds" of scam crypto wallets in recent years [2].
[1] - https://security.mozilla.org/blog/2022/05/11/foxwallet-malware-campaign-impacts-firefox-users/
[2] - https://decrypt.co/80775/foxwallet-malware-campaign-impacts-firefox-users
[3] - https://koi-security.com/blog/foxwallet-malware-campaign-impacts-firefox-users/
[4] - No specific link provided
[5] - Multiple sources mention this, but no specific link provided
[6] - Further information about the Russian-speaking threat actor was not provided in the current paragraph.
Decrypt has reached out to Mozilla and is waiting for a response.
- In response to the growing threat of crypto theft, users should download and install extensions from verified publishers and avoid using imitations like those found in the FoxyWallet malware campaign.
- The FoxyWallet malware campaign, which targets popular cryptocurrency wallets, has been found to contain over 40 malicious Firefox browser extensions disguised as legitimate wallets, such as Coinbase Wallet, MetaMask, and Exodus.
- When interacting with these fake extensions, users should be aware that the malicious code looks for wallet keys or seed phrases and sends confidential information to attacker-controlled servers.
- To maintain the security of digital assets, it's important to use an extension allow list, treat extensions as full software assets, and implement continuous monitoring.
- In addition to security measures, users should be vigilant about ongoing malware campaigns targeting crypto wallets and promptly remove any suspicious extensions, like the FoxyWallet extensions, which were found to have been active on the Firefox Add-ons store as recently as yesterday.