A newly discovered cyberattack takes control of victims' Gmail accounts by using a malicious, custom Mozilla Firefox browser extension called FriarFox. Researchers report that this threat, observed in January and February, targeted Tibetan organizations and was attributed to TA413, a known advanced persistent threat (APT) group believed to be aligned with the Chinese state; the group's activity often serves the Chinese Communist Party's interests in espionage and surveillance of civilian dissidents, including the Tibetan diaspora.

The elaborate delivery chain behind FriarFox gave the attackers access to their victims' Gmail accounts, which is especially worrying given that email is both one of the main attack vectors and one of the most valuable sources of information about a person.

Once the attackers had access to a compromised account, they could reset its password, send emails from that address with the user's signature, and read the contact list, which made these accounts extremely attractive targets.

The attack originated from phishing emails, first detected in late January, aimed at various Tibetan organizations. One of the emails found by investigators purported to come from the "Tibetan Women's Association", a legitimate group based in India. The subject of the email was: "Within Tibet and the Tibetan exile community".

The email contained a malicious URL posing as a YouTube link. In reality, the link took recipients to a page themed as an Adobe Flash Player update, where the download of the malicious browser extension begins.

The researchers said this latest campaign shows TA413 shifting toward modified open source tools to compromise its victims: FriarFox appears to be based on an open source tool called "Gmail Notifier (no restart)", a free tool available from various locations.

Once again, a reminder that cybercriminals never rest and are always looking for new ways to steal from, spy on and deceive users on the web.
