Security researchers from Sophos warn of fake emails purporting to be Firefox update notifications and directing recipients to a password-stealing trojan.The emails bear a subject of "New version released" and have their header spoofed to appear as if they were sent from a @firefox.com email address. The contained message is copied from the legit Firefox Update page and reads:
"A Firefox software update is a quick download of small amounts of new code to your existing Firefox browser. These small patches can contain security fixes or other little changes to the browser to ensure that you are using the best version of Firefox available.
"Firefox is constantly evolving as our community finds ways to make it better, and as we adjust to the latest security threats. Keeping your Firefox up-to-date is the best way to make sure that you are using the smartest, fastest and . most importantly . safest version of Firefox available.
"A Firefox update will not make any changes to your bookmarks, saved passwords or other settings. However, there is a possibility that some of your Add-ons won.t be immediately compatible with new updates."
The email ends with a recommendation reading "For security reasons please update your firefox version now [LINK]," however it's clear that the link does not lead to a location on mozilla.com.
The URL points to a file hosted on btopenworld.com, the web hosting service offered by BT to its broadband customers. The executable is actually an installer for Mozilla Firefox 5.0.1 with a password stealer attached.
Bundling the trojan with a legit Firefox installer instead of serving it directly is an attempt to divert the victim's attention from what's happening in the background. Users are always advised to download programs directly from the vendor websites or trusted download portals.
It's also worth keeping in mind that Mozilla does not send Firefox update alerts via email. In fact, starting with Firefox 5, the open source browser updates itself silently without no interaction from the user being required.