- Feb 4, 2016
A Firefox extension called Image Previewer was discovered today that not only displays popups, but also injects a Monero in-browser miner into Firefox. While we have seen numerous Chrome extensions injecting in-browser miners, this is the first time I have seen a Firefox addon with this behavior.
The Image Previewer addon is promoted by web sites that pretend to be a manual Firefox update, but in reality push a Firefox addon to the visitor. This is done through repeated JavaScript alerts and user authentication prompts that push the user into installing the addon directly from the site.
Fake Firefox Update Page
When this addon is installed, it will inject an iframe to a JavaScript file that monetizes sites that you visit using popups, link click hijacking, and ad injection. This is done by first connecting to http://searchye.tools/cfg/cnt.json, which will respond with a URL that will be injected into the page as shown below.
Injected Script
The addon will then open the page Loading... in an iframe. This page contains the setup script for the in-browser Monero miner. The variables used in the URL are important as well, as they specify the user id associated with the miner and the throttle, which is the percentage of time that the miner threads should be idle.
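A defender-side check built from the behavior described in the post, as an added example that is not part of the original post: it scans proxy log lines for the `searchye.tools/cfg/cnt.json` fetch and lists what the same client requested shortly afterwards, so the injected script and miner setup page can be reviewed. The log format, the 30-second window, the `.example` hosts and the `user`/`throttle` parameter names in the sample are constructed assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qsl

# Indicator taken from the post: the addon's configuration endpoint.
CONFIG_HOST = "searchye.tools"
CONFIG_PATH = "/cfg/cnt.json"
WINDOW = timedelta(seconds=30)  # assumed correlation window

# Constructed sample proxy log: "<ISO time> <client> <url>" (format is an assumption).
SAMPLE_LOG = """\
2016-02-04T10:00:00 10.0.0.5 http://searchye.tools/cfg/cnt.json
2016-02-04T10:00:02 10.0.0.5 http://inject.example/ads.js
2016-02-04T10:00:03 10.0.0.5 http://miner.example/setup.html?user=PLACEHOLDER&throttle=50
2016-02-04T10:00:04 10.0.0.9 http://news.example/index.html
2016-02-04T10:05:00 10.0.0.5 http://news.example/index.html
"""

def parse(log):
    """Yield (time, client, parsed URL) for each well-formed log line."""
    for line in log.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, client, url = parts
        try:
            yield datetime.fromisoformat(ts), client, urlsplit(url)
        except ValueError:
            continue  # bad timestamp or URL

def is_config_fetch(u):
    return (u.hostname or "").lower() == CONFIG_HOST and u.path == CONFIG_PATH

def find_infected(log):
    """Map client -> requests it made within WINDOW after a config fetch."""
    last_fetch, hits = {}, {}
    for ts, client, u in sorted(parse(log), key=lambda r: r[0]):
        if is_config_fetch(u):
            last_fetch[client] = ts
            hits.setdefault(client, [])
        elif client in last_fetch and ts - last_fetch[client] <= WINDOW:
            # Keep query parameters: the post notes they carry the miner's user id and throttle.
            hits[client].append((u.hostname, u.path, dict(parse_qsl(u.query))))
    return hits

if __name__ == "__main__":
    for client, followups in find_infected(SAMPLE_LOG).items():
        print(client, followups)
```

A client that appears in the result with an empty list still fetched the configuration and should be checked for the addon.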