Scammers are attempting to trick Firefox users into downloading backdoored software via spam emails that supposedly advertise an "update" to the open-source browser.

A run of spam emails circulating over the weekend all include links to a download that bundles together a Mozilla Firefox 5.0.1 installer and a password-stealing Trojan horse. As a social engineering ruse it is about as subtle as a brick in the head, but there just may be enough credulous users out there to make the scam work. In reality, Firefox automatically updates itself, a point scammers obviously hope prospective marks do not know.

Scams of this type first punted Microsoft security updates but, over time, they have diversified to embrace a wider range of targets.

Net security firm Sophos detects the malware punted via the fake Firefox attack as Troj-PWS-BSF. It also detects the browser/malware bundle. Other vendors can be expected to follow suit.

A write-up of the scam, complete with extracts of the offending email, can be found in a blog post by Sophos here. ®

Related stories

• Mozilla to auto-block unwanted Firefox add-ons (12 August 2011)
• Hackers subvert Firefox security warnings to sling scareware (20 October 2010)
• Fake Firefox update used to sling scareware (30 July 2010)
• Spyware ad-on targets Firefox fans (1 September 2009)