Scammers are attempting to trick Firefox users into downloading backdoored software via spam emails that supposedly advertise an "update" to the open-source browser.

A run of spam emails circulating over the weekend all include links to a download that bundles together a Mozilla Firefox 5.0.1 installer and a password-stealing Trojan horse. As a social engineering ruse it is about as subtle as a brick in the head, but there just may be enough credulous users out there to make the scam work. In reality, Firefox automatically updates itself, a point scammers obviously hope prospective marks do not know.

Scams of this type first punted Microsoft security updates but, over time, they have diversified to embrace a wider range of targets.

Net security firm Sophos detects the malware punted via the fake Firefox attack as Troj-PWS-BSF. It also detects the browser/malware bundle. Other vendors can be expected to follow suit.

A write-up of the scam, complete with extracts of the offending email, can be found in a blog post by Sophos here. ®

Related stories

• Mozilla CTO Eich: If your browser isn't open source (ahem, ahem, IE, Chrome, Safari), DON'T TRUST IT (14 January 2014)

  https://www.theregister.com/2014/01/14/eich_urges_open_source_surveillance_audits/

• Beware the ad-punting crapware-laden Firefox, warn infosec bods (13 August 2013)

  https://www.theregister.com/2013/08/13/fake_firefox_update_adware_scam/

• Mozilla to auto-block unwanted Firefox add-ons (12 August 2011)

  https://www.theregister.com/2011/08/12/mozilla_addon_blocking/

• Hackers subvert Firefox security warnings to sling scareware (20 October 2010)

  https://www.theregister.com/2010/10/20/scareware_scumbags_subvert_firefox_security_warnings/

• Fake Firefox update used to sling scareware (30 July 2010)

  https://www.theregister.com/2010/07/30/firefox_update_scareware_ruse/

• Spyware ad-on targets Firefox fans (1 September 2009)

  https://www.theregister.com/2009/09/01/firefox_spyware_add_on/