Analysis Summary

Mozilla has issued an urgent alert following the discovery of a sophisticated phishing campaign targeting developers on its addons.mozilla.org (AMO) platform. These attacks are designed to steal credentials by sending fake emails disguised as official Mozilla communications. The emails often include misleading messages such as “Your Mozilla Add-ons account requires an update,” creating a sense of urgency. One reported victim admitted to falling for the scam but later removed their extension after realizing the mistake, confirming that at least one developer account was compromised.

Security experts warn that these phishing emails exhibit several red flags, including the use of deceptive domains like “mozila” and failures in basic email authentication protocols such as SPF, DKIM, and DMARC. Legitimate Mozilla messages always originate from verified domains like mozilla.org or firefox.com, and they consistently pass email security checks. Developers are urged to be cautious of any links embedded in emails and to verify domains carefully before interacting.

Mozilla’s advisory stresses the importance of adopting a layered security approach. Developers are advised to avoid clicking links in emails, even if they appear to come from Mozilla. Instead, they should manually visit Mozilla’s official websites to verify any account-related updates. The advisory further emphasizes that credentials should never be entered on any site other than mozilla.org or firefox.com to prevent credential theft.

To support its community, Mozilla has provided guidance from the U.S. Federal Trade Commission and the U.K. National Cyber Security Centre, helping developers better identify phishing indicators and report suspicious activity. This campaign underlines a broader threat trend, where attackers increasingly exploit trusted developer accounts to distribute malicious extensions, thereby posing significant risks to both users and the broader Firefox ecosystem.

Impact

• Sensitive Credentials Theft
• Gain Access

Remediation

• Avoid clicking embedded links in emails claiming to be from Mozilla. Instead, manually visit mozilla.org or firefox.com.
• Verify sender domains only trust emails from verified domains like mozilla.org, firefox.com, or their subdomains.
• Check email authentication headers to ensure the message passes SPF, DKIM, and DMARC checks.
• Watch for misspelled domain names (e.g., "mozila" instead of "mozilla") as red flags.
• Never enter Mozilla credentials on unverified websites or links received via email.
• Enable two-factor authentication (2FA) on your Mozilla developer account for added protection.
• Regularly monitor your add-ons and account activity for any unauthorized changes.
• Report phishing attempts to Mozilla and refer to resources