
Palo Alto Network: Domain Shadowing is a Prevalent Threat

 

According to threat analysis by Palo Alto Networks' Unit 42, a phishing technique known as domain shadowing is wreaking havoc. The company found that around 12,197 domains were shadowed between 25 April and 27 June 2022 to serve malicious content.
 
Attackers use domain shadowing for covert attacks. Once a threat actor gains access to or hijacks your DNS configuration, they create their own sub-domains hosting malicious code under your legitimate, reputable domain and use them for malicious activity. The hijacked domains are used in several ways, such as evading security checks, distributing malware and committing fraud.
 
It is important to note that attackers create these shadow sub-domains without altering the functioning of the original domain. This works in their favour: victims see no sign that a threat exists, and owners of the original domains rarely audit their DNS records to confirm they are secure.
 
Unit 42 does, however, apply a method for detecting hijacked domains and illegitimate sub-domains. It works through a checklist of steps such as checking whether the IP address of the sub-domain matches that of the parent domain, checking how long the domain and its sub-domains have been active, and examining the naming patterns of the domain and its sub-domains.
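As an added example (not code from Unit 42 or from the original post), the following Python script turns the three checks listed above into a simple scorer over passive-DNS style records. The record format, the keyword and random-label patterns, the 30-day and 365-day thresholds and the sample data for `example.com` are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple
import re

@dataclass
class DnsRecord:
    name: str         # fully qualified hostname
    ip: str           # address its A record points to
    first_seen: date  # first date passive DNS observed the name

# Constructed sample data: example.com stands in for a hijacked legitimate domain.
ROOT = DnsRecord("example.com", "203.0.113.10", date(2015, 3, 1))
SUBDOMAINS = [
    DnsRecord("www.example.com", "203.0.113.10", date(2015, 3, 1)),
    DnsRecord("login-secure-update.example.com", "198.51.100.77", date(2022, 6, 20)),
    DnsRecord("mail.example.com", "203.0.113.12", date(2016, 1, 10)),
    DnsRecord("a8f3k2.example.com", "198.51.100.78", date(2022, 6, 21)),
]
AS_OF = date(2022, 6, 27)  # constructed "today" for the age checks

# Constructed patterns; tune them against your own passive-DNS data.
PHISHING_WORDS = re.compile(r"login|secure|verify|update|account|signin", re.I)
RANDOM_LABEL = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{6,}$")

def score_subdomain(sub: DnsRecord, root: DnsRecord, today: date) -> Tuple[int, List[str]]:
    """Apply the three checks from the post; return (score, reasons)."""
    assert sub.name.endswith("." + root.name), "not a child of the root domain"
    reasons = []
    # 1. Does the sub-domain resolve somewhere other than the parent domain?
    if sub.ip != root.ip:
        reasons.append("ip-mismatch")
    # 2. Is the sub-domain very new while the parent is long established?
    if (today - sub.first_seen).days < 30 and (today - root.first_seen).days > 365:
        reasons.append("recent-subdomain")
    # 3. Does the label look like a phishing lure or a machine-generated name?
    label = sub.name[: -(len(root.name) + 1)]
    if PHISHING_WORDS.search(label):
        reasons.append("phishing-keyword")
    if RANDOM_LABEL.match(label):
        reasons.append("random-label")
    return len(reasons), reasons

def suspected_shadow_domains(today: date, threshold: int = 2) -> List[str]:
    """Names scoring at or above the threshold. An IP mismatch alone is not
    enough: mail or CDN hosts legitimately live on other addresses."""
    return [s.name for s in SUBDOMAINS
            if score_subdomain(s, ROOT, today)[0] >= threshold]

if __name__ == "__main__":
    for name in suspected_shadow_domains(AS_OF):
        print("suspected shadowed sub-domain:", name)
```

On the sample data only the two recently created sub-domains on foreign addresses are flagged; `mail.example.com` differs in IP but is old and plainly named, so it stays below the threshold.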
 
Domain shadowing can be seen as a new evolution of online threats such as fast flux. It has been described as the most effective and hardest-to-detect technique used by malicious attackers to date. The attacker can add tens of thousands of sub-domains to hijacked domains, and because they are used at random, the next victim's domain cannot be predicted.
 
According to Palo Alto Networks' threat researchers, when they became aware of this phishing technique and the growing number of cases associated with it, only 200 of the shadowed domains were flagged as potentially harmful. VirusTotal also showed that some of them were organised into a single phishing campaign that registered 649 deceptive domains under 16 trusted websites.
 
The shadowed domains are used to phish users' login credentials. To protect your website and data from domain shadowing, adopt next-generation security measures, including connected threat-intelligence platforms, and check the web page carefully before entering credentials.

Vulnerability Lab discovered persistent XSS vulnerability in Paypal


The Vulnerability Laboratory Research Team discovered a persistent web vulnerability in the content management system of the official PayPal (core) e-commerce website.

The security flaw allows remote attackers to inject their own malicious script code on the application side (persistent).

The persistent input validation vulnerability is located in the Adressbuch module and is bound to its search function, which fails to sanitise script code tags submitted as `Adressbuch` contacts. The injected code executes from the web context of the search result listing. Exploiting it remotely requires little user interaction and a privileged PayPal banking application user account.

Successful exploitation results in persistent session hijacking (admin), account theft via persistent phishing, or persistent manipulation of the search module's web context.

In an email sent to EHN, Vulnerability Lab submitted a proof of concept for the security flaw. The PoC code can be found here: http://pastebin.com/LhB82k4F

A contact name containing the script code was saved in the address book. Only a matching, successful search result triggers the persistent execution in the web context.

When another user searches for the existing address book entry, the code executes persistently from the web context of the matching search result listing.

A few months after Vulnerability Lab notified PayPal, the PayPal security team patched the vulnerability on December 11.