Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Typo Squatting. Show all posts

Info-stealing Ads Spread by Malvertising

HP Wolf Security's cybersecurity researchers have issued a warning about various ongoing activities that aim to use typosquatting domains and malicious advertising to spread different types of malware to unwitting victims.

Additionally, the scammers paid various ad networks to broadcast ads promoting these bogus websites. Search engines can end up presenting harmful versions of the websites alongside trustworthy ones when users search for these programs in this manner. Users risk being misdirected if they are not careful and double-check the URL of the website they are viewing.

Bogus installers

A total of 92 domains that look like other software and may have been used to spread IcedID were found. If victims do find themselves in the incorrect location, they would not likely notice the difference.

The websites are meticulously created to resemble the real ones in practically every way. In the context of Audacity, the website hosts a malicious.exe file that poses as the installation for the program. 'audacity-win-x64.exe' is the file's name, and it is larger than 300MB in size. The attackers strive to avoid detection by being this large, in addition to antivirus software. The researchers found that several antivirus products' automatic scanning functions do not check really huge files.

According to Cyble security experts, Rhadamanthys was used to steal data from web browsers, crypto wallets, and messaging apps. It was spread using Google Ads that imitated AnyDesk, Zoom, Bluestacks, and Notepad++.

Another issue involved DEV-0569 abusing Google Ads to distribute BatLoader, according to Microsoft researchers. As part of the spreading process, the group imitated LogMeIn, Adobe Flash Player, and Microsoft Teams.

Due to their extensive capabilities, info-stealers are now a common type of malware utilized by hackers. The demand for this malware is so great that it rules many underground market forums.

Increased sales of victim data on the dark net will result from selling these new malware strains and the accessibility of info-stealer malware source code.

Users should double-check the integrity of these websites before downloading any installers as the most recent assault campaign mostly uses bogus websites that look legal to distribute malware. To reduce the risk of info-stealer malware, it is also advised to deploy MFA across all accounts.




Rhadamanthys: Malware Hidden in Google Ads


Threat actors are establishing fraudulent websites for popular free and open-source software in order to promote malicious downloads via advertisements present in the Google search result. 

The info-stealing malware Rhadamanthys uses Google advertisements as a means of luring people into downloading malicious software. The malware steals information including email addresses and passwords in addition to focusing on cryptocurrency wallet credentials. 

Rhadamanthys is sold to criminals as malware-as-a-service (MaaS), and its utility has multiplied as infostealers become a popular tactic to attack targets. 

As of yet, at least one prominent user on the cryptocurrency scene has fallen prey following the malware campaign. According to the victims, the hackers had stolen all their digital crypto assets, along with having access to their professional and personal accounts. 

What is Rhadamanthys? 

According to threat researcher Germán Fernández, Rhadamanthys, named after the demigod child of Zeus and Europa in Greek mythology, has been dominating Google advertising for the widely used OBS (Open Broadcasting Tool) platform, a free video recording, and streaming service. 

Since November 2022, Rhadamanthys’ popularity has been growing rapidly. It has now advanced to a point where, if an online user searches for an OBS, they will eventually encounter five malicious ads at the apex of their Google searches, before seeing legitimate results below. 

A user may download malware, alongside legitimate software after he clicks on these advertisement links. 

In one such instance, 'Alex', a crypto influencer, better known by his online persona NFT God, was hacked following the download of a fraudulent executable for the OBS video recording and streaming program, through Google’s search results. His life was permanently altered when he mistakenly clicked on the fraudulently sponsored advertisement rather than the genuine one. 

“Last night my entire digital livelihood was violated. Every account connected to me both personally and professionally was hacked and used to hurt others. Less importantly, I lost a life changing amount of my net worth,” he tweeted. 

How does Rhadamanthys work? 

According to a report by the security firm Cyble, Rhadamanthys is offered for sale on the dark web and is distributed via spam emails along with Google advertisements. 

Rhadamanthys will start by obtaining relevant device data after a successful intrusion. The data often includes the device's name, model, operating system, OS architecture, hardware details, installed software, IP addresses, and user credentials 

“The Rhadamanthys program is capable of executing certain PowerShell commands[...]It also targets document files, the theft of which (depending on the sensitivity of their data) can cause severe issues for victims,” reads a blog post by cybersecurity firm PCrisk. 

In addition to this, the MaaS targets cryptocurrency wallet credentials by attempting to extract crytowallets’ passwords in order to acquire control of them and their funds. 

“In summary, the presence of stealer-type malware like Rhadamanthys on devices can result in serious privacy issues, significant financial losses, and even identity theft,” PCrisk concluded. 

How Can You Protect Yourself? 

In order to delay the victim’s response, users are advised to evade the malware activity by checking the URL, since the malicious links may seem identical to the official OBS site. The fraudulent URL may contain subtle spelling mistakes, a malicious tactic used to create fake URLs, called Typosquatting.   

Beware of this Lethal Malware that Employs Typosquatting to Siphon Banking Data

 

Disneyland Team, a Russian-speaking financial hacking group was identified using lethal info-stealing malware with confusing typosquatted domains to siphon login data for banking sites. 

The malicious campaign was discovered by Alex Holden, the founder of cybersecurity consulting firm Hold Security, and reported on by KrebsOnSecurity. 

According to the report, the hacking group specifically targets individuals compromised with a powerful banking malware called Gozi 2.0 (AKA Ursnif), which can siphon the data of internet-linked devices, and install additional malware.  

But Gozi is not as powerful as it used to be because search engine designers have launched multiple security measures over the years to nullify the threat of banking malware. But this is where typosquatting plays an important role by designing phishing websites with domain names that are common misspellings of websites. 

Take U.S. financial services company Ameriprise for example. Ameriprise employs the domain ameriprise.com. The Disneyland Team's domain for Ameriprise users is ạmeriprisẹ[.]com (the way it displays in the browser URL bar). The brackets are added to defang the domain.  

On observing carefully, you can make out small dots under the "a" and the second "e," and if you thought them to be specs of dust on your screen, you wouldn’t be the first one to fall for the visually confusing scam. These are not specs, though, but rather Cyrillic letters that the browser renders as Latin. 

So, when an individual falls into the trap laid by scammers and visits these bogus bank websites, it gets overlaid with the malware, which forwards anything the victim types into the legitimate bank’s website, while keeping a copy for itself. That way, when the real bank website returns with a multi-factor authentication (MFA) request, the fake website will request it too, effectively making the MFA useless.

“In years past, crooks like these would use custom-made “web injects” to manipulate what Gozi victims see in their Web browser when they visit their bank’s site, KrebsOnSecurity reported. “These could then copy and/or intercept any data users would enter into a web-based form, such as a username and password. Most Web browser makers, however, have spent years adding security protections to block such nefarious activity.”

Info Stealer Identified in a PyPI Package

 

GitHub user duxinglin1 has identified three PyPI packages 'keep,' 'pyanxdns,' and 'api-res-py' using a malicious dependency, 'request,' 

Last month, duxinglin1 uncovered the vulnerable versions containing the misspelled 'request' dependency, rather than the authentic 'requests' library. CVEs assigned to the susceptible versions include: 

• CVE-2022-30877 - 'keep' version 1.2 contains the backdoor 'request', 
• CVE-2022-30882 - 'pyanxdns' version 0.2 impacted 
• CVE-2022-31313 - 'api-res-py' version 0.1 impacted 

According to duxinglin1, the risk with the ‘Keep’ package is pretty high as it particularly receives over 8,000 downloads per week on average, while it is quite opposite with 'pyanxdns' and 'api-res-py' as they are small-scale projects. 

Two years back in 2020, Tencent Onion Anti-Intrusion System unearthed a malicious typosquat 'request' uploaded to the PyPI registry which copied the requests HTTP library but surprisingly dropped malicious info-stealers. 

"We found a malicious backdoor in version 1.2 of this project, and its malicious backdoor is the request package. Even if the request package was removed by PyPI, many mirror sites did not completely delete this package, so it could still be installed,” duxinglin1 explained. The malicious backdoor inside the counterfeit 'request' includes a base64-encoded URL to the 'check.so'. 

The file 'check.so' is loaded with a Remote Access Trojan (RAT), while 'x.pyx' contains data theft malware that exfiltrates cookies and private data from web browsers like Chrome, Firefox, Yandex, Brave, and others. Subsequently, the hackers with access to user credentials attempt to exploit other accounts employed by the developer, potentially leading to additional supply-chain attacks. 

When Bleeping Computer contacted the developers of each of these packages to identify whether this was due to a simple typographical error, or hijacking of maintainer accounts. The author of 'pyanxdns', Marky Egebäck, confirmed this was a result of a typographical error rather than an account compromise. 

Additionally, it appears that the developers of the other two packages also introduced 'request' rather than the legitimate 'requests' due to an innocent typing error. 

"Sorry to say by a simple typo in the setup.py file since git history shows that this was added when the install requires was added by me. This was [an] honest mistake based on a typo in the setup.py. I generally don’t publish things on PyPI but I made this quickly for a friend and myself. Not sure if he has promoted this but the purpose was mainly for personal use in [an] internal docker project," stated Egebäck.

US: Fake News and Hike in Malicious Campaigns



'The internet is stacked with fake news sites in the present times,' says the research of Domain Tools, a security analyst company. The company scrutinized some top news sites of the U.S and examined their vulnerability to URL hacking and false domains. The false URLs may advertise misinformation and harmful malware, according to study. “As skepticism of traditional media continues to rise, defending the society from fake news attacks has grown relevant to the constitutional process,” says Corin Imai, a security advisor of DomainTools.

The fake news in recent times has attacked the credibility of news and raised questions concerning professional journalism. In present times, the media coverage is full of falsehoods and misinformation. The majority of the mainstream news sites can be held responsible for spreading fake news among the general public.

Why should one pay attention to fake news sites? 

'It’s no mystery that since recent times fake news campaigns are on a hike,' says Imai. 'The research shows that various top news websites' domain names have been tricked, and are vulnerable to URL hacking.' Honesty and assurance are the pillars of splendid consumer aid expertise. The study by Domain Tools reveals how wicked users do clever tricks like typosquatting and replicating domains as methods to wind up fake news campaigns.

Typosquatting, also called URL hijacking, is a technique that clings on internet users who accidentally type a wrong domain while searching for a news site on a browser. Whereas, spoofing is when a trickster acts as a genuine publisher of a news site. These unlawful actions can result in unauthorized stealing of user data, circulate fake news via spoofing news sites and, download dangerous malware into the user's system.

How to identify misinformation campaigns and stay safe from fake news sites- 

Fake news sites often benefit from user's browsing pace by hogging on their favored source of information. This can lead to data theft or vulnerability to fake news and malware.
Steps to avoid fake news-

• Beware of suspicious or doubtful domain names. Always pay attention to whether the web search is correct.
• Bookmark your preferred news site. This benefit in avoiding typos while searching for a news site.
• Visit the news website directly; avoid clicking on links that lead to news or information.
• Be digitally literate. Stay up to date with the latest trends and technologies happening over the internet.

By following these basic precautions, one can be safe from the risk of fake news.