
For Three Years, Leading Messaging Servers were Scammed Using a URL Rendering Method


A URL rendering flaw has now been revealed as the source of phishing attacks on several popular messaging and email systems, among them WhatsApp, Instagram, iMessage, Facebook Messenger, and Signal. For three years, the flaw allegedly allowed attackers to craft realistic-looking phishing messages.

Experts feel the unexpected finding has arrived at precisely the right time. Researchers say that by injecting a right-to-left override (RTLO) character, the rendering issue creates a vulnerability in the application's interface, which then displays a URL that differs from the one actually linked.

This Unicode control character leaves every client that renders it exposed to URI spoofing. When an RTLO character is injected into a string, the text that follows it is displayed right-to-left instead of left-to-right in a browser or messaging app. Normally the character is used to display Arabic or Hebrew text.

Ordinary users are the prime targets: the goal is to lure them into phishing pages by spoofing well-known domains. Several of these flaws have been assigned CVEs, covering a wide range of IM application versions:

  • CVE-2020-20093 — Facebook Messenger 227.0 or earlier on iOS and 228.1.0.10.116 or earlier on Android
  • CVE-2020-20094 — Instagram version 106.0 or earlier on iOS, and version 107.0.0.11 or earlier on Android
  • CVE-2020-20095 — iMessage on iOS 14.3 or older
  • CVE-2020-20096 — WhatsApp 2.19.80 or earlier (iOS) and 2.19.222 or earlier (Android)

Signal, thankfully, has no CVE, because the exact attack method was reported to them directly. The CVE IDs are old because the vulnerabilities were first discovered in August 2019 by a researcher named 'zadewg'.

For example, two independent URLs can be concatenated so that they appear to be a single link while the app still treats them as two different URLs: clicking on the left-hand part leads to one website, while clicking on the right-hand part leads to another.

According to the research, the rendering trick is not as effective on email platforms such as Outlook.com, ProtonMail, or Gmail. However, similar attacks against other IM or email apps can be expected.

The one-line PoC is publicly available and simple to use, even for those with no technical or hacking expertise. There is also ample evidence of RTLO-based abuse in the wild, including in attacks that involve more advanced techniques.

Several other IM and email programs are likely vulnerable to the same exploit, but only those listed above have been confirmed as vulnerable. Users of the listed apps should therefore be vigilant when receiving messages containing URLs, always click on the left side of a link, and watch for app security updates that may fix the problem.
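The defensive counterpart to the rendering trick described above is to inspect message text for Unicode directional controls before it is displayed, and to notice when one link token carries more than one scheme (the concatenated-URL case). The following scanner is an added example written for this post, not code from the researcher or from any of the affected apps; the sample messages and the example.com/example.org/example.net hosts are constructed.

```python
import re
import unicodedata

# Bidi classes of the Unicode directional formatting characters (U+202A..U+202E and
# U+2066..U+2069); "RLO" is the right-to-left override the post calls RTLO.
BIDI_CONTROL_CLASSES = {"LRE", "RLE", "PDF", "LRO", "RLO", "LRI", "RLI", "FSI", "PDI"}

# Anything that looks like a URL; two URLs glued together become a single token here.
URL_TOKEN_RE = re.compile(r"https?://\S+")

def find_bidi_controls(text):
    """Return (offset, 'U+XXXX', Unicode name) for each directional control in text."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(text)
        if unicodedata.bidirectional(ch) in BIDI_CONTROL_CLASSES
    ]

def strip_bidi_controls(text):
    """Remove directional controls so the text displays in its stored (logical) order."""
    return "".join(ch for ch in text
                   if unicodedata.bidirectional(ch) not in BIDI_CONTROL_CLASSES)

def scan_message(text):
    """Flag URL tokens that carry bidi controls or chain several schemes into one link."""
    findings = []
    for token in URL_TOKEN_RE.findall(text):
        controls = find_bidi_controls(token)
        schemes = token.count("://")
        reasons = []
        if controls:
            names = ", ".join(f"{cp} {name}" for _, cp, name in controls)
            reasons.append("bidi control inside URL: " + names)
        if schemes > 1:
            reasons.append(f"{schemes} URL schemes in one token (concatenated links)")
        findings.append({"url": strip_bidi_controls(token),
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings

# Constructed sample messages (not taken from the post); \u202e is the RTLO character.
SAMPLE_MESSAGES = [
    "Your parcel is on its way: https://example.com/track/12345",
    "Please verify: https://example.com/\u202eaccount",
    "Read more: https://example.org/newshttps://example.net/login",
]
```

Running `scan_message` over each entry of `SAMPLE_MESSAGES` marks the first as clean and the other two as suspicious, with the stripped URL showing what was actually linked.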

URL Hijacking Cases uncovered by Venafi


Venafi, a company that offers a range of solutions to help financial services companies secure their cryptographic keys and digital certificates, has uncovered over 100,000 URL hijacks with valid TLS (Transport Layer Security) certificates targeting major retailers.

With the festive season around the corner, Venafi analysed lookalike domains targeting 20 major retailers. The analysis uncovered 109,045 typosquatted domains of retailers from the United States, the United Kingdom, Australia, Germany, and France, all using TLS certificates to appear more genuine. This is more than double last year's figure, and of these only 20,000 certificates were issued for retail.

Of the 109,045 domains, nearly 84,000 targeted US retailers, with 50,000 imitating the country's major players. In the UK, Venafi traced 14,000 fake retail certificates. The typosquatted domains were not limited to the US and UK: Venafi also discovered 7,000 certificates for fake domains targeting retailers in Germany, 3,500 targeting Australian retailers, and 1,500 targeting French retailers.

Jing Xie, a senior threat intelligence researcher at Venafi, said, "Some of these URLs probably serve a legitimate purpose, but many may be used by attackers for fraudulent purposes. We think the sheer volume of these sites is a strong indication that a large number of them are being used for malicious purposes, especially since we are so close to the holiday shopping season." (Source: SecurityWeek)

He added, "Although our research did not analyze the specific threats connected with these domains, we know that lookalike domains are frequently used in phishing attacks and to distribute malware. For example, back in 2017, security researchers found that many certificates that contained the word 'Paypal' were used in phishing websites. It's logical to assume that attackers are using similar tactics with other retail domains."

60% of all the fake domains, and 85% of the lookalike domains targeting German retailers, obtained their TLS certificates from Let's Encrypt. Let's Encrypt is a certificate authority that issues free certificates to website owners so they can encrypt their traffic; however, it seems miscreants are also taking advantage of its services.
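An analysis like Venafi's starts from a list of observed hostnames (certificate transparency logs are one source, since every public TLS certificate lands there) and asks which ones resemble a protected brand. The classifier below is an added example written for this post, not Venafi's tooling; the brand list, the observed hostnames and the homoglyph table are all constructed, and it compares only the first DNS label, which is enough for these samples.

```python
# Constructed brand list and observed hostnames (e.g. names seen in certificate
# transparency logs). These are made-up examples, not Venafi's data.
BRANDS = ["examplemart.com", "shopsample.co.uk"]
OBSERVED_HOSTS = [
    "examplemart.com",        # the genuine domain
    "exampelmart.com",        # adjacent letters transposed
    "examplemart-shop.com",   # brand name plus an extra token
    "shopsamp1e.co.uk",       # digit 1 standing in for the letter l
    "unrelated-store.net",
]
# Substitutions commonly used to make a label look like a brand name.
HOMOGLYPHS = {"1": "l", "0": "o", "rn": "m", "vv": "w"}

def normalize(label):
    """Undo common look-alike substitutions before comparing labels."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label

def damerau_levenshtein(a, b):
    """Edit distance counting insertion, deletion, substitution and adjacent transposition."""
    d = [list(range(len(b) + 1))] + [[i] + [0] * len(b) for i in range(1, len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(host, brands=BRANDS, max_distance=2):
    """Return (brand, reason) when host looks like a lookalike of a brand, else None."""
    label = normalize(host.split(".")[0])  # crude: compares the first label only
    for brand in brands:
        if host == brand:
            return None
        blabel = brand.split(".")[0]
        if blabel in label and label != blabel:
            return brand, "brand name embedded in a longer label"
        dist = damerau_levenshtein(label, blabel)
        if dist == 0:
            return brand, "homoglyph substitution"
        if dist <= max_distance:
            return brand, f"edit distance {dist} from brand label"
    return None

def flag_lookalikes(hosts=OBSERVED_HOSTS):
    """Map each suspicious host to the brand it imitates and why."""
    return {h: r for h in hosts if (r := classify(h))}
```

Calling `flag_lookalikes()` on the constructed list flags three of the five hosts and leaves the genuine domain and the unrelated store alone.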