Researchers have uncovered a new social engineering trick that leads users to a malicious extension from Google Chrome impersonating to deliver Adobe’s Flash Player in order to lure victims in a click fraud campaign.
Security experts at TrendMicro believe that the malware is triggered by
opening Facebook or Twitter via shortened links provided in any social
networking websites. Once clicked, the links may lead victims to a site
that automatically downloads the malicious browser extension.
MALWARE INVOLVES DOWNLOADING MULTIPLE MALICIOUS FILES
The process is quite complicated as the malware drops a downloader file
which downloads multiple malicious files on the victim’s computer.
Moreover, the malicious program also has ability to bypass Google's
recent security protection added to Chrome against installation of
browser extensions that are not in Chrome Web Store.
Researchers came across a baiting tweet that advertises “Facebook Secrets”,
claiming to show videos that are not publicly available, along with a
shortened link that is to be clicked in order to get it. Curious users
easily fall victim to such campaign and click the given links to
download those videos.
What the user totally unaware of is that the file which he downloaded is a malware dropper with the name “download-video.exe”, detected as TROJ_DLOADE.DND, according to fraud analyst Sylvia Lascano of the security firm Trend Micro.
This malicious file then is used to drop additional malware into the
victims’ computer, one such is a Chrome browser extension which
masquerades as Flash Player, which could be used for more offensive
threats designed to steal victims’ credentials for various online
services.
MALWARE BYPASSES GOOGLE’S SECURITY POLICY
In order to evade detection, the malware circumvents Google's security
policy – which only allows extension installations hosted in the Chrome
Web Store – by creating a folder in the browser's directory where it
drops “browser extension components.”
The browser extension components that needs to be loaded are added to Chrome’s extension folder are as follows:
- manifest.json – contains browser extension description like name, script to load, version, etc.
- crx-to-exe-convert.txt – contains the script to be loaded, which can be updated anytime by connecting to a specific URL.
After all the data is parsed by the browser in the dropped component manifest.json, the extension is ready to work.
OPEN FACEBOOK OR TWITTER – BE A VICTIM OF CLICK FRAUD
Once installed, if a user visits Facebook or Twitter, the extension
quietly opens a specific site in the background that is written in
Turkish, which researchers believe is part of a click fraud or
redirection scheme.
“The site is written in Turkish and phrases such as ‘bitter words,’ ‘heavy lyrics,’ ‘meaningful lyrics,’ ‘love messages,’ and ‘love lyrics’ appear on the page. This routine could be a part of a click fraud or redirection scheme,” fraud analyst Sylvia Lascano of the security firm Trend Micro said in a blog post.
SHORTENED LINK HELPED THREAT ACTORS
By the time researchers discovered the campaign, the tweets promoting
the sophisticated malware dropper had been retweeted more than 6,000
times.
Here cyber criminals took help of shortened link in order to victimize a
large number of victims because of the fact that the shortened link
don’t have visibility of where it directs, and contributes to spreading
the campaign.
So, in order to protect your computers against this sort of threats,
avoid accessing links from any unknown and suspicious sources.
0 comments:
Post a Comment