We recently published a blog that uncovered an online retail scam involving popular brands such as Ralph Lauren, Nike, Adidas, and Prada.
As promised, our analysts have conducted further research, and we’d like to share what we’ve discovered.
Fake Ralph Lauren site
To extract money from unsuspecting users, the operation uses three distinct phishing/social engineering techniques:
Redirection to a PayPal page, with an attacker-controlled recipient email.
Catphishing users with a PayPal invoice.
Harvesting data to a local or intermediate server.
In our first blog, we described how the attackers skim payment card details and PII to a malicious server.
Let’s take a look at how the scam uses PayPal to extract money – either via direct payment or through a legitimate PayPal invoice.
Method 1 – Redirection to a PayPal payment page
After they’ve been fooled into visiting a hoax website, the user is prompted to enter personal information into a web form to create an ‘account’.
They’re then redirected to a payment page, such as the one below:
Fake Spyder Checkout Page
Once the user has entered their payment card details, the site redirects them to a PayPal login page, with the order ID and amount to be debited included as pre-configured parameters.
The minimum order amount appears to be $95-$99, with smaller orders following a different redirection path.
The attackers also don’t bother calculating an exact order amount. Once a minimum order threshold of $95-$99 is reached, any exceeding amount is ignored.
After analyzing the POST request generated by the card submission, we discovered that users are routed through another URL (belonging to ipn.suiku[.]top) before arriving at PayPal:
POST details
The URL then populates a PayPal page, with an attacker-controlled recipient email (see below for a list of associated emails) and the amount to be debited pre-loaded via a few lines of code:
PayPal redirection
Method 2 – Legitimate PayPal invoices
Instead of relying solely on payment card details, some of the sites use a legitimate PayPal invoice to extract money from unsuspecting users.
This type of technique should immediately raise concerns. Online consumer checkouts rarely – if ever – request payment via an invoice. Such methods of payment are almost exclusively reserved for B2B transactions.
This fake Reebok checkout page generates a PayPal invoice for $97, rather than asking for a direct card payment:
Fake Reebok payment site
PayPal invoice following redirection
Once users agree to pay the invoice, they’re then redirected to a PayPal login page to complete the transaction, as seen in method 1 above.
When analyzing the POST request code from a traffic capture after the checkout form has been submitted, we can see that the invoice page URL is directly embedded in the HTML:
Paypal invoice directly embedded in POST request submission
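Both hand-off paths described in methods 1 and 2 can be checked from a traffic capture. The following is an added example written for this post, not code from Silent Push or from the scam sites: it reviews a constructed proxy log of one checkout (the store host, the intermediary hop and the order/amt parameter names are placeholders modelled on the flow above; `business` and `amount` are PayPal Payments Standard parameters) and scans a constructed checkout page for an embedded PayPal invoice link.

```python
"""Reviewing a captured checkout flow for the two PayPal hand-offs (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log of one checkout: (method, url, status, Location header).
# Hosts are placeholders standing in for the fake store and the intermediary hop;
# `order`/`amt` are names invented for the intermediary, while `business` and
# `amount` are PayPal Payments Standard parameters.
SESSION = [
    ("POST", "https://fake-store.example/checkout/submit", 302,
     "https://ipn.intermediary.example/pay?order=A1&amt=149.00"),
    ("GET", "https://ipn.intermediary.example/pay?order=A1&amt=149.00", 302,
     "https://www.paypal.com/cgi-bin/webscr?cmd=_xclick"
     "&business=payee%40attacker.example&amount=97.00&item_name=Order+A1"),
    ("GET", "https://www.paypal.com/cgi-bin/webscr?cmd=_xclick"
     "&business=payee%40attacker.example&amount=97.00&item_name=Order+A1", 200, None),
]

# Constructed checkout HTML for the invoice variant (method 2); the invoice id is a placeholder.
INVOICE_HTML = """
<form id="checkout"><input name="email"><button>Pay</button></form>
<a href="https://www.paypal.com/invoice/p/#INVOICE-ID-PLACEHOLDER">Pay your invoice</a>
"""


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_paypal(host):
    return host == "paypal.com" or host.endswith(".paypal.com")


def analyse_session(events, merchant_host):
    """Findings for a checkout that hands the shopper off to PayPal."""
    findings = {}
    # 1. Any host in the chain that is neither the store nor PayPal is a relay hop.
    hops = {host_of(url) for _, url, _, _ in events}
    foreign = sorted(h for h in hops if h != merchant_host and not is_paypal(h))
    if foreign:
        findings["third_party_hop"] = foreign
    submitted = None
    for _, url, _, location in events:
        for candidate in (url, location):
            if not candidate:
                continue
            params = parse_qs(urlsplit(candidate).query)
            if submitted is None and "amt" in params:
                submitted = params["amt"][0]          # amount the shopper was shown
            if not is_paypal(host_of(candidate)):
                continue
            # 2. Recipient and amount pre-loaded on the PayPal URL.
            payee = params.get("business", [""])[0]
            amount = params.get("amount", [""])[0]
            if payee and payee.rsplit("@", 1)[-1].lower() != merchant_host:
                findings["recipient_mismatch"] = payee
            if amount:
                findings["prefilled_amount"] = amount
                # 3. Order total silently replaced by a fixed charge.
                if submitted and amount != submitted:
                    findings["amount_mismatch"] = (submitted, amount)
    return findings


INVOICE_LINK = re.compile(r"https://www\.paypal\.com/invoice/[^\s\"'<>]+")


def find_invoice_links(html):
    """Invoice URLs embedded directly in a checkout page (method 2)."""
    return INVOICE_LINK.findall(html)


if __name__ == "__main__":
    print(analyse_session(SESSION, "fake-store.example"))
    print(find_invoice_links(INVOICE_HTML))
```

A consumer checkout that relays through an unrelated host, pre-fills a recipient outside the merchant's domain, or charges a different amount from the one shown at the basket is the pattern to flag; a legitimate integration goes straight from the store to PayPal with the merchant as payee.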
Next steps…
We’re adding a custom threat feed to the Silent Push platform that paid subscribers can use to stay one step ahead of the scam. We’ll also be passing our findings on to PayPal.
PayPal has safeguards in place that remind users of the need to be vigilant online, but as we’ve seen, this group of threat actors is casting their net far and wide with a variety of attack vectors that exploit some of the biggest names in online retail.
Visit silentpush.com for more information on how Silent Push can help to protect your infrastructure in the run-up to the holidays.
Register for the Community version to take advantage of the largest free library of SaaS-based threat defense tools available anywhere in the world.
Our Threat Analysts have uncovered a worldwide e-commerce fraud, featuring thousands of fake websites and payment portals for numerous big-name clothing and footwear brands, in the run-up to the holiday season.
Companies affected include Versace, Prada, Puma, Nike, Ted Baker, Converse, Ralph Lauren, Lacoste, Quicksilver, Timberland, Vans, The North Face, La Perla, and Ugg.
A large group of threat actors are registering domain names that mimic a brand’s online presence, and tricking users into handing over Personally Identifiable Information and payment card details, through fake registration and payment forms, and hoax product pages.
The fake sites, featuring valid SSL certificates and HTTPS, all share some common denominators:
Textual errors, including spelling mistakes and branding/image anomalies.
Fake products ‘retailing’ for between $50-$300, often at huge discounts.
A focus on high-end goods from big-name online retailers.
A lack of product reviews.
Malfunctioning contact forms and social media buttons linking to standardized login pages.
The fake sites are put together using a standardized template, with some sites currently ranking on the front page of popular search engines, such as Bing, Yahoo, and DuckDuckGo.
We’ve published a list of IP ranges affected and are actively working on uncovering more Indicators of Compromise, including domain derivatives and site characteristics, as the threat landscape unfolds.
Scammers harvesting personal information and payment card details from fake websites.
Big name clothing and footwear brands affected in multiple countries.
Dangers for global consumers in the run-up to Cyber Monday and Black Friday.
Hoax websites appearing on the first page of search results.
The holiday season is nearly upon us. With Black Friday and Cyber Monday fast approaching on the 25th and 28th November, and with 60% of adults planning to start their Christmas shopping before December, the accelerated digitization of shopping habits throughout the COVID-19 pandemic has retailers crossing their fingers for an early rush to online checkouts.
Unfortunately, it’s not only big name brands that are vying for consumers’ attention.
Fake Ralph Lauren website
Silent Push Threat Analysts have uncovered an enormous fake ecommerce network – featuring high-end brands and thousands of hoax websites – that’s fooling unsuspecting shoppers into handing over personal data and payment card information in a global online shopping scam, affecting household names from around the world of retail, including:
Versace
Prada
Puma
Nike
Ted Baker
Converse
Nautica
Ralph Lauren
Lacoste
Quicksilver
Timberland
Vans
The North Face
La Perla
Ugg
The method
Capturing traffic
To redirect consumer traffic away from genuine companies, the scammers register domain names that mimic a brand’s legitimate online presence – usually by adding words to the company name, spelling words differently, or targeting a brand’s presence in a particular country.
Once the site is live, the scammers install an SSL certificate, allowing them to hide behind what appears to be a valid identity, using HTTPS and a padlock icon to build legitimacy with unsuspecting visitors:
Fake Prada website
Legitimate Prada website
To make matters worse, the scammers have managed to get their websites listed on the front page of prominent search engines such as Bing, Yahoo and DuckDuckGo.
A search on Bing for a popular product from global fashion retailer Reiss displays a scam website (sweetpondcottage[.]com) on the front page, underneath the company’s legitimate website, and well-known outlets such as John Lewis and Millets:
To get at consumers’ payment card details, the websites present visitors with what appear to be legitimate high-end products, offered at a significant discount (usually within the $50-$200 price range) compared to their standard RRP.
An Arc’teryx Alpha Parka winter coat sells for €1,000 on the company’s official website (arcteryx[.]com). Scammers have set up a similar domain targeting Irish consumers at arcteryxireland[.]com, featuring a product page that’s relatively similar to the original:
As well as fake sign-up forms, the scam also features phony payment pages – used to harvest payment card details – that re-direct consumers to suspect third-party payment services, which in turn have the potential to obtain money directly from a user’s bank account.
Investigating the payments operation
Let’s delve a little deeper into the mechanics behind the payment fraud, and investigate how the scammers were utilising customers’ payment card details and PII.
We used a dummy card to attempt to make a purchase on several domains. When the scam sites processed our fake payment, our scans showed that data was harvested the moment it was submitted.
On one fake domain featuring the popular outdoor apparel brand Jack Wolfskin (jackwolfskinoutlet[.]com), visitors are redirected to a separate payment URL at the checkout – atsupport[.]com/ckgkt/ckout.asp.
Malicious payment site
The portal is designed to look like a genuine online checkout that’s verified by a legitimate third-party service, but once payment details are entered, the site uploads the card number, the CVV code and all other personal details to its own server, and other malicious servers.
Malicious POST information
Once the scammers have captured the data, they’re able to use it for all manner of purposes, including resale on the dark web, or to make purchases with directly.
Common denominators
Thankfully, all is not lost. As with most scam operations, there are tell-tale signs that should set the alarm bells ringing and alert users to the fact that they’re being taken for a ride.
1. Social media buttons not linking to official sources
Fake websites always avoid linking directly to a brand’s main social feeds.
To understand how potential customers are engaging with their brand, it’s standard practice for marketing departments to analyse traffic to their social media accounts.
Scammers know this, and return links to social media login pages or lists of Tweets by a company, rather than run the risk of being detected by a traffic algorithm.
Here’s an example. Note how the fake Facebook button is coded to provide a link to the user’s Facebook login page, rather than the official Arc’teryx page:
Scam website linking to a Facebook login page
Genuine website linking to an official Facebook page
2. ‘Contact Us’ form missing or incorrect
Threat actors aren’t in the business of encouraging communication from their marks, but that doesn’t stop them adding in a link to a ‘Contact Us’ form, in order to attempt to appear legitimate to anyone casually browsing the site.
All of the websites we encountered throughout the campaign had customer contact forms that either didn’t work, or triggered no response once completed (i.e. no auto-acknowledgment emails received after a message was sent).
3. Textual anomalies
Be on the lookout for spelling mistakes, grammatical errors, and strange text formats (fonts and spacing) that, for one reason or another, just seem out of place.
This kind of scam relies on teams of threat actors creating websites from a pre-configured template that allows them to pump out the maximum amount of fake content, in the least amount of time.
This leads to similarities within the same campaign, from site-to-site, that become relatively easy to spot once you know what you’re looking for.
Several of the fake sites we investigated placed a small amount of text under the brand name, and included a small marketing message in the top banner, directly under the address bar, that looks completely out of place on the website of a big name clothing brand.
Here’s a fake Nike Ireland page advertising (in italics on their ‘homepage’) the fact that they offer a ‘30-day money back guarantee’, between two dollar sign characters.
You’ll notice that the menu font for ‘Men’ and ‘Women’ is also not branded, and looks equally out of place:
Fake Nike homepage, with templated text
The message box stays in the same place throughout all the fake websites – sticking to the template – but usually displays different text, depending on what page the user is on.
Here’s the same domain displaying a different message, on a different page, this time adapting the text to the main body content – promoting ‘Fast Delivery’ between two aeroplane icons (replacing the dollar signs from the homepage) on a pair of suspiciously cheap Nike trainers:
4. Suspect product pricing
It would appear that the architects of the scam have decided that offering goods for the same price range across all the fake websites – whatever brand they’re from, and whatever type of product they are – is the best way to grab a user’s attention.
Most of the fake online stores that we encountered advertised goods for ‘sale’ usually between $70 and $300, with items marked down at a huge discount, and an RRP displayed prominently alongside the ‘actual’ price.
Here’s a set of Ugg boots (that retails for £145 on the official website) being sold for £65 on a scam site, and an entire range of Timberland clothing advertised at around £40 a piece.
The scammers are swinging for the fences, focusing their efforts on big-name brands that sell high-quality goods, so that they can apply huge discounts to well-known product lines that sell for two, three or four times the price anywhere else they’re available.
If it looks too good to be true, it almost always is.
Fake ecommerce operations rarely waste their time on low-end products that generate tiny amounts of revenue.
This particular campaign is intent on capturing the attention of consumers with a level of disposable income that allows them to shop at expensive outlets such as Versace, Prada and Ralph Lauren.
5. No product reviews
Product reviews – or a lack thereof – are always a dead giveaway.
We’ve already discovered thousands of websites spread across potentially hundreds of brand names, and that’s just the tip of the iceberg. Setting up this kind of campaign is a numbers game, and threat actors simply don’t have the time to create fake product reviews for every item they feature on their websites.
Unlike legitimate shopping portals, barely any of the products we encountered had an accompanying review section, and if they did, the link was broken.
Here’s the product page for the Arc’teryx jacket we analysed earlier on. The real website encourages you to read user reviews. The fake website doesn’t:
Legitimate user review link
Fake website with no reviews
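The tell-tale signs above can be turned into a page-level checklist. The following is an added example (not Silent Push code) that scans a constructed storefront page for the indicators in this section: social buttons that lead to a login or search page rather than a brand page, a contact form with no backend, an implausible markdown against the RRP, and no review section. The CSS class names (`rrp`, `price`, `reviews`), the 60% discount threshold and the sample HTML are assumptions made for the demonstration.

```python
"""Heuristic checks for the tell-tale signs of a templated fake store (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SOCIAL_HOSTS = {"facebook.com", "twitter.com", "instagram.com"}
GENERIC_PATHS = ("/login", "/search")      # login page or tweet list, not a brand page

# Constructed sample pages; class names and prices are assumptions for the demo.
FAKE_STORE_HTML = """
<html><body>
<a href="https://www.facebook.com/login.php">Facebook</a>
<a href="https://twitter.com/search?q=ExampleBrand">Twitter</a>
<form action="#"><input name="email"><button>Contact us</button></form>
<div class="product"><h1>Alpha Parka</h1>
<span class="rrp">$1000.00</span> <span class="price">$97.00</span></div>
</body></html>
"""
LEGITIMATE_STORE_HTML = """
<html><body>
<a href="https://www.facebook.com/ExampleBrand">Facebook</a>
<form action="/contact"><input name="email"><button>Contact us</button></form>
<div class="product"><h1>Alpha Parka</h1>
<span class="rrp">$1000.00</span> <span class="price">$900.00</span>
<div class="reviews">12 customer reviews</div></div>
</body></html>
"""


class StoreScanner(HTMLParser):
    """Collects links, form actions, CSS classes and the two price fields."""

    def __init__(self):
        super().__init__()
        self.links, self.form_actions, self.classes, self.prices = [], [], set(), {}
        self._capture = None               # price field currently being read

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        cls = a.get("class") or ""
        self.classes.update(cls.split())
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "span" and cls in ("rrp", "price"):
            self._capture = cls

    def handle_endtag(self, tag):
        if tag == "span":
            self._capture = None

    def handle_data(self, data):
        if self._capture:
            m = re.search(r"\d+(?:\.\d+)?", data)
            if m:
                self.prices[self._capture] = float(m.group())


def social_link_is_generic(href):
    """True when a social button points at a login/search page instead of a brand page."""
    u = urlsplit(href)
    host = (u.hostname or "").lower()
    host = host[4:] if host.startswith("www.") else host
    return host in SOCIAL_HOSTS and u.path.startswith(GENERIC_PATHS)


def scan_store(html, discount_threshold=0.6):
    """Return the list of indicators found on one page."""
    s = StoreScanner()
    s.feed(html)
    flags = []
    if any(social_link_is_generic(h) for h in s.links):
        flags.append("social_buttons_to_login_pages")
    # A form whose action is empty or '#' submits nowhere, matching the dead contact forms.
    if s.form_actions and all(a.strip() in ("", "#") for a in s.form_actions):
        flags.append("contact_form_has_no_backend")
    rrp, price = s.prices.get("rrp"), s.prices.get("price")
    if rrp and price and (rrp - price) / rrp >= discount_threshold:
        flags.append("implausible_discount")
    if not any("review" in c for c in s.classes):
        flags.append("no_review_section")
    return flags


if __name__ == "__main__":
    print(scan_store(FAKE_STORE_HTML))
    print(scan_store(LEGITIMATE_STORE_HTML))
```

No single indicator is conclusive on its own; the value is in how many of them one templated page trips at once, which is why the function returns the full list rather than a yes/no verdict.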
Extent of the campaign
Given that the operation relies on templated websites that can be quickly populated with images, text and links without a great deal of effort, there are currently thousands of IP addresses and domain names active within the campaign, affecting prominent brands across the world.
Our Threat Analysts are working on producing a custom feed that’ll proactively track activity on the Silent Push platform across all the various iterations of domain names and IP addresses.
We discovered Chinese characters in some malicious code on several prominent scam sites, and numerous domains we encountered were registered in China, but without definitive evidence across the majority of IoCs in the campaign, we need to keep an open mind as to where the scam originated:
Chinese characters in malicious website code
Malicious domain registered in China
We’re currently conducting further research into the operation that delves into the technical specifics, and sheds even more light on how threat actors are deploying domains and websites, what to look out for and, potentially, who’s behind it.
We’ll be publishing a deep dive over the next week or so. Follow us on LinkedIn and Twitter, and keep an eye out for more blogs.
Silent Push is an industry-leading extended threat intelligence solution that generates game-changing insights, and identifies new threats to your organization before they launch.
We scan the Internet’s entire IPv4 range every day, and alert you to new threats and rogue assets before they emerge, providing you with the most comprehensive view of Internet activity available anywhere in the world.
Silent Push Community App
The Silent Push Community App allows you to deploy a vast array of powerful domain/IP queries, record lookups and anti-exploit tools free of charge.
Give your teams full access to the Explore and Query Builder sections of the Silent Push App – including access to the Silent Push API – with zero subscription costs.
Silent Push for Enterprise
Silent Push for Enterprise enriches your security stack, providing industry-leading intelligence that you can use to proactively hunt and identify threats to your organization way in advance of your competitors.
Take our product tour and discover how Silent Push will transform the way your organization protects its corporate assets, and analyzes risk.
Follow us on LinkedIn and Twitter for weekly threat intelligence updates and research.
Our Threat Intelligence Team was on the lookout for PayPal typosquatting domains, when one particular domain (paypalsec[.]us) led them to a far larger discovery – an entire network of threat activity, masquerading as numerous global brand names and infecting machines with a malicious file disguised as a remote monitoring tool – WinDesk.Client.exe.
The initial discovery
We found the domain (registered through NameSilo on 2022-08-18) using the Silent Push Live Unsanctioned Assets query – an A record search by qanswer, netmask and various other network parameters.
The domain had some text and images that mimicked Paypal’s actual website, but most of the content populated as unrelated placeholders, which suggested that the site had been built using a multi-purpose template, rather than coded from scratch.
Fake website
PayPal’s actual website
Threat actors aren’t in the business of coding individual websites for hundreds of malicious domains, and sometimes rely on communal site builders to put together phishing websites that target different brands.
The ‘Cancel Now’ button on this particular domain prompted a download of an executable file – WinDesk.Client.exe – that we offer further analysis of below.
The delivery method
Once we’d confirmed the identity of the domain, we analyzed WHOIS, IP and PADNS data in an attempt to find out what other activity it was linked to, leading us to another domain connected to the same Paypal phishing website – help01[.]us (also registered through NameSilo on 2022-08-18).
We repeated the process for the IP address associated with help01[.]us, and discovered 30 other domains connected to similar phishing websites, impersonating big name brands such as Amazon, Microsoft, Geek Squad, and Paypal, using the same basic phishing techniques with some subtle differences (see IoC list at the bottom of this article).
Instead of a ‘Cancel Now’ button, these websites featured an ‘Enter Code’ field.
After a few attempts, we entered a code that was accepted as valid, which started the download of WinDesk.Client.exe.
Fake Amazon page
Fake GeekSquad page
Analysing the trojan
WinDesk.Client.exe actively tries to stop itself from being run in a sandbox environment, using a combination of debugging restrictions and sleep timers, but our Threat Analysts were able to run it in a test environment in order to ascertain what the file actually does, and more importantly, where it sends information to.
Once run, WinDesk.Client.exe facilitates the install of a parent process – dfsvc.exe – with two further executables initiated from the level above:
> dfsvc.exe
> ScreenConnect.WindowsClient.exe
> screenconnect.clientservice.exe
In its legitimate guise, ScreenConnect.WindowsClient.exe is an executable file which belongs to the ScreenConnect platform (now known as ConnectWise Control), a widely-used remote access tool for customers of ConnectWise.
Process tree (Credit – app.any.run)
ScreenConnect.WindowsClient.exe does have the potential to record keystrokes, but it’s the final drop – screenconnect.clientservice.exe – that reveals the most information.
The service attempts to establish a connection with 104.168.5[.]29, which resolves to firsto[.]cc.
We weren’t able to ascertain precisely what data the client process is attempting to send, but the security implications are clear and obvious.
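The process chain and the outbound connection above translate directly into two detection rules. The following is an added example, not Silent Push tooling: it runs over constructed Sysmon-style events (process creation with parent links, and network connections) and alerts when a ScreenConnect binary is launched through dfsvc.exe by an arbitrary downloaded executable, or when screenconnect.clientservice.exe talks to anything other than a sanctioned relay. The process names, 104.168.5[.]29 and firsto[.]cc are taken from the post; the sanctioned relay host, the expected-launcher set and the event records are assumptions a defender would replace with their own telemetry.

```python
"""Detecting ScreenConnect dropped by an unexpected installer (added example)."""

SCREENCONNECT_BINARIES = {"screenconnect.windowsclient.exe", "screenconnect.clientservice.exe"}
EXPECTED_LAUNCHERS = {"explorer.exe"}                 # constructed: who may legitimately start dfsvc.exe
SANCTIONED_RELAYS = {"control.example-msp.com"}        # constructed: the organisation's own relay
KNOWN_BAD_DESTS = {"104.168.5.29", "firsto.cc"}         # from the post

# Constructed telemetry. Events 1-5 reproduce the chain in the post; 7-9 are a
# benign ClickOnce launch used to show the rule does not fire on it.
EVENTS = [
    {"id": 1, "type": "process", "pid": 100, "ppid": 50, "image": "WinDesk.Client.exe"},
    {"id": 2, "type": "process", "pid": 101, "ppid": 100, "image": "dfsvc.exe"},
    {"id": 3, "type": "process", "pid": 102, "ppid": 101, "image": "ScreenConnect.WindowsClient.exe"},
    {"id": 4, "type": "process", "pid": 103, "ppid": 101, "image": "screenconnect.clientservice.exe"},
    {"id": 5, "type": "network", "pid": 103, "image": "screenconnect.clientservice.exe",
     "dest": "104.168.5.29", "dest_host": "firsto.cc"},
    {"id": 6, "type": "network", "pid": 302, "image": "ScreenConnect.WindowsClient.exe",
     "dest": "203.0.113.10", "dest_host": "control.example-msp.com"},
    {"id": 7, "type": "process", "pid": 300, "ppid": 1, "image": "explorer.exe"},
    {"id": 8, "type": "process", "pid": 301, "ppid": 300, "image": "dfsvc.exe"},
    {"id": 9, "type": "process", "pid": 302, "ppid": 301, "image": "ScreenConnect.WindowsClient.exe"},
]


def ancestry(events, pid):
    """Image names from pid up through every parent present in the telemetry."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Return (event id, rule, detail) for every event that matches a rule."""
    alerts = []
    for e in events:
        image = e["image"].lower()
        if image not in SCREENCONNECT_BINARIES:
            continue
        if e["type"] == "process":
            chain = ancestry(events, e["pid"])
            # Post's chain: dropper -> dfsvc.exe (ClickOnce host) -> ScreenConnect.
            # Alert when dfsvc.exe's own parent is not an expected launcher.
            if len(chain) >= 3 and chain[1] == "dfsvc.exe" and chain[2] not in EXPECTED_LAUNCHERS:
                alerts.append((e["id"], "screenconnect_spawned_by_dropper", chain[2]))
        elif e["type"] == "network":
            dest_host = e.get("dest_host", "").lower()
            if e["dest"] in KNOWN_BAD_DESTS or dest_host in KNOWN_BAD_DESTS:
                alerts.append((e["id"], "known_bad_destination", e["dest"]))
            elif dest_host not in SANCTIONED_RELAYS:
                alerts.append((e["id"], "unsanctioned_relay", e["dest"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The network rule is the more durable of the two: indicator lists age, but a remote-access client that connects anywhere other than the relay the organisation actually deployed should always be explained.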
Links to Norton and GeekSupport scams
A passive DNS replication check shows that the server is linked to another IP – 198.23.212[.]167 – which is connected to phishing sites that are actively impersonating brands such as Norton and GeekSupport:
firsto[.]top
firsto[.]cc
mslxt[.]xyz
ncareback[.]xyz
backup02[.]xyz
gkscare[.]com
geeksupportcare[.]com
xpchelps[.]us
support2norton[.]us
xpchelp[.]us
Network communication from screenconnect.clientservice.exe
The attack vector likely originates via email, with threat actors gaining the trust of users before fooling them into entering a code (usually via a telephone conversation) that prompts the download.
A few weeks ago, GeekSquad customers fell victim to a scam featuring a fake website that asked them to contact a phone number to cancel a fake subscription. Norton customers experienced the same basic scam in June.
It’s safe to assume that the version of WinDesk.Client.exe we analysed, and where it’s attempting to send information to, was an integral part of both scams.
Further investigation uncovered over 350 domains hosted among 42 IP addresses over the last month, impersonating not just Norton and GeekSquad, but big names such as Amazon and McAfee (see IoC list at the bottom of this article).
The majority of these domains had three things in common:
They were all registered on NameSilo;
They used *.dnsowl.com nameservers;
They were hosted on low-density IP addresses on AS-COLOCROSSING(30823)
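Three shared traits like these are what let an analyst pivot from one domain to the wider set. The following is an added example, not the Silent Push platform's own query: it fingerprints constructed registration/DNS records on registrar, nameserver suffix and ASN, clusters the ones that match exactly, and scores partial matches against the campaign profile. The registrar name, the dnsowl.com suffix and AS 30823 come from the post; paypalsec[.]us and help01[.]us are the post's domains, while the remaining domains, the ASN 64496 and the record contents are placeholders.

```python
"""Clustering domains on registrar, nameserver suffix and hosting ASN (added example)."""
from collections import defaultdict

# Constructed records. The two .us domains are from the post; the .example
# entries and AS 64496 are placeholders.
RECORDS = [
    {"domain": "paypalsec.us", "registrar": "NameSilo", "ns": ["ns1.dnsowl.com", "ns2.dnsowl.com"], "asn": 30823},
    {"domain": "help01.us", "registrar": "NameSilo", "ns": ["ns3.dnsowl.com"], "asn": 30823},
    {"domain": "placeholder-a.example", "registrar": "NameSilo", "ns": ["ns1.dnsowl.com"], "asn": 30823},
    {"domain": "placeholder-b.example", "registrar": "OtherRegistrar", "ns": ["ns1.other.example"], "asn": 64496},
    {"domain": "placeholder-c.example", "registrar": "NameSilo", "ns": ["ns1.dnsowl.com"], "asn": 64496},
]

# Profile distilled from the three traits listed above.
CAMPAIGN_PROFILE = {"registrar": "namesilo", "ns_suffix": "dnsowl.com", "asn": 30823}


def ns_suffix(nameserver):
    """Registrable suffix of a nameserver, e.g. ns1.dnsowl.com -> dnsowl.com."""
    return ".".join(nameserver.lower().rstrip(".").split(".")[-2:])


def fingerprint(rec):
    """(registrar, nameserver suffixes, ASN): the tuple that defines a cluster."""
    return (rec["registrar"].lower(),
            tuple(sorted({ns_suffix(n) for n in rec["ns"]})),
            rec["asn"])


def cluster(records):
    """Group domains whose three traits match exactly."""
    groups = defaultdict(list)
    for rec in records:
        groups[fingerprint(rec)].append(rec["domain"])
    return dict(groups)


def trait_score(rec, profile=CAMPAIGN_PROFILE):
    """How many of the three campaign traits a record shares (0..3)."""
    score = 0
    score += rec["registrar"].lower() == profile["registrar"]
    score += any(ns_suffix(n) == profile["ns_suffix"] for n in rec["ns"])
    score += rec["asn"] == profile["asn"]
    return score


if __name__ == "__main__":
    for key, domains in cluster(RECORDS).items():
        print(key, domains)
    for rec in RECORDS:
        print(rec["domain"], trait_score(rec))
```

The score is there because the post says the traits held for the majority of domains, not all of them: a record matching two of three is a candidate worth a manual look rather than an automatic addition to the feed.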
Thankfully, this particular group of threat actors spent too much time playing fast and loose with legitimate websites, and failed to secure their own internal infrastructure, leading us to some interesting discoveries.
The front end operation
We’ve already blogged about open directories – they’re the ultimate quick win for anyone looking to secure entry into restricted file systems, without having to worry about phishing, social engineering or payloads.
Using the Silent Push Open Directory search, we quickly discovered an open index on 192.227.173.35, that contained a single compressed file – desk.zip.
The file contained a directory of website assets, including images, components, and, crucially, a database with username and password tables for accessing the control panel of the phishing page builder used to construct the malicious websites we’d already uncovered.
Phishing website builder
Unfortunately, we didn’t uncover anything further on the front end of the control panels, besides different variations of the phishing website and the domains used to download the malware (which we’d already uncovered), but nonetheless, it was an interesting insight into how threat actors put together their operation, and provided us with a significant amount of intel to pass on to our customers.
Follow us on LinkedIn and Twitter for weekly threat intelligence updates and research.
Indicators of Compromise
This list will not be updated after the initial blog post. For live tracking of malicious infrastructure subscribe to our enterprise service. Sign up for a trial.
Created in May 2014 and released a year later, the InterPlanetary File System (IPFS) protocol is a method of storing and sharing files via the Internet that bypasses traditional client-server connections, using distributed hash tables (DHTs) to identify and deliver files to you over a global peer-to-peer (P2P) network.
All that’s needed to retrieve data is a hostname and the file’s content identifier:
https://<gateway>/ipfs/<CID>
Sound familiar? It should do. IPFS architecture is closely linked to that other darling of the decentralised web – Bittorrent. The similarities are there for all to see – they’re both decentralised, they both operate on P2P networks and they’re both content based – there are, however, a few subtle but important differences.
IPFS vs. Bittorrent
First of all, IPFS has the potential to replace the way that the world accesses and ‘remembers’ the Internet – the protocol can be used to host entire websites, not just distribute files, as with torrenting, and founder Juan Benet has vocalised his intent to create a fully-archived ‘permanent web’ that the Wayback Machine can only dream of.
There’s also the ‘trust’ element. IPFS doesn’t need you to download a torrent file that may or may not point to the correct data. All that’s required is an IPFS hash, and you can pretty much guarantee that you’ll be receiving the correct file.
There are lots of other technical factors to consider – from the way IPFS manages duplicate files, to how it eliminates the ability of nodes and peers to ‘go dark’, thereby creating a far more accessible and transparent data community – but the long and short is that despite Bittorrent having been around for over two decades, and still commanding a significant portion of global upload traffic (as high as 10%), IPFS is proving hugely popular with tech firms and organisations that require decentralised storage (either via files or apps).
IPFS vs. centralised storage
Before you start to think about ditching your trusty file server, it’s important to note that IPFS isn’t an out-of-the-box replacement for a standard secure corporate file system, any more than torrenting is an alternative solution for accessing company HR records. It takes time, energy, resources and a fair bit of savvy to recreate the practicalities of a client-server environment within IPFS, and quite frankly, the client technology doesn’t seem to be there yet.
IPFS, as a protocol, is used for three main reasons:
to download publicly available files – large or small, common and rare (although lesser-used files have a tendency not to survive within a global namespace);
blockchain storage;
as a storage method for decentralised apps (dApps) on the Ethereum blockchain (here’s a simple example).
What are the security implications of using IPFS
First of all, IPFS doesn’t require an open door onto your server architecture or workstations. Various third-party services exist that provide custom IPFS domains, separate to your standard public DNS infrastructure, that exist solely for the purpose of distributing data via IPFS. However, as we’ll go on to discuss, these services aren’t without their problems.
You also don’t need to worry about data being changed to contain malicious files once you’ve started interacting with it. IPFS addresses content by cryptographic hash: if any piece of data is amended, its address (the content identifier) changes with it.
Organisations should, however, be on their guard. As with any emerging protocol, threat actors have started to ramp up their efforts to discover and propagate exploits across the entire IPFS network that have the potential to wreak havoc on corporate IT systems.
Two cybersecurity researchers from Piraeus University – Constantinos Patsakis & Fran Casino – have recently uncovered numerous ways through which IPFS can be used to host malicious files – or even entire botnets – without any reasonable expectation of detection, and describe how such methods can be transposed to other distributed storage systems.
Unfortunately, the concept of using IPFS for nefarious purposes is nothing new. Back in 2018, threat actors hijacked Cloudflare’s IPFS gateway (see above) to replicate an Azure Blob Storage exploit that fooled users into handing over information via what appeared to be a secure SSL site.
IPFS phishing
It may not be time to hit the panic button just yet, but the warning signs are starting to emerge. IPFS is actively being described by prominent threat intelligence brands as a ‘hotbed’ for phishing attacks, across the entire Internet, not just limited to filesharing within a global namespace.
Services from Google Weblight (an official Google service that speeds up Android browsing), to prominent cloud-based storage platforms such as Filebase, NFT repositories and the aforementioned Microsoft platforms have all been subject to IPFS-specific exploits that trick unsuspecting users into handing over information and feature the tried-and-tested techniques of URL redirection, and reputation masking.
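The gateway URL form shown earlier (https://<gateway>/ipfs/<CID>), the content-addressing property from the previous section, and the gateway-based phishing described here all turn on the same object: the CID. The following is an added example, not Silent Push code, that builds and checks the CIDv1 "raw" form (multibase base32, codec 0x55, sha2-256 multihash), which is what a small file added with raw leaves and CID version 1 yields, and extracts the CID from both gateway URL layouts: the path form the post shows and the subdomain form (https://<CID>.ipfs.<gateway>). The gateway host names and the sample bytes are placeholders; CIDv0 (Qm...) identifiers and UnixFS-wrapped files use a different encoding that this example does not handle.

```python
"""CIDv1 raw content identifiers and IPFS gateway URL parsing (added example)."""
import base64
import hashlib
import re
from urllib.parse import urlsplit

# CIDv1 header for a raw block hashed with sha2-256:
# version 1, codec 0x55 (raw), multihash function 0x12 (sha2-256), digest length 0x20.
RAW_SHA256_PREFIX = bytes([0x01, 0x55, 0x12, 0x20])
CID_RE = r"b[a-z2-7]{58}"           # base32 CIDv1 with a 32-byte digest is always 59 chars


def cid_v1_raw(data: bytes) -> str:
    """Content identifier for `data` as a single raw block."""
    raw = RAW_SHA256_PREFIX + hashlib.sha256(data).digest()
    return "b" + base64.b32encode(raw).decode("ascii").lower().rstrip("=")


def decode_cid_v1_raw(cid: str) -> bytes:
    """Return the sha2-256 digest carried by a raw CIDv1, rejecting anything else."""
    if not re.fullmatch(CID_RE, cid):
        raise ValueError("not a base32 CIDv1 with a 32-byte digest")
    body = cid[1:].upper()
    body += "=" * (-len(body) % 8)          # restore base32 padding
    raw = base64.b32decode(body)
    if raw[:4] != RAW_SHA256_PREFIX:
        raise ValueError("not a raw sha2-256 CIDv1")
    return raw[4:]


def verify(data: bytes, cid: str) -> bool:
    """True when the bytes fetched from a gateway really are what the CID names."""
    return hashlib.sha256(data).digest() == decode_cid_v1_raw(cid)


def extract_ipfs_reference(url: str):
    """(gateway host, CID) for path- or subdomain-style gateway URLs, else None."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    m = re.match(rf"^/ipfs/({CID_RE})(?:/|$)", u.path)
    if m:
        return host, m.group(1)
    m = re.match(rf"^({CID_RE})\.ipfs\.(.+)$", host)
    if m:
        return m.group(2), m.group(1)
    return None


if __name__ == "__main__":
    sample = b"constructed sample content"      # placeholder bytes
    cid = cid_v1_raw(sample)
    print(cid, verify(sample, cid), verify(sample + b"!", cid))
    print(extract_ipfs_reference(f"https://gateway.example/ipfs/{cid}/index.html"))
```

Two defender uses follow from this: a proxy or mail filter can recognise gateway URLs in either layout and log the CID as an indicator that survives the attacker moving to another gateway, and anything fetched through a gateway can be re-hashed and checked against the CID, since a mismatch means the gateway returned something other than the named content.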
Should I disable IPFS on my corporate network?
As with any emerging technology, it was more or less inevitable that threat levels were going to rise in direct proportion with its uptake. IPFS is experiencing a surge in popularity related to its efficacy when working with blockchain technology or decentralised file storage methodologies.
Whilst this can be interpreted as a democratisation of file distribution technology that puts even more flexibility, choice and useability in the hands of standard users, it also means that threat actors – ever on the hunt for low-hanging fruit – have a new technological landscape to explore, and more attack vectors to develop. This, coupled with the fact that the tech is still in its infancy next to established P2P methods and client-server configurations, means that we’re still getting to grips with IPFS – both as a concept, and an operational reality.
CISOs and CTOs need to make an informed decision on whether or not their organisation absolutely needs to exploit the benefits of IPFS, whilst taking on its associated risks as an emerging technology. Follow Silent Push and other trusted industry voices. Educate yourself on how IPFS is evolving, both in practical terms, and as a security risk.
What companies should definitely avoid is adoption for adoption’s sake. It’s easy to get caught up in the limitless wonderland of decentralised file storage, dApps and blockchain technology, but the question remains – is unsafe commercial traffic worth the cool factor? The answer is a resounding no.
How can Silent Push assist you in using IPFS?
We’re currently updating our app so that IPFS gateways are flagged and published in our customers’ threat intel feeds – just like we do with Tor exit nodes and other gateway infrastructure.
It’s not up to us to make a judgement on whether or not IPFS is suitable for your organization, but we’re committed to providing our customers with the most amount of information possible, gathered from our daily IPv4 and IPv6 scans of the entire Internet, so that they can make an informed choice on how their networks operate.
For more information on IPFS and the Silent Push app, book a demo today.
Take advantage of Silent Push’s vast array of threat defense tools by signing up for our free Community Edition.
The attack vector was simple – employees received a text message asking them to renew their company credentials via a URL that, at first glance, appeared legitimate:
Original SMS message
Staff members followed the link – believing it to be genuine – and inputted their credentials, which enabled threat actors to harvest numerous sets of authentication details, providing them access to restricted customer records.
Twilio’s response was admirable – they immediately consulted with similarly affected firms, cell carriers and the security community to mitigate any further damage – but threat actors resumed their assault by sending messages over alternate carriers, and used different hosting providers to facilitate access to compromised login portals.
Linked phishing pages
Analysis of the attack
In any phishing attack, supplemental domain analysis is the key to both unlocking the attack vector, and protecting against further intrusions originating from the same IoC.
We analysed the DNS information of twilio-sso[.]com, and identified a subdomain of orderlyfashions[.]com, hosted on the same IP address as the original IoC.
The domain populates a website that displays a customised Dolibarr login page – an open source ERP and CRM platform:
Malicious Dolibarr login page
Upon further analysis, we uncovered several phishing domains targeting Twilio, all of which redirected to the same Dolibarr login page.
It is possible that threat actors were using a communal login portal – redirected from multiple domains – the purpose of which is unclear, but possibly as a central administration portal. The control panel could just be a skin to hide their phishing control panel or it may be that they used a vulnerability in the control panel to take over the infrastructure and launch their campaign from there. A number of things lead us to believe the former is the more likely scenario.
Wherever we found the login page, once we’d analysed the IP addresses which used to host it, we found even more SSO phishing pages.
Here’s a few domains that we uncovered by following an IP chain that originated with the Dolibarr panel:
It didn’t stop there. Once we’d set about mapping out the threat actors DNS infrastructure, we discovered numerous other websites with the same portal attached to them:
Threat actors cast their nets far and wide. Social engineering is a numbers game – the more users they can get in front of, the more chance they have of harvesting authentication data.
This particular threat actor also created phishing pages targeting other companies: Accenture, Microsoft, Manpowergroup, Sykes, Telus, TTEC, iQor and Rogers Communication.
After we consolidated our results, a pattern emerged: all of the above organisations provide some sort of communication service (UCaaS, VoIP, messaging, etc.), and most of them operate a service that lets companies communicate with their customer base, and vice versa.
This group clearly believes that SSO portals are less likely to be questioned than other forms of cloud-based authentication, and for good reason: information is a commodity, and SSO login information commands top dollar.
Time overlap of the campaign with the Actinium group on the same infrastructure.
With the right security tools and search methodologies in place, threat sources aren’t particularly difficult to uncover. As an example, sykes-sso[.]com is hosted on 155.138.240[.]251, the same IP that hosts several subdomains of lotorgas[.]ru, a well-known part of ACTINIUM’s DNS infrastructure.
lotorgas[.]ru – part of the ACTINIUM threat feed
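To make the pivot concrete, here is an added example of the host-to-IP-to-host walk described above. It is not Silent Push’s own tooling, and the passive-DNS records in it are constructed (reserved .example names and documentation-range IPs), so it runs offline. The one design point worth copying is the shared-hosting guard: an IP that fronts dozens of unrelated tenants is skipped rather than expanded, otherwise a single CDN or bulk host would pull every innocent neighbour into the cluster.

```python
"""
Infrastructure pivot: from one phishing host, follow host -> hosting IP -> other hosts
on that IP, repeatedly, to map a campaign's hosting cluster (the "IP chain" in the text).

Added example, not Silent Push's own code. The passive-DNS records below are
constructed for illustration: names use the reserved .example TLD and IPs come
from the documentation range 203.0.113.0/24; none of them are real observations.
"""
from collections import deque

# Constructed passive-DNS snapshot: (hostname, IPv4 it resolved to).
PDNS = [
    ("twilio-sso-lure.example", "203.0.113.10"),    # seed IoC
    ("panel.fashionlure.example", "203.0.113.10"),  # shared panel host, same IP as seed
    ("panel.fashionlure.example", "203.0.113.11"),  # panel later moved to a second IP
    ("sykes-sso-lure.example", "203.0.113.11"),
    ("mail.foodlure.example", "203.0.113.11"),
    ("mail.foodlure.example", "203.0.113.12"),
    ("telus-sso-lure.example", "203.0.113.12"),
    ("sykes-sso-lure.example", "203.0.113.50"),     # also parked on a bulk shared host
] + [(f"tenant{i}.bulk-hosting.example", "203.0.113.50") for i in range(30)]


def build_indexes(records):
    """Forward (host -> IPs) and reverse (IP -> hosts) maps from (host, ip) pairs."""
    by_host, by_ip = {}, {}
    for host, ip in records:
        by_host.setdefault(host, set()).add(ip)
        by_ip.setdefault(ip, set()).add(host)
    return by_host, by_ip


def pivot(seed, records, max_depth=3, max_hosts_per_ip=25):
    """
    Breadth-first walk over the host/IP graph starting at `seed`.

    Returns (related_hosts, skipped_ips). An IP serving more than `max_hosts_per_ip`
    names is treated as shared hosting (CDN, bulk web host) and is NOT expanded;
    otherwise one popular IP would drag every unrelated tenant into the cluster.
    """
    by_host, by_ip = build_indexes(records)
    related, seen_ips, skipped = set(), set(), {}
    queue = deque([(seed, 0)])
    while queue:
        host, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for ip in sorted(by_host.get(host, ())):
            if ip in seen_ips:
                continue
            seen_ips.add(ip)
            cohosted = by_ip[ip]
            if len(cohosted) > max_hosts_per_ip:
                skipped[ip] = len(cohosted)  # record it, but do not pivot through it
                continue
            for other in sorted(cohosted):
                if other != seed and other not in related:
                    related.add(other)
                    queue.append((other, depth + 1))
    return related, skipped


if __name__ == "__main__":
    hosts, shared = pivot("twilio-sso-lure.example", PDNS)
    for h in sorted(hosts):
        print("related:", h)
    for ip, n in shared.items():
        print(f"skipped {ip}: {n} names, looks like shared hosting")
```

Against the constructed data the walk reaches the panel host, the two lures that share its second IP, and the third lure one hop further on, while the 30-tenant IP is reported but not expanded. In practice you would feed `pivot` a passive-DNS export and tune `max_depth` and `max_hosts_per_ip` to the hosting patterns you see.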
Twilio was just one of many targeted organizations. There are numerous mini-campaigns here, each aimed at a different type of organization, and each category of target gives the attacker potential access to many other organizations downstream. For example, one set of targets is Business Process Outsourcing companies like Arise; another is transactional email companies like Sendgrid and Mailchimp.
We list some of the IoCs associated with these campaigns below. We are still tracking more of this infrastructure across other categories of targeted organization; for a comprehensive live feed, subscribe to the service.
How Silent Push helps companies prevent phishing attacks
Silent Push’s proprietary scanning software maps the Internet’s entire IPv4 space every day, all 4,294,967,296 addresses, allowing us to provide an up-to-date assessment of risk levels and malicious activity at any given time. We also re-resolve all DNS every day and derive behavioural attributes from the changes.
We have the most complete view of the entire internet every day and its changes.
Public DNS infrastructure gives you your first insight into all manner of attack vectors – not just SMS phishing and SSO spoofing.
Organizations need to monitor the larger extended attack surface for infrastructure targeting them and take up-front blocking action on it to prevent attackers finding ways in.
Our platform features a detection-focused analytics engine that gives organizations a top-down view of changes to their infrastructure, any domains of interest, and critical DNS and routing variables, including NS records and ASNs, keeping them one step ahead of threat actors and off the wrong end of a global news report.
We provide a daily feed of the threats targeting your organization.
Reference information
URLs with a compromised Dolibarr control panel
orderlyfashions[.]com
mail.getfoodz[.]com
lefmakeup[.]xyz
*.orderlyfashions[.]com
*.getfoodz[.]com
*.lefmakeup[.]xyz
Phishing domains related to the same control panel
Search through indexed directories and files from open directories to help protect your organization.
Most people have listened to an elderly relative extolling the virtues of the ‘good old days’, including a semi-smug description of their front door being left open in the summer – usually justified by the fact that they didn’t have anything worth stealing.
Open directories are just that – an open door onto your fileserver which, unlike an average 1950s living room, contains information that is extremely valuable, for a variety of reasons.
In the world of global commerce, data is a highly lucrative and sought-after commodity. By using open directories, threat actors are able to seize vast amounts of commercially sensitive information in a matter of seconds, and they’re gone before you even know they were there.
Let’s take a look at the global problem of open directories, what the consequences are, and how you can find them using the Silent Push Open Directory Finder.
An example of an open directory: the full file structure of the server is browsable by anyone on the Internet.
What are open directories?
Open directories are file listings on an Internet-connected webserver that anyone can browse: the directory index is served without authentication or any other access rule.
There’s no software-based trickery involved. Open directories can be found with a simple Google search (queries such as intitle:"index of" combined with a file type or keyword), tailored towards different categories of data. Once a threat actor has identified an open directory, they’re free to browse through an organization’s file structure without having to circumvent RBAC or permissions-based security measures, because none were applied.
Whilst it is undoubtedly unethical to access and/or download sensitive information that isn’t meant for prying eyes, merely browsing an open directory is a legal grey area. There’s no global consensus on how such scenarios should be legislated against, and sentiments vary from jurisdiction to jurisdiction.
How damaging can they be to your organization?
Very. Extremely. Catastrophically, in fact.
Malicious activity on open directories is very hard to detect: each download is just another GET request in the access log, indistinguishable from a legitimate visitor. The first you’ll hear of it is either a phone call from a law enforcement or regulatory agency, an email from an extortionist demanding money to keep quiet, or a very annoyed customer wondering why their data has been passed around the Internet for the last few years.
Then there’s the compliance and liability aspect. Cyber insurance policies often exclude the commercial or operational consequences of data exposed through an open directory, so unless you have the working capital to deal with the fall-out, it could lead to untold reputational and financial damage and land you in pretty hot regulatory water.
Last, and by no means least, is the data itself. Take a moment to think about the data held on your organization’s webservers and fileservers, and what would happen if you exposed it to the world through an open directory.
By working with firms to improve their threat resilience, we’ve seen sensitive data held in open directories that would make a privacy protection lawyer spontaneously combust:
Full environment files.
Commercial application configs.
Cryptowallet logins.
VPN installers.
.xls and .docx files containing PII and GDPR/HIPAA-regulated data.
Once you start investigating open directories on the behalf of large organizations, the horror stories come thick and fast. We recently came across a fairly sizable prison in the USA that left the door open to tens of thousands of electronic prisoner and staff records, including legal information, social security numbers and conviction details.
How do you prevent them?
Like other forms of threat protection (such as stopping subdomain takeovers), securing your organization’s data by preventing open directories is done through a combination of vigilance and good housekeeping.
Anyone who’s ever browsed the Internet has, somewhere along the line, received the dreaded 403 Forbidden or 404 Not Found error instead of a web page. As an organization looking to protect its data, these errors are your friends, not your enemies: a 403 on a directory URL is exactly what users should see when a server has been configured not to generate directory listings.
Methods vary from platform to platform (from simple login controls, to Options -Indexes in Apache’s httpd.conf or .htaccess, to autoindex off in nginx, to leaving Directory Browsing disabled in IIS), but if you host ANY kind of sensitive data on a webserver, you need to make sure it’s configured so that external, unauthenticated users can’t view directory listings. Remember too that disabling the listing doesn’t protect files whose names can be guessed; anything sensitive should sit outside the web root or behind authentication.
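As an added illustration (not the Silent Push Open Directory Finder, and not code from this post), the following script recognises the stock listing pages that Apache, nginx and IIS generate, triages the files they expose by extension, and names the directive that turns the listing off. The HTTP responses it checks are constructed to mimic each server’s listing format; they are not captures from real sites, and the hostnames are illustrative.

```python
"""
Detect auto-generated directory listings in HTTP responses, list what they expose,
and point at the hardening directive for the server that produced them.

Added example, not the Silent Push Open Directory Finder. The response bodies in
SAMPLES are constructed to look like Apache, nginx and IIS listings; they are not
captures from any real server, and the hostnames are illustrative.
"""
import re

# Signatures of stock auto-index pages: (server family, body regex, directive that disables it).
# nginx is tested before Apache because both use an "Index of /" title; nginx's
# <h1> is always followed directly by <hr><pre>, Apache's by a <table> or <ul>.
SIGNATURES = [
    ("nginx", re.compile(r"<h1>Index of /[^<]*</h1>\s*<hr>\s*<pre>", re.I),
     "autoindex off;  (nginx.conf location block)"),
    ("apache", re.compile(r"<title>Index of /[^<]*</title>", re.I),
     "Options -Indexes  (httpd.conf / .htaccess)"),
    ("iis", re.compile(r"<title>[^<]* - /[^<]*</title>.*?<h1>[^<]* - /", re.I | re.S),
     'Directory Browsing: disabled  (IIS Manager, or <directoryBrowse enabled="false" />)'),
]

# Extensions that deserve a closer look when they turn up in a listing.
SENSITIVE = re.compile(r"\.(env|sql|bak|zip|tar\.gz|xlsx?|docx?|pem|key|ovpn|mobileconfig)$", re.I)


def classify(body):
    """Return (server_family, fix) if `body` is a stock auto-index page, else None."""
    for family, pattern, fix in SIGNATURES:
        if pattern.search(body):
            return family, fix
    return None


def listed_entries(body):
    """Names linked from the listing, minus parent-directory and column-sort links."""
    names = re.findall(r'<a href="([^"?]+)"', body, re.I)
    return [n for n in names if n not in ("../", "/")]


def audit(response):
    """response: dict with 'url', 'status', 'body'. Returns a finding dict."""
    url = response["url"]
    if response["status"] != 200:
        return {"url": url, "open": False, "reason": f"HTTP {response['status']}"}
    hit = classify(response["body"])
    if hit is None:
        return {"url": url, "open": False, "reason": "no listing signature"}
    entries = listed_entries(response["body"])
    return {"url": url, "open": True, "server": hit[0], "fix": hit[1],
            "entries": entries, "sensitive": [e for e in entries if SENSITIVE.search(e)]}


# Constructed responses (not real captures), one per server family plus a hardened host.
SAMPLES = [
    {"url": "http://files.example/backups/", "status": 200,          # Apache mod_autoindex
     "body": ('<html><head><title>Index of /backups</title></head><body>\n'
              '<h1>Index of /backups</h1>\n<table>\n'
              '<tr><th><a href="?C=N;O=D">Name</a></th></tr>\n'
              '<tr><td><a href="/">Parent Directory</a></td></tr>\n'
              '<tr><td><a href="site-2022.sql">site-2022.sql</a></td></tr>\n'
              '<tr><td><a href=".env">.env</a></td></tr>\n'
              '<tr><td><a href="logo.png">logo.png</a></td></tr>\n</table>\n'
              '<address>Apache/2.4.41 (Ubuntu) Server at files.example Port 80</address>\n'
              '</body></html>')},
    {"url": "http://static.example/exports/", "status": 200,         # nginx autoindex
     "body": ('<html>\n<head><title>Index of /exports/</title></head>\n<body>\n'
              '<h1>Index of /exports/</h1><hr><pre><a href="../">../</a>\n'
              '<a href="customers.xlsx">customers.xlsx</a>  01-Mar-2023 10:12  84211\n'
              '<a href="readme.txt">readme.txt</a>  01-Mar-2023 10:12  120\n'
              '</pre><hr></body>\n</html>')},
    {"url": "http://intranet.example/share/", "status": 200,         # IIS directory browsing
     "body": ('<html><head><title>intranet.example - /share/</title></head>\n'
              '<body><H1>intranet.example - /share/</H1><hr>\n<pre>'
              '<A HREF="/">[To Parent Directory]</A><br><br>\n'
              ' 3/1/2023 10:12 AM  2048 <A HREF="/share/vpn-client.ovpn">vpn-client.ovpn</A><br>\n'
              '</pre><hr></body></html>')},
    {"url": "http://files.example/private/", "status": 403,          # listing disabled
     "body": '<html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1></body></html>'},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit(sample))
```

Three of the four constructed responses are flagged as open, each with its server family, the exposed names and the subset worth escalating (a database dump, a .env file, a spreadsheet, a VPN profile); the 403 is reported as closed. The body signatures are deliberately narrow: a custom-themed listing will slip past them, which is why a scan should also look for the paths (and the Server header) rather than trust the HTML alone.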
Silent Push Open Directory Finder
Find open directories exposed on your infrastructure or search for your name across all open directories
The Silent Push Open Directory Finder searches the global IPv4 range (all 4,294,967,296 addresses) for open directories, to a granular set of parameters that can be configured to your organization’s unique requirements.
Our cloud-based platform provides search and filter options (with RE2 regex support) across all known open directories, including variables such as IP range, partial match and time window. Results can either be output in full, or written to a file for further interrogation.
If you’re a large, multi-site, multi-jurisdictional organization with an extensive online presence, you’ll be presented with a realtime list of open directories within the specified range.
Enterprise-level threat monitoring (including open directory detection) doesn’t need to be resource hungry. With the right tools, it is quite literally as easy as clicking a few buttons, in order to shore up your commercial data and close the aforementioned door onto your network that leads to something considerably more valuable than your grandmother’s collection of faux-porcelain dogs.
Version 2 of our Splunk Enterprise add-on, with enrichment, is now available on Splunkbase
Log analyzers such as Splunk play a key role in enterprise-level cybersecurity operations by collecting large amounts of data across multiple threat environments, but deciding what to do with reams of traffic logs from different geographic locations can often be a daunting task.
The Silent Push plugin for Splunk Enterprise allows organizations to leverage the data collection and analysis capabilities of both platforms, and correlate information to produce actionable insights that vastly improve threat awareness, and general WAN security.
Let’s delve a little deeper into the front-end functionality, and take a look at how both platforms interact with one another.
Core functionality
Before you install the plug-in from Splunkbase, you’re going to need four things to get you started:
● An active Splunk Enterprise instance.
● Your Splunk Enterprise admin credentials.
● Your Splunkbase credentials.
● A Silent Push account, and an API key.
So, what does the plug-in actually do? On a basic level, the plug-in analyses data received by Splunk against a group of parameters defined in Silent Push (known as “filter profiles”), and the results are stored within Splunk in a series of parameter-specific indexes.
The plug-in contextualizes suspect data as an “observable” (otherwise known as an IoC, or “indicator of compromise”), and aggregates a threat score based upon individual parameters within the observable.
Once the data has been collected, users are able to perform adaptive responses that trigger further actions within Splunk Enterprise, providing an end-to-end threat detection and management service.
Users are able to automatically correlate data between Splunk and Silent Push in the form of “notables”, that can be visually displayed in custom dashboards from within Splunk Enterprise.
Data enrichment and enhanced threat scoring
Enrich your alerts in Splunk Enterprise Security with Silent Push Risk Scores
When dealing with large amounts of data, visualization is key. Plug-in users are able to create custom search objects that query indexes for observables based on data reputation, severity, threat urgency and geographic location – all gathered from Silent Push.
Once Silent Push has provided additional context, and the data has been refined to a set of variables, users are able to mine indexes and perform two key actions (alongside standard actions such as NS lookups and ping), courtesy of the plug-in:
Enriching – Risk objects are subject to granular analysis by Silent Push, which outputs all manner of enriched data not previously displayed by Splunk Enterprise. This is where the plug-in comes into its own and goes over and above what is expected of an industry-standard log analyzer.
Scoring – The plug-in re-scores the risk object via a tailored algorithm. In order to prevent unnecessary actions, this only occurs when an object’s risk score is lower than the proposed Silent Push risk score.
Data enrichment is a key part of Silent Push’s offering, and contains a whole host of additional data, including granular ASN analysis, threat rankings, reputational data, subnet info and a lot more. Once the data has been enriched and scored, it’s passed through to an index within Splunk for further analysis, and for the user to do with it as they please.
Sticking with the trend of integration, data enrichment and scoring can be performed from within Splunk Enterprise’s Incident Review dashboard – a central hub for IM-related activities – and can either be carried out manually, or scheduled as a recurring task.
Key benefits
The Silent Push plug-in satisfies a pressing need for enterprise organizations to harness the power of multiple detection and analysis platforms to enhance their WAN security operation, without any added subscription costs or costly manual interventions.
In the global threat detection sphere, context is king. Demands on physical and logical resources are at an all-time high, and it’s simply not enough for threat analysts to be handed vast amounts of data without the facility to drill down into specific variables, which is what lets organizations tailor their cybersecurity operation to their unique threat environment.
Take a closer look
To find out more about the Silent Push Splunk Enterprise plug-in, visit the info page on Splunkbase or take an in-depth look at its functionality in the accompanying knowledge base article.
Everything is linked, even if you’ve forgotten you linked them
Walk into most cybersecurity seminars, product demonstrations or corporate training sessions and you’d be forgiven for thinking that antimalware platforms are the savior of humanity.
LAN-based Security-as-a-Service is undoubtedly here to stay, but the most clear and present danger to corporate IT infrastructures across the globe can’t be combated with virus definitions or all-singing-all-dancing gateway devices alone. If irreparable financial and reputational damage is the potential problem, the most pressing solution lies in the most unassuming of places: your public DNS records.
What are sub-domain takeovers?
On a basic level, a subdomain takeover occurs when an attacker gains control of the content served under one or more of an organization’s subdomains, without ever touching the organization’s DNS records.
In technical terms, it’s usually a CNAME record (although NS, A and even MX records are vulnerable) that still points at a resource the organization no longer controls, and it can happen to anyone. A few years ago, researchers discovered no fewer than 670 Microsoft subdomains that were wide open to attack.
Subdomain takeovers feature a number of different attack vectors that are usually a heady mix of opportunism and good old-fashioned bad housekeeping. Let’s take a look at two common intrusion methods.
Expired subdomains
When an organization lets a domain expire but forgets to remove the records in its main zone that still point at it, what was once a legitimate subdomain is up for grabs to anyone who re-registers the expired name, and with it comes a ready-made foothold under the organization’s own namespace.
A domain taken over by us for safe keeping
Non-existent services
Even if your DNS records are in relatively good order, you’re still not safe. If one of your subdomains points at an external service (a CDN endpoint, a static-site host, a SaaS tenant) and that resource has been moved elsewhere or removed entirely, a threat actor can claim the same resource name on the service themselves. Your CNAME still points there, so traffic to your subdomain is now theirs. This is also called a “dangling DNS” attack.
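Here is an added example, not Silent Push’s tooling, of the check that catches both cases above: walking a zone export, resolving each outward-pointing CNAME, NS and MX target, and flagging the ones that no longer exist. The zone, the resolver’s answers and the short list of claimable provider suffixes are constructed for illustration (azureedge.net and github.io are named only as examples of the kind of service involved, not an exhaustive list), and the resolver is injected so the script runs offline; in production you would wrap a real resolver in the same `resolve(name)` signature.

```python
"""
Dangling-record check over a zone export, with an injectable resolver so it runs
offline here. Added example, not Silent Push's tooling. The zone and the resolver's
answers are constructed; the two provider suffixes are examples of services whose
unclaimed names a CNAME can point at, and the list is deliberately not exhaustive.
"""

# Provider suffixes where an unclaimed target name can typically be registered by anyone.
CLAIMABLE_SUFFIXES = ("azureedge.net", "github.io")


class NXDOMAIN(Exception):
    """Raised by the resolver when a name does not exist."""


def make_resolver(answers):
    """Build a resolver over a constructed {name: [(type, value), ...]} table.
    Names absent from the table raise NXDOMAIN, like a real resolver would."""
    def resolve(name):
        key = name.rstrip(".").lower()
        if key not in answers:
            raise NXDOMAIN(name)
        return answers[key]
    return resolve


def registrable_domain(name):
    """Crude apex extraction (last two labels). A real tool uses the Public Suffix
    List so that names under co.uk, com.au and friends are handled correctly."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def check_zone(zone, resolve):
    """
    zone: iterable of (owner, rtype, target) for records that point outside the zone.
    Returns a list of findings, each naming the record and why it is dangling.
    """
    findings = []
    for owner, rtype, target in zone:
        if rtype not in ("CNAME", "NS", "MX"):
            continue
        try:
            resolve(target)
            continue  # target still resolves: not dangling
        except NXDOMAIN:
            pass
        try:
            resolve(registrable_domain(target))
            apex_exists = True
        except NXDOMAIN:
            apex_exists = False
        if not apex_exists:
            why = "target's apex does not resolve (expired or unregistered domain)"
        elif target.endswith(CLAIMABLE_SUFFIXES):
            why = "unclaimed name on a provider that lets anyone register it"
        else:
            why = "target missing; check whether the provider allows re-registration"
        # NS and CNAME hand over the whole name; MX only affects mail, per the text.
        severity = "medium" if rtype == "MX" else "high"
        findings.append({"owner": owner, "type": rtype, "target": target,
                         "reason": why, "severity": severity})
    return findings


# Constructed zone export (reserved .example names) and resolver answers.
ZONE = [
    ("www.corp.example", "CNAME", "corp-site.azureedge.net"),       # CDN endpoint deleted
    ("docs.corp.example", "CNAME", "corp-docs.github.io"),          # still live
    ("promo.corp.example", "CNAME", "landing.old-agency.example"),  # agency's domain expired
    ("corp.example", "MX", "mx1.mail-vendor.example"),              # vendor host gone, apex alive
    ("dev.corp.example", "NS", "ns1.dev-host.example"),             # delegated to a dead host
]
ANSWERS = {
    "corp-docs.github.io": [("A", "203.0.113.1")],
    "github.io": [("A", "203.0.113.2")],
    "azureedge.net": [("A", "203.0.113.3")],
    "mail-vendor.example": [("A", "203.0.113.4")],
}

if __name__ == "__main__":
    for finding in check_zone(ZONE, make_resolver(ANSWERS)):
        print(finding)
```

Against the constructed zone the script reports four dangling records and leaves the live GitHub Pages CNAME alone; the two reasons it distinguishes map onto the two sections above (an expired domain behind the target versus an unclaimed name on a provider that still exists). Run it on every zone you own, on a schedule, and treat a new finding the way you would treat a new open port.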
The trouble with cookies…
The consequences of a subdomain takeover are many and varied, from XSS to email spoofing, but the one organizations need to be most wary of is compromised session cookies, and again it comes down to a lackadaisical approach to DNS hygiene.
If your organization sets cookies with a Domain attribute that covers some or all of your subdomains (Domain=.example.com, say), the browser will send those cookies to a hijacked subdomain too. You run the risk not only of letting a threat actor replay the session tokens or credential material carried in the cookie and authenticate as that user, but of exposing your company-wide SSO service and everything it provides access to.
A modern problem
As with most cybersecurity threats, the risk posed by subdomain takeovers is proportional to how hard they are to detect and combat, and it grows with the size of the organization and the number of subdomains it operates.
The explosion of SaaS-based commerce and cloud service platforms over the last decade has given rise to innumerable third-party platforms that require some form of DNS validation. This phenomenon, coupled with aggressive marketing tactics that often require companies to register numerous subdomains for landing pages and individual products and services, means that low-hanging DNS records, and the session cookies they provide access to, are becoming more and more of a commodity for threat actors around the world.
It’s not just an issue with how modern domains are structured. Well-established security countermeasures are ill-equipped to deal with the kind of DNS oversights that lead to domain takeovers. TLS certificates, whilst always advisable, are no defence against cookie theft here: an attacker who controls the content at a subdomain can obtain a valid certificate for it, and no amount of endpoint protection will stop a threat actor from claiming a resource your public DNS records still point at.
Common countermeasures
Fortunately, it’s not all doom and gloom. There are a number of ways organizations can keep their DNS records secure and simultaneously improve WAN security across the board, including close management of wildcard certificates, which would hand a threat actor a valid certificate for any hijacked subdomain they cover.
First and foremost, organizations need to treat their DNS records with the TLC they deserve, and recognise that corporate cybersecurity doesn’t begin and end with endpoint security. CTOs and CISOs need to keep a firm grip on every last subdomain, and maintain an understanding of which services are in use and whether they’re still needed. For example, when formulating workflows for decommissioning a service, add a step that removes the associated DNS records (CNAME, A, NS or MX) at the same time.
As well as internal governance, it pays to be sceptical. If your organization is thinking about using an external service that relies on DNS entries and subdomain registrations, don’t be afraid to ask their onboarding team how they specifically protect against subdomain takeovers. If they’re good, they’ll be able to describe common countermeasures such as ownership verification through TXT records, or refusing to let a released resource name be re-registered by a different account. If they seem unsure what you’re asking, alarm bells should be ringing.
Looking ahead
Last year witnessed a 20% increase in apex and subdomain takeovers. Threat actors are constantly on the lookout for the next big thing, and they may just have found it. Data from our own threat protection platform has identified almost 3 million global DNS entries that are ripe for the picking as dangling records: 2.7 million CNAMEs and over 300,000 NS records. There are also 3.9 million dangling MX records, though those are less likely to be taken over.
The problem isn’t limited to small-time SaaS/PaaS/IaaS platforms with a laid-back approach to DNS security. This is an issue that affects the world’s largest cloud service providers – the very same providers who are supposed to operate with the most sophisticated threat models the industry has to offer. Our own data shows 70 expired services on Microsoft Azure’s content delivery network (azureedge.net) with an attached domain, that run the risk of being hijacked, and nearly 80 of the same across the global GitHub platform.
In the same way that law enforcement authorities need to focus more on the individuals that provide criminals with access to ransomware platforms, rather than the criminals themselves, the security community needs to evangelize less about malware as an existential cyber threat, and shout from the rooftops about subdomain takeovers and cookie hijacking as the next major development in enterprise-level threat protection.
Fake trading app scams involve both mainstream regulated platforms, and new, unregulated crypto exchange start-ups.
Let’s take a look at a typical real-world example: a malicious app download from attacker-controlled infrastructure.
Fake trading platform pretending to be the legitimate platform Epoch Financial
Outline
Silent Push has uncovered a threat actor operating several websites and Android and iOS applications that are counterfeit versions of trading platforms, covering both the traditional stock market and a variety of crypto exchanges.
Bespoke fake trading platforms mimic well-known financial organizations (including the Australian Securities Exchange (ASX), Coinbase, CoinSmart, eToro and Nasdaq) to lure unsuspecting victims into trusting their services, only to steal their investments.
This particular group has scammed and stolen money from countless individuals worldwide. We’ve conducted a large investigation, collecting hundreds of Indicators of Compromise (IoCs), as well as reports from victims which allowed us to map their infrastructure and put together a pattern of events that revealed a common set of attack vectors.
Image 1 – Example of a spoofed Nasdaq application download page
Threat actor profile and history
Although we’re unable to pinpoint a date when this threat group began its activity, we can confirm that several active items of malicious infrastructure were deployed in early 2021.
We also have access to reports which describe several occurrences with similar characteristics to this group, around that time period.
Given that these victims were located in Asian countries, and that we found a small number of websites written in Asian languages, we tentatively assess that this threat actor is based in Asia.
After analyzing their current infrastructure, American and European organizations appear to be at the highest risk.
Chinese version of a fake trading platform spoofing a well-known brand
Platform design
A visual pattern is evident across the majority of the websites we investigated.
Despite having different branding, the pages are structured in the same way: there is an initial website similar to the one displayed below, which is used as a landing page to attract potential victims.
From this website, visitors are able to navigate to one of the following two pages:
– the app download page, similar to the one displayed in Image 1;
– the website login page, where users can register and log in to an account.
We believe that this is a web alternative to the app, which allows users to move funds and follow fake stock indexes, as visible in Image 3.
This fits the Crime-as-a-Service model, with the fraudulent platform being distributed by different affiliates.
Image 3 – Example fake trading app content
Victims’ reports
We found many complaints about this malicious actor surfacing on the internet. As suspected, most were written by scammed individuals, but some came from people seeking to take the operation down.
Initial interactions with the threat actors vary, probably because of an affiliate scheme. We have seen reports ranging from romance scams (hence Sophos referring to this as Cryptorom) to forum recommendations.
Whatever the initial introduction, the resulting conversation ends with the victim putting money into the fake account.
Unfortunately, once the victim tries to withdraw the money, they find themselves logged out of their account and unable to log back in, while the threat actors keep the funds and move on to the next target.
We found similar messages on various websites, as well as announcements from some fintechs warning about this scheme.
Messages concerning the scam on the Forexpeacearmy website
Installation process
The primary target is mobile devices.
The threat actors encourage users to download a mobile app or use the web app, with download links for both iOS and Android.
The attackers appear to use two main ways to get around Apple’s App Store review process:
The first is a configuration profile, a .mobileconfig file that can easily be shared and installed on the device. A profile cannot install a native app; what it typically delivers is a web clip, a home-screen icon that opens the web app and passes for an installed application.
The second is TestFlight, Apple’s beta distribution tool, which lets developers hand out pre-release builds with a lighter review than the App Store imposes. A public TestFlight link allows up to 10,000 testers per app.
Android users are served an .apk file whose name is tailored to match the specific website.
Careful analysis of the APK reveals strings obfuscated with StringFog, which hides suspicious values by XORing them with a key and then base64-encoding the result.
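As an added example, not code from the APK or from Silent Push, the snippet below reverses the default StringFog scheme (XOR with a repeating key, then base64) and shows the known-plaintext trick for recovering part of the key from a blob believed to start with https://. The key, the strings and the .example hostnames are constructed for illustration; they are not values from the real sample, and an analyst would normally lift the real key from the decompiled decrypt call.

```python
"""
Decoding StringFog-style obfuscated strings: the default StringFog scheme XORs the
UTF-8 plaintext with a repeating key and base64-encodes the result, so an analyst
who has pulled the key out of the decompiled APK can decode every blob offline.

Added example, not code from the sample or from Silent Push. The key, the blobs
and the recovered strings below are constructed for illustration (hostnames use
the reserved .example TLD); they are not values taken from the real APK.
"""
import base64
import string


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the key byte at the same position modulo the key length."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def fog(plaintext: str, key: str) -> str:
    """Obfuscate like StringFog's default implementation (used here only to build samples)."""
    return base64.b64encode(xor_bytes(plaintext.encode("utf-8"), key.encode("utf-8"))).decode("ascii")


def defog(blob: str, key: str) -> str:
    """Reverse the scheme: base64-decode, then XOR with the repeating key."""
    raw = xor_bytes(base64.b64decode(blob), key.encode("utf-8"))
    return raw.decode("utf-8", errors="replace")


def defog_all(blobs, key: str):
    """Decode a batch of blobs pulled from the decompiled code with one key."""
    return [defog(b, key) for b in blobs]


PRINTABLE = set(string.printable) - {"\x0b", "\x0c"}


def looks_like_text(s: str, threshold: float = 0.95) -> bool:
    """Cheap sanity check for ranking candidate keys: mostly printable ASCII."""
    return bool(s) and sum(c in PRINTABLE for c in s) / len(s) >= threshold


def recover_key_prefix(blob: str, crib: str) -> bytes:
    """Known-plaintext trick: if a blob is believed to start with `crib` (say 'https://'),
    XORing the raw bytes with the crib yields the first len(crib) bytes of the key."""
    raw = base64.b64decode(blob)
    return xor_bytes(raw[:len(crib)], crib.encode("utf-8"))


# Constructed sample: an assumed key and strings an analyst might expect in such an app.
KEY = "Fake-Key-2023"
SAMPLES = [fog(s, KEY) for s in (
    "https://api.trade-lure.example/v1/login",
    "wallet_withdraw_blocked",
    "/sdcard/Download/update.apk",
)]

if __name__ == "__main__":
    print("key prefix from crib:", recover_key_prefix(SAMPLES[0], "https://"))
    for blob, clear in zip(SAMPLES, defog_all(SAMPLES, KEY)):
        print(blob, "->", clear, "(text)" if looks_like_text(clear) else "(binary?)")
```

Because XOR is its own inverse, the same routine encodes and decodes; `looks_like_text` is what you use when several candidate keys are floating around in the decompiled code, and `recover_key_prefix` turns one guessed URL prefix into the first few key bytes to search the binary for.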
Using Silent Push to combat malicious infrastructure
Taking everything into account, we are confident that this threat actor will continue to develop and distribute trading platforms, in order to exploit and steal funds.
The methods of delivery will vary, as expected with an affiliate program. We recommend blocking access to the underlying app download infrastructure and utilizing proactive threat intelligence to pinpoint malicious domains and DNS infrastructure.
With that in mind, we’ve collated an extensive list of IoCs, available to paid Silent Push customers.
Paid users have access to pre-built customizable queries that allow them to identify malicious infrastructure before it becomes a problem, as well as access to granular WHOIS, server and DNS information, and curated risk scores.
If you have been affected by the Counterfeit Trading scams please share the details with us so we can keep trying to get them taken down as we find them. Contact us via [email protected].