PushBug - Uncovering Widespread Push Notification (RFC 8030) Abuse in the Wild.
Indelible is sharing information gathered on what appears to be a widespread campaign that uses RFC 8030 (Web Push) and browser APIs to impact systems with malfeasant push notifications. The activity observed to date is social engineering: it bypasses many security controls and creates persistence by installing a service worker in the browser, after which the user may be presented with messages of the malfeasant site's choosing.
For the business and risk folks, this type of activity appears to be missed by many detective and preventative controls, is highly resilient and, once on the system, can be used to display messages above the taskbar which are malfeasant or deceptive. The user does not need to do anything further, or allow any further activity, for the messages to appear.
Example of a legitimate push notification sent to a user. Credit Howtogeek.com
In this campaign, the push notifications are malfeasant in nature.
Example of a fake antivirus message delivered to a user's endpoint.
For the technical security analysts, the report provides pointers into both network and disk artifacts to validate an impacted system.
The campaign observed is detailed in the graphic below and is still occurring in the wild. In most cases the activity is not visible to users, though the potential for messages, and the telemetry collection, does appear to be present.
This may help identify some of the IOCs and describe activity that security operations analysts may be researching.
The potential for using this technique for purposes beyond what is happening now presents some level of risk for further social engineering. Additionally, there is enough evidence of tracking and telemetry gathering to be concerned that impacted systems can be identified through their external IP, unique identifiers and user agents.
Indelible has already made notification to Google, as Google Chrome appears to be impacted by this. Google's response has been to take the report seriously and investigate as they are likely best positioned to support security in this important web feature.
The notifications include fake antivirus infection messages, fake dating notices, Uranium investment notices and links which contain multiple redirectors.
See the PDF of Indelible's report on this; we thank peers in the industry who discussed, contributed or otherwise assisted with validation.
Full Report here:
More content may be added to this article, however at this time, we are publishing the report to help the community, including domains observed.