Indelible is sharing information gathered on what appears to be a widespread campaign to use RFC8030 and APIs to impact systems with malfeasant push notifications. This activity to date is social engineering, bypassing many security controls and creates persistence by installing a service worker in the browser. After which a user may be presented with messages of the malfeasant site's choosing.
For the business and risk folks, this type of activity appears to be missed by many detective and preventative controls, highly resilient and, once on the system, can be used to display messages above the taskbar which are malfeasant or deceptive. The user does not need to do anything or allow any further activity for the message to appear.
Example of a legitimate push notification sent to a user. Credit Howtogeek.com
In this campaign, the push notifications are malfeasant in nature.
Example of a fake antivirus message delivered to a users endpoint.
For the technical security analysts, the report provides pointers into both network and disk artifacts to validate an impacted system.
The campaign observed is detailed in the graphic below and is still occurring in the wild and in most cases, the activity is not visible to the users, though the potential for messages and the telemetry collection does appear to be present.
This may help identify some of the IOCs and describe the activity which security operations analysts may be researching.
The potential for using this technique for purposes beyond what is happening now presents some level of risk for further social engineering. Additionally, there is enough evidence of tracking and telemetry gathering to be concerned that impacted systems can be identified through their external IP, unique identifiers and user agents.
Indelible has already made notification to Google, as Google Chrome appears to be impacted by this. Google's response has been to take the report seriously and investigate as they are likely best positioned to support security in this important web feature.
The notifications include fake antivirus infection messages, fake dating notices, Uranium investment notices and links which contain multiple redirectors.
See the PDF of Indelible's report on this and we thank peers in the industry who discussed, contributed or otherwise assisted with validation.
Full Report here:
More content may be added to this article, however at this time, we are publishing the report to help the community, including domains observed.
Domains observed:
vivdq[.]com
news-back2[.]com
www6[.]news-back[.]com
nwliko[.]com
news-delta[.]com
www7[.]news-back[.]com
chgilks[.]com
news-easy[.]com
www8[.]news-back[.]com
amsfi[.]com
latest[.]news-pro[.]today
www9[.]news-back[.]com
erihj[.]com
news-back[.]com
xyznews1[.]today
amsthr[.]com
news-gamma[.]com
xyznews2[.]today
amsvts[.]com
news-jupiter[.]com
xyznews3[.]today
ntsecd[.]com
news-mars[.]com
xyznews4[.]today
gewrh[.]com
news-pro[.]net
www9[.]news-back[.]best
nyphtrue[.]com
news-robot[.]com
you-just-won-prize[.]com
inpcut[.]com
news-venere[.]com
us[.]xmlppcbuzz[.]com
nydrctnk[.]com
news[.]qubscribe[.]com
onclickmega[.]com
coderformylife[.]info
news[.]ueep[.]com
abcnewspro[.]com
feed-6009[.]coderformylife[.]info
news[.]vuer[.]net
android-win-reward[.]com
hmikw[.]com
newscaffe[.]net
click-to-win-prize[.]com
hditers[.]com
newsmagic[.]net
easyinformer[.]com
ofhappinyer[.]com
newswe[.]org
fire-push[.]net
ittorchicer[.]com
notify[.]premium-news[.]me
notification[.]best
mol17[.]biz
pro-news[.]net
notify-guru[.]com
inpagepush[.]com
push[.]news-pro[.]today
notify-master[.]net
liatutsch-comeceful[.]icu
push[.]ueep[.]com
notify[.]rocks
vihwq[.]com
sticky[.]news
pro-web[.]net
lmy[.]de
today[.]ueep[.]com
pushpush[.]net
u21drwj6mp[.]com
today[.]vuer[.]net
pushpushnews[.]com
api[.]savemedia[.]website
www1[.]news-back[.]com
pushwelcome[.]com
fistcartyped[.]casa
www10[.]news-back[.]com
send-news[.]net
caradstag[.]casa
www2[.]news-back[.]com
smart-push[.]best
praght[.]tech
www3[.]news-back[.]com
win-your-prize[.]com
distributiontomatoes[.]com
www4[.]news-back[.]com
windowsguidenews[.]com
special-offers[.]online
www5[.]news-back[.]com
www1[.]news-back[.]best
www10[.]news-back[.]best
www5[.]news-back[.]best
catchynews[.]net
www2[.]news-back[.]best
www6[.]news-back[.]best
inspirenews[.]net
www3[.]news-back[.]best
www7[.]news-back[.]best
latest[.]android-central[.]news
www4[.]news-back[.]best
www8[.]news-back[.]best
latest[.]news-ai[.]today
lodder6[.]biz
personal-video[.]live
mol3[.]biz
check-now[.]online
achilles-ena[.]com
Comentários