Frank Angiolelli

PushBug - Uncovering Widespread Push Notification (RFC 8030) Abuse in the Wild.

Indelible is sharing information gathered on what appears to be a widespread campaign that uses RFC 8030 (Web Push) and browser notification APIs to impact systems with malfeasant push notifications. The activity observed to date is social engineering: it bypasses many security controls and creates persistence by installing a service worker in the browser, after which the user may be presented with messages of the malfeasant site's choosing.


For the business and risk folks, this type of activity appears to be missed by many detective and preventative controls, is highly resilient and, once on the system, can be used to display malfeasant or deceptive messages above the taskbar. The user does not need to do anything or allow any further activity for the message to appear.

Example of a legitimate push notification sent to a user. Credit: Howtogeek.com


In this campaign, the push notifications are malfeasant in nature.


Example of a fake antivirus message delivered to a user's endpoint.



For the technical security analysts, the report provides pointers to both network and disk artifacts that can be used to validate whether a system is impacted.
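As an added triage example, not taken from the Indelible report, the Python below lists the web origins a Chrome profile has granted notification permission (the permission a site needs before its service worker can show push messages) and flags any that match a defanged watch list. It assumes Chrome's Preferences JSON keeps these grants under profile.content_settings.exceptions.notifications, keyed "https://host:443,*" with setting 1 meaning allow, and runs on a constructed sample rather than a real profile.

```python
import json
from urllib.parse import urlsplit

# Assumed Chrome convention for content-setting values: 1 = allow, 2 = block.
NOTIFICATION_ALLOW = 1

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'example[.]test' back into 'example.test'."""
    return indicator.replace("[.]", ".").strip().lower()

def allowed_notification_hosts(preferences: dict) -> list:
    """Return hostnames whose notification permission is set to allow."""
    grants = (preferences.get("profile", {})
              .get("content_settings", {})
              .get("exceptions", {})
              .get("notifications", {}))
    hosts = set()
    for pattern, entry in grants.items():
        if entry.get("setting") != NOTIFICATION_ALLOW:
            continue                              # blocked or ask: not a live grant
        origin = pattern.split(",")[0]            # "https://host:443,*" -> "https://host:443"
        host = urlsplit(origin).hostname
        if host:
            hosts.add(host.lower())
    return sorted(hosts)

def flag_hosts(hosts: list, watch_list: list) -> list:
    """Return granted hosts equal to, or a subdomain of, any watch-list domain."""
    suspects = {refang(d) for d in watch_list}
    return [h for h in hosts
            if any(h == s or h.endswith("." + s) for s in suspects)]

# Constructed sample: a Preferences fragment and a defanged watch list (not real indicators).
SAMPLE_PREFS = json.loads("""{"profile": {"content_settings": {"exceptions": {"notifications": {
  "https://alerts.push-example.test:443,*": {"setting": 1},
  "https://mail.example.test:443,*": {"setting": 1},
  "https://news-example.test:443,*": {"setting": 2}}}}}}""")
SAMPLE_WATCH = ["push-example[.]test", "news-example[.]test"]

if __name__ == "__main__":
    # Real use: load <profile dir>/Preferences with json.load() in place of SAMPLE_PREFS.
    granted = allowed_notification_hosts(SAMPLE_PREFS)
    flagged = set(flag_hosts(granted, SAMPLE_WATCH))
    for host in granted:
        print(("SUSPECT " if host in flagged else "allowed ") + host)
```

A granted origin that is not on the watch list still merits a look if the user does not recognise it, since the watch list only covers domains already reported.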


The campaign observed is detailed in the graphic below and is still occurring in the wild. In most cases the activity is not visible to the user, though the capability to display messages and to collect telemetry does appear to be present.


This may help identify some of the IOCs and describe the activity that security operations analysts may be researching.



The potential for using this technique for purposes beyond what is happening now presents some level of risk for further social engineering. Additionally, there is enough evidence of tracking and telemetry gathering to be concerned that impacted systems can be identified through their external IP, unique identifiers and user agents.


Indelible has already notified Google, as Google Chrome appears to be affected. Google has taken the report seriously and is investigating, as it is likely best positioned to support security in this important web feature.


The notifications include fake antivirus infection messages, fake dating notices, uranium investment notices and links that pass through multiple redirectors.


See the PDF of Indelible's report on this. We thank peers in the industry who discussed, contributed or otherwise assisted with validation.


Full report (PDF, 2.90MB): PushBug - Uncovering a Large Scale Push


More content may be added to this article; at this time, however, we are publishing the report to help the community, including the domains observed.


Domains observed:




©2020 by Indelible.