
Malicious Chrome Extensions Siphoning Data from 1.4 million Users

 

Threat analysts at McAfee unearthed five malicious Chrome extensions built to track users' browsing activity and inject code into e-commerce websites. 

With over 1.4 million installs, the malicious extensions can alter cookies on e-commerce platforms without the victim’s knowledge so that scammers can receive affiliate payments for the purchased products. The five malicious extensions that exploit affiliate marketing are as follows: 

• Netflix Party (800,000 downloads), 
• Netflix Party 2 (300,000), 
• Full Page Screenshot Capture (200,000), 
• FlipShope Price Tracker Extension (80,000), 
• AutoBuy Flash Sales (20,000). 

"The extensions offer various functions such as enabling users to watch Netflix shows together, website coupons, and taking screenshots of a website," McAfee researchers Oliver Devane and Vallabh Chole explained. "The latter borrows several phrases from another popular extension called GoFullPage."

All five extensions employ an identical methodology to target users. The web app manifest (the "manifest.json" file), which governs the extension's behavior on the victim's system, loads a multifunctional script (B0.js) that sends the browsing data to a domain the attackers control ("langhort[.]com"). 

The data is sent via POST requests each time the victim visits a new URL. The stolen data includes the URL in base64 form, the user ID, device location (country, city, zip code), and an encoded referral URL. The researchers also disclosed that the user tracking and code injection behavior resides in a script named 'b0.js', which contains many other functions as well. 

Additionally, the security firm identified an evasion mechanism that delays the malicious activity by 15 days from the time the extension is installed, helping to keep its activity concealed and avoid raising red flags. 

McAfee recommends that users carefully vet extensions before installing them, even those that already have a large install base, and pay close attention to the permissions the extensions ask for, such as the permission to run on any website the user visits. 
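To make that recommendation concrete, here is an added example (not code from McAfee or from any of the extensions above) that audits an extension's manifest.json for the capability combination the article describes: host access to every site plus the cookies permission, or a content script injected on all URLs. The sample manifest is constructed for this example.

```python
import json

# Host match patterns that grant access to every site the user visits
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that, combined with broad host access, let an extension read
# or rewrite cookies and traffic for those sites
SENSITIVE_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "tabs", "history"}


def _host_patterns(manifest: dict) -> set:
    """Collect host match patterns from both MV2 and MV3 manifest layouts."""
    hosts = set(manifest.get("host_permissions", []))  # Manifest V3 location
    # Manifest V2 mixes host patterns into "permissions" next to API permission names
    hosts |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    return hosts


def audit_manifest(manifest: dict) -> list:
    """Return human-readable findings for risky capability combinations."""
    findings = []
    hosts = _host_patterns(manifest)
    api_perms = set(manifest.get("permissions", [])) - hosts
    broad_hosts = hosts & BROAD_HOST_PATTERNS
    if broad_hosts:
        findings.append(f"host access to every site: {sorted(broad_hosts)}")
    for perm in sorted(api_perms & SENSITIVE_PERMISSIONS):
        findings.append(f"sensitive API permission: {perm}")
    for script in manifest.get("content_scripts", []):
        if set(script.get("matches", [])) & BROAD_HOST_PATTERNS:
            findings.append(f"content script injected on all sites: {script.get('js', [])}")
    if broad_hosts and "cookies" in api_perms:
        findings.append("can read and rewrite cookies on any site the user visits")
    return findings


# Constructed sample manifest (not taken from any real extension): shaped like a
# screenshot tool, but asking for far more than a screenshot tool needs.
SAMPLE_MANIFEST = json.loads("""
{
  "manifest_version": 3,
  "name": "Example Screenshot Helper",
  "version": "1.0",
  "permissions": ["activeTab", "cookies", "tabs"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["helper.js"]}]
}
""")

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("-", finding)
```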

Last month, security researchers at Kaspersky estimated that more than 1.3 million users have been impacted by malicious browser extensions in just the first six months of this year alone. In fact, from January 2020 to June 2022, researchers unearthed that more than 4.3 million users had adware concealed in their browser extensions. Although Google is working rigorously to eliminate malicious extensions, new ones continue to pop up at a rapid pace.

Sophos: Employing Stolen Session Cookies to Navigate MFA & Access Networks

Attackers keep getting better. Stealing cookies from recently completed or ongoing web sessions is one newer strategy they have been employing to bypass multi-factor authentication (MFA). 

Recently, Sophos researchers reported a new attack technique that is already becoming more prevalent. According to the researchers, the "cookie-stealing cybercrime spectrum" is vast, encompassing entry-level hackers as well as sophisticated rivals who employ a variety of strategies. 

On dark web forums, cybercriminals purchase stolen credentials in bulk or collect cookies. Because ransomware groups abuse legitimate executables, both those already present on the system and those they add as tools, 'their operations may not be detected by simple anti-malware defenses.'

Cookie theft

Cloud services also rely on cookies for user authentication. Thanks to the malware-as-a-service sector, it is becoming simpler for entry-level attackers to engage in credential theft. 

For instance, all they need to do is purchase a copy of an information-stealing Trojan like Raccoon Stealer to bulk collect information like cookies and passwords and then sell them on illicit markets like Genesis. Once this data is purchased, other criminals in the attack chain, such as ransomware developers, can search through it for anything they think would help their attacks. 

On the other hand, in two of the most recent incidents that Sophos studied, the attackers adopted a more focused strategy. In one incident, the attackers sat inside a target's network for months in order to collect cookies from the Microsoft Edge browser. After the initial intrusion via an exploit kit, they used Cobalt Strike and Meterpreter activity to abuse a legitimate compiler tool in order to scrape access tokens.

The attackers dropped a malicious payload that scraped cookie files for a week using a legitimate Microsoft Visual Studio component.

"Although mass cookie theft has been an issue, hackers are using a far more focused and efficient method to steal cookies. There is no limit to the kinds of nefarious activities attackers might engage in with stolen session cookies now that so much of the workplace is web-based. Hackers have the power to alter cloud infrastructures, corrupt corporate email, persuade other staff members to download malware, and even modify product code. Their own imagination is their only constraint," said Sean Gallagher, principal threat researcher at Sophos.

Cookies Access Systems Against Safety Protocols

According to Digital Trends, cookie theft lets attackers abuse a range of online tools and services. The theft can occur via browsers, web-based programs, web services, malware-laden emails, and ZIP files. Because cookies are so widely used, abusing them has become a well-developed practice.

Sophos lists the Emotet botnet as one cookie-stealing malware that preys on data in the Google Chrome browser. Its objectives are credit card data and saved logins. Even if the browser is encrypted and uses multifactor authentication, the Emotet botnet can still gather login information.

Ransomware organizations also gather cookies. Because attackers abuse legitimate executables, both those already present on the system and those they bring along as tools, simple anti-malware defenses are unable to detect their actions, according to eSecurity Planet.

Google Delays Phasing Out Ad Cookies on Chrome Until 2024

 

Google announced on Wednesday that it is postponing its plans to disable third-party cookies in the Chrome web browser from late 2023 to the second half of 2024. 

"The most consistent feedback we've received is the need for more time to evaluate and test the new Privacy Sandbox technologies before deprecating third-party cookies in Chrome," Anthony Chavez, vice president of Privacy Sandbox, stated. 

Keeping this in mind, the internet and ad tech behemoth announced a "deliberate approach" to extending the testing window for its continuing Privacy Sandbox activities before phasing out third-party cookies. Cookies are packets of data that a web browser places on a user's computer or another device when they visit a website, with third-party cookies powering much of the digital advertising ecosystem and its capacity to follow users across other sites to serve tailored adverts. 

Google's Privacy Sandbox is an umbrella phrase for a collection of technologies aimed at improving consumers' privacy across the web and Android by limiting cross-site and cross-app tracking and offering improved, safer alternatives to serve interest-based ads. While Google had intended to launch the functionality in early 2022, it altered the timeframe in June 2021, proposing to phase away third-party cookies over a three-month period beginning in mid-2023 and concluding in late 2023. 

"It's become clear that more time is needed across the ecosystem to get this right," the company noted at the time. 

The second extension comes after Google introduced Topics API in January 2022 as a successor for FLoC (short for Federated Learning of Cohorts), followed by a developer preview of Privacy Sandbox for Android in May. 

In February 2022, the UK Competition and Markets Authority (CMA) formally accepted Google's commitments on how it develops the technology, emphasising the need to flesh out Privacy Sandbox so that it promotes competition and helps publishers increase ad revenue while also protecting consumer privacy. According to the revised plan, Privacy Sandbox trials will be opened to users worldwide next month, with the number of people participating in the testing increasing during the remainder of the year and into 2023. 

Google also stated that users will be prompted to control their participation and that the APIs will be broadly accessible by Q3 2023, with third-party cookie support expected to be phased out in H2 2024. For its part, the CMA confirmed that it is aware of "alternative approaches being created by third parties" and that it is "working with the [Information Commissioner's Office] to better assess their feasibility and possible implications."

Vidar Stealer Abuses Mastodon to get C2 Configuration Without Raising Alarms

 

The Vidar stealer has reappeared in a new campaign that takes advantage of the Mastodon social media network to obtain its C2 configuration without raising alerts. The new campaigns of recent Vidar Stealer versions reveal a new venue from which Vidar receives dynamic configurations and drop zone information for downloading and uploading files. Vidar Stealer previously used the Tumblr and Faceit platforms to fetch dynamic configuration from threat actors.

Vidar, first spotted in October 2018, is a descendant of the former Arkei Stealer and, thanks to its simplicity, dynamic configuration methods, and continued development, appears to be one of the most popular stealers at present. Vidar's developers refined and centralized the execution vector, making each stealer self-contained and eliminating the need for extra executables.

Vidar attempts to steal a wide range of data from infected machines: common browser data such as passwords, cookies, history, and credit card details; cryptocurrency wallets; files matching regex patterns supplied by the threat actor (TA); Telegram credentials on Windows; file transfer application data (WinSCP, FTP, FileZilla); and mail client data. 

Vidar's victimology is made up of private individuals, streamers, and social influencers from all over the world. Manufacturing enterprises and financial institutions are targeted in some situations, usually in spam campaigns.

What makes this campaign unique is Vidar's use of Mastodon, a popular open-source social media network, to obtain dynamic configuration and C2 connectivity. The threat actors create Mastodon accounts and then place the IP of the stealer's C2 in their profile's description section. 

The goal is to protect communications from the compromised machine to the configuration source: because Mastodon is a trusted platform, security tools are unlikely to flag it. At the same time, Mastodon is a relatively unmoderated space, making it unlikely that these malicious profiles will be discovered, reported, and removed. According to the Cyberint researchers who uncovered this campaign, each C2 they saw included between 500 and 1,500 separate campaign IDs, indicating Vidar's widespread deployment. 

In preparation for data exfiltration, Vidar Stealer stores all acquired data in a working directory with a random 25-character name, including credentials from a variety of chat, email, FTP, and web-browsing applications, as well as cryptocurrency wallets, a desktop screenshot, and details of the system configuration.

Raccoon Stealer has been Upgraded to Steal Cryptocurrency Alongside Financial Information

 

With the rise of ransomware and as-a-service offerings, malware has become an ever-growing concern. The developers of Raccoon Stealer, an information stealer, have shifted their targets, according to ZeroFox Threat Research. 

Since the beginning of the quarter, there have been several upgrades, the most prominent of which is the introduction of new "crypters." The goal of a crypter is to obfuscate a binary by adding junk code, breaking up the control flow without affecting the original functionality, or encrypting parts of the code so that static signatures cannot identify them. Support for stealing various new bitcoin wallets has also been added, as well as Discord being added to the list of targeted applications. 

The stealer is being bundled with malware such as malicious browser extensions, crypto miners, the Djvu/Stop consumer ransomware strain, and click-fraud bots targeting YouTube sessions, according to samples received by Sophos. 

Raccoon Stealer is an information stealer that was originally advertised in April 2019 on several underground forums by an attacker using the handle "raccoonstealer." Like most other stealers, it can steal stored auto-fill data, cookies, credentials, credit card info, and history from Chromium-based browsers such as Google Chrome and Microsoft Edge. Targeted theft from many cryptocurrency wallets is also possible. New cryptocurrencies are frequently added via updates, but it may also be customised to look for any wallet.dat file. 

A "clipper" for cryptocurrency theft is included in the upgraded stealer. The QuilClipper tool specifically targets wallets and associated passwords, as well as Steam-based transaction data. "QuilClipper steals cryptocurrency and Steam transactions by continuously monitoring the system clipboard of Windows devices it infects, watching for cryptocurrency wallet addresses and Steam trade offers by running clipboard contents through a matrix of regular expressions to identify them," the researchers noted. 

In the two years since its release, the team behind Raccoon Stealer has established itself as a capable group, frequently releasing new features and earning a mostly positive reputation in the community. They have also shown a readiness to add functionality in response to customer requests, as demonstrated by the recently launched API for automatically creating encrypted builds.

Here's a Quick Look at Pros and Cons of 'Cookies' in Terms of Browsing Experience

 

Cookie: a term most of you are familiar with. Every time you open a new website, it has its own cookie policy and asks you to accept its terms and conditions. So what role do cookies play? Do they enhance your browsing experience, or are there risks involved too? Let's find out the answers in the article below.

What are cookies?

Cookies, also called HTTP cookies, are small bits of data stored as text files on a browser. Websites use those small bits of data to keep track of users and enable user-specific features. They enable core website functionality, such as e-commerce shopping carts, and are also used for more controversial purposes, such as tracking user activity. Cookies are a necessary part of the way the web works as well as a source of privacy concerns and security risks. For this reason, casual web users and web developers have good reason to better understand how these tiny bits of data work.

Why are cookies so important? 

Cookies remain a critical component of the online world. And while companies are now obliged to be more transparent about cookie collection and use, another problem remains. If attackers can get their hands on post-MFA cookies, they may be able to bypass further authentication attempts and gain full access to enterprise networks. This is the crux of cookie hijacking, also known as session hijacking.

In practice, cookie hijacking relies on the stateless nature of HTTP. This means it naturally separates each operational request — such as users looking for access to a corporate network, bank account, or e-commerce account — into separate processes. As a result, web-based apps can’t ‘remember’ users. Using only HTTP would be extremely frustrating, with login and password details required for every task.

What Are Progressive Web Apps? 

Progressive Web Apps (PWA) combine new technologies with established best practices for creating reliable, accessible, and engaging experiences. They give users a native-like experience with a user-friendly opt-in installation flow.

To keep cookies out of the hands of cyber-attackers, it's now critical for companies to put defenses in place. These can include: 

HTTPS Cookies Only 

While many enterprises now use HTTPS on login pages to prevent potential eavesdropping attacks, this isn't enough to prevent cookie hijacking. Using HTTPS across all websites, services and PWAs instead extends protection to session keys and reduces the risk of cookie hijacking attacks. Setting the Secure cookie flag on any application server, which tells the browser to only send the cookie over HTTPS, also helps prevent plaintext eavesdropping of session details.

Improved Storage Architecture 

To reduce the time between request and response and improve the performance of PWAs, the use of HTML web storage is common. The problem? Cookie storage streamlines the attack process for cookie stealers looking to copy session access, while web storage at scale remains vulnerable to cross-site scripting (XSS) attacks. To limit the chance of cookie compromise, we recommend skipping web storage in favor of secure, local solutions. 
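The Secure flag from the "HTTPS Cookies Only" item and the XSS exposure from the item above both come down to how a session cookie is issued. The following added example (not from the original article) parses a Set-Cookie header, reports a missing Secure flag, a missing HttpOnly flag (which keeps the cookie out of reach of script on the page) and a weak SameSite setting, and rebuilds the header with those protections; the headers are constructed for the example.

```python
from __future__ import annotations


def parse_set_cookie(header: str) -> tuple[str, str, dict]:
    """Split a Set-Cookie header into (name, value, attributes).
    Attribute names are lower-cased; bare flags such as Secure map to None."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value, attrs


def audit_set_cookie(header: str) -> list:
    """Report missing protections on a session cookie."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by page scripts via document.cookie (XSS)")
    if (attrs.get("samesite") or "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cookie rides along on cross-site requests")
    # The __Host- prefix is only honoured with Secure, Path=/ and no Domain attribute
    if name.startswith("__Host-") and (
        "domain" in attrs or attrs.get("path") != "/" or "secure" not in attrs
    ):
        findings.append("__Host- prefix requires Secure, Path=/ and no Domain")
    return findings


def harden_set_cookie(header: str) -> str:
    """Rebuild the header with Secure, HttpOnly and SameSite=Lax added when absent."""
    name, value, attrs = parse_set_cookie(header)
    attrs.setdefault("secure", None)
    attrs.setdefault("httponly", None)
    if (attrs.get("samesite") or "").lower() not in ("lax", "strict"):
        attrs["samesite"] = "Lax"
    rendered = [f"{name}={value}"]
    for key, val in attrs.items():
        label = {"httponly": "HttpOnly", "samesite": "SameSite", "max-age": "Max-Age"}.get(
            key, key.capitalize()
        )
        rendered.append(label if val is None else f"{label}={val}")
    return "; ".join(rendered)


# Constructed sample headers (not captured from any real site)
WEAK = "sessionid=abc123; Path=/"
STRONG = "__Host-sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"

if __name__ == "__main__":
    print(audit_set_cookie(WEAK))
    print(harden_set_cookie(WEAK))
    print(audit_set_cookie(STRONG))
```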

Extensible IAM Services 

Comprehensive IAM services are another layer. Much like MFA, these tools aren't enough in isolation to defend applications at scale. When layered with complementary solutions such as RASP and HTTPS, however, IAM solutions can help mitigate overall risk.

Total Cookie Protection Launched in The New Upgrade of Firefox

 

Mozilla's latest Firefox 86 has been rolled out for desktop on Mac, Windows, and Linux. The browser upgrade brings features such as multiple picture-in-picture mode and video replay with backward and forward buttons. Total Cookie Protection has been integrated into the Strict Enhanced Tracking Protection (ETP) mode, revealed on Tuesday with the launch of Firefox 86. Total Cookie Protection was described as a 'huge advance' in containing cookies, which are now placed by websites into separate 'cookie jars'. 

Cookies are text files containing tiny pieces of information by which a computer can be identified. While intended to enhance the viewing experience on a website, they can also be used, without any permission, to track online activity. Google now plans to phase out third-party cookies on its Chrome web browser as part of its Privacy Sandbox project, an effort that aims to allow personalised ads while restricting tracking. 

Mozilla uses the 'cookie jar' analogy to explain the new blocker, whereby each third party that drops a cookie in the browser has its collected data confined to its own cookie jar. This stops trackers from following activity from site to site. Mozilla's Total Cookie Protection is the most recent move in its effort to protect people's privacy while they use the internet. Total Cookie Protection builds on existing Firefox efforts to prevent websites and online advertisers from building a profile of one's web history through internet cookies and other scripts. 

“Any time a website, or third-party content embedded in a website, deposits a cookie in your browser, that cookie is confined to the cookie jar assigned to that website, such that it is not allowed to be shared with any other website,” Mozilla wrote in a blog post. 

The company wants to silo each cookie jar because cookie data is currently shared across pages. Online advertisers can then understand which websites users visit so that they can try to send relevant ads. 

“In combining Total Cookie Protection with last month’s super cookie protections, Firefox is now armed with very strong, comprehensive protection against cookie tracking,” the company said. 

The Total Cookie Protection also provides an exception for non-tracking cookie-related scripts such as third-party login or password plugins.

This exception should therefore help avoid breaking websites. Mozilla took a page from the Tor Browser's "first party isolation" to develop Total Cookie Protection, which likewise requires cookies to be segregated by the website domain.
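To show why partitioning by top-level site stops a tracker from following a user across sites, here is an added toy model (not Mozilla's code) of a classic per-host cookie jar beside a jar keyed by (top-level site, cookie host), as the post describes. The hostnames are constructed, and the site_of helper is a simplification of the Public Suffix List lookup a real browser performs.

```python
def site_of(host: str) -> str:
    """Registrable site for a hostname. Simplified: assumes a two-label eTLD+1
    (news.example -> news.example); real browsers consult the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


class ClassicCookieJar:
    """One jar per cookie host: a tracker embedded on many sites sees the same cookie everywhere."""

    def __init__(self) -> None:
        self.store: dict = {}  # cookie_host -> {name: value}

    def set(self, top_level: str, cookie_host: str, name: str, value: str) -> None:
        self.store.setdefault(cookie_host, {})[name] = value

    def get(self, top_level: str, cookie_host: str, name: str):
        return self.store.get(cookie_host, {}).get(name)


class PartitionedCookieJar:
    """Total Cookie Protection style: jars keyed by (top-level site, cookie host),
    so the same tracker host gets a separate jar under every site it is embedded in."""

    def __init__(self) -> None:
        self.store: dict = {}  # (top_level_site, cookie_host) -> {name: value}

    def set(self, top_level: str, cookie_host: str, name: str, value: str) -> None:
        self.store.setdefault((site_of(top_level), cookie_host), {})[name] = value

    def get(self, top_level: str, cookie_host: str, name: str):
        return self.store.get((site_of(top_level), cookie_host), {}).get(name)


def simulate_tracker(jar) -> tuple:
    """Visit two constructed sites that both embed tracker.example and return the
    tracker id observed on each visit. The tracker mints a new id whenever it finds
    none in the jar the browser lets it see."""
    counter = 0
    seen = []
    for page in ("news.example", "shop.example"):
        tid = jar.get(page, "tracker.example", "tid")
        if tid is None:
            counter += 1
            tid = f"id-{counter}"
            jar.set(page, "tracker.example", "tid", tid)
        seen.append(tid)
    return tuple(seen)


def first_party_login_survives(jar) -> bool:
    """A site's own session cookie must still round-trip on that site."""
    jar.set("shop.example", "shop.example", "sid", "s3ss10n")
    return jar.get("shop.example", "shop.example", "sid") == "s3ss10n"


if __name__ == "__main__":
    print("classic    :", simulate_tracker(ClassicCookieJar()))      # same id on both sites
    print("partitioned:", simulate_tracker(PartitionedCookieJar()))  # different id per site
```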

2 New Android Malwares on The Hunt to Gain Control of User’s Account



According to security researchers, two new Android malware families are on the hunt to 'discreetly' take control of victims' accounts in order to send malicious content. Working together, the two steal cookies collected by the browser and by the apps of popular social networks, making the thieves' job considerably easier. 

Cookies are often perceived as harmless, since they are small bits of data that websites collect to track user activity and build customized settings for the user's next visit. In the wrong hands, however, they represent a serious security hazard: when websites store these cookies, they use a unique session ID that identifies the user later on without requiring them to enter a password or log in again. 

Once possessing a user's ID, swindlers can trick the websites into assuming that they are in fact the person in question and thusly take control of the latter's account. What's more, that is actually what these cookie thieves did, as described by computer security software major Kaspersky, creating Trojans with comparable coding constrained by a similar command and control (C&C) server. 

The first Trojan obtains root rights on the victim's device, which allows the thieves to transfer Facebook's cookies to their own servers. In many cases, however, having the session ID alone isn't sufficient to take control of someone's account: some sites have security measures in place that block suspicious login attempts. 

This is where the second Trojan comes in. This malicious application can run a proxy server on the victim's device to sidestep those security measures, obtaining access without raising any doubt. From that point onwards, the thieves can act as the victim and take control of their social media accounts to circulate undesirable content. While the ultimate aim of the cookie thieves remains rather obscure, a page revealed on the same C&C server offers a clue: it promotes services for distributing spam on social networks and messengers. 

In simpler words, the thieves might be looking for account access as an approach to dispatch widespread spam and phishing attacks. 

Malware analyst Igor Golovin says: "By combining two attacks, the cookie thieves have discovered a way to gain control over their victims' account without arising suspicions. While this is a relatively new threat -- so far, only about 1,000 individuals have been targeted -- that number is growing and will most likely continue to do so, particularly since it's so hard for websites to detect." 

He adds: "Even though we typically don't pay attention to cookies when we're surfing the web, they're still another means of processing our personal information, and anytime data about us is collected online, we need to pay attention." 

According to Kaspersky experts, all hope isn't lost; they made the following recommendations, which may help users avoid becoming victims of cookie theft: 
  1. Block third-party cookie access in your phone's web browser and only let your data be saved until you quit the browser.
  2. Periodically clear your cookies.
  3. Use a reliable security solution that includes a private browsing feature, which prevents websites from collecting information about your online activity.

Facebook Files a Lawsuit Against a Company for Running Malicious Ads?



Reportedly, Facebook filed a lawsuit against a "Chinese company" that allegedly compromised user accounts only to run suspicious ads on the platform.

Running and distributing advertisements for "counterfeit goods" and "dietary pills" was the sole purpose of compromising the accounts in question.

The company, per reports, goes by the name "ILikeAD Media International Company Ltd." According to sources, it is represented by the authors of the malware scheme, namely "Huang Toa" and "Chen Xiao Cong".

The authors purportedly employed two basic ploys to mask their actual aim.

Using images of celebrities, aka “celeb bait” to lure people into clicking on them is one of them and the other happens to be something called “Cloaking”.

Cloaking refers to hiding something from Facebook's systems so that the real destination of a link or advertisement is concealed.

Once clicked, the ad would lead users to the real "landing page", whereas Facebook would be tricked into seeing a version that complied with its advertising policies and terms.

Per Facebook, Cloaking is in most cases foolproof, as it hardly ever leaves tracks behind, making it very hard to identify the actors. This is largely the reason why there are no specific rules about it.


Reportedly, another attack along the same lines was observed in which a fake PDF editor was pushed solely to steal Amazon and Facebook session cookies. The malware at work, per reports, goes by the name "Socelars".

Along with session cookies, other data like access tokens, email addresses, credit card information, account IDs et cetera have allegedly constituted a part of the compromised data.

The cookies are later used to connect to several Facebook URLs, one of which accesses the "account_billing" directory.

The bulk of what's inside that directory is information that allows the malware to call the Facebook Graph API and extract data from the user's Ads Manager settings.

The malware, which was distributed via numerous websites, was in fact a new "Trojan" with almost nothing in common with the other types.

There’s no knowing if the above-mentioned malware has anything to do with the organization that Facebook sued but it surely suits the description.

All the users who had fallen prey to the schemes were compensated, and their accounts were secured against any unauthorized access.

Facebook is well aware of the danger its users faced and is committed to taking precautionary measures to prevent a repeat.