Compromised Websites and Download Bomb Attacks
In recent weeks a resurgence of download bomb attacks has been observed in the wild. The bomb is used to freeze the victim's browser and so lend credibility to malicious websites serving a tech-support phishing scam. For users of Menlo Security's Isolation Platform (MSIP), this attack is trivially defeated, with zero malicious content reaching the end user's device. The same cannot be said for reputation-based security, as we review below.
The tech-support scam aims to trick users into calling a premium-rate phone number to have a fictitious malware infection removed. In the past this was achieved by redirecting users to a website that displays a notification that their browser has been compromised and that they should call the telephone number provided. Usually the alert keeps reappearing after being dismissed; however, that trick is easily defeated by the repeated-dialog suppression built into Google Chrome for exactly this purpose.
An example of the phishing content:
In some cases an audio file is also downloaded and played that reads the alert aloud.
[1] Example taken from https://benedikt-bitterli.me/reverse/, one of the observed sources of this malicious content.
An example GIF of the download attack:
As the GIF shows, when the download attack succeeds the browser becomes completely unresponsive and cannot even be closed.
Analysing the websites serving this attack, we can broadly break them down into three categories:
1. Outright phishing websites. These sites serve the phishing scam directly and are likely distributed as direct links in phishing campaigns. They make no attempt to hide their intent and are often short-lived.
2. Masquerading websites. These sites pose as legitimate websites, usually with simple content that is displayed to the majority of visitors. Only when a visitor arrives using a vulnerable browser is the request redirected to a malicious domain serving the phishing scam. Because the site looks legitimate to everyone else, the domain accrues a benign reputation and categorization, so categorization services do not perceive it as a risk.
3. Compromised websites. In one case in particular, the website of a reputable international company was compromised, so that a subset of page requests, around 6% of those observed by the Menlo Security cloud service, were redirected to a malicious domain.
In the cases where a user was redirected to a malicious domain, the destination domains were short-lived and often hosted on services such as DigitalOcean.
Outright phishing websites are likely to be identified quickly as malicious domains, so reputation-based security solutions would probably block them. The troubling fact is that the same solutions would be unlikely to catch masquerading websites immediately, and for compromised websites the response time would be even worse. Ultimately this exposes users to these attacks, and potentially to other infection vectors.
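The categories above share one observable: a host that looks reputable serves a redirect to an unrelated, short-lived domain, and only for some requests (the ~6% of traffic in the compromised-site case) or only for some browsers (the masquerading case). The following script is an added example, not Menlo Security's detection code: it walks web-proxy log lines, counts redirects that leave the requested site's registered domain, and flags any host whose off-site redirect rate exceeds a threshold, recording which redirect targets and browser families were involved. The log format, hostnames and threshold are constructed for illustration; the registered-domain check is the simplistic "last two labels" rule and would need a public-suffix list in production.

```python
"""Flag hosts that redirect a fraction of their visitors off-site.

Added example with constructed log lines; not a Menlo Security component.
Each log line: <requested URL> <status> <Location header or -> <browser family>
"""
from urllib.parse import urlsplit

# Constructed sample traffic. www.example-corp.test is a "compromised" site:
# 2 of 10 requests are bounced to an unrelated domain, for two browser families.
# The 301 on /news and the shop.test -> www.shop.test hop are ordinary same-site
# redirects and must not count.
SAMPLE_LOG = """\
https://www.example-corp.test/ 200 - Chrome/66
https://www.example-corp.test/about 200 - Firefox/60
https://www.example-corp.test/ 302 https://help-desk-0042.test/alert.html Chrome/66
https://www.example-corp.test/products 200 - Safari/11
https://www.example-corp.test/contact 200 - Chrome/66
https://www.example-corp.test/news 301 https://www.example-corp.test/news/ Chrome/66
https://www.example-corp.test/careers 200 - Edge/17
https://www.example-corp.test/ 302 https://help-desk-0042.test/alert.html Edge/17
https://www.example-corp.test/about 200 - Chrome/66
https://www.example-corp.test/ 200 - Firefox/60
https://shop.test/ 301 https://www.shop.test/ Chrome/66
https://www.shop.test/cart 200 - Chrome/66
https://www.shop.test/ 200 - Firefox/60
"""


def registered_domain(host):
    """Simplification (assumption): the registered domain is the last two DNS
    labels. Correct for example.com, wrong for example.co.uk; use a public
    suffix list for real traffic."""
    return ".".join(host.lower().split(".")[-2:])


def parse_line(line):
    """Split one constructed log line into its fields."""
    url, status, location, agent = line.split(" ", 3)
    return {
        "host": urlsplit(url).hostname,
        "status": int(status),
        "location": None if location == "-" else location,
        "agent": agent,
    }


def find_conditional_redirects(log_text, min_rate=0.01):
    """Return {host: stats} for hosts whose share of off-site redirects is at
    least min_rate. stats carries request count, off-site redirect count, the
    redirect targets seen and the browser families that triggered them."""
    stats = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        s = stats.setdefault(
            rec["host"], {"requests": 0, "offsite": 0, "targets": set(), "agents": set()}
        )
        s["requests"] += 1
        if 300 <= rec["status"] < 400 and rec["location"]:
            target = urlsplit(rec["location"]).hostname
            # Only a redirect that leaves the registered domain is suspicious.
            if target and registered_domain(target) != registered_domain(rec["host"]):
                s["offsite"] += 1
                s["targets"].add(target)
                s["agents"].add(rec["agent"])
    flagged = {}
    for host, s in stats.items():
        rate = s["offsite"] / s["requests"]
        if rate >= min_rate:
            flagged[host] = {**s, "rate": rate}
    return flagged


if __name__ == "__main__":
    for host, s in find_conditional_redirects(SAMPLE_LOG).items():
        print(f"{host}: {s['offsite']}/{s['requests']} off-site "
              f"({s['rate']:.0%}) -> {sorted(s['targets'])} for {sorted(s['agents'])}")
```

A low threshold matters here: at 6% a per-day aggregate will flag the site, but a per-minute window on a large site may see zero redirects in most windows, so aggregate over a long enough period for the rate to be meaningful. The `agents` set is what separates category 2 from category 3: a masquerading site redirects one browser family consistently, whereas the compromised site above redirects a slice of every browser's traffic.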
Once the compromised domain was identified, Menlo Security's UK team disclosed the issue to the owning company. MSIP's vulnerable-service detection identified the remote servers as running outdated and vulnerable software, in particular Drupal 7, which may have been the vector used to infect the servers hosting the site. It also appeared that several of their web servers had been compromised, as subsequent attempts to reach the real domain produced different variants of the phishing scam and redirects to a number of different IPs and domains.
MSIP’s Threat Details
Since the detection, the compromised servers have now been updated and appear to no longer be redirecting users to malicious domains.
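Drupal 7 advertises itself in an `X-Generator` response header and a `<meta name="Generator">` tag, and ships a `/CHANGELOG.txt` whose first line names the exact installed release. The script below is an added example, not MSIP's vulnerable-service detection: it reads those three artifacts from already-captured responses and compares the release against a minimum supplied by the operator, so it makes no claim about which CVEs apply. The headers, page body, changelog excerpt and the minimum version are constructed for illustration; in practice they come from three HTTP requests to the site under review.

```python
"""Fingerprint a Drupal 7 site and compare its release to an operator minimum.

Added example with constructed responses; not Menlo Security code. The
minimum version is an operator input, not a statement about specific CVEs.
"""
import re

# Constructed sample artifacts, in the shape Drupal 7 actually emits.
SAMPLE_HEADERS = {
    "Server": "Apache",
    "X-Generator": "Drupal 7 (http://drupal.org)",
}
SAMPLE_BODY = (
    '<html><head>'
    '<meta name="Generator" content="Drupal 7 (http://drupal.org)" />'
    '</head><body>Welcome</body></html>'
)
SAMPLE_CHANGELOG = (
    "Drupal 7.54, 2017-02-01\n"
    "-----------------------\n"
    "- Fixed security issues (described elsewhere in the real file).\n"
    "\n"
    "Drupal 7.53, 2016-12-07\n"
)

_GENERATOR = re.compile(r"Drupal\s+(\d+)", re.I)
_META = re.compile(
    r'<meta[^>]+name=["\']generator["\'][^>]+content=["\']([^"\']+)', re.I
)
# The newest release is the first "Drupal x.y, date" line of CHANGELOG.txt.
_CHANGELOG = re.compile(r"^Drupal\s+(\d+(?:\.\d+)+)", re.M)


def detect_drupal_major(headers, body):
    """Return the Drupal major version from X-Generator or the meta tag, else None."""
    candidates = [v for k, v in headers.items() if k.lower() == "x-generator"]
    m = _META.search(body)
    if m:
        candidates.append(m.group(1))
    for text in candidates:
        g = _GENERATOR.search(text)
        if g:
            return int(g.group(1))
    return None


def changelog_version(changelog_text):
    """Exact release as advertised by CHANGELOG.txt, or None if not exposed."""
    m = _CHANGELOG.search(changelog_text or "")
    return m.group(1) if m else None


def version_tuple(version):
    """'7.54' -> (7, 54) so releases compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def assess(headers, body, changelog_text, minimum):
    """Combine the three artifacts into one verdict.

    'outdated' is True only when an exact release was found and it is older
    than the operator-supplied minimum; a site that hides CHANGELOG.txt yields
    version None and is reported, not judged."""
    major = detect_drupal_major(headers, body)
    exact = changelog_version(changelog_text) if major else None
    outdated = exact is not None and version_tuple(exact) < version_tuple(minimum)
    return {"major": major, "version": exact, "outdated": outdated}


if __name__ == "__main__":
    print(assess(SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_CHANGELOG, minimum="7.59"))
```

The verdict deliberately distinguishes "Drupal 7, release unknown" from "Drupal 7, release older than the minimum": many sites strip the generator header but leave CHANGELOG.txt readable, or the reverse, and a scanner that treats either gap as "not vulnerable" will miss exactly the hosts that matter.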
Importantly, because of our Isolate-All approach to the internet, the end user was protected even though one of the domains serving malicious content belonged to a reputable company and was therefore classified as a reputable domain.
In one instance, this phishing content was served from a website belonging to one of the 20 largest companies in India, with a turnover in excess of $18 billion, one which even lists cybersecurity among its key business areas. This highlights that, whatever the size of the company, no website is safe from attack; a global brand's domain is if anything a bigger target, because of the reputation an attacker can borrow by hijacking it. The situation is likely compounded when, as here, the servers themselves run outdated software with known CVEs. Overall, an "Isolate-All" strategy is the best form of protection: despite the website's positive reputation, an end user would still be protected, and with MSIP, was.
- Note: since this investigation the malicious content has been removed from the domain.
Other compromised / Masquerading domains