Compromised Websites and Download Bomb Attacks

In recent weeks a resurgence of download bomb attacks has been observed in the wild, attempting to add legitimacy to malicious websites serving a tech-support phishing scam. For users of Menlo Security’s Isolation Platform (MSIP), this attack is trivially defeated, with zero malicious content reaching the end user’s device. The same may not be said for reputation-based security, as we review below.

The Scam

This tech support scam aims to trick users into calling a premium-rate phone number in exchange for removing a reported malware infection. In the past, this has been achieved by redirecting users to a website which presents a notification that their browser has been compromised and that they should call the telephone number provided. Usually the alert continues to be displayed despite being dismissed; however, this is easily defeated with mechanisms built into Google Chrome to prevent exactly this.

An example of the phishing content:

[Figure 1: screenshot of the phishing alert page]

In some cases, an audio file may also be downloaded and played, that vocalizes the alert.

1 Example taken from https://benedikt-bitterli.me/reverse/, one example of the observed malicious content

At this point the user could close the browser and return to their previous activities. However, the download bomb attack attempts to add legitimacy by locking up the browser and preventing the user from closing the page. The reviewed sites all used the same mechanic: a tight loop attempting to create and save thousands of tiny 2-byte files, using JavaScript Blobs in the client’s browser. The browser becomes unresponsive attempting to service the excessive file “download” requests.

An example GIF of the download attack:

[Figure 2: animated GIF of the browser becoming unresponsive under the download bomb]

As can be seen in this GIF, when the download attack succeeds the browser becomes completely unresponsive and cannot even be closed.
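The attack works purely through volume: thousands of save requests in a tight loop starve the browser of the chance to service anything else. As an added example (not code from the original post or from Menlo Security), the following sliding-window limiter shows the shape of control an isolation layer or browser extension could apply to programmatic downloads so that a burst of this kind is capped rather than serviced; it also replays the burst offline to show how many requests get through. `DownloadGuard`, `simulateBurst` and `installDownloadGuard` are names assumed here, and the limits chosen are illustrative.

```javascript
// Added example, not code from the original post or from Menlo Security.
// A sliding-window limiter for programmatic downloads: the shape of defence an
// isolation layer or browser extension could apply so that a Blob "download
// bomb" (thousands of tiny files saved in a tight loop) cannot freeze the UI.
// DownloadGuard, simulateBurst and installDownloadGuard are names assumed here.

class DownloadGuard {
  constructor({ maxPerWindow = 5, windowMs = 1000 } = {}) {
    this.maxPerWindow = maxPerWindow; // downloads permitted per window
    this.windowMs = windowMs;         // window length in milliseconds
    this.timestamps = [];             // times (ms) of downloads allowed recently
    this.blocked = 0;                 // downloads refused since construction
  }

  // Decide whether a download triggered at time `now` (ms) may proceed.
  // Returns true to let it through, false to drop it silently.
  allow(now) {
    const cutoff = now - this.windowMs;
    // Evict entries that have aged out of the window.
    while (this.timestamps.length > 0 && this.timestamps[0] <= cutoff) {
      this.timestamps.shift();
    }
    if (this.timestamps.length >= this.maxPerWindow) {
      this.blocked += 1;
      return false;
    }
    this.timestamps.push(now);
    return true;
  }
}

// Replay the traffic shape of a download bomb offline: `count` save attempts
// spaced `gapMs` apart, starting at `startMs`. Returns how many got through and
// the guard's cumulative refusal count.
function simulateBurst(guard, count, gapMs, startMs = 0) {
  let allowed = 0;
  for (let i = 0; i < count; i += 1) {
    if (guard.allow(startMs + i * gapMs)) allowed += 1;
  }
  return { allowed, refused: guard.blocked };
}

// Browser hook (a no-op outside a DOM, e.g. under Node): route every
// programmatic click on an anchor carrying a `download` attribute through the
// guard. Returns true when the hook was installed.
function installDownloadGuard(guard, win = globalThis) {
  if (typeof win.HTMLAnchorElement === 'undefined') return false;
  const proto = win.HTMLAnchorElement.prototype;
  const originalClick = proto.click;
  proto.click = function patchedClick() {
    if (this.hasAttribute('download') && !guard.allow(win.performance.now())) {
      return undefined; // refused: nothing is saved and the page stays responsive
    }
    return originalClick.call(this);
  };
  return true;
}

// Stand-alone demonstration: 1000 save attempts one millisecond apart.
const demoGuard = new DownloadGuard({ maxPerWindow: 5, windowMs: 1000 });
console.log(simulateBurst(demoGuard, 1000, 1)); // { allowed: 5, refused: 995 }
```

The limiter is the interesting part; the in-page hook is only a sketch, because a script running in the same page can dispatch synthetic click events or restore the original prototype method, so a guard that the page cannot reach (in the browser itself, or in a remote container as the post describes) is what actually holds.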

In both forms of the attack (with and without the download bomb), MSIP successfully prevented any malicious content from reaching the client browser. Alerts that were undismissible when viewed natively were not displayed when viewed isolated; and all file downloads, despite being 2 bytes, were fully scanned and identified as benign before allowing them to reach the client. As the JavaScript that generates these files was being executed by our cloud-based Disposable Virtual Container, the user was not blocked from closing their browsing session down.

2 Example taken from https://malwaretips.com/threads/scammers-use-download-bombs-to-freeze-chrome-browsers-on-shady-sites.79651/

Sources

Analysing the websites serving this attack, they can be broadly broken down into three categories:

  1. Outright phishing websites. These sites directly serve the phishing scam and are likely propagated as direct links in phishing campaigns. They make no attempt to hide their intent and are often short lived.

  2. Masquerading websites. These websites attempt to masquerade as legitimate websites, often containing simple content, which is displayed to the majority of visitors. If a visitor reaches the domain using a vulnerable browser, they are redirected to a malicious domain serving the phishing scam. By masquerading as a legitimate website, the reputation and categorization of the domain tend towards a reputable level, so categorization services do not perceive the domain as a risk.

  3. Compromised websites. In one case in particular, a reputable international company’s website was compromised, leading to a subset of page requests, around 6% of those observed by the Menlo Security cloud service, being redirected to a malicious domain.

In the cases where a user was redirected to a malicious domain, the domains were short lived and often hosted on services such as DigitalOcean.

Outright phishing websites are likely to be identified quickly as malicious domains, so reputation-based security solutions would probably block access to them. The troubling fact is that such solutions would have been unlikely to catch the masquerading websites immediately, and for compromised websites the response time would be even worse. Ultimately, this exposes users to these attacks, and potentially to other infection vectors.
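What makes the masquerading and compromised cases hard for reputation scoring is that only a slice of traffic is affected: the site keeps serving legitimate content to most visitors while a minority of requests (about 6% in the observed case) are bounced to a short-lived scam host. The following added example (not Menlo Security’s code, nor from the original post) scans constructed proxy-log lines and flags hosts whose off-site redirect fraction sits in that selective band, which a whole-site reputation score glosses over. The log format, host names, timestamps, thresholds and the function names `buildSampleLog`, `parseLine` and `analyseRedirects` are all assumptions made for this illustration.

```javascript
// Added example, not code from the original post or from Menlo Security.
// Spot the "partial redirect" footprint of a compromised site in proxy logs:
// a small slice of requests (the post observed about 6%) bounced off-site,
// which a reputation score for the site as a whole will not reflect.
// The log format, host names and thresholds below are constructed for this
// example; analyseRedirects, parseLine and buildSampleLog are names assumed here.

// One constructed log line per request:
//   <ISO timestamp> <requested host> <HTTP status> <Location host or "-">
function buildSampleLog() {
  const lines = [];
  for (let i = 0; i < 100; i += 1) {
    // 6 of the 100 requests to the corporate site are sent to a scam host
    const bounced = i % 17 === 0; // i = 0, 17, 34, 51, 68, 85
    const minute = String(i % 60).padStart(2, '0');
    lines.push(`2018-07-12T09:${minute}:00Z www.example-corp.test ${bounced ? '302 scam-alert.example' : '200 -'}`);
  }
  // A site that legitimately redirects every request to its own www host
  for (let i = 0; i < 20; i += 1) {
    lines.push('2018-07-12T10:00:00Z example-shop.test 301 www.example-shop.test');
  }
  // An untouched site with no redirects at all
  for (let i = 0; i < 30; i += 1) {
    lines.push('2018-07-12T11:00:00Z news.example.test 200 -');
  }
  return lines;
}

// Parse one log line; returns null for blank or malformed lines.
function parseLine(line) {
  const [ts, host, status, location] = line.trim().split(/\s+/);
  if (!ts || !host || !status || Number.isNaN(Number(status))) return null;
  return {
    ts,
    host,
    status: Number(status),
    location: location && location !== '-' ? location : null,
  };
}

// Crude registrable-domain approximation (last two labels); good enough to
// treat example-shop.test -> www.example-shop.test as an on-site redirect.
function registrable(host) {
  return host.split('.').slice(-2).join('.');
}

// Group requests by host and flag hosts whose off-site redirect fraction sits in
// the "selective" band: above noise, but well short of a wholesale alias.
function analyseRedirects(lines, { minFraction = 0.01, maxFraction = 0.5 } = {}) {
  const perHost = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (rec === null) continue;
    const stats = perHost.get(rec.host) || { total: 0, offsite: 0, targets: new Set() };
    stats.total += 1;
    const isRedirect = rec.status >= 300 && rec.status < 400 && rec.location !== null;
    if (isRedirect && registrable(rec.location) !== registrable(rec.host)) {
      stats.offsite += 1;
      stats.targets.add(rec.location);
    }
    perHost.set(rec.host, stats);
  }
  const findings = [];
  for (const [host, s] of perHost) {
    const fraction = s.offsite / s.total;
    if (fraction >= minFraction && fraction <= maxFraction) {
      findings.push({ host, total: s.total, offsite: s.offsite, fraction, targets: [...s.targets] });
    }
  }
  return findings;
}

// Stand-alone demonstration.
console.log(analyseRedirects(buildSampleLog()));
// [ { host: 'www.example-corp.test', total: 100, offsite: 6, fraction: 0.06, targets: [ 'scam-alert.example' ] } ]
```

The band thresholds are tuning knobs, not fixed values: a host that redirects 100% of requests is usually a plain alias, and a single stray redirect is noise. The two-label `registrable` check stands in for a proper public-suffix lookup. In practice the flagged targets would then be enriched with the signals the post mentions (domain age, hosting provider) before raising an alert.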

Once the compromised domain was identified, Menlo Security’s UK team disclosed the issue to the owning company. MSIP’s vulnerable-service detection identified the remote servers as running outdated and vulnerable software, in particular Drupal 7, which may have been the vector used to infect the servers hosting the site. It was also noted that a number of their web servers may have been compromised, as subsequent attempts to reach the real domain resulted in different varieties of this phishing scam being presented and in redirection to a number of different IPs and domains.

MSIP’s Threat Details

[Figure 3: screenshot of the MSIP threat details for the compromised domain]

Since the detection, the compromised servers have now been updated and appear to no longer be redirecting users to malicious domains.

MSIP Intervention

Users of MSIP are isolated from these attacks as MSIP only allows the JavaScript download bomb to execute within our Disposable Virtual Container. This prevents the client from locking up, defeating the attempt to confuse the user and significantly reducing the risk that they will fall for the scam. Furthermore, all file downloads are analyzed and only allowed to reach the client machine if they meet the client’s corporate policy and are identified as benign. Malicious content is prevented from reaching the end user’s device.

Importantly, because of our Isolate-All approach to the internet, the end user was protected even though one of the domains serving malicious content belonged to a reputable company and was therefore classified as a reputable domain.

Final Thoughts

In one instance, this phishing content was served from a website belonging to one of the 20 largest companies in India, with a turnover in excess of $18 billion, which notably lists cybersecurity as one of its key business areas. This highlights that, no matter the size of the company, no website is safe from attack; a global brand is potentially an even bigger target because of the reputation that can be leveraged by hijacking its domain. The situation is likely to be compounded, as the servers themselves appear to be running outdated software with known CVEs. Overall, an “Isolate-All” strategy is the best form of protection: despite the website’s positive reputation, an end user would still be protected, and with MSIP, was.

Appendix

Domains identified:

Outright Phishing

  • http<colon>//assistance4thecomputer<dot>com/index<dot>php
    • Since this investigation the domain has been removed.

Other compromised / Masquerading domains

  • https<colon>//www<dot>skilleducators<dot>com
  • https<colon>//www<dot>adamlookout<dot>com
  • http<colon>//accentsonasheville<dot>com
  • http<colon>//www<dot>drugalert<dot>org/prozac


Related articles:

https://malwaretips.com/threads/scammers-use-download-bombs-to-freeze-chrome-browsers-on-shady-sites.79651/

https://arstechnica.com/information-technology/2018/07/tech-support-scammers-revive-bug-that-sends-chrome-users-into-a-panic/

https://www.bleepingcomputer.com/news/security/scammers-use-download-bombs-to-freeze-chrome-browsers-on-shady-sites/

Tags: malware, phishing, javascript, compromised websites, isolation, download bomb