Merlin Labs Memo -- Week of August 29 - September 1

Widely Used Chrome Extensions Contain Cookie-Stuffing Malware

“Five imposter extensions for the Google Chrome web browser masquerading as Netflix viewers and others have been found to track users' browsing activity and profit of retail affiliate programs.” The five popular extensions advertised various features, including “enabling users to watch Netflix shows together, website coupons, and taking screenshots of a website." The malicious browser add-ons, which were available on the Chrome Web Store, were downloaded no less than 1.4 million times. The article goes on to discuss some interesting tactics in the malicious code itself, such as a built-in delay before the malicious activity starts, intended to help the extension avoid or delay detection by many automated detection tools. --Via: The Hacker News

Our Take: While cookie stuffing may sound like something you’d see on a fun video of a pastry chef going to town with an icing bag, bowls of colorful icing and a stack of scrumptious, home-made cookies – that’s sadly not the case. The cookie stuffing addressed in this review involves a malicious individual creating a browser extension – to be installed by naïve users – that contains code that tracks and records every website visited in the affected browser and leverages browser cookies to spoof e-commerce sites. It sends the user’s browsing information to a server monitored by the malicious actor(s). Those actors can then manipulate cookie information on targeted e-commerce sites in a way that credits/pays the malicious actors “affiliate payments” for visits or items purchased – as if those visits/purchases were coming from legitimate affiliate websites. So first, let’s address the issue of browser extensions (or any applications downloaded from the Internet). Just because an extension is available on a common marketplace or has a large number of installs does NOT mean it’s safe. What better way for a malicious actor to proliferate their malicious code than by hiding it in a popular application and letting the rest of us do the work for them? So on the topic of browser extensions, a few suggestions:

  • Simply avoid downloading and installing extensions as a general rule. Treat extension use as an exception, not a rule.
  • Develop policies that prevent the installation of extensions and applications that are not approved. This makes sense for an organization with knowledgeable IT cybersecurity folks and automated rules governance, not so much for home Internet surfers.
  • Implement Internet and website scanning and security tools and configure the tools for a low to zero-trust approach to web-based application and extensions. Even home users without an IT department can do this.
  • Educate yourself or your organization’s users to carefully pay attention to permissions being requested when installing an extension – and teach those users to be especially cautious of extensions that are asking for broad permissions or permission to run on every website visited.
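As an added example (not code from the memo or from any of the extensions it discusses), the check below reads a Chrome extension manifest and flags the combination the last bullet warns about: permission to run on every website plus APIs that can observe browsing or alter cookies. The sample manifest is constructed for illustration and does not represent any real extension; the permission names are real Chrome manifest keys.

```python
import json

# Chrome match patterns that mean "every website the user visits".
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Chrome API permissions that let an extension observe browsing or touch cookies.
SENSITIVE_APIS = {"cookies", "webRequest", "webRequestBlocking", "tabs",
                  "history", "webNavigation", "declarativeNetRequest", "scripting"}


def host_patterns(manifest):
    """Collect host match patterns from MV2 'permissions', MV3
    'host_permissions' and every content_scripts 'matches' list."""
    patterns = set()
    for p in manifest.get("permissions", []):
        if "://" in p or p == "<all_urls>":   # MV2 mixes hosts and APIs here
            patterns.add(p)
    patterns.update(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        patterns.update(cs.get("matches", []))
    return patterns


def assess_manifest(manifest):
    """Return (risk, findings) for a parsed manifest.json dict."""
    findings = []
    broad = sorted(h for h in host_patterns(manifest) if h in ALL_SITES)
    if broad:
        findings.append(f"runs on every website: {broad}")
    apis = sorted(set(manifest.get("permissions", [])) & SENSITIVE_APIS)
    if apis:
        findings.append(f"sensitive APIs: {apis}")
    if "cookies" in apis and broad:
        findings.append("can read/write cookies on all sites (affiliate cookie "
                        "manipulation possible)")
    risk = "high" if (broad and apis) else "medium" if (broad or apis) else "low"
    return risk, findings


# Constructed sample manifest (hypothetical, not any real extension), modelled
# on the "watch Netflix together" feature set described above.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Watch Party (sample)", "version": "1.0",
  "permissions": ["cookies", "tabs", "storage"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["https://*.netflix.com/*"], "js": ["party.js"]}]
}""")

if __name__ == "__main__":
    risk, findings = assess_manifest(SAMPLE_MANIFEST)
    print(f"risk={risk}")
    for f in findings:
        print(" -", f)
```

A "watch together" feature only needs the streaming site, so `<all_urls>` combined with `cookies` and `tabs` is exactly the mismatch between advertised purpose and requested reach that should make a reviewer pause.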

And because I can’t avoid the broader problem with this story, I’ll point out that while the intention of the cookie stuffing ruse is to allow the malicious actor(s) to receive payments they aren’t really entitled to from unsuspecting e-commerce sites, the fact remains that they are able to do this by collecting troves of private information about each user’s browsing habits. This information could be invaluable in the creation of targeted phishing campaigns – which could pave the way for far more nefarious attacks and greater consequences. – Sarah Hensley, MS-SLP

Additional Reading:

Log4J is Back – This Time Actively Used Against SysAid

“A hacking group linked to the Iranian government has been exploiting Log4j 2 vulnerabilities in SysAid, a set of popular IT support and management software applications, according to Microsoft.” -- Via: SC Media

Our Take: Log4J or Log4Shell attack methods are the gifts that simply keep on giving. In this case the target is an IT asset management (ITAM) tool with broad reach into an environment, in both on-prem and cloud deployments. However, this is also a case where the failure appears to be on the customer rather than the vendor side. SysAid released patches for both the cloud and on-prem versions in January of this year. The exploited version appears to be the on-prem one, left unpatched for the last 6+ months.

Cyber Hygiene, Cyber Hygiene, Cyber Hygiene.

For those who have not yet patched, the instructions to remediate are below. – Jeremy Newberry

Additional Reading: