
Author Topic: Seems as though Firefox is now being targeted by phishers  (Read 5203 times)


DaveLembke

Seems as though Firefox is now being targeted by phishers
« on: July 03, 2016, 07:10:26 AM »
Just sharing this here to bring to the attention of all. I suspect the attachment has a payload to it to infect Firefox or the system as a whole; notice the URL and patch are not from Mozilla but instead eekumyoutube ( dot ) org. I was at Wowhead looking up a Reins of the Swift Spectral Tiger mount when all of a sudden one of the ads in the corner of Wowhead took over and brought me to what you see in this screenshot. This is the first time ever I have seen Firefox targeted to try to trick someone into running a so-called "patch". The system I am on has no infections. AVG is clean and Malwarebytes shows clean too, so that's why I am thinking there is a rogue ad associated with Wowhead's website that's trying to get people to click and infect themselves if on Firefox. Perhaps this phishing is using a browser detection script in which, depending on the browser, they have a number of different payloads to infect you with.

I took a break from programming in C++ and checked out Facebook and then saw this that caught my attention, and then the ultra rare mount I decided to look up, and then that's when I got hit with this redirect from Wowhead. This link here is the article that I was checking out, which was kind of interesting. http://www.gamespot.com/gallery/15-crazy-world-of-warcraft-facts-that-will-impress/2900-678/?ftag=ACQa2186e3&vndid=1852765721&ttag=gs-fb-834&nan_pid=1852765721

Decided to go back to this URL path to see if I can look further into it and it's now hidden, as if it's a one-time shot, dynamic URL path link: one try to infect and then kill the path, possibly to hide the rogue intentions of this website. Interesting!  ;D The second screenshot shows me trying to get back to it to poke around and it's gone.

BC_Programmer


Re: Seems as though Firefox is now being targeted by phishers
« Reply #1 on: July 03, 2016, 01:15:49 PM »
This is the type of stuff that IMO makes using adblock/uBlock worth violating the implicit social contracts of website advertisements.
I was trying to dereference Null Pointers before it was cool.

DaveLembke

Re: Seems as though Firefox is now being targeted by phishers
« Reply #2 on: July 04, 2016, 03:53:19 PM »
Another attempt to infect me. This came through from Facebook. This time I wanted to see what the payload was and so I agreed to download it, but I didn't run it. I then ran a virus scan with AVG on it as well as Malwarebytes and it says the file is safe. NICE!!! Not going to run that EXE because I know better, but it's flying under the radar of antivirus as well as Malwarebytes in patch EXE form. Perhaps once it infects it would then detect it. Not going to run it to find out.

More screenshots and a different site with the same type of emergency patch junk. This time I viewed the HTML source to see what else is going on with it. A browser detect is present, as seen in the page source.

Note: File size 338k from the other site and 482k from this one...

DaveLembke

Re: Seems as though Firefox is now being targeted by phishers
« Reply #3 on: July 04, 2016, 04:40:08 PM »
Opened up the EXE in a hex editor, FlexHex, to see what's inside without running it.

Screenshots of some of its intent. If anyone wants the hex dump to dig into, I have a 15MB PDF of it too. Just saying in case anyone out there is interested in this sort of thing.

DaveLembke

Re: Seems as though Firefox is now being targeted by phishers
« Reply #4 on: July 04, 2016, 04:40:50 PM »
Pic 2 of hex.

DaveLembke

Re: Seems as though Firefox is now being targeted by phishers
« Reply #5 on: July 04, 2016, 04:41:32 PM »
Last pic of the section of hex that caught my attention.

BC_Programmer


Re: Seems as though Firefox is now being targeted by phishers
« Reply #6 on: July 04, 2016, 05:24:23 PM »
Putting in the same URLs, I can't get the page to load at all. The first site is gone now entirely and the second one is only a blank page.

I'd be surprised if the program wasn't a .NET executable. It seems oddly common to use a .NET program for this sort of thing.

It's actually quite common to post such programs as "tools" or "utilities" on game forums. It's common for Minecraft, for example: a user will post tools claiming to give the person full admin access to any server, then steal private information. The fun part is that since they are .NET they are fairly easy to decompile; and while the more clever ones will encrypt the password, it's dead simple to just remove the decryptor and run it separately from the malicious software to get things like E-mail passwords, as they need to have SMTP passwords in the file to send their sweet sweet private info to. In one case the user had even used their own personal E-mail (connected to PayPal, Amazon, Steam, Facebook, etc.), so I went ahead and E-mailed his family members from his account confessing some rather questionable feelings. Let's just say things must have been VERY awkward between himself and his sister for a while.
I was trying to dereference Null Pointers before it was cool.

DaveLembke

Re: Seems as though Firefox is now being targeted by phishers
« Reply #7 on: July 05, 2016, 01:40:29 PM »
Quote
In one case the user had even used their own personal E-mail (connected to PayPal, Amazon, Steam, Facebook, etc.), so I went ahead and E-mailed his family members from his account confessing some rather questionable feelings.

Laughing so hard, but yes, in order to authenticate, the info would be in the source. Shaking my head at why they didn't just use an alias to stay hidden. Although to have an alias PayPal I suppose they would have had to have had a stolen identity or some means of creating an alias that appears to be a real person, with the rabbit hole going deeper into someone opening an account with a bank with fake ID / stolen identity etc.

Does .NET hide better against antimalware and antiviruses?

Maybe I'm wrong, but I thought the basis of .NET was to make for better, healthier programs that won't BSOD systems etc. Memory management and tighter execution layer controls etc. So I always thought that if you want to make a program that is going to be naughty it was best to code it up in something that wasn't based around .NET, that would more readily allow you to target memory addresses outside of where the program should be operating, overflow conditions etc.

BC_Programmer


Re: Seems as though Firefox is now being targeted by phishers
« Reply #8 on: July 05, 2016, 04:14:24 PM »
Quote
Laughing so hard, but yes, in order to authenticate, the info would be in the source. Shaking my head at why they didn't just use an alias to stay hidden. Although to have an alias PayPal I suppose they would have had to have had a stolen identity or some means of creating an alias that appears to be a real person, with the rabbit hole going deeper into someone opening an account with a bank with fake ID / stolen identity etc.

For the most part they seem to be teenagers. I'm not certain what their goals are but in terms of Minecraft they were just trying to steal username/passwords. I don't know how those are valuable given that they can just be password reset and the MC username/password doesn't give access to the connected E-mail (or even let you know what that e-mail is).

Quote
Does .NET hide better against antimalware and antiviruses?
The .NET Framework includes a lot of library functions for features such as encryption. Typically the .NET program will have an encrypted resource which it decrypts, saves as an executable, and runs. Sometimes that inner executable is a straight-up RAT, but other times it's another .NET program with the actual payload (e.g. trying to read a password file and E-mail it).

Quote
Maybe I'm wrong, but I thought the basis of .NET was to make for better, healthier programs that won't BSOD systems etc. Memory management and tighter execution layer controls etc. So I always thought that if you want to make a program that is going to be naughty it was best to code it up in something that wasn't based around .NET, that would more readily allow you to target memory addresses outside of where the program should be operating, overflow conditions etc.
Only driver software can BSOD. Running a .NET executable doesn't "sandbox" it in any way beyond what would happen for a typical executable. unsafe{} and unchecked{} code blocks can be used to run C# code that uses pointers, pointer arithmetic, unbounded arithmetic operations, unchecked array access, etc. Win32 processes cannot access memory outside of their virtual address space; only driver software can access physical memory directly in that manner.

Those abilities don't really matter except for exploits. If you run an executable it can read any file accessible to your user account which will include things like saved passwords for databases, Internet Explorer, Firefox profiles, Outlook, etc. and it can send an E-mail with that info if it wants. (Software firewall might see the E-mail I suppose).
I was trying to dereference Null Pointers before it was cool.
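Reply #6 and Reply #8 describe the pattern these fake "patch" droppers follow: a .NET executable carrying an encrypted resource that it decrypts and runs. As an added example, not code from this thread or from either poster, the Python below does the static triage a defender would run before opening a sample in a hex editor: it parses the PE headers to tell whether a file is a .NET assembly (a non-empty CLR runtime header in data directory entry 14) and flags any section whose byte entropy is near 8 bits per byte, which is what an encrypted or compressed embedded payload looks like. The PE image it analyses is constructed inline purely for the demonstration and is not the sample from the thread.

```python
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for padding or repeated text, ~8 for encrypted or compressed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage_pe(image: bytes) -> dict:
    """Report whether a PE has a CLR (.NET) header and the entropy of each section."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    # Data directories start at +96 (PE32) or +112 (PE32+); entry 14 is the CLR runtime header
    dirs = opt + (96 if magic == 0x10B else 112)
    clr_rva, clr_size = struct.unpack_from("<II", image, dirs + 14 * 8)
    sections = []
    for i in range(n_sections):   # 40-byte section headers follow the optional header
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, opt + opt_size + i * 40)
        ent = shannon_entropy(image[raw_ptr:raw_ptr + raw_size])
        sections.append({"name": name.rstrip(b"\0").decode(), "entropy": round(ent, 2)})
    return {"dotnet": clr_rva != 0 and clr_size != 0, "sections": sections,
            "high_entropy": [s["name"] for s in sections if s["entropy"] > 7.0]}

def build_sample(dotnet: bool, rsrc: bytes) -> bytes:
    """Constructed, non-runnable PE32 image used only to exercise triage_pe() (not a real sample)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)   # i386, two sections
    opt = struct.pack("<H", 0x10B) + b"\0" * 94                      # PE32 magic, other fields zeroed
    dirs = [(0, 0)] * 16
    if dotnet:
        dirs[14] = (0x2008, 72)                                      # fake CLR header RVA and size
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    text = b"\x55\x8B\xEC" * 20 + b"\0" * 4                           # repetitive, low-entropy code bytes
    text_off = 0x40 + 4 + 20 + 224 + 2 * 40                          # raw data starts right after the headers
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), text_off, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), 0x2000, len(rsrc), text_off + len(text), 0, 0, 0, 0, 0x40000040)
    return dos + b"PE\0\0" + coff + opt + sec + text + rsrc
```

Against a real file, `triage_pe(open(path, "rb").read())` reporting `dotnet: True` plus a high-entropy `.rsrc` is the cue to pull the resource and decompile rather than trust a clean antivirus verdict.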