Quack, quack, ANOTHER cyber-attack

Sep 06 2023


Welcome to Gone Phishing, your daily cybersecurity newsletter that gives cybercriminals all the love that this UK summer gave to school kids on holiday. Upside: town and city centres are safe once more 😂 #BackToSchool #Gutted #Heatwave

Today’s hottest cybersecurity news stories:

  • 🦆 Quack, quack, ANOTHER cyber-attack. Ducktail: how it works 💡

  • 👮 Facebook ‘em boys! Meta closes 1000s of Chinese, Russian disinfo accts 🎭

  • ⚠️ Beware! Chrome extensions can steal plaintext passwords from websites 👀

Ducktails never fails 💀

🚨💼 Inside the Ducktail Threat Actor's Money-Making Scheme 🦆💰

Afternoon, chaps and chapettes! 😎 Ever wondered how cybercriminals profit from hijacked business and ad accounts on platforms like TikTok, Facebook, LinkedIn, and Google? Meet Ducktail, the notorious threat actor from Vietnam specialising in just that! 💻

Ding-$DONG, the (advertising) Pitch is Dead 🙈

💸 Profit Game

Ducktail has turned account hijacking into a money-making operation! They sell "low-grade" accounts for around 350,000 Vietnamese dong ($15 USD) and valuable ones for about 8,000,000 Vietnamese dong ($340 USD), according to Zscaler researchers. 💰💼

🎯 Targets & Tactics

Ducktail's main focus? Digital marketing and advertising professionals with access to business and ad accounts. 🎯📈 They use sneaky social engineering, compromising LinkedIn accounts with fake job listings and email-borne malware. 😈📧

📦 Sneaky Payloads

Ducktail's malware comes in various forms, including Excel add-ins and browser extensions. They hide these malicious gems on cloud platforms like iCloud, Google Drive, Dropbox, Transfer.sh, OneDrive, and even Trello. 😱☁️

🤫 Selling Secrets

The bad actors use platforms like Telegram, Facebook, and Zalo to sell hijacked accounts. Buyers look for specific properties like account type, budget, verification status, and age. Facebook, though, fights back by flagging suspicious accounts. 🕵️‍♂️💼

🔒 Staying Stealthy

Ducktail uses residential proxy services to hide their tracks and keep their geolocation on point. 🕵️‍♀️ So, beware of Ducktail and their cyber antics! Stay safe online, folks! 🚫🦆🔒


China & Russia: What’s the Meta with these accounts?! 👀

📢 Meta Takes Down Major Covert Influence Ops! 🚫

📱 Big news from Meta – they've busted two massive covert influence operations from China and Russia, shutting down thousands of accounts and pages across their platforms! 🚫🤖

🐉 Chinese Disinfo Blitz

Meta revealed that China's disinformation group targeted over 50 apps, including Facebook, Instagram, Twitter (now X), YouTube, TikTok, and more. 🎯 The network, with 7,704 Facebook accounts and 954 Pages, spread content about China, Xinjiang, criticism of the U.S., and more. 🗣️

Spammy Links and "Spamouflage"

The operation's core involved sharing spammy links, and Meta traced them back to a group known as Spamouflage (aka DRAGONBRIDGE). 😬 They even found ties to individuals linked to Chinese law enforcement. But despite the scale, the network didn't gain much real engagement. 📉

✂️ 📋 Russian Doppelganger

Meta also blocked Russian operation Doppelganger, focused on mimicking news websites and spreading fake articles to weaken support for Ukraine. 🇺🇦 This operation expanded to target France, Germany, Ukraine, the U.S., and Israel. 📰

🤖 Fox8 Botnet Alert

In other news, researchers found a botnet called Fox8 on Twitter (now X), promoting blockchain content and counterfeit cryptocurrencies using generative AI models. 🤯

China has called for action against disinformation, while Meta hailed Doppelganger as the most persistent Russian operation dismantled since 2017. 🛡️

Stay vigilant online, and don't fall for fake news! 🧐🛡️

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • โœˆ๏ธ ViaTravelers: Get exclusive travel tips, news, and insider deals right in your inbox.

  • ๐ŸŒย Leadership in Tech: A weekly newsletter for CTOs, engineering managers and senior engineers to become better leaders.

  • ๐Ÿง ย Big Brain: Trending AI news, jobs and tools delivered in 3 minutes per day.

Let us know what you think!

It’s d̶a̶y̶l̶i̶g̶h̶t̶ plaintext robbery!! 😬

🔐🌐 Chrome Extension Security Alert!

Researchers from the University of Wisconsin-Madison have discovered a major vulnerability in Chrome extensions, allowing them to steal plaintext passwords from website source code. 😱💻

🚫 Coarse-Grained Permissions

The issue lies in Chrome's extension permission model, giving extensions unrestricted access to a site's DOM tree, including sensitive elements like user input fields. 🌲🔓

Vulnerable Websites

Shockingly, some high-traffic websites, including Gmail, Cloudflare, Facebook, Citibank, and more, store passwords and sensitive data in plain text within their HTML source code, making them prime targets. 🤯

✅ Manifest V3

Google's recent security protocol, Manifest V3, attempts to limit API abuse, but it doesn't establish a proper security boundary between extensions and web pages, leaving the vulnerability intact. 🛡️

🚫 Sneaky PoC

The researchers created a Chrome extension disguised as a harmless GPT-based assistant, capable of capturing passwords using regex, CSS selectors, and element substitution. The extension passed Google's review process, highlighting the security loophole. 🕵️‍♂️🔍

📈 Exploitation Potential

Approximately 17,300 Chrome extensions (12.5% of the Chrome Web Store) possess the permissions needed to extract sensitive information from websites. Some extensions with millions of users might already be exploiting this gap. 😨🚨

📢 Response from Amazon and Google

Amazon emphasised customer security and encouraged best practices, while Google is investigating the matter and considers access to password fields acceptable with proper permissions. ⚙️👀

Stay cautious online, and be mindful of your password security! Change passwords regularly and consider using a password manager for added protection. 🔒🔐
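The "permissions needed to extract sensitive information" boil down to one combination: the extension can run a content script (or use the `scripting` API) and its host patterns cover every site. The audit below is an added example written for this newsletter, not code from the Wisconsin researchers or from Google; it reads a Manifest V2 or V3 `manifest.json` object and flags that combination. The sample manifests are constructed here for illustration.

```javascript
// Added example: flag extension manifests whose declared permissions give a
// content script DOM access on arbitrary sites (V2 and V3 layouts handled).
// Host patterns that match effectively every site.
const BROAD_PATTERNS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

// A pattern is "broad" if it is one of the known all-sites forms or starts
// with "*://*/" (any scheme, any host), regardless of the path part.
function isBroadPattern(pattern) {
  return BROAD_PATTERNS.includes(pattern) || /^\*:\/\/\*\//.test(pattern);
}

// Gather every host pattern the manifest declares: V2 puts them in
// "permissions", V3 in "host_permissions", and both list them per content
// script under "matches".
function hostPatterns(manifest) {
  const v2Hosts = (manifest.permissions || []).filter(
    (p) => p === "<all_urls>" || p.includes("://")
  );
  const v3Hosts = manifest.host_permissions || [];
  const scriptHosts = (manifest.content_scripts || []).flatMap(
    (cs) => cs.matches || []
  );
  return [...v2Hosts, ...v3Hosts, ...scriptHosts];
}

// Returns a finding: broad host access, ability to inject scripts, and the
// risky combination of both, plus the declarations that caused the flag.
function auditManifest(manifest) {
  const broad = [...new Set(hostPatterns(manifest).filter(isBroadPattern))];
  const canInjectScripts =
    (manifest.content_scripts || []).length > 0 ||
    (manifest.permissions || []).includes("scripting");
  return {
    manifestVersion: manifest.manifest_version,
    broadHostAccess: broad.length > 0,
    canInjectScripts,
    riskyDomAccess: broad.length > 0 && canInjectScripts,
    reasons: broad,
  };
}

// Constructed sample: a V3 manifest that can script any page, and a narrow one.
const SAMPLE_BROAD_V3 = {
  manifest_version: 3, name: "Helpful Assistant (constructed sample)",
  permissions: ["scripting", "storage"], host_permissions: ["<all_urls>"],
};
const SAMPLE_NARROW_V3 = {
  manifest_version: 3, name: "Single-site helper (constructed sample)",
  content_scripts: [{ matches: ["https://example.com/*"], js: ["cs.js"] }],
};
console.log(auditManifest(SAMPLE_BROAD_V3), auditManifest(SAMPLE_NARROW_V3));
```

Run it over the `manifest.json` files in a browser profile's extensions directory to list which installed extensions could read password fields on every site you visit; `riskyDomAccess` is the field to sort by.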

So long and thanks for reading all the phish!
