Quack, quack, ANOTHER cyber-attack

Sep 06 2023


Welcome to Gone Phishing, your daily cybersecurity newsletter that gives cybercriminals all the love that this UK summer gave to school kids on holiday. Upside: town and city centres are safe once more. #BackToSchool #Gutted #Heatwave

Today’s hottest cybersecurity news stories:

  • Quack, quack, ANOTHER cyber-attack. Ducktail: how it works

  • Facebook ‘em boys! Meta closes thousands of Chinese and Russian disinfo accounts

  • ⚠️ Beware! Chrome extensions can steal plaintext passwords from websites

Ducktails never fails

Inside the Ducktail Threat Actor's Money-Making Scheme

Afternoon, chaps and chapettes! Ever wondered how cybercriminals profit from hijacked business and ad accounts on platforms like TikTok, Facebook, LinkedIn, and Google? Meet Ducktail, the notorious threat actor from Vietnam specialising in just that!

Ding-$DONG, the (advertising) Pitch is Dead

Profit Game

Ducktail has turned account hijacking into a money-making operation! They sell "low-grade" accounts for around 350,000 Vietnamese dong ($15 USD) and valuable ones for about 8,000,000 Vietnamese dong ($340 USD), according to Zscaler researchers.

Targets & Tactics

Ducktail's main focus? Digital marketing and advertising professionals with access to business and ad accounts. They use sneaky social engineering, compromising LinkedIn accounts with fake job listings and email-borne malware.

Sneaky Payloads

Ducktail's malware comes in various forms, including Excel add-ins and browser extensions. They hide these malicious gems on cloud platforms like iCloud, Google Drive, Dropbox, Transfer.sh, OneDrive, and even Trello. ☁️

Selling Secrets

The bad actors use platforms like Telegram, Facebook, and Zalo to sell hijacked accounts. Buyers look for specific properties like account type, budget, verification status, and age. Facebook, though, fights back by flagging suspicious accounts.

Staying Stealthy

Ducktail uses residential proxy services to hide their tracks and keep their geolocation on point. So, beware of Ducktail and their cyber antics! Stay safe online, folks!


China & Russia: What’s the Meta with these accounts?!

Meta Takes Down Major Covert Influence Ops!

Big news from Meta – they've busted two massive covert influence operations from China and Russia, shutting down thousands of accounts and pages across their platforms!

Chinese Disinfo Blitz

Meta revealed that China's disinformation group targeted over 50 apps, including Facebook, Instagram, Twitter (now X), YouTube, TikTok, and more. The network, with 7,704 Facebook accounts and 954 Pages, spread content about China, Xinjiang, criticism of the U.S., and more.

Spammy Links and "Spamouflage"

The operation's core involved sharing spammy links, and Meta traced them back to a group known as Spamouflage (aka DRAGONBRIDGE). They even found connections to individuals linked to Chinese law enforcement. But despite the scale, the network didn't gain much real engagement.

✂️ Russian Doppelganger

Meta also blocked the Russian operation Doppelganger, which mimics news websites and spreads fake articles to weaken support for Ukraine. This operation expanded to target France, Germany, Ukraine, the U.S., and Israel.

Fox8 Botnet Alert

In other news, researchers found a botnet called Fox8 on Twitter (now X), promoting blockchain content and counterfeit cryptocurrencies using generative AI models.

China has called for action against disinformation, while Meta hailed Doppelganger as the most persistent Russian operation dismantled since 2017.

Stay vigilant online, and don't fall for fake news!

Extra, Extra! Read all about it!

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • ✈️ ViaTravelers: Get exclusive travel tips, news, and insider deals right in your inbox.

  • Leadership in Tech: A weekly newsletter for CTOs, engineering managers and senior engineers to become better leaders.

  • Big Brain: Trending AI news, jobs and tools delivered in 3 minutes per day.

Let us know what you think!

It’s d̶a̶y̶l̶i̶g̶h̶t̶ plaintext robbery!!

Chrome Extension Security Alert!

Researchers from the University of Wisconsin-Madison have discovered a major vulnerability in Chrome extensions, allowing them to steal plaintext passwords from website source code.

Coarse-Grained Permissions

The issue lies in Chrome's extension permission model, which gives extensions unrestricted access to a site's DOM tree, including sensitive elements like user input fields.

Vulnerable Websites

Shockingly, some high-traffic websites, including Gmail, Cloudflare, Facebook, Citibank, and more, store passwords and sensitive data in plain text within their HTML source code, making them prime targets.

Manifest V3

Google's newer extension manifest format, Manifest V3, attempts to limit API abuse, but it doesn't establish a proper security boundary between extensions and web pages, leaving the vulnerability intact.

Sneaky PoC

The researchers created a Chrome extension disguised as a harmless GPT-based assistant, capable of capturing passwords using regex, CSS selectors, and element substitution. The extension passed Google's review process, highlighting the security loophole.

Exploitation Potential

Approximately 17,300 Chrome extensions (12.5% of the Chrome Web Store) possess the permissions needed to extract sensitive information from websites. Some extensions with millions of users might already be exploiting this gap.
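One practical check that follows from the permission problem described above: triage an extension's manifest.json for the grants that let a content script read the DOM of every site the user visits, which is exactly the kind of access that 17,300-extension count refers to. The script below is an added example written for this newsletter's readers, not code from the Wisconsin researchers or from Google; the two manifests it inspects are constructed for illustration, and the `auditManifest` and `isBroadMatch` helper names are my own.

```javascript
// Added example (not the researchers' tooling): flag the coarse-grained manifest grants
// that let a Chrome extension's content script read any page's DOM, password fields included.
// Handles Manifest V2 and V3 manifest.json objects. The sample manifests below are constructed.

// Match patterns whose host is "*" reach every site: "<all_urls>", "*://*/*", "https://*/*", ...
const ANY_HOST_PATTERN = /^(\*|https?|file|ftp):\/\/\*\/.*$/;

function isBroadMatch(pattern) {
  return pattern === "<all_urls>" || ANY_HOST_PATTERN.test(pattern);
}

function looksLikeHostPattern(p) {
  return p === "<all_urls>" || p.includes("://");
}

function auditManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];

  // MV3 lists host access under "host_permissions"; MV2 mixed host patterns into "permissions"
  const hostGrants = [
    ...(manifest.host_permissions || []),
    ...(manifest.manifest_version === 2 ? perms.filter(looksLikeHostPattern) : []),
  ];
  const broadHosts = hostGrants.filter(isBroadMatch);
  if (broadHosts.length > 0) {
    findings.push(`host access to every site: ${broadHosts.join(", ")}`);
  }

  // A content script injected on every page can read any DOM node, input values included
  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter(isBroadMatch);
    if (broad.length > 0) {
      findings.push(`content script [${(cs.js || []).join(", ")}] injected on ${broad.join(", ")}`);
    }
  }

  // "scripting" (MV3) plus broad host access allows injection on demand, with no static content_scripts entry
  if (perms.includes("scripting") && broadHosts.length > 0) {
    findings.push("scripting permission plus broad host access enables on-demand injection");
  }

  return { name: manifest.name, canReadAnySiteDom: findings.length > 0, findings };
}

// Constructed sample: an "assistant"-style extension that injects on every page
const SAMPLE_BROAD = {
  manifest_version: 3,
  name: "Example Assistant (constructed)",
  permissions: ["scripting", "storage"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};

// Constructed sample: same shape, but scoped to a single site
const SAMPLE_NARROW = {
  manifest_version: 3,
  name: "Example Site Helper (constructed)",
  permissions: ["storage"],
  host_permissions: ["*://*.example.com/*"],
  content_scripts: [{ matches: ["*://*.example.com/*"], js: ["content.js"] }],
};

function auditAll(manifests) {
  return manifests.map(auditManifest);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const result of auditAll([SAMPLE_BROAD, SAMPLE_NARROW])) {
    console.log(result.name, result.canReadAnySiteDom ? "FLAG" : "ok", result.findings);
  }
}
```

Run it with Node (`node audit.js`) or feed `auditManifest` the parsed manifest.json of each extension in a managed browser profile. A flag does not prove an extension is malicious, only that it holds the reach the researchers describe; a site-scoped match pattern is the shape you want to see for anything that has no business on your banking or webmail tabs.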

Response from Amazon and Google

Amazon emphasised customer security and encouraged best practices, while Google is investigating the matter and considers access to password fields acceptable with proper permissions. ⚙️

Stay cautious online, and be mindful of your password security! Change passwords regularly and consider using a password manager for added protection.

So long and thanks for reading all the phish!
