Browser Add-On Goes Phishing

Monday, December 3, 2012 @ 04:12 PM gHale


There is now a program designed to mimic the URL of a popular e-commerce destination in order to lure their victims to a malicious website.

Once at the site, visitors download a malicious add-on that will guide users to phishing sites, even when they type legitimate URLs into their browser’s address bar.

RELATED STORIES
Phishing Ends in DNS Record Catch
DNS Records Hacked
Malware Uses Social Media
Facebook Adds Layer of Defense

The campaign’s primary motive is financial, according to a report written by Symantec’s Matthew Maniyara.

The potential success of this attack is reliant on the consent of its victims. The malicious site can only prompt users to install the add-on. Visitors to the site will see a dialogue box informing them their browser has prevented installation.

In the case that Maniyara examined, the dialogue box even warns the user about only installing add-ons from trusted sources and that malicious software can damage computers.

This attack utilizes some different approaches. First, when users navigate to the malicious site, it determines their browser before prompting them to install the malicious add-on that will work with that browser.

If a user allows the installation, the add-on goes into the Windows System32 directory and alters the hosts file. The hosts file assigns domain names to IP addresses, Maniyara said. When a user enters a URL into their browser’s address bar, he said, the browser checks the local DNS information, located in the hosts file, before sending the DNS query.

An un-altered host file translates human language (domain names and URLs) into language the computer understands (IP addresses). In this case, however, the hosts file ends up modified by the add-on so the domain names of recognizable brands get new IP addresses associated with phishing sites. In this way, when a user attempts to navigate to a benign website, they end up at the malicious phishing site associated with it.

Symantec said the initial infection site that prompts users to download the malicious add-on is now currently inactive.



Leave a Reply

You must be logged in to post a comment.