Adult sites at risk of Malsmoke

Shady attracts shady! Lately, cybercriminals have been manipulating adult-website visitors and redirecting them to malicious websites that serve up malware.

What & Why

Researchers discovered a Malsmoke campaign that appears to have begun in mid-October.

  • The threat actors, who have been active throughout 2020, are pushing adult-site users to download a fake Java update in their malvertising attacks.
  • Visitors to sites such as bravoporn[.]com and xhamster[.]com, which have hundreds of millions of users, are reportedly at risk of downloading Zloader, a banking malware.
  • The reason for going after high-traffic adult portals is straightforward: the more visitors, the higher the number of infected systems.

How does it work?

The new campaign works across all major web browsers, including Google Chrome.

  • When a user clicks to play a video clip, a new browser window containing a grainy video pops up.
  • In the background, however, victims are redirected through malicious pages such as landingmonster[.]online until they land on a “decoy” porn site.
  • The video plays for a few seconds and then an overlay message surfaces saying the Java Plug-in 8.0 was not found.
  • The fake Java update is, in fact, a digitally signed Microsoft installer loaded with a number of libraries and executables; the final payload is Zloader.
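The redirect chain described above is what a defender can actually look for in web-proxy logs: the installer is served by a decoy host, so a plain domain blocklist misses it, but correlating per client across the chain does not. The script below is an added example and is not code from the original write-up or from the researchers it cites; the log format, the client addresses, the decoy host decoy-example.test and the 60-second window are constructed assumptions, while landingmonster.online is the redirector named in the text.

```python
import re
from datetime import datetime
from urllib.parse import urlparse

# Constructed proxy log excerpt (not from the original page). Fields:
# timestamp, client IP, referrer ("-" if none), requested URL, HTTP status, content type.
# landingmonster.online is named in the write-up; decoy-example.test is a placeholder host.
SAMPLE_LOG = """\
2020-11-20T10:00:01 10.0.0.5 - http://bravoporn.com/video/123 200 text/html
2020-11-20T10:00:02 10.0.0.5 http://bravoporn.com/video/123 http://landingmonster.online/go 302 text/html
2020-11-20T10:00:03 10.0.0.5 http://landingmonster.online/go http://decoy-example.test/play 200 text/html
2020-11-20T10:00:09 10.0.0.5 http://decoy-example.test/play http://decoy-example.test/java_plugin_8.0_update.msi 200 application/x-msi
2020-11-20T10:05:00 10.0.0.7 - http://intranet.example/setup.msi 200 application/x-msi
2020-11-20T11:30:00 10.0.0.9 http://landingmonster.online/go http://decoy-example.test/play 200 text/html
2020-11-20T12:45:00 10.0.0.9 - http://cdn.example/tool.msi 200 application/x-msi
"""

# Redirector domains from the write-up; assumed to be kept as a blocklist by the defender.
MALVERTISING_DOMAINS = {"landingmonster.online"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the expected layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, referrer, url, status, ctype = m.groups()
    return {
        "time": datetime.fromisoformat(ts),
        "client": client,
        "referrer": None if referrer == "-" else referrer,
        "url": url,
        "status": int(status),
        "ctype": ctype,
    }


def is_msi_download(entry):
    """An MSI is recognised by content type or by file extension, since either may be absent."""
    path = urlparse(entry["url"]).path.lower()
    return entry["ctype"] == "application/x-msi" or path.endswith(".msi")


def touched_malvertising(entry):
    """True if the requested URL or its referrer is on a known redirector domain."""
    hosts = {urlparse(entry["url"]).hostname}
    if entry["referrer"]:
        hosts.add(urlparse(entry["referrer"]).hostname)
    return any(h in MALVERTISING_DOMAINS for h in hosts if h)


def find_fake_update_downloads(log_text, window_seconds=60):
    """Flag MSI downloads a client made within window_seconds of passing through a redirector.

    Returns a list of (client, url) tuples. Installers fetched with no recent redirector
    contact (for example the intranet setup.msi above) are left alone.
    """
    last_redirect = {}  # client -> time of most recent contact with a redirector domain
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if touched_malvertising(entry):
            last_redirect[entry["client"]] = entry["time"]
        if is_msi_download(entry):
            seen = last_redirect.get(entry["client"])
            if seen is not None and (entry["time"] - seen).total_seconds() <= window_seconds:
                hits.append((entry["client"], entry["url"]))
    return hits


if __name__ == "__main__":
    for client, url in find_fake_update_downloads(SAMPLE_LOG):
        print(f"suspicious MSI download by {client}: {url}")
```

The window matters: client 10.0.0.9 also touched the redirector but fetched an installer more than an hour later, so it is only flagged if the window is widened. Tune it to how quickly the overlay appears in your own traffic captures rather than leaving it at the constructed 60 seconds.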

Activity review of malsmoke actors

The malsmoke campaign takes its name from the Smoke Loader malware that the group dropped via the Fallout exploit kit.

  • Since the beginning of the year, malsmoke operators have been running successful exploit kit campaigns, until they decided to switch to a new trick involving social engineering.
  • The group launched attacks on porn surfers running older versions of Adobe Flash Player and Internet Explorer, spreading malware across most of the adult networks on the web.

Stay safe

Take utmost care; you browse at your own risk.

Chrome first to block NAT Slipstream

Google has today released version 87 of its Chrome browser, a release that comes with a security fix for the NAT Slipstream attack technique and a broader deprecation of the FTP protocol.

In Chrome 87, we have new APIs and updates to Chrome’s built-in Developer Tools, such as:

  • Support for the new Cookie Store API;
  • New features to allow easier modification of web fonts via CSS;
  • A new feature to let websites enumerate all the locally installed fonts;
  • Support for pan, tilt, and zoom controls on webcam streams; and,
  • Support for debugging WebAuthn operations via the Chrome DevTools.

NAT Slipstream attack fixes

This technique allows attackers to bypass firewalls and make connections to internal networks by tricking users into accessing malicious sites — effectively turning Chrome into a proxy for attackers.

Chrome 87 will be the first browser to block NAT Slipstream attacks by blocking access to ports 5060 and 5061, which the attack uses to bypass firewalls and network address translation (NAT) schemes.
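A browser-side port block only protects users who are already on Chrome 87, so a network defender still wants to see which clients are sending HTTP to the SIP ports at all. The script below is an added example, not code from the original article or from the Chrome project; the proxy log layout, the client addresses, the host attacker-example.test and the Chrome/87.0.0.0 user-agent string are constructed, while ports 5060 and 5061 come from the text.

```python
import re
from urllib.parse import urlparse

# Ports that Chrome 87 newly blocks in response to NAT Slipstream (from the write-up).
SIP_PORTS = {5060, 5061}

# Constructed proxy log excerpt (not from the original page). Fields:
# client IP, HTTP method, requested URL, user agent (quoted). Version strings are made up.
SAMPLE_LOG = """\
10.0.0.5 GET http://attacker-example.test:5060/ "Mozilla/5.0 Chrome/86.0.4240.183"
10.0.0.5 GET https://www.example.com/ "Mozilla/5.0 Chrome/86.0.4240.183"
10.0.0.6 POST http://attacker-example.test:5061/submit "Mozilla/5.0 Chrome/87.0.0.0"
10.0.0.8 GET http://www.example.com/5060/index.html "Mozilla/5.0 Firefox/82.0"
10.0.0.8 GET http://203.0.113.10:5060/ "Mozilla/5.0 Firefox/82.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')
CHROME_RE = re.compile(r"Chrome/(\d+)")


def effective_port(url):
    """Port of the URL, falling back to the scheme default when none is written explicitly."""
    parsed = urlparse(url)
    if parsed.port is not None:
        return parsed.port
    return {"http": 80, "https": 443}.get(parsed.scheme)


def chrome_major(user_agent):
    """Major Chrome version from a user-agent string, or None for non-Chrome clients."""
    m = CHROME_RE.search(user_agent)
    return int(m.group(1)) if m else None


def find_sip_port_requests(log_text):
    """Return (client, url, note) for every HTTP request whose destination port is a SIP port.

    A browser that enforces the port block never emits such a request, so anything that
    reaches the proxy came from a client without the mitigation, or from something that
    merely claims to be that browser. Port numbers inside the path are ignored on purpose.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        client, method, url, ua = m.groups()
        if effective_port(url) not in SIP_PORTS:
            continue
        major = chrome_major(ua)
        if major is None:
            note = "non-Chrome client"
        elif major < 87:
            note = "Chrome before the port block"
        else:
            note = "Chrome 87+ should not send this; investigate"
        hits.append((client, url, note))
    return hits


if __name__ == "__main__":
    for client, url, note in find_sip_port_requests(SAMPLE_LOG):
        print(f"{client} -> {url}: {note}")
```

The third note is the interesting one: a request to 5060 or 5061 carrying a Chrome 87 user agent is either a spoofed user agent or a non-browser process, and either deserves a closer look.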

Similar efforts are also underway at Apple and Mozilla, with fixes planned for future versions of Safari and Firefox.

FTP deprecation

Google is also following through on its plans to remove FTP support from Chrome. This process started last year and was initially planned for Chrome 81, but it was delayed due to Covid.

The FTP deprecation was rescheduled for the fall and began last month with the release of Chrome 86 when Google removed support for FTP links for 1% of Chrome’s userbase.

Google will now remove FTP support for half of Chrome’s userbase, and the browser maker plans to disable support for FTP links altogether next year, in January, with the release of Chrome 88.

Mozilla has already removed support for FTP links in Firefox earlier this year in June, with the release of Firefox 77.

Google 0-days patched

Google has addressed two zero-day vulnerabilities, actively exploited in the wild, in the release of Chrome version 86.0.4240.198.

The flaws, tracked as CVE-2020-16013 and CVE-2020-16017, were reported by anonymous sources. Google did not disclose how the flaws have been exploited in the attacks.

CVE-2020-16013 is an inappropriate implementation in the V8 Chrome component.

CVE-2020-16017 is a use-after-free memory corruption bug in Site Isolation.

It is interesting to note that one of the vulnerabilities was reported to Google the same day the company released the new version of the popular browser.

The other three zero-days patched by Google in the last weeks were:

  • CVE-2020-15999 – The flaw is a memory corruption bug that resides in the FreeType font rendering library, which is included in standard Chrome releases.
  • CVE-2020-16009 – is a Heap buffer overflow in Freetype in Google Chrome.
  • CVE-2020-16010 – affects the browser’s user interface (UI) component in Chrome for Android.

It’s mind-boggling to have to update Chrome day after day, week after week, month after month to stay protected against exploits.

Google’s successive 0-day

Google has just released a fix for the second actively exploited Chrome zero-day security flaw in two weeks. CVE-2020-16009 is a V8 bug used for remote code execution. The fix applies to Windows, macOS and Linux.

“Google is aware of reports that an exploit for CVE-2020-16009 exists in the wild,” the company said. The Chromium bug entry with more details is locked to all but Chrome developers, as you might expect with a flaw that has not yet been fully fixed.

Google fixed a previous, technically unrelated, zero-day flaw two weeks ago (Oct. 20), and related browsers quickly followed suit.

Google revealed a Windows zero-day flaw that was being used in combination with the first Chrome flaw to hijack PCs via malicious websites. It’s not clear if yesterday’s new flaw has anything to do with those attacks.

Most installations of Chrome and Chromium variants will update themselves if you close the browser and relaunch it, although not all Chromium variants may yet have released new versions to patch this flaw.

You want to update to version 86.0.4240.183 in Chrome, although not every build has that version ready yet. In Edge, the latest version is 86.0.622.61.
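With fixes landing in 86.0.4240.183 and then 86.0.4240.198 within days of each other, the practical question for an administrator is which of these CVEs a given installed build still lacks. The helper below is an added example, not code from the article or from Google; it uses only the fixed-in versions the write-up states (the earlier CVE-2020-15999 and CVE-2020-16010 are omitted because no fixed version is given here), and it also shows the classic mistake of comparing version strings lexically.

```python
# Fixed-in versions as stated in the write-up (constructed mapping, not an official advisory).
FIXED_IN = {
    "CVE-2020-16009": "86.0.4240.183",
    "CVE-2020-16013": "86.0.4240.198",
    "CVE-2020-16017": "86.0.4240.198",
}


def parse_version(text):
    """'86.0.4240.183' -> (86, 0, 4240, 183).

    Chrome versions have four numeric components; shorter inputs are zero-padded so that
    '87' compares as (87, 0, 0, 0). Non-numeric components raise ValueError.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version layout: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def unpatched_cves(installed):
    """CVEs from FIXED_IN whose fix is newer than the installed build, sorted by id."""
    have = parse_version(installed)
    return sorted(cve for cve, fixed in FIXED_IN.items() if have < parse_version(fixed))


def naive_string_is_at_least(installed, fixed):
    """The wrong way: plain string comparison. Shown only to demonstrate the pitfall.

    '86.0.4240.98' >= '86.0.4240.183' is True as strings because '9' > '1', which would
    report a build as patched when it is two hundred-odd builds behind.
    """
    return installed >= fixed


if __name__ == "__main__":
    for build in ("86.0.4240.98", "86.0.4240.183", "86.0.4240.198"):
        print(build, "missing:", unpatched_cves(build) or "nothing")
    print("naive string compare says .98 >= .183:",
          naive_string_is_at_least("86.0.4240.98", "86.0.4240.183"))
```

Feed it whatever your inventory tool reports for the Chrome version and alert on a non-empty result; the tuple comparison is the part worth keeping, since the same lexical bug shows up whenever version strings are sorted as text.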