Lopende campagnefoofs Walmart, dating, filmsitesaugustus 7, 2019
This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC’s registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.
A new investigation detects more than 540 domain names linked to the Walmart brand and camouflaged as career, dating, and entertainment websites.
A newly discovered spoofing campaign has been discovered mimicking the Walmart brand and several career, dating, and movie and TV websites, with more than 540 domains detected so far.
Corin Imai, senior security adviser for DomainTools, was alerted to the activity about two weeks ago when the term “Walmart” was found spoofed in multiple domains. The flagged domain walmartcareers[.]us prompted her to research related terms and other suspicious domains.
Imai’s analysis led to the discovery of an email address linked to 184 other potentially risky domains with an average age of 190 days. Further investigation into these domains led to the discovery of a much broader campaign spoofing a range of websites related and unrelated to the Walmart brand. Of the 540-plus domains identified, only 181 have appeared on blacklists. Others have a high risk score, which Imai says indicates they’ll likely be blacklisted in the future.
The initial intent of this investigation was to analyze spoofing campaigns targeting Fortune 500 companies, she says, but researchers’ findings took them down an unexpected path. “Generally with phishing domains, we see things escalate between 24 and 48 hours,” Imai explains. Within two days of their analysis, researchers saw more of these suspicious websites being blacklisted.
Of the domains found so far, many appear to target job hunters and people using online dating and entertainment websites. It seems the attackers’ intent is to exploit this interest by creating fake sites designed to capture users credentials, going step-by-step to set up a credential page so they can verify they are who they claim to be, while at the same time scraping login data.
As of now, it seems the actor or group behind this campaign is solely after credentials; however, some of the spoofed pages seem to be spam. “It’s kind of an odd cross-section,” Imat says, pointing to the combination of spoofed career, dating, and movie and television websites. Other fake sites include cashgiftcards[.]us, captainmarvelmovie[.]us, and mcdonaldcareer[.]us.
Most of the IP country codes for detected domains are in the United States, Imai found, but registrant details indicate an address in Pakistan. “Right now it looks like the same actor,” she says. “There’s nothing pointing to it being multiple actors, based on historical information.”
While spoofing is not a new threat, Imai says the number of domains in this campaign, coupled with the attackers’ ability to mimic the look and feel of target websites, signifies a group with both the resources and sophistication to launch a large campaign. There is sufficient traffic to these sites to warrant a further investigation into how many people are submitting their data. Security pros may be likely to check the domain of a suspicious- page, but consumers may not.
Imai plans to continue this investigation, which will include sandboxing suspicious websites to see whether they’re after more than credentials and further researching the campaign’s full scope and intent. She plans to publish ongoing updates to her blog post.
DomainTools’ team isn’t the only group to unearth a recent spoofing campaign targeting a major retailer. Security company Segasec monitored Amazon in the days before and after Prime Day to watch for suspicious activity; researchers found 4,000 potential attacks between July 10 to 21. In one campaign, attackers used Amazon-related domains in a phishing scam targeting PayPal customers.
Imai advises businesses to seek domains that may be attempting to mimic their brands. Many of these malicious domains haven’t been blacklisted, meaning customers can still be affected. Organizations should also consider their takedown processes and see whether they can be accelerated.
For consumers, she recommends checking a website’s legitimacy by taking a peek at the URL to ensure it’s not suspicious before entering personal information or payment data.
- How to Create Smarter Risk Assessments
- Mimecast Rejected Over 67 Billion Emails. Here’s What It Learned
- Destructive Malware Attacks Up 200% in 2019
- 8 Head-Turning Ransomware Attacks to Hit City Governments
Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial … View Full Bio
From DHS/US-CERT’s National Vulnerability Database CVE-2019-14698
An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. In a CGI program running under the HTTPD web server, a buffer overflow in the param parameter leads to remote code execution in the context of the nobody account.
An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. An attacker can exploit OS Command Injection in the filename parameter for remote code execution as root. This occurs in the Mainproc executable file, which can be run from the HTTPD web server.
An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. There is disclosure of the existence of arbitrary files via Path Traversal in HTTPD. This occurs because the filename specified in the TZ parameter is accessed with a substantial delay if that file exists.
An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. An attacker can trigger read operations on an arbitrary file via Path Traversal in the TZ parameter, but cannot retrieve the data that is read. This causes a denial of service if the filename is, for example, …
An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. SQL injection vulnerabilities exist in 13 forms that are reachable through HTTPD. An attacker can, for example, create an admin account.