fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Malicious Firefox Extension Allowed Hackers To Hijack Gmail Accounts

Malicious Firefox Extension Allowed Hackers To Hijack Gmail Accounts

Several Tibetan organizations were targeted in a cyber-espionage campaign by a state-backed hacking group using a malicious Firefox extension designed to hijack Gmail accounts and infect victims with malware.

The attacks coordinated by the TA413 Chinese-linked APT group started in January and continued throughout February, according to a Proofpoint report published on Thursday.

The Chinese state hackers also infected victims with the Scanbox malware reconnaissance framework, which allowed them to harvest their targets’ data and log their keystrokes.

“Scanbox has been used in numerous campaigns since 2014 to target the Tibetan Diaspora along with other ethnic minorities often targeted by groups aligned with the Chinese state interests,” Proofpoint said.

Also Read: The Importance Of DPIA And Its 3 Types Of Processing

“The tool is capable of tracking visitors to specific websites, performing keylogging, and collecting user data that can be leveraged in future intrusion attempts.” 

TA413 attack flow (Proofpoint)

The malicious FriarFox browser extension

Phishing emails delivered by the TA413 attackers to their targets’ mailboxes redirected them to the attacker-controlled you-tube[.]tv domain that displays a fake Adobe Flash Player Update landing page.

JavaScript profiling scripts executed from this domain would automatically prompt the targets to install a malicious add-on named FriarFox if they were using the Firefox web browser and logged into their Gmail account.

If the potential victim used any other web browser, they would get redirected to the legitimate YouTube login page. If they were using Firefox but weren’t logged into a Gmail account, they’d be asked to add a corrupt FriarFox add-on to the browser, which would fail to install.

The FriarFox malicious extension is based on the open-source Gmail Notifier (restartless) Firefox add-on by changing its icon and metadata description to mimic a Flash update process.

They also added malicious JavaScripts designed to hijack the victims’ Gmail accounts and infect their systems with the Scanbox malware.

Once the victims get tricked into installing the FriarFox extension, TA413 operators take over the users’ Gmail account and Firefox browser to perform the following malicious actions:

Hijacked Gmail account:

  • Search emails  
  • Archive emails  
  • Receive Gmail notifications  
  • Read emails  
  • Alter Firefox browser audio and visual alert features for the FriarFox extension  
  • Label emails  
  • Marks emails as spam  
  • Delete messages  
  • Refresh inbox  
  • Forward emails  
  • Perform function searches  
  • Delete messages from Gmail trash  
  • Send mail from the compromised account

Firefox (based on browser permissions):

  • Access user data for all websites.  
  • Display notifications  
  • Read and modify privacy settings  
  • Access browser tabs.

“The use of browser extensions to target the private Gmail accounts of users combined with the delivery of Scanbox malware demonstrates the malleability of TA413 when targeting dissident communities,” Proofpoint concluded.

“These communities have a traditionally low barrier for compromise by threat actor groups and TA413 appears to be modulating their tools and techniques while continuing to rely on proven social engineering techniques.”

Also Read: Data Storage Security Standards: What Storage Professionals Need To Know

Further technical details and indicators of compromise (IOCs), including infrastructure and malware sample hashes used in this campaign, are available at the end of Proofpoint’s report.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us