Possible exploit in the wild
Categories: Core :: Security, defect
People: Reporter: dveditz, Unassigned
Attachments: 4 files
I don't know yet if this is a Firefox exploit, but it's clearly an exploit attempt and possibly targeted. I received an unconvincing spam text:
(Amount received 21.2 btc)
https://bit.ly/2mSe0RV+ (coinbase)
[Note: the '+' was not in the original. I added that to make it easy for people to see the bitly preview, and also so people don't accidentally open up the exploit.] The sender was not a phone number, but an email address <superlongnumber>@gestiumlex.com. All that shows in the text UI is the beginning of the long number so maybe it's supposed to look like a wallet address?
The bit.ly link has gotten 152 clicks with the bulk around the time I got the text and the following few hours. It goes to http: ar-xny.store/?id=4576734 which immediately redirects to the exploit at warning coinbase.pro-xao.com warning. That site contains only the script, which I have not run. Clearly it's an exploit: no visible content on the page, obfuscated script (not merely minimized). May or may not be a Firefox exploit. Sent to a small number of folks (based on number of clicks) which might indicate targeting. On the other hand an unsolicited text saying I just received $168,000 in bitcoin takes a gullible target which is not a typical trait for security folks. Then again, I was curious.
Comment 1•6 years ago (Reporter)
Comment 2•6 years ago (Reporter)
Comment 3•6 years ago
Comment 4•6 years ago
We've been poking at this for a bit; we haven't learned too much.
The 'exploit page' redirects us to hyjtrslukjdtshre, which redirects us to a coinbase phishing website. The phishing website is tagged with a safebrowsing deceptive site warning.
The first two pages have a neat trick where they can detect if you have devtools open; and if you do it sends you into an infinite loop. To get around that, find new RegExp('\x5cw+\x20*\x5c(\x5c)\x20*{\x5cw+\x20*[\x27|\x22].+[\x27|\x22];?\x20*}'); and ensure the test returns 'true' instead of 'false'.
I opened the page (in a VM) in Firefox ASAN Nightly and 69.0.1 on Windows x64 and did not observe anything unusual while watching process explorer (no process crashes, no subprocesses spawned.)
Our guess at this point is that if there is an exploit, it's using one or both of the first two pages to detect what you're running so it can serve it to you, and if you aren't running the specific thing, kick you to the phishing page.
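The RegExp quoted in comment 4 is the interesting part for anyone triaging a similar page, so here is an added example (not code from the bug or from the phishing site) that reconstructs what that check does. With the \x5c, \x20, \x27 and \x22 escapes decoded the pattern is `\w+ *\(\) *{\w+ *['|"].+['|"];? *}`, which only matches a function whose source text sits on a single line; a beautifier inserts a newline after the `{`, the test flips to false, and the page takes its stall branch. The function names, the sample function sources and the `RegExp.prototype.test` wrapper are my own constructions to show the mechanism and the analyst override from comment 4; how the real page wires the regex into its control flow is an assumption.

```javascript
// Added example: reconstruction of the source-integrity check described in
// comment 4 (names and samples constructed here; not the site's own code).

// The page's RegExp, exactly as quoted in the thread (escapes decode to
//   \w+ *\(\) *{\w+ *['|"].+['|"];? *}
// i.e. "identifier(){keyword 'string';}" written on ONE line).
const INTEGRITY_RE = new RegExp('\x5cw+\x20*\x5c(\x5c)\x20*{\x5cw+\x20*[\x27|\x22].+[\x27|\x22];?\x20*}');

// Mirrors what the obfuscated page does: run the regex over a function's own
// source text. True means the source still looks minified / untouched.
function sourceLooksIntact(fnSource) {
  return INTEGRITY_RE.test(fnSource);
}

// Constructed samples: the same function as the site would see it before and
// after an analyst reformats it in devtools or a beautifier.
const MINIFIED = "function(){return 'dev';}";
const BEAUTIFIED = "function () {\n  return 'dev';\n}";

// Assumed gate. The real page spins in an infinite loop on the 'false'
// branch; here that branch just returns a label so the demo terminates.
function nextAction(fnSource) {
  return sourceLooksIntact(fnSource) ? 'continue' : 'stall';
}

// The workaround from comment 4 ("ensure the test returns 'true'"), expressed
// as a scoped wrapper: force only this regex to report true, leave every
// other RegExp.prototype.test call alone, and restore the original afterwards.
function withIntegrityCheckForced(fn) {
  const originalTest = RegExp.prototype.test;
  RegExp.prototype.test = function (s) {
    if (this.source === INTEGRITY_RE.source) return true;
    return originalTest.call(this, s);
  };
  try {
    return fn();
  } finally {
    RegExp.prototype.test = originalTest;
  }
}

// Usage: the beautified source stalls on its own, continues under the wrapper.
console.log(nextAction(MINIFIED), nextAction(BEAUTIFIED),
  withIntegrityCheckForced(() => nextAction(BEAUTIFIED)));
```

The practical point for analysis: this is a tamper check on the script's own text, not a true devtools detector, so any reformatting (pretty-print, manual edits, even a different minifier) trips it. Patching the single `test` call, as above, is less invasive than editing the regex, and restoring the prototype afterwards keeps the rest of the page's behaviour observable.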
Comment 5•6 years ago
The pages are heavily obfuscated through multiple layers. After deobfuscating some of them, I found that a fair amount of dead code seems to be deliberately included to make the process even harder. So far I suspect that the pages really don't do a whole lot, even though it looks like a lot of code. I would be surprised if there even was a sophisticated OS/browser detection in there. So far I only found the redirect that Tom already mentioned and some cookie setting code.
Comment 6•6 years ago (Reporter)
Comment from an external researcher:
The browser / plugin fingerprinting code comes from Sift, which Coinbase uses.
I didn't see anything else that pointed to this being a browser exploit, and I'm relatively confident this is a heavily obfuscated phishing site.
The site now appears to be on the SafeBrowsing list. If there's no Firefox exploit I think we're done here. Objections?
Comment 7•6 years ago
(In reply to Daniel Veditz [:dveditz] from comment #6)
> The site now appears to be on the SafeBrowsing list. If there's no Firefox exploit I think we're done here. Objections?
I agree.
Updated•5 years ago