Definition of a Drive By Download:
Google: “A drive-by download refers to the unintentional download of a virus or malicious software (malware) onto your computer or mobile device. A drive-by download will usually take advantage of (or “exploit”) a browser, app, or operating system that is out of date and has a security flaw.”
Late last week while traveling I was multi-tasking at a feverish pace. Like most people trying to fit 12 hrs of work into a 10 hr work day I had multiple windows, browsers, and processes running on my laptop. I was doing some research online and bouncing around from website to website in search of the latest information. At this point something phishy happened.
In my haste, I made a simple typo in my Chrome browser (.co instead of .com). This simple typo resulted in a domain park where a Chrome Extension tried to install. Domain parking is a concept where a domain owner will typically try to either sale the domain but more times than not host ads and try to monetize via ad click throughs.
As I’m quickly toggling back and forth one more simple mistake and an unwanted extension would have been installed. In fact if you look at the wording of the popup message “Are you sure you want to cancel free download” could easily cause the users confusion. Bad actors relay on end users to feel nervous which forces mistakes. In this situation if you didn’t read carefully you could have thought “NO” don’t install and had an adverse consequence. At this point I slowed everything down to ensure I didn’t make a mistake. In fact the best recommendation is for the user to close their browser. Any action at this point could cause the extension to install.
I looked up the IP address using the URL typo. I found this by doing a simple DIG (domain information grouper). The results of the dig showed the IP address of 220.127.116.11. This IP address is registered to Bodis, LLC which advertisers itself as a “domain parking platform” and helps “monetize…undeveloped domains”.
Now obviously the .co site wasn’t “real” in the sense that its a legitimate site. Especially not the one I was looking for. I was curious if there are malicious domains associated with Bodis. At this point a quick Google search showed numerous results that were of concern.
To be fair, Bodis in their terms of service state, “Member shall not act, either directly or indirectly, to encourage or require end users, either willingly or unwillingly, to click on search results or advertisements and/or to generate click-throughs by any means that could be reasonably interpreted as coercive, incentivized, misleading, malicious or otherwise fraudulent in nature.”
Mystery of the Drive By:
At this point I wanted to do more security research but I didn’t want to do it on an open machine. In security we prefer to use sandboxes. In my case I have a VM running Kali so all good there. When trying to recreate the typo scenario it took me to a different parked domain that just tried to have me click on ads. Whoever tried to force the original extension to be installed was gone.
In security we see these funny names like social engineering, whaling, Zues, and drive by downloads. True they are funny but there is meaning. A history if we dare say..
So how can I protect myself and how can companies protect their employees?
This extension could record key strokes (steal username / passwords at I type to login), inject .js into a page, or other MiTB (man in the middle) based attacks. For example in 2018 articles such as, “Malicious Chrome extensions infect 100,000-plus users, again” by Ars, and “Data-thieving Chrome extension” by Kaspersky are cases studies showing how malicious extensions can be.
Towards the end of 2018 with the explosion of reports concerning malicious Chrome extension this forced Google to change the rules. In Google’s announcement they stated they will no longer tolerate extensions that ask for powerful permissions for no reason, use external scripts, or obfuscate their code.
It should be noted that these rules changes are more for the end user. For your everyday Chrome users this can be very intimating to make these changes. Visit https://developer.chrome.com/extensions/runtime_host_permissions to learn more about how to change privacy settings for extensions.
When I talk with my clients its common for me to hear that major corporations view this attack surface is a major risk. Rather it’s enterprise user traversing VPNs, partners accessing portals and systems (SSH), and how this effects lateral movement. The common theme is awareness.
It’s a good policy to ensure a yearly compliance check. This could be a 5 min video or document review about internet AUP (acceptable use policy). This is a great time to talk about social awareness especially in the form of phishing scams. This basic exercise saves companies millions in terms of breaches and public trust.
As surely most of us know these types of experiences, URL typos as an example, will always exist. One way to catch them is through recursive DNS. DNS is the naming system of the internet to translate hostname to IP address and more precisely during the recursive phase rDNS. From the end user compute device, public NAT (DHCP), we filter and apply rules. Solutions such as Akamai’s ETP, Info Blox RPZ DNS Firewall and Cisco Umbrella (OpenDNS) provide some level of alerting and actions.
There is no longer a perimeter network. With mobile users, networks, BYOB, policies everything should now be thought of as a Starbucks hot spot. Nothing should be trusted. Devices need to be registered (mutual TLS), and remote wipe mandatory (AirWatch and MDM capabilities). VPN should be reconsidered as employee’s no longer plug in to LAN drops and automatically trusted. Cloud security capabilities should be applied with IAM / CASB and IAP (identity aware proxies). Let’s not forget about anti-virus and DLP. This helps to reduce the overall attack surface.
Be smart at home! Tell your kids to be safe online line and if you want to download anything do it through trusted sources. We are still an Apple family so its the app store for us. At work take extra care when clicking as it just makes sense.
Enterprises will need to continue to spend meaningful budgets, rightfully so, as there are a multitude of fronts to defend against. Rather compliance, business continuity, risk reduction etc. An overall security program is recommended.