Time:2024-03-07 Click:81
作者: 姚
活动背景
近日,慢雾安全团队和Rabby Wallet团队发现了一种利用谷歌广告进行钓鱼的攻击方式。 随后,慢雾安全团队联合Rabby钱包团队对该攻击方式进行了深入分析。
据Rabby Wallet团队描述,团队没有购买任何谷歌广告。 然而,这个假广告却跳到了真正的官网。 难道钓鱼团伙花钱宣传真钱包?
从谷歌搜索关键词来看,排名前两位的搜索结果均为钓鱼广告。 然而第一个广告的链接却很不正常。 上面清晰地显示了Rabby钱包的官网地址https://rabby。 io,钓鱼团伙为什么要这么做?
通过跟踪发现,钓鱼广告有时会跳转到真实的官方地址https://rabby.io。 多次更换不同地区的代理后,就会跳转到钓鱼地址http://rebby.io,并且这个钓鱼地址会更新、改变。 在撰写本文时,该链接指向钓鱼地址 https://robby.page[.]link/Zi7X/?url=https://rabby.io?gad_source=1。
技术分析
我们先来说说302是什么。 302 是一个 HTTP 状态代码,表示临时重定向(Found)。 服务器收到客户端的请求后,如果需要暂时将请求的资源转移到另一个位置,则会返回 302 状态码,并在响应头中包含一个 Location 字段,以指示客户端应重定向到的新位置。 此重定向是临时的。
经过分析发现,该钓鱼广告的链接会发生多次302跳转,如下图所示。 使用curl命令来请求链接。 第一次会以302.com跳转到钓鱼地址https://rabby.iopost.ivsquarestudio,然而第二次302跳转时出现了两种情况:
1、当我们使用curl命令请求上述Location地址https://rabby.iopost.ivsquarestudio.com时,会出现一个302跳转到真正的官方地址https://rabby.io。
2.然而,当我们使用curl命令模拟普通浏览器请求上述Location地址https://rabby.iopost.ivsquarestudio.com(携带请求头包括User-Agent、Accept、Referer、Accept-Encoding等字段时) ,它会跳转到新的 Location 地址 https://dnovomedia.com?uid=087aa42d-724b-4a1e-bae7-f1f700ce71e6。
可见,钓鱼链接会在第二次302跳转时做出判断。 当检测到异常浏览器请求时,将重定向至官方地址; 当检测到正常的浏览器请求行为且区域合理时,则重定向到钓鱼地址。
We tracked and found that the last redirected phishing address was https://rabbyo.com/index.php?uid=087aa42d-724b-4a1e-bae7-f1f700ce71e6.
Opening the phishing link, I found that the phishing page almost cloned most of the content of the real official website:
By tracking 302 redirects, we found the following phishing link addresses:
https://robby.page.link/Zi7X
https://rabby.iopost.ivsquarestudio.com
https://dnovomedia.com?uid=087aa42d-724b-4a1e-bae7-f1f700ce71e6
https://rabbyo.com
https://rebby.io
The two phishing domain names rebby.io and rabbyo.com were queried through the threat intelligence platform and it was found that they were both registered in January 2024.
Looking at the code, we see that the attacker is using Russian:
The phishing deployment background program uses Fastpanel (Fastpanel is a virtual host management panel developed by hosting providers in Russian-speaking areas):
Then the source code of the phishing webpage was reviewed and it was found that clicking to download the desktop version will perform a client verification:
If the check finds that the current environment is a Mac computer, it will jump to the download address https://brandsrocket.com/data/rabby-wallet-desktop-installer-x64-latest.dmg.
It can be found that the storage space occupied by this Trojan is very small, only 1.1 MB:
The Trojan was uploaded to an online threat analysis website for analysis and it was found that the Trojan sample had been analyzed 19 days before writing this article and was identified as a Trojan backdoor by multiple anti-virus engines.
(https://www.virustotal.com/gui/file/ce6169ae0efe851473a189add9c88f96fdebe1ff3f549c457339e25d9e6feca8/detection)
It can be seen that from advertising to phishing website production to Trojan horse production, the phishing group operates smoothly. What is confusing is why the advertising information on Google search shows the official address? And why did it go through multiple 302 jumps? The analysis found that the key operation was that the phishing group used the 302 jump of Google's own Firebase short link service to deceive Google's display.
In order to make this process clearer, we also need to first understand the delivery mechanism of Google ads (as long as you have a Google account, you can log in to Google's ad management site https://ads.google.com to set up promotions):
1. First, you need to create a new campaign on the advertising management site with the goal of website traffic and the type of search.
2. After setting the price and frequency of advertising, select the region and language for advertising. This also explains why ads may not necessarily appear when searching for keywords in different regions or different language environments.
3. Now comes the crucial step, setting up the tracking template. Tracking templates are an advanced feature of Google Ads that allow third parties to track ad links.
We noticed that the first jump link domain name used by the phishing page is page.link. This is actually a short address service of Google's Firebase. This service allows binding any redirect address to a subdomain name of page.link. .
Since the third-party tracking link needs to be an address certified by Google, and page.link happens to be Google’s own domain name, the phishing gang bypassed this restriction.
4. After the ad is placed, since Google will not check whether the 302 jump link has changed in real time, nor will it modify the ad information in real time, the phishing gang will modify the redirection to the phishing URL after the ad is placed for a period of time.
Similar phishing routines also appear on various chat software. Take Telegram, a chat software, as an example. When you send a URL link during a chat, the Telegram background will capture the URL link domain name, title, and icon for preview display.
(This picture is for demonstration only)
However, Telegram does not prevent 302 redirects when crawling preview information. Therefore, if the user only judges based on the information on the page and then clicks on the link, he may jump to the preset phishing address.
Users are requested to look for the official address of Rabby wallet https://rabby.io, and do not trust any advertising address displayed in search results; if you are unfortunately caught, please transfer wallet funds as soon as possible and perform a comprehensive anti-virus on your personal computer. Check; always be suspicious before clicking on website links; for more security knowledge, it is recommended to read the "Blockchain Dark Forest Self-Rescue Manual" produced by the Slowmist Security Team: https://github.com/slowmist/Blockchain-dark -forest-selfguard-handbook/blob/main/README_CN.md.