Conceal’s Weekly Threat Reports are highlights of recently detected sites that were deemed suspicious using our AI-powered browser extension, ConcealBrowse.

ConcealBrowse is leveraged by teams across the world to combat weaponized URLs. The technology is constantly analyzing suspicious web artifacts to identify risks in the form of drive-by attacks, phishing portals, and other threats that materialize while browsing.

Threat Report Website Feature - 12.18.23

Browser-Based Threat Report: Dec. 18

Browser-Based Threat Report

Week of December 18th, 2023


At Conceal, your digital safety is our utmost priority. Our weekly threat report for the week of December 18th, 2023, unveils critical insights into the ever-evolving landscape of online threats.

The following report highlights recently detected sites that were deemed suspicious:

_____________

SHA-256: c3c3f907fd925366cc657147828696deaf0494bff7d5d9b39d62bb6b5e4e5cf2

[Figure: screenshot of the suspicious webpage]

This URL was detected by ConcealBrowse on December 15th, 2023, and assigned a 14% risk score due to suspicion. The URL was first classified by 2 security vendors in September of 2019 as malicious and phishing. This URL has a long history of delivering a compromised and suspicious page and to date has been annotated by 5 vendors as such.

Upon further investigation, there are multiple reasons why this site is continuously flagged. First, the site itself is a WordPress site, which, without proper configuration, exposes numerous weaknesses by default, from compromised themes to insecure plugin integrations. That aside, the page is also delivered from an IP address that has historically delivered Trojans (most recently on December 12th) as well as potentially unwanted programs (PUPs) and potentially unwanted applications (PUAs). This exemplifies the dangers of shared hosting, which can compromise the webpage in question and, in turn, the endpoints connecting to it.

_____________

SHA-256: 29ee53339a87040fd5b852e2d8542e9498812fb3fd689c25a4b3b4cf492220ce

This URL was detected by ConcealBrowse on December 14th, 2023. The URL in question was first identified on December 13th, 2023, as delivering malware and a phishing webpage by 4 security vendors. 6 additional security vendors have since deemed the page dangerous, totaling 10 vendors to date.

Spoofed websites, like the one delivered by the URL in question, are popular during this time of the year because adversaries know there will be increased visitors. This site replicates the USPS homepage and even its subpages. After a few minutes on the page, the spoof becomes obvious from its broken links. Conceal’s Sherpa AI engine detected multiple anomalies, identifying this site as malicious. ConcealBrowse isolated the spoofed site because its intention is to collect credit card information from unsuspecting users: it lets them add items such as stamps to their cart and proceed to a checkout screen.

[Figure: screenshot of the spoofed USPS page]

_____________

SHA-256: 60d387d2967c2e63a962333387768228a9d2b379829ebc3670ae6d4788f052e0

SHA-256: f248e02fe1c54a766640b8f2257b18d2f496a8642bac1b03ec52e26e2fbc6e93

The URL was detected by ConcealBrowse first on November 4th, and subsequently on December 14th, 2023. It was first submitted to various CTI feeds January 15th, 2022, with its final URL just recently submitted December 19th, 2023. The original URL and final URL have been classified as malicious and phishing by 5 total security vendors. This highlights the domain’s ability to continuously circumvent traditional security mechanisms.

The URL above has multiple final URLs that have historically been used in malvertisement campaigns. As seen below, once a user clicks on the malicious advertisement, their browser displays warning messages stating they have outdated drivers. This tactic is used to scare end users into downloading malicious drivers to their endpoint. Although the URL today leads to a parked domain, meaning the adversaries are no longer using their website, they could easily resume this attack even though the domain is on a few DNS blocklists. They would be successful against those without informed DNS providers, but would not be successful against those with ConcealBrowse.

[Figure: historical screenshot pictured left, current status (parked domain) pictured right]

_____________

Valuable Outcomes

ConcealBrowse offers comprehensive protection against many sophisticated cyber threats, as recent threat reports exemplify. Our advanced threat detection capabilities have successfully flagged and quarantined malicious web pages, preventing users from falling victim to various cyber-attacks. Conceal remains dedicated to upholding the integrity of online interactions, constantly refining our detection algorithms and threat identification protocols to ensure proactive protection against emerging cyber threats. By integrating cutting-edge technology and a robust security infrastructure, we empower users to navigate the digital landscape with confidence, knowing that their online activities are shielded from potential harm.

Join the Conceal Community and claim your FREE ConcealBrowse licenses!

Join the Conceal Community today and fortify your online security for free! Don’t miss the chance to benefit from our advanced threat protection and stay one step ahead of cybercriminals. Experience peace of mind while browsing the internet, knowing that ConcealBrowse is your shield against the ever-evolving threat landscape. Take the proactive step towards a safer online experience – get your free ConcealBrowse license now and join a community committed to safeguarding your digital world.

Sign up for the Conceal Community and claim your free licenses by completing the form below.


Browser-Based Threat Report: Dec. 11

Browser-Based Threat Report

Week of December 11th, 2023


At Conceal, your digital safety is our utmost priority. Our weekly threat report for the week of December 11th, 2023, unveils critical insights into the ever-evolving landscape of online threats.

The following report highlights recently detected sites that were deemed suspicious:

_____________

SHA-256: 891574723688afb245340844f42b5036facf02c090d9a6bb1886762753595122

This URL was detected by ConcealBrowse on December 6th, 2023, and assigned a 14% risk score due to suspicion. The URL was first submitted and identified by 2 security vendors on December 5th, 2023. The 2 vendors classified the delivered page as malware and malicious.

The inactive site hosts a media download application that allows users to download and convert videos from sites such as YouTube and TikTok. These kinds of tools are popular because they are free; however, as with most free online services, they are riddled with advertisements and suspicious links. Furthermore, converter sites have notoriously bundled additional scripts into their converted, downloadable files, which have historically introduced malware (predominantly trojans and ransomware) and potentially unwanted programs to the endpoint. The site in question asks the end user to allow notifications, and when “allow” is clicked, additional tabs are opened, all of which display ads that can lead to further script execution.

_____________

SHA-256: 2529f43fb390342be8a394c198533e0446a7553e9a17ebf8e569059a3db99afc

This URL was detected by ConcealBrowse on December 5th, 2023. The URL was first analyzed by 3 security vendors on December 6th, 2023, who classified the page as malicious, suspicious, and a deliverer of spam and malware. Using our Sherpa AI, we identified the threat an entire day before reputable security vendors and CTI feeds.

This highlights the importance of real-time analysis. The URL leads to a spam-ridden sports page that is full of advertisements and popups. This, coupled with hidden URLs and JavaScript found within the page, increases the possibility of an end user triggering a drive-by download or downloading one of the 11 suspicious embedded JavaScript files. Due to the suspicious HTML code, the site has triggered various AV and security software detection criteria. Additionally, the domain hosting this page has a 3-month domain certificate, which is highly suspicious as it makes tracking the certificate and the associated threats challenging.

_____________

SHA-256: bf2e5eb4aaa5c4fbe33f58a7777afe7cccd97fc0b73b1848ef9a73b3ed8d1351

This URL was detected by ConcealBrowse on December 11th, 2023. It was first submitted to various CTI feeds on December 12th, 2023, and to date has been identified by only 6 security vendors. This domain was registered on December 8th, 2023, demonstrating how quickly the threat environment evolves and how important it is to have real-time analysis enabled by ConcealBrowse.

The delivered webpage seems benign at first glance, as it loads a blank page. However, after further analysis, the website was seen downloading various suspicious HTML and JavaScript files. One such HTML file was seen modifying the registry keys of Internet Explorer on the endpoint. Although the affected application is rarely used, this activity is suspicious, as the same vector may be used to modify other applications on the endpoint. This webpage has since been added to block lists from notable security vendors.

_____________



Browser-Based Threat Report: Dec. 4

Browser-Based Threat Report

Week of December 4th, 2023


At Conceal, your digital safety is our utmost priority. Our weekly threat report for the week of December 4th, 2023, unveils critical insights into the ever-evolving landscape of online threats.

The following report highlights recently detected sites that were deemed suspicious:

_____________

SHA-256: d7ac58e21dd05f2309e09e96c4deac274fa3bfe753d45af29d205f49262f80e2


This URL was detected by ConcealBrowse on December 4th, 2023, the same day that 4 additional security vendors flagged it. This highlights Conceal’s ability to remain on the leading edge of threat prevention through real-time analysis.

The URL redirects to a medical news outlet which, once the “Watch Now” button is clicked, opens additional tabs that load various medical ads and hoaxes. More importantly, the source HTML has embedded JavaScript that delivers a temp file to the endpoint. After dynamic analysis, this file matched numerous YARA and Sigma rules because it is obfuscated, lies dormant (long sleeps), and executes wscript/cscript. ConcealBrowse prevents the page from loading, assigning it a 14% risk score due to suspicion and to numerous identical links with different labels.

_____________

SHA-256: f3c75ad42c932bff7e498e90745f7a4b0d85da444f7fbfa3960e8ffbe41c6561

This URL was detected by ConcealBrowse on December 1st, 2023. The URL was first detected on August 26th, 2023, by 7 reputable security vendors. To date, 17 vendors have flagged the URL, categorizing it as phishing, malicious, and malware. Using this information and real-time analysis conducted by our Sherpa AI engine, ConcealBrowse assigned a 29% risk score and isolated the URL 3 times in a row as the end user persisted in trying to reach it.

Without ConcealBrowse, the end user would have introduced an HTML file to their endpoint that subsequently reaches out to a “.cc” domain. This Australian TLD, because of its low cost, is used by spammers and nefarious actors worldwide. It is hard to determine the intent of the file; however, introducing suspicious files to the endpoint is itself a concern. Additionally, the page harvests crypto wallet addresses to locate wallets and potentially uses the downloaded HTML file for follow-on data exfiltration.


_____________

SHA-256: 195aad5302702e9159617c0ed2023a05116bd663324998e333d4cb9a60bb93f2

This URL was detected by ConcealBrowse on December 4th, 2023. It was first submitted to various CTI feeds on August 8th, 2023, and has since been identified as malicious by only 3 security vendors, demonstrating how unreliable and slow the population of feeds can be.

With real-time analysis, ConcealBrowse was able to identify and isolate this URL with a 14% risk score for several reasons, such as the lack of basic metadata. Although the URL delivers a blank webpage, the page does drop files on the endpoint that have exhibited various MITRE ATT&CK techniques used by malicious actors. Dynamic analysis shows that the dropped files create registry run keys to survive reboot, which can also lead to privilege escalation depending on who logs into the system. Further, the URL in question has a high-risk reputation score and a short-duration domain certificate, and it is even sinkholed by 2 DNS providers.


_____________



Browser-Based Threat Report: Nov. 27

Browser-Based Threat Report

Week of November 27th, 2023


At Conceal, your digital safety is our utmost priority. Our weekly threat report for the week of November 20th, 2023, unveils critical insights into the ever-evolving landscape of online threats.

The following report highlights recently detected sites that were deemed suspicious:

_____________

SHA-256: f18313bd258045a0c134467990ca54423ad6c9427d57e921b9769bb4105a6e26

ConcealBrowse first detected this URL on November 15th, 2023, and continued to isolate it on subsequent visits on November 16th and 21st. It was first identified by 3 security vendors on November 21st, 2023, and has since dropped to 2 vendors, showing remediation attempts by the domain owners. As a result, the domain, which was sinkholed on November 21st, has been removed from sinkhole rules by various DNS providers. This illustrates the dynamic nature of webpages and the threat domain, highlighting the importance of real-time analysis (provided by ConcealBrowse).

Upon historical analysis, the page was seen downloading a suspicious JavaScript file which was flagged by 2 vendors as suspicious. ConcealBrowse continues to intervene to date, isolating the page with a 14% risk score due to the history of the webpage and the abundance of empty and void links.

_____________

SHA-256: b5b3e43c5b74bdc9fc35fa3708a17a34394006d51b34c1efa21685be1629ede1

This URL was detected by ConcealBrowse on November 20th, 2023. The URL was first detected on November 27th, 2023, by 6 reputable security vendors. By analyzing sites in real time, ConcealBrowse protected the endpoint one week before intelligence sources could report its nefarious activity.

The URL leads victims to a poorly designed malicious shopping page. Indicators of nefarious activity include a nonsensical sizing chart when purchasing a vehicle, which was listed for sale at $14. Although it is apparent the site is suspicious, end users can initiate downloads with a simple click or even fall victim to drive-by download attacks that require no end-user interaction. Supporting this, the page was observed downloading an HTML file that two additional security vendors deemed suspicious. ConcealBrowse also intervened due to identified anomalies, such as the webpage’s malicious top-level domain.

_____________

SHA-256: 7122c4952c0e428874187a684e6cf72937fccf96033240a9077a6ed245da604b

After analyzing the URL in question, it was found to be flagged as malicious by several other threat intelligence feeds. The primary reason these feeds report the domain as malicious is its association with phishing/credential theft attacks.

Upon engaging the link, users are prompted with a CAPTCHA to verify they are human. Afterwards they are directed to a spoofed Microsoft login page.

Deeper analysis shows that this site, which is no longer live, was registered through Russia on August 30th, 2023, and was blocklisted by several providers due to its association with the Storm-1575 threat group operating out of Russia. This group is known to use Dadsec, a phishing-as-a-service platform, with the goal of stealing Microsoft O365 credentials.

It is important to note that the site appears to have been taken down.

_____________

This URL was detected by ConcealBrowse during an INTERNAL TESTING session of our new SHERPA AI decision engine. The URL was brought to us by a customer who was concerned about this type of attack. The web page opens up and warns the visitor that their computer is infected and that they need to call Windows support. There is even an audible message warning the user to call immediately or risk serious damage. However, just like a BEC attack, there is nothing “malicious” tied to the webpage. The damage occurs when the victim calls the number and falls for the scam.

Since this is an attack that occurs in the browser, Conceal felt it necessary to detect and prevent these threats. With the new Sherpa AI engine, we are able to analyze a potential threat more deeply than URL reputation and even more deeply than patterns in how the web page behaves. We look at the patterns in the content of the website and what the intent of that content is. When we see an anomaly in the patterns in the behavior, the structure, or the content of a webpage, we treat it as suspicious and intervene to protect the end user. In the case of this webpage, there are several elements that a true warning from a reputable technology company such as Microsoft would never include. Based on this, our browser extension warned the end user of the dangers ahead, something that solutions relying on full-time browser isolation are not capable of doing.

_____________



Browser-Based Threat Report: Nov. 20

Browser-Based Threat Report

Week of November 20th, 2023


At Conceal, your digital safety is our utmost priority. Our weekly threat report for the week of November 20th, 2023, unveils critical insights into the ever-evolving landscape of online threats.

The following report highlights recently detected sites that were deemed suspicious:

_____________

SHA-256: fb9182a611e6c357d3d7876f898ce7246ad777e69367d983042a04bb93d8bd29

This URL was detected by ConcealBrowse on November 14th, 2023. It was first identified by various CTI feeds on November 15th, 2023. This showcases the importance of real-time analysis which is enabled by ConcealBrowse. To date, only 3 other security vendors have identified this URL.

The page was highlighted by vendors due to its poor construction. The site is missing many common elements of safe sites, such as author and copyright meta tags and favicons, and it includes a high number of embedded images. In addition to third-party vendor suspicion, ConcealBrowse intervened due to the abundance of null and void links found on the page. Poorly crafted and maintained websites are often targeted and used to propagate spam and malware.
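The structural signals this paragraph lists (missing author and copyright meta tags, no favicon, many embedded images, null and void links), together with the identical-links-under-different-labels pattern noted in the Dec. 4 report, can be scored statically from the HTML alone. The Python below is an added example, not ConcealBrowse or Sherpa AI code; the thresholds and both sample pages are constructed for illustration, and `example.invalid` is a placeholder host.

```python
"""Static page-hygiene heuristics of the kind the report describes.

Added example (not ConcealBrowse code). Scores an HTML document on:
 - missing <meta name="author"> / <meta name="copyright">
 - missing favicon <link rel="icon">
 - a high count of embedded images
 - a high share of null or void links (href="", "#", "javascript:void(0)")
 - one href reused under several different visible labels
The thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from html.parser import HTMLParser

NULL_HREFS = {"", "#", "javascript:void(0)", "javascript:void(0);", "javascript:;"}


class PageHygieneParser(HTMLParser):
    """Collects raw counts; assess_page() turns them into findings."""

    def __init__(self):
        super().__init__()
        self.meta_names = set()
        self.has_favicon = False
        self.img_count = 0
        self.total_links = 0
        self.null_links = 0
        self.link_labels = defaultdict(set)  # href -> visible labels seen
        self._href = None                    # href of the <a> currently open
        self._text = []                      # its visible text so far

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name"):
            self.meta_names.add(a["name"].lower())
        elif tag == "link":
            rel = (a.get("rel") or "").lower().split()
            if "icon" in rel:                # covers "icon" and "shortcut icon"
                self.has_favicon = True
        elif tag == "img":
            self.img_count += 1
        elif tag == "a":
            href = (a.get("href") or "").strip()
            self.total_links += 1
            if href.lower() in NULL_HREFS:
                self.null_links += 1
            self._href, self._text = href, []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            label = " ".join("".join(self._text).split())
            if self._href and label:
                self.link_labels[self._href].add(label)
            self._href = None


def assess_page(html, img_threshold=5, null_ratio=0.3):
    """Return the raw counts plus a list of human-readable findings."""
    p = PageHygieneParser()
    p.feed(html)
    p.close()
    findings = []
    for name in ("author", "copyright"):
        if name not in p.meta_names:
            findings.append(f'missing <meta name="{name}">')
    if not p.has_favicon:
        findings.append("no favicon link")
    if p.img_count > img_threshold:
        findings.append(f"{p.img_count} embedded images (> {img_threshold})")
    if p.total_links and p.null_links / p.total_links >= null_ratio:
        findings.append(f"{p.null_links}/{p.total_links} null or void links")
    relabeled = {h: sorted(ls) for h, ls in p.link_labels.items() if len(ls) > 1}
    for href, labels in relabeled.items():
        findings.append(f"{href!r} linked under {len(labels)} different labels")
    return {"findings": findings, "total_links": p.total_links,
            "null_links": p.null_links, "img_count": p.img_count,
            "relabeled_links": relabeled}


# Constructed sample: a low-quality lure page showing every signal above.
SUSPICIOUS_HTML = """<html><head><title>Deals</title>
<meta name="viewport" content="width=device-width"></head><body>
<a href="#">Home</a> <a href="javascript:void(0)">Watch Now</a> <a href="">Menu</a>
<a href="/go?id=1">Download</a> <a href="/go?id=1">Play Video</a> <a href="/go?id=1">Continue</a>
<a href="https://example.invalid/about">About</a>
<img src="a.png"><img src="b.png"><img src="c.png"><img src="d.png">
<img src="e.png"><img src="f.png"><img src="g.png"><img src="h.png">
</body></html>"""

# Constructed sample: a minimal page carrying the expected metadata.
CLEAN_HTML = """<html><head><title>Example Inc</title>
<meta name="author" content="Example Inc"><meta name="copyright" content="2023">
<link rel="icon" href="/favicon.ico"></head><body>
<a href="/about">About</a> <a href="/contact">Contact</a> <img src="logo.png">
</body></html>"""

if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_HTML), ("clean", CLEAN_HTML)):
        print(label, assess_page(doc)["findings"])
```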

_____________

SHA-256: 2c3f85699de22827b33ef601739924844e913db62198ef8acfd64c66c5c434a3

This URL was detected by ConcealBrowse on November 15th, 2023. The URL was first identified by 3 security vendors on October 13th, 2023. Today, 5 vendors have categorized it as suspicious, phishing, and even malware.

The delivered page asks users to enable notifications. Once enabled, multiple notifications appear on the screen (see below) informing users that their computer is infected. Mimicking a trusted security vendor, the adversary convinces users to engage with the popups, which then initiates an HTML file download. This file exhibits the following MITRE ATT&CK techniques: Persistence and Privilege Escalation through registry run key creation, Defense Evasion via masquerading, Discovery via Simple Service Discovery Protocol broadcast queries, and Command and Control through an encrypted HTTPS channel.

_____________

SHA-256: 31cf2c5502691f5f875cb1f65f3e19458009ecacfaabd007e07d5475348ad042

This web page was detected by ConcealBrowse on November 16th, 2023, and was first identified as malicious on October 10th, 2022. As of November 16th, the URL has been annotated as malicious, malware, and suspicious by 4 security vendors in total. This shows the dynamic reputation of webpages, emphasizing the importance of real-time URL analysis, which is enabled with ConcealBrowse.

Further analysis of this web site shows that several files are flagged as malicious, including two JavaScript files and a .ico file. These JavaScript files match a YARA rule that detects the presence of a Base64_Encoded_URL, a common theme among recent examples where ConcealBrowse has intervened to protect the endpoint.

It is important to note that the site appears to have been taken down.
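The Base64-encoded-URL pattern that the YARA rule above flags can be reproduced with a small static scanner: find runs of Base64 characters, decode them, and keep those that decode to a URL. The Python below is an added example, not the rule itself and not Conceal's code; the JavaScript it scans is constructed, and `cdn.example.invalid` is a placeholder host.

```python
"""Find Base64-encoded URLs hidden in JavaScript source.

Added example mirroring what a Base64-encoded-URL YARA rule looks for:
runs of Base64 characters that decode to printable text beginning with
http://, https:// or //. Not the YARA rule itself and not ConcealBrowse code.
"""
import base64
import binascii
import re

# A run of at least 16 Base64 characters (standard or URL-safe alphabet),
# followed by optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")
URL_PREFIXES = ("http://", "https://", "//")


def decode_candidate(token):
    """Decode a Base64 run to printable ASCII, or return None if it is not one."""
    normalized = token.replace("-", "+").replace("_", "/")
    normalized += "=" * (-len(normalized) % 4)   # restore stripped padding
    try:
        raw = base64.b64decode(normalized, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:                   # binary blobs (images etc.)
        return None
    return text if text.isprintable() else None


def find_base64_urls(js):
    """Return (encoded_token, decoded_url) pairs for every hidden URL in js."""
    hits = []
    for match in B64_RUN.finditer(js):
        decoded = decode_candidate(match.group(0))
        if decoded and decoded.lower().startswith(URL_PREFIXES):
            hits.append((match.group(0), decoded))
    return hits


# Constructed sample: one loader URL hidden behind atob(), plus two benign
# Base64 runs (an alphabet string and a data: URI) that must not match.
SAMPLE_JS = (
    'var cfg = {theme: "dark", token: "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo="};\n'
    'var u = atob("aHR0cHM6Ly9jZG4uZXhhbXBsZS5pbnZhbGlkL2xvYWRlci5qcw==");\n'
    'var px = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJ'
    'AAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==";\n'
    'document.head.appendChild(Object.assign(document.createElement("script"), {src: u}));\n'
)

if __name__ == "__main__":
    for token, url in find_base64_urls(SAMPLE_JS):
        print(f"{token} -> {url}")
```

Because the scanner normalizes the URL-safe alphabet and re-adds padding, it also catches tokens that were stripped of their trailing `=` before being embedded.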

_____________



Browser-Based Threat Report: Nov. 13

Browser-Based Threat Report

Week of November 13th, 2023


At Conceal, your digital safety is our utmost priority. Our weekly threat report for the week of November 13th, 2023, unveils critical insights into the ever-evolving landscape of online threats.

The following report highlights recently detected sites that were deemed suspicious:

_____________

SHA-256: 02f7c0e429b7388692f75d54bfde7e6bc2f1f68160efa434e306bd7d352f41c0

This URL was detected by ConcealBrowse on November 8th, 2023. It was first identified by various CTI feeds on October 5th, 2023, and resubmitted on November 9th, 2023, highlighting the continued nefarious activity of the domain. To date, 16 security vendors have annotated the URL as malicious.

This page takes advantage of typosquatting, in which end users accidentally type in the wrong web address, which then leads them to a page that mimics their intended destination. This specific instance mimics a popular shopping page and seems harmless. The intent of the majority of these spoofed sites is to obtain sensitive information from the end user, such as credit card information and address, during the checkout process.

_____________

SHA-256: f84a8fa0bc3dd592124b7a14a1bb64cb4fe8b40626c58d5c0341a3d590975500

This URL was detected by ConcealBrowse on November 6th, 2023. The URL was first detected by 2 security vendors on November 4th and has been flagged by 18 security vendors to date. The URL has been classified as malicious and subsequently as a delivery vector for malware and spam.

The top-level domain used by the page is notorious for hosting malicious and risky web pages. Further, research indicates that nearly half of the registered domains using “.top” are used for nefarious activity such as spam and malware distribution. This specific URL directed users to a page that hosted various malware families, including Arkei, PrivateLoader, and Vidar. Their purpose is to steal information from the endpoints they infect, including saved passwords, credit card information, and, most recently, two-factor authentication tokens.

_____________

SHA-256: 82cf0044f474bbef6e896f0e741f0795fe6c2abcc7facec854e5967a17b89ea5

This web page was detected by ConcealBrowse on November 9th, 2023, and was first identified as malicious on September 28th, 2022. As of November 14th, the URL has been annotated as malicious, malware, and suspicious by 6 security vendors in total. This shows the dynamic reputation of webpages, emphasizing the importance of real-time URL analysis, which is enabled with ConcealBrowse.

The web page is hosted by a web server that has historically hosted other malicious sites. In addition, the URL has recently been seen downloading two files of unknown content and has several embedded JavaScript files. After further static and dynamic analysis, the embedded JS files appear to modify the DOM of the parent URL. Due to this behavior, the URL has been identified by security vendors and has even been sinkholed by various DNS providers.

_____________



Browser-Based Threat Report: Nov. 6

Week of November 6th, 2023

At Conceal, your digital safety is our utmost priority. Our weekly threat report for the week of November 6th, 2023, unveils critical insights into the ever-evolving landscape of online threats.

The following report highlights recently detected sites that were deemed suspicious:

_____________

SHA-256: e487be0271aa1047e6dd76c59aa6b04094c99113188f9fa139c39497097228c7

This URL was detected by ConcealBrowse on November 3rd, 2023, and was first submitted to various CTI feeds on November 4th, showcasing how ConcealBrowse protects users from the unknown.

When visiting the page, users encounter various pop-ups that state the workstation is infected with malware. This common tech support scam then prompts the end user to call the number listed in the pop-up to remedy the infection. Often, the scammers attempt to elicit payment from users, or entice them to download some sort of remote access software from the page, thus granting access to the endpoint. The Remote Access Trojan, if downloaded, grants persistent access with registry keys, gains elevated privileges and even bypasses file scanning and monitoring tools using various masquerading tactics.

_____________

SHA-256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

This web page was detected by ConcealBrowse on November 3rd, 2023, and was first identified by CTI feeds the same day. To date, only 4 security vendors have identified this threat. This highlights the ability of ConcealBrowse to identify current adversary techniques and delivery methods.

The original URL in question has various redirects that lead the end user to a spoofed McAfee home page. The final page, seen below, is highly interactive, meaning the spoofed page has been well crafted to increase its apparent legitimacy. The spoofed page, which is hosted across numerous Russian-based web servers, was dynamically creating help and feedback buttons in the hope that users would engage. The domain was seen delivering backdoors via this technique in previous campaigns.

_____________

SHA-256: cba292db6c58d7028353ca98ee27dc334640987670b15cb83f2b419686596996

This currently active URL was detected by ConcealBrowse on November 2nd, 2023, with variations of the malicious pathname (intentionally removed above) identified throughout the first week of November 2023. The URL prevented by Conceal Browse has since been identified by 10 security vendors, who have classified the delivered webpage as malicious, suspicious, phishing, and even malware. The domain has been identified as a known infection source from reputable CTI feeds, indicating that nefarious content is continuously delivered.

The webpage is a blog that makes various requests (with referrer headers) for resources from legitimate domains such as Google and YouTube. The page, however, also requests resources from a known malicious domain that was seen downloading suspicious HTML files just a week ago. Since the page is requesting resources from a known malicious domain, the page should be avoided.

_____________



Browser-Based Threat Report: Oct. 30

Week of October 30th, 2023

At Conceal, your digital safety is our utmost priority. Our weekly threat report for the week of October 30th, 2023, unveils critical insights into the ever-evolving landscape of online threats.

The following report highlights recently detected sites that were deemed suspicious:

_____________

SHA-256: 95bd5672de917dd113b5a48f4347931661dced296f6b83d2e76c002f3847e926

This URL was detected by ConcealBrowse on October 27th, 2023; it was first submitted to various CTI feeds on October 13th and most recently on October 25th, 2023.

The page was last seen delivering an innocent-seeming HTML file that contains encoded JavaScript. As the file opens in the browser, it dynamically reconstructs new HTML code and presents the end user with a spoofed Microsoft login page, as seen above. Fortunately, ConcealBrowse identified anomalies associated with the page and prevented the HTML smuggling attack from occurring in the first place, subsequently stopping the credential theft attempt.

This attack type is becoming increasingly popular due to its stealthiness. The drive-by-downloaded HTML file is not only delivered from a reputable source (in this case, Cloudflare’s development platform) but is also encoded, then decoded and reconstructed locally, to bypass web proxies and email gateways.

_____________

SHA-256: fc93937220e51c05c4c2273fe7ae0d8f50b0faafb1c1f02659bb3c0652f5b421

This web page was detected by ConcealBrowse on October 30th, 2023, and was first submitted to CTI feeds on October 31st, 2023. This showcases Conceal’s ability to identify risky webpages in real time, even before CTI feeds report on them. This type of attack has been seen in several of Conceal’s customer environments.

The delivered page mimics the Yahoo home page by pulling legitimate assets such as images, an iFrame and even a script directly from Yahoo.com, which is not common practice: legitimate sites normally serve such assets through their content delivery network. The adversaries spent a decent amount of time crafting the page, which included 168 legitimate links leading to Yahoo. However, the page also had a high number of empty and void links, which is indicative of phishing sites, since threat actors often do not have the time or ability to fully mimic web page functionality. The site has since been identified by 5 security vendors as a phishing site.
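Two of the static signals described in this report (encoded JavaScript that rebuilds a page client-side, as in the HTML smuggling case above, and the high share of empty or void links on a cloned portal) can be checked over a fetched HTML body. The following Python is an added example, not ConcealBrowse’s code; the marker patterns, thresholds and sample pages are constructed for the demonstration.

```python
"""Static checks for two signals these reports describe: HTML-smuggling
indicators in embedded scripts and the share of empty/void anchors on a cloned
page. Added example, not ConcealBrowse code; sample pages are constructed."""
import re
from html.parser import HTMLParser

# Script markers: browser-side base64 decode, writing the result into the DOM,
# building a Blob for a local download, or a long encoded string literal.
SMUGGLING_PATTERNS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "dom_write": re.compile(r"document\.write\s*\(|\.innerHTML\s*="),
    "blob_download": re.compile(r"new\s+Blob\s*\(|createObjectURL\s*\("),
    "long_encoded_literal": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}
VOID_HREFS = {"", "#", "javascript:;"}

class _Collector(HTMLParser):
    # Gather every anchor href and the text of every inline <script>.
    def __init__(self):
        super().__init__()
        self.hrefs, self.scripts, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append((dict(attrs).get("href") or "").strip())
        elif tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def _is_void(href):
    h = href.lower()
    return h in VOID_HREFS or h.startswith("javascript:void")

def analyze(html):
    # Return link counts, the void-link ratio and which smuggling markers fire.
    c = _Collector()
    c.feed(html)
    total = len(c.hrefs)
    void = sum(1 for h in c.hrefs if _is_void(h))
    script_text = "\n".join(c.scripts)
    hits = sorted(n for n, p in SMUGGLING_PATTERNS.items() if p.search(script_text))
    return {"links": total, "void_links": void,
            "void_ratio": void / total if total else 0.0,
            "smuggling_indicators": hits}

def flag_reasons(report, void_threshold=0.5, min_links=5):
    # Thresholds are illustrative assumptions, not tuned values from the report.
    reasons = []
    if report["links"] >= min_links and report["void_ratio"] >= void_threshold:
        reasons.append("high void-link ratio")
    if len(report["smuggling_indicators"]) >= 2:
        reasons.append("html smuggling indicators")
    return reasons

# Constructed samples: a cloned portal with dead links, and a page whose script
# decodes a harmless blob (base64 of "ABC", repeated) and writes it to the DOM.
CLONED_PAGE = """<html><body><a href="https://www.yahoo.com/news">News</a>
<a href="https://www.yahoo.com/finance">Finance</a><a href="https://www.yahoo.com/sports">Sports</a>
<a href="#">Sign in</a><a href="#">Mail</a><a>Privacy</a>
<a href="javascript:void(0)">Help</a><a href="javascript:void(0);">Feedback</a>
<script>console.log("tracker stub");</script></body></html>"""
SMUGGLED_PAGE = ('<html><body><script>var p="' + "QUJD" * 60 +
                 '";document.write(atob(p));</script></body></html>')
```

Running `analyze(CLONED_PAGE)` reports 5 of 8 anchors as void, and `analyze(SMUGGLED_PAGE)` fires three of the four script markers; `flag_reasons` turns each into a reason string that can feed a block-or-warn decision.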

_____________

SHA-256: da9bb3966753582f1ad63eb91315ce3207b33bec9b166adc7048ddcc70258a40

This currently active URL was detected by ConcealBrowse on October 25th, 2023. Although the webpage was first submitted to various CTI feeds October 31st, 2021, it was resubmitted the morning of October 31st, 2023, meaning the page continues to deliver suspicious content.

The webpage is a login page to a commoditized Phishing-as-a-Service (PhaaS) provider based out of Russia that has been operating since June 2021. As a purchasable nefarious phishing service, the page should not be trusted.

_____________



Browser-Based Threat Report: Oct. 23

Week of October 23rd, 2023

At Conceal, your digital safety is our utmost priority. Our weekly threat report for the week of October 23rd, 2023, unveils critical insights into the ever-evolving landscape of online threats.

The following report highlights recently detected sites that were deemed suspicious:

ConcealBrowse identified one of these threats seven days before the other threat feeds.

_____________

SHA-256: 0b52c5338af355699530a47683420e48c7344e779d3e815ff9943cbfdc153cf2

This URL was detected by ConcealBrowse on October 17th, 2023, with it first being submitted to a handful of CTI feeds on October 15th, 2023. The webpage has since been taken down. This 17-day lapse between domain registration and page deletion is a long time given today’s threat environment. This highlights the importance of real-time analysis, which Conceal Browse enables. In this gap, only 8 security vendors, including Conceal Browse, flagged the page as suspicious.

The webpage the URL led its victims to was seen downloading an HTML file that has a historically bad reputation for various actions such as C2 node callouts.

The serving IP address continues to host malicious domains and has been flagged as malicious by two security vendors. Other webpages hosted on the server have been featured in Conceal’s weekly threat report previously.

_____________

SHA-256: d772f4ce3ff3a63d73da19acb3864fa4b3cf01807ac6c9322db27d60e2f4e7fa

This web page was detected by ConcealBrowse on October 12th, 2023, with it first being submitted to CTI feeds on October 19th, 2023. This showcases Conceal’s ability to identify risky webpages in real-time, even before CTI feeds report on them.

The delivered webpage included a captcha, prompting the end user to click the “allow” button in the fake notification displayed in the top left (see below). This is a common tactic in which attackers place iFrames or transparent overlays on top of seemingly innocuous, familiar user-interaction dialog boxes. The user clicks the transparent iFrame because the dialog underneath looks routine. However, the overlay executes script that often initiates a download or even displays a login screen so that credentials can be captured. This specific webpage is no longer active; however, users should be cautious when they see this tactic in the wild.

_____________

SHA-256: 6f5d8c5bf77786b84d00504f8a8f790a2261f49aef0c11327b611b9e1e91ab6e

This currently active URL was detected by ConcealBrowse on October 23rd, 2023. Although the webpage was first submitted to various CTI feeds on July 17th, 2018, it was resubmitted the morning of October 24th, meaning the page continues to deliver suspicious content.

The webpage has recently been delivering an HTML file that has conducted HTTP requests to various .ru domains. The serving IP address has been annotated in the past as a malicious C2 node and, more recently, has been identified as a cryptomining server by other intelligence services.

_____________



Browser-Based Threat Report: Oct. 16

Week of October 16th, 2023

At Conceal, your digital safety is our utmost priority. Our weekly threat report for the week of October 16th, 2023, unveils critical insights into the ever-evolving landscape of online threats.

The following report highlights recently detected sites that were deemed suspicious:

SHA-256: 42a439f1d2c94a9d456fc25fd9ae758fd1a55b1061d4a9ba5e90406424f3f39c

This URL was detected by ConcealBrowse on October 16th, 2023, and was first submitted to a handful of CTI feeds on September 21st, 2023. The URL in question was recently submitted for new analysis on October 15th, 2023. To date, only 4 security vendors, excluding ConcealBrowse, have annotated this URL.

The link uses various HTTP (insecure) redirects, which lead to gambling sites, spoofed shopping sites, and a suspicious download. More concerning, it also redirects to a QR code, which entices the end user to scan it with a mobile device; mobile devices are often less secure than PCs and laptops. The QR code leads the user to another suspicious webpage that is being tracked by CTI feeds.

Additionally, the serving IP address annotated above has been seen delivering a W32 trojan variant as recently as October 8th, 2023.

_____________

SHA-256: 18358a77382e2475a5dcc8445ef23a859d1d7cb698d6b31808f76104cf30fbfd

This web page was detected by ConcealBrowse on October 16th, 2023, and was first submitted to CTI feeds on August 3rd, 2019. This site continues a trend of compromised small-business websites going unaddressed for long periods.

When analyzed, this site was flagged as malicious by multiple vendors. Further analysis shows that this site triggers several signatures, including creating files in the system directory.

Several MITRE ATT&CK techniques were also observed on this site at the time of analysis, including: Masquerading, Process Injection, Ingress Tool Transfer, Encrypted Channel, Application Layer Protocol, and Non-Application Layer Protocol.

_____________

SHA-256: 18358a77382e2475a5dcc8445ef23a859d1d7cb698d6b31808f76104cf30fbfd

This currently active URL was detected by ConcealBrowse on October 16th, 2023. Although it was first submitted to various CTI feeds August 15th, 2023, it was resubmitted the morning of October 17th, meaning the delivered page has been compromised again.

The URL takes users to a seemingly benign page offering a free PDF converter. When clicking “Download Now,” users download the converter and, inadvertently, a malicious dropper file. The dropper file is a RedLine trojan variant.

_____________
