Stop, don't move! WoofLocker Browser blocker is now even harder to detect.

Carding

The new version of the framework has learned to spy on its visitors and to use steganography.

Cybersecurity experts have discovered a new version of WoofLocker, a tool used to mask and redirect traffic. The framework lets criminals run fraud schemes, for example by posing as technical support specialists.

WoofLocker was first described by Malwarebytes in January 2020. The framework is JavaScript embedded in compromised sites; it filters traffic and redirects selected users to "blocking" web pages (so-called browlocks).

"The tactics and methods are still very similar (compared to the original version), but the infrastructure is now more resilient to takedown attempts," said Jerome Segura, threat director at Malwarebytes.

A notable feature is the use of steganography: the malicious code is hidden inside an ordinary-looking PNG image, which makes the fraudulent activity harder to detect. The code is activated only if the system classifies the user as "legitimate" or "interesting", i.e. suitable for the campaign. If the visitor appears to be a bot or otherwise "unsuitable" traffic, the server returns a decoy PNG that contains no malicious code.
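As an added, defender-side illustration (not code from the Malwarebytes write-up or from WoofLocker itself), the following Python audits a PNG's chunk structure for the places where non-image data can ride along: private chunk types, bulky text chunks, CRC mismatches and bytes appended after IEND. It cannot see a payload encoded in the pixel data itself; the clean and suspicious sample images are constructed inside the block.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types from the core PNG spec; anything else (including extensions like eXIf) is reported for review.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP", b"sBIT",
    b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs", b"sPLT", b"tIME",
}

def _chunk(ctype, payload):
    """Assemble one PNG chunk: length, type, payload, CRC over type+payload."""
    crc = zlib.crc32(ctype + payload)
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def audit_png(data):
    """Walk the chunk list and report structure a plain image would not have."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    findings = {"unknown_chunks": [], "bad_crc": [], "text_bytes": 0, "trailing_bytes": 0}
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        payload = data[pos + 8:end - 4]
        stored_crc = struct.unpack(">I", data[end - 4:end])[0]  # raises if truncated
        if zlib.crc32(ctype + payload) != stored_crc:
            findings["bad_crc"].append(ctype.decode("latin-1"))
        if ctype not in STANDARD_CHUNKS:
            findings["unknown_chunks"].append(ctype.decode("latin-1"))
        if ctype in (b"tEXt", b"zTXt", b"iTXt"):
            findings["text_bytes"] += length  # oversized text chunks are a classic carrier
        pos = end
        if ctype == b"IEND":
            # Image decoders stop here, but a script fetching the file still gets the rest.
            findings["trailing_bytes"] = len(data) - pos
            break
    return findings

def minimal_png():
    """Constructed 1x1 grayscale PNG used as a clean sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one 8-bit pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

def suspicious_png():
    """Same image with a private chunk and bytes appended after IEND (constructed)."""
    iend = _chunk(b"IEND", b"")
    body = minimal_png()[:-len(iend)]
    return body + _chunk(b"prIV", b"placeholder payload") + iend + b"// appended bytes"
```

Run `audit_png()` over images served from a site under review; a hit is a pointer for manual analysis rather than a verdict, since legitimate editors also write private chunks.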

WoofLocker is also known as 404Browlock, because anyone who opens the URL directly, without the preceding redirect and its one-time session token, is served a 404 error page.

Another distinctive feature of this campaign is the use of the WEBGL_debug_renderer_info API for fingerprinting users. WoofLocker collects information about the victim's graphics adapter and drivers, uses it to separate real browsers from automated scanners and virtual machines, and stores and sends this information to a remote server. "Thanks to better filtering before redirecting potential victims to malicious sites, attackers keep their infrastructure online for a longer period of time," Segura explained.

Most sites that distribute WoofLocker belong to the "adult" category. The infrastructure uses hosting providers in Bulgaria and Ukraine, which gives the operators additional protection.

Once the framework runs, the victim cannot close the window or do anything else; the screen appears to freeze. The purpose of a "browser locker" is to pressure the person into calling for technical assistance, after which the scammers obtain remote access to the computer and bill for "fixing" non-existent problems.

Back in 2020, Segura noted: "The process is controlled by third parties through fraudulent call centers. The attacker responsible for redirecting traffic and blocking it gets paid for each successful lead."

Research shows that websites belonging to US government agencies, universities, and other organizations have been used for the past five years to distribute fraudulent offers and promotions through infected PDF files. Many of these attacks target children: they are offered an app to download, or asked for personal data, in exchange for non-existent rewards in online games such as Fortnite and Roblox.

WoofLocker is a sustainable and low-cost method of fraud, unlike other campaigns that rely on advertising and a cat-and-mouse game with hosting providers and registrars.

There is evidence that preparations for the current campaign have been underway since 2017. It is not yet known who exactly is behind this: a specific person or a group of people.