Threat actor in a shhing skull mask

Unknown hackers uploaded 144,294 phishing-related packages to open-source package repositories, including NPM, PyPi, and NuGet.

The large-scale attack resulted from automation, as the packages were downloaded from accounts using a particular naming scheme, had similar descriptions, and led to the same cluster of 90 domains that hosted over 65,000 pages of phishing.

The campaign supported by this operation promotes fake apps, award-winning surveys, gift cards, giveaways, and more. In some cases, they take victims to AliExpress via referral links.

A massive operation

This phishing campaign was discovered by analysts from checkmarx and Illustria, who worked together to discover and map the infection impacting the open source software ecosystem.

NuGet had the largest share of malicious package downloads, counting 136,258, PyPI had 7,894 infections, and NPM had just 212.

Phishing packages were downloaded in droves within days, which is usually a sign of malicious activity.

Diagram of malicious package downloads
Diagram of malicious package downloads (Checkmarx)

The phishing sites URL was implanted in the package description, in the hope that the repositories links would increase the SEO of their phishing sites.

These package descriptions also tricked users into clicking on links to get more information about alleged gift card codes, apps, hacking tools, and more.

Description of malicious package
Description of malicious package (Checkmarx)

In some cases, threat actors promote fake Steam gift card generators, Play Station Network e-gift card codes, Play Store credits, Instagram followers generator, YouTube subscribers etc. .

Almost all of these sites require visitors to enter their email address, username and account passwords, which is where the phishing step takes place.

Example of malicious websites
Example of malicious websites (Checkmarx)

Fake sites feature a feature that looks like the promised free generator but fails when visitors try to use it, asking for “human verification”.

This triggers a series of redirects to survey sites, eventually landing on legit e-commerce websites using affiliate links, which is how threat actors generate revenue from countryside.

Final destination of the victim in the countryside
Referral ID on the victim’s final destination in the campaign (Checkmarx)

Of course, stolen game account IDs, emails and social media usernames can also be monetized, as they are usually bundled into collections and sold on hacking forums and darknet marketplaces.

Security researchers who discovered this campaign notified NuGet of the infection and all packages have since been delisted.

However, given the automated method used by threat actors to download such a large number of packages in such a short time, they could reintroduce the threat using new accounts and different package names at any time.

For the full list of URLs used in this campaign, see this IoC text file at GitHub.


Source link