Overview:
- Phish Tale of the Week
- Researchers Discover QR Codes Exploited to Evade Browser Isolation
- BadBox Botnet Infects Over 190,000 Android Devices, Including High-End Smart TVs
- How can Netizen help?
Phish Tale of the Week
Oftentimes, phishing campaigns created by malicious actors target users through social engineering. In this example, the actors pose as an unnamed investment company. They send us a text message telling us that our account has been “released” and that it’s imperative we click the link below. It seems both urgent and genuine, so why shouldn’t we? Luckily, there are plenty of reasons that point to this being a scam.
Here’s how we can tell not to fall for this phish:
- The first warning sign for this SMS is the context in which it was sent. When I received this SMS, I immediately knew not to click on the link, because I do not have an investment account with the alleged investment services company under the provided username and password. On top of that, it’s very apparent that this message was blasted out to random numbers: the message doesn’t even include my name or attempt to provide any level of familiarity that would convince me to click on the fake link.
- The second warning sign in this message is the messaging itself. It tries to create a sense of urgency in order to get you to click on the link. Phishing and smishing scams commonly attempt to create a sense of urgency or confusion so that you click their link without thinking about it first. Always be sure to thoroughly inspect the style and tone of all texts before following a link or opening an attachment sent via SMS.
- The final warning sign for this message is the wording. The grammar is strange and unprofessional; if the actual USPS needed to send you a message, they would not include the sentence “Your investment account has been released,” or anything else in poor-sounding English. This is a very poor way to get someone to click on your link. All of these signs point directly to this being a smishing text.
General Recommendations:
A phishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via your text messages.
- Scrutinize your messages before clicking anything. Have you ordered anything recently? Does the order number match one you already have? Did the message come from a store you don’t usually order from or a service you don’t use? If so, it’s probably a phishing attempt.
- Verify that the sender is actually from the company sending the message.
- Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to provide Personally Identifiable Information (PII) such as credit card numbers or your social security number? A legitimate company will never ask for PII via instant message or email.
- Do not give out personal or company information over the internet.
- Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
Many phishing messages convey a sense of urgency or even aggressiveness, intended to intimidate the recipient. Any message requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may raise the question “What is wrong with my account?” and prompt you to click a suspicious link.
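The recommendation above (verify the URL belongs to the company and uses HTTPS) can be turned into a small check a recipient or help desk can run on a link before anyone opens it. The script below is an added example written for this newsletter, not code from Netizen; the expected domain, the sample links and the two-label domain rule are assumptions for illustration.

```python
"""Vet a link from an SMS or email against the domain you actually expect.

Added example (not from the original newsletter). The sample links and
the expected domain 'example.com' are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'example.com'.

    Assumption: a simple two-label rule. Production code should consult the
    Public Suffix List so that names like 'example.co.uk' are handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def vet_link(url: str, expected_domain: str) -> dict:
    """Run the checks a recipient should run before following a link.

    Returns the parsed host, a list of findings, and a safe_to_open verdict
    that is True only when no finding was raised.
    """
    parsed = urlparse(url.strip())
    host = parsed.hostname or ""          # urlparse lowercases the host
    expected = expected_domain.lower()
    findings = []

    # Recommendation from the text: the link should use HTTPS.
    if parsed.scheme != "https":
        findings.append("not HTTPS")

    # A bare IP address is never how a real company sends account links.
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address")
    except ValueError:
        pass

    # Internationalised names can hide look-alike characters.
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode/IDN host (possible homoglyph)")

    # 'https://company.com@attacker.example/' puts the real name in the
    # userinfo part; the browser actually connects to the part after '@'.
    if parsed.username or parsed.password:
        findings.append("credentials embedded in URL")

    # Recommendation from the text: the URL must be the company's own domain.
    actual = registrable_domain(host)
    if actual != expected:
        findings.append(f"domain {actual!r} is not {expected!r}")
        if expected in host:
            findings.append("expected name appears inside a different domain (lookalike)")

    return {"url": url, "host": host, "findings": findings, "safe_to_open": not findings}


if __name__ == "__main__":
    for link in ("https://www.example.com/account",
                 "http://example.com.login-verify.example/account",
                 "https://example.com@198.51.100.7/"):
        print(vet_link(link, "example.com"))
```

The order of checks mirrors the bullet list: transport (HTTPS) first, then the host itself, then whether the host is the company's registered domain rather than a domain that merely contains the company name somewhere in it.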
Cybersecurity Brief
In this month’s Cybersecurity Brief:
Researchers Discover QR Codes Exploited to Evade Browser Isolation
Mandiant researchers have uncovered a novel approach that bypasses browser isolation technologies by embedding command-and-control (C2) instructions in QR codes. This innovative tactic allows attackers to communicate with compromised systems, exposing gaps in current browser isolation defenses.
Browser isolation is designed to shield local systems from potentially malicious content by executing all browser activities in a remote sandbox or virtualized environment. The rendered output—essentially a “safe” visual of the webpage—is then streamed back to the local browser.
This architecture disrupts traditional C2 communications by intercepting malicious scripts before they reach the user’s device. For attackers relying on HTTP-based C2 channels, isolation technologies have been a significant hurdle.
Mandiant’s method takes advantage of how browser isolation handles visual content. Instead of hiding commands in HTTP responses, which isolation solutions filter, attackers encode their instructions in QR codes displayed on the webpage.
Since visual content isn’t stripped by isolation layers, these QR codes are delivered to the local browser, where pre-installed malware decodes and executes the commands.
Attack Details:
- Mechanism: Tested with Google Chrome, the technique integrates with Cobalt Strike’s External C2 framework.
- Challenges for Attackers:
  - QR code size limits each data packet to approximately 2,189 bytes.
  - Latency delays reduce data transfer rates to around 438 bytes/second.
  - Existing defenses, like URL scanning and domain reputation checks, may detect malicious activity.
While the attack has practical limitations, it highlights evolving adversary tactics and the importance of adapting defenses. SOC teams should focus on several critical areas:
- Visual Content Monitoring: Standard monitoring tools often overlook malicious payloads in rendered visuals. Enhancing detection capabilities to include this vector is crucial.
- Endpoint Protection: Malware that interacts with browser-rendered content, such as QR code interpreters, must be flagged by EDR systems.
- Reassessing Isolation Configurations: Browser isolation policies should be tested regularly against new threats to ensure effectiveness.
- Defense in Depth: Combining browser isolation with heuristic analysis, data loss prevention, and URL filtering adds layers of security against exploitation attempts.
While Mandiant’s QR code-based bypass is unlikely to replace traditional C2 methods due to its limitations, it serves as a valuable case study in adaptive threat techniques. SOC teams must consider this scenario as part of broader defense strategies, prioritizing continuous threat assessment and layered security to address emerging risks.
BadBox Botnet Infects Over 190,000 Android Devices, Including High-End Smart TVs
Cybersecurity firm Bitsight has identified a BadBox botnet comprising over 190,000 Android devices, primarily targeting Yandex 4K QLED smart TVs and Hisense T963 smartphones.
Bitsight’s analysis, aided by sinkholing a BadBox domain, revealed that most infected devices are unique models. These include high-end devices such as Yandex 4K QLED smart TVs and Hisense T963 smartphones, with significant impact in Russia, China, India, Belarus, Brazil, and Ukraine.
The BadBox malware, first reported in October 2023, originates from a supply chain compromise and comes pre-installed on the firmware of low-cost Android-based devices like smartphones, TV boxes, and smart TVs.
Previously, in 2023, Human Security uncovered over 70,000 BadBox-infected devices involved in fraud schemes and as residential proxies. Recently, Germany’s cybersecurity agency sinkholed a BadBox C&C server, identifying 30,000 infected devices. Bitsight’s findings now suggest a broader infection, with over 160,000 unique IPs communicating daily with a BadBox command-and-control server.
Notably, 98% of the malicious traffic is linked to Yandex smart TVs and Hisense smartphones, marking the first observed instance of high-end Android devices communicating with BadBox infrastructure.
Bitsight highlights that BadBox exploits infected devices for:
- Residential proxying, turning backdoored devices into exit points for malicious traffic.
- Remote code installation, enabling attackers to deploy additional payloads.
- Account abuse and ad fraud.
“BadBox exploits devices for activities such as residential proxying (using backdoored devices as exit points), remote code installation, account abuse, and ad fraud. One of its most dangerous features is the ability to install additional code/modules without the user’s consent, enabling threat actors to deploy new schemes,” Bitsight explains.
The out-of-the-box nature of the infections raises concerns about potential supply chain involvement. Bitsight warns that:
“The out-of-the-box BadBox infections suggest either that manufacturers could be involved, allowing remote attackers to install malicious code, or that the infection is performed during the development, manufacturing, shipping, and/or sales stages.”
The cybersecurity firm emphasizes that determining whether these infection vectors are interconnected remains uncertain:
“We cannot determine if these vectors are mutually exclusive in the case of BadBox,” Bitsight notes.
To minimize risks, Bitsight advises consumers and enterprises to prioritize trusted brands and partners for their devices and services to ensure better protection for their data and networks.
This incident underscores the critical need for supply chain security and vigilance when selecting Android-based devices.
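The figures in this story (unique IPs per day, the share of traffic per device model, devices that keep calling back) are the kind of summary a sinkhole produces once the C&C name resolves to a defender-controlled host. The script below is an added example written for this newsletter, not Bitsight’s tooling. It assumes a simple log format of timestamp, client IP and a device-model label (how the model is learned, for example from the beacon itself, is an assumption), uses a placeholder for the sinkholed domain since the article does not give one, and the log lines are constructed.

```python
"""Summarise sinkhole telemetry for a botnet C&C name.

Added example (not Bitsight's code). Assumed log format per line:
    <ISO timestamp> <client IP> <device model label>
The domain below is a placeholder; the article does not name the real one.
"""
from collections import Counter, defaultdict

SINKHOLED_DOMAIN = "botnet-c2.invalid"   # placeholder, not an actual indicator

# Constructed sample log: two days of beacons from a handful of devices.
SAMPLE_LOG = """\
2024-12-01T00:01:02Z 203.0.113.10 Yandex-4K-QLED
2024-12-01T00:04:11Z 203.0.113.11 Yandex-4K-QLED
2024-12-01T00:09:45Z 198.51.100.7 Hisense-T963
2024-12-01T06:01:02Z 203.0.113.10 Yandex-4K-QLED
2024-12-01T12:30:00Z 192.0.2.44 GenericBox
2024-12-02T00:01:03Z 203.0.113.10 Yandex-4K-QLED
2024-12-02T00:05:27Z 198.51.100.7 Hisense-T963
2024-12-02T09:15:10Z 203.0.113.12 Yandex-4K-QLED
"""


def parse_log(text: str) -> list:
    """Parse log lines into (timestamp, ip, model) tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, model = line.split(maxsplit=2)
        events.append((ts, ip, model))
    return events


def unique_ips_per_day(events) -> dict:
    """Count distinct client IPs per calendar day (the 'IPs per day' figure)."""
    days = defaultdict(set)
    for ts, ip, _ in events:
        days[ts[:10]].add(ip)
    return {day: len(ips) for day, ips in sorted(days.items())}


def model_share(events) -> dict:
    """Percentage of beacons per device model (the 'share of traffic' figure)."""
    counts = Counter(model for _, _, model in events)
    total = sum(counts.values())
    return {m: round(100.0 * c / total, 1) for m, c in counts.most_common()}


def persistent_ips(events, min_days: int = 2) -> list:
    """IPs seen on at least min_days distinct days: devices that keep calling home."""
    seen = defaultdict(set)
    for ts, ip, _ in events:
        seen[ip].add(ts[:10])
    return sorted(ip for ip, days in seen.items() if len(days) >= min_days)


def summarise(text: str = SAMPLE_LOG) -> dict:
    events = parse_log(text)
    return {
        "domain": SINKHOLED_DOMAIN,
        "ips_per_day": unique_ips_per_day(events),
        "model_share_pct": model_share(events),
        "persistent_ips": persistent_ips(events),
    }


if __name__ == "__main__":
    print(summarise())
```

Counting distinct IPs rather than raw hits avoids inflating the estimate with devices that beacon several times a day, and the persistent-IP list is what separates an installed backdoor from a one-off lookup; both are the checks to apply before quoting an infection count from sinkhole data.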
How Can Netizen Help?
Netizen ensures that security gets built in and not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.