Dear Visitor,

Our system has found that you are using an ad-blocking browser add-on.

We just wanted to let you know that our site content is, of course, available to you absolutely free of charge.

Our ads are the only way we have to be able to bring you the latest high-quality content, which is written by professional journalists, with the help of editors, graphic designers, and our site production and I.T. staff, as well as many other talented people who work around the clock for this site.

So, we ask you to add this site to your Ad Blocker’s "white list" or to simply disable your Ad Blocker while visiting this site.

Continue on this site freely
  HOME     MENU     SEARCH     NEWSLETTER    
THE ENTERPRISE SECURITY SUPERSITE. UPDATED 10 MINUTES AGO.
You are here: Home / Network Security / Malware in Britney Spears' Instagram
Malware Hiding in Britney Spears' Instagram and Where Else?
Malware Hiding in Britney Spears' Instagram and Where Else?
By Jef Cozza / Enterprise Security Today Like this on Facebook Tweet this Link thison Linkedin Link this on Google Plus
PUBLISHED:
JUNE
09
2017
The Turla hacker group is up to its old tricks, but with an interesting new twist. Now, the group is using Britney Spears' Instagram account to cover its tracks.

The new tactic could make it more difficult for organizations to defend themselves against such attacks and for investigators to collect evidence after the fact.

Watering Hole Attack

The Turla group has been around for years, using a collection of hacking tools that are thought to have been developed by Russian intelligence agencies. The group mostly focuses on attacking governments, government officials, and diplomats, often using a technique known as a "watering hole" attack.

In a watering hole attack, the hacker doesn't attack the primary target directly. Instead, the technique relies on compromising a Web site that the target is likely to visit, similar to the way a lion might stalk a watering hole waiting for its prey to arrive. Turla is primarily interested in staking out embassy Web sites to trap its targets.

Once the intended victim accesses the compromised Web site, the hacker then attempts to redirect the individual to the hacker’s own command and control (C&C) infrastructure.

Turla has been doing this by inserting a snippet of JavaScript code into the watering hole Web site. Now, however, the group is using a technique that masks what the code is doing by making it appear as though the code is part of a legitimate service, such as Clicky, which provides real-time Web analytics.

But instead of accessing the tool mentioned in the code, it redirects the user to a C&C server, which then installs a fingerprinting script on the victim’s machine. A fingerprinting script is used to gather system information and send it back to the attacker’s C&C. It may also install a "super cookie" on the victim's machine to continue gathering information on the user's activities.

Turla Hits Firefox One More Time

The technique is being monitored by ESET, a software security company. ESET said in one of the examples of the watering hole attack that it was monitoring, researchers discovered that Turla appeared to have updated an old Firefox extension it had used previously to attack its victims.

The extension connects to its C&C using a bit.ly URL. However, the URL for the C&C is not included anywhere in the extension itself. Instead, the extension is designed to look at an Instagram post. In the example reviewed by ESET, the extension visited a post on Britney Spears’ official Instagram account.

Once it accesses the account, it scans through the comments on the post, looking for a specific comment that contains a bit.ly URL hidden within it. Once the URL is decoded, it takes the extension to a compromised server that Turla is known to use as a C&C.

ESET said the link it investigated has so far only been accessed a few times, leading the company to believe that the current attack is only a test run for something Turla has planned for later.

Image credit: iStock.

Tell Us What You Think
Comment:

Name:

Like Us on FacebookFollow Us on Twitter
MORE IN NETWORK SECURITY
ENTERPRISE SECURITY TODAY
NEWSFACTOR NETWORK SITES
NEWSFACTOR SERVICES
© Copyright 2017 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.