That is a new one: Iranian hackers pose as a modeling agency in an attempt to steal user data
- Unit 42 found a website that spoofs a well-known German modeling agency
- The site carries obfuscated JavaScript that exfiltrates system information
- In future it could host malware or steal login credentials
Iranian hackers have posed as a German modeling agency in an attempt to collect more information about their targets' devices.
This is according to a new report from Unit 42, the threat research arm of Palo Alto Networks, which also notes that the campaign's full functionality, including malware delivery or credential harvesting, has not yet been put into action.
Unit 42 says that while monitoring infrastructure it assesses is likely linked to Iranian threat actors, the researchers found the domain megamodelstudio[.]com. After digging into the site, they determined that it was a spoofed version of megamodelagency.com, a legitimate modeling agency based in Hamburg, Germany.
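The spoofed domain keeps the brand's leading characters ("megamodel") and swaps the descriptive tail. The script below is an added example, not Unit 42's tooling, of how a defender can screen domains seen in DNS or proxy logs against a brand domain; only megamodelagency.com and megamodelstudio[.]com come from the report, the other candidates and the thresholds PREFIX_FLAG and EDIT_FLAG are constructed.

```python
"""Flag domains that imitate a known brand domain (added example, not Unit 42's code)."""

PREFIX_FLAG = 8   # shared leading characters that make a label suspicious (assumed threshold)
EDIT_FLAG = 2     # edit distance that marks a classic typosquat (assumed threshold)


def normalize(domain: str) -> str:
    """Lower-case and un-defang ('example[.]com' -> 'example.com')."""
    return domain.lower().replace("[.]", ".").strip(".")


def label(host: str) -> str:
    """Registrable label, assuming a single-label public suffix such as .com or .de.
    No public-suffix list is used, so 'example.co.uk' would wrongly yield 'co'."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    """Edit distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def common_prefix_len(a: str, b: str) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def lookalike_score(brand: str, candidate: str) -> dict:
    """Compare one candidate against the brand and explain why it is (not) flagged."""
    b_host, c_host = normalize(brand), normalize(candidate)
    if b_host == c_host:
        return {"candidate": c_host, "flagged": False, "reason": "brand domain itself"}
    b, c = label(b_host), label(c_host)
    prefix = common_prefix_len(b, c)
    dist = levenshtein(b, c)
    if b == c:
        reason = "same label under a different suffix"
    elif prefix >= PREFIX_FLAG:
        reason = f"shares leading {prefix} chars '{b[:prefix]}'"
    elif dist <= EDIT_FLAG:
        reason = f"edit distance {dist} from '{b}'"
    else:
        reason = ""
    return {"candidate": c_host, "label": c, "prefix": prefix, "distance": dist,
            "flagged": bool(reason), "reason": reason}


def flag_lookalikes(brand: str, candidates) -> list:
    return [r for r in (lookalike_score(brand, c) for c in candidates) if r["flagged"]]


BRAND = "megamodelagency.com"
OBSERVED = [                      # constructed sample of domains seen in logs
    "megamodelagency.com",
    "MegaModelstudio[.]com",       # defanged, as written in the report
    "megamodelagemcy.com",
    "megamodelagency.net",
    "modelagencyhamburg.de",
    "example.com",
]

if __name__ == "__main__":
    for r in flag_lookalikes(BRAND, OBSERVED):
        print(f"{r['candidate']:28} {r['reason']}")
```

The prefix rule is what catches this case: "megamodelstudio" is six edits away from "megamodelagency", far beyond any typosquat threshold, but the nine shared leading characters are exactly what makes a visitor read it as the same brand.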
Selective targeting
The two websites look almost identical, but there are a few important differences. The malicious one, for example, carries obfuscated JavaScript designed to record detailed visitor information.
Unit 42 says the script collects the browser's languages and plug-ins, screen resolution and timestamps, which let the attackers track a visitor's location and environment.
The script also reveals the user's local and public IP addresses, uses canvas fingerprinting, and uses SHA-256 to produce a unique device hash. Finally, it structures the collected data as JSON and delivers it to the endpoint /advertisements/track via a POST request.
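The indicators above (canvas use, browser and screen probes, a SHA-256 device hash, a JSON POST to an advertising-looking path) are each harmless on their own and only meaningful in combination. The scanner below is an added example, not Unit 42's analysis tooling: it runs regex indicator families over page JavaScript and reports the collection endpoint. Both script bodies are constructed fragments, the first imitating the indicators the report lists, the second ordinary site code used as a control; the family names and the "suspicious" rule are assumptions.

```python
"""Heuristic scan of page JavaScript for fingerprint-and-collect behaviour (added example)."""
import re

# Indicator families -> regex over the (deobfuscated) script source.
INDICATORS = {
    # getContext('2d') alone is common on legitimate sites; toDataURL() is the stronger signal.
    "canvas_fingerprint": re.compile(r"getContext\(\s*['\"]2d['\"]\s*\)|\.toDataURL\("),
    "environment_probe": re.compile(
        r"navigator\.(plugins|languages?)|screen\.(width|height|colorDepth)|getTimezoneOffset\(|Date\.now\("),
    "device_hash": re.compile(r"crypto\.subtle\.digest\(\s*['\"]SHA-256['\"]|\bsha256\b", re.I),
    "webrtc_ip": re.compile(r"RTCPeerConnection"),
    "exfil_post": re.compile(
        r"fetch\([^)]*method\s*:\s*['\"]POST|\.open\(\s*['\"]POST|navigator\.sendBeacon\(", re.I),
}
# First argument of fetch()/sendBeacon(), or the URL argument of XMLHttpRequest.open().
ENDPOINT_RX = re.compile(
    r"(?:fetch|sendBeacon)\(\s*['\"]([^'\"]+)['\"]|\.open\(\s*['\"]\w+['\"]\s*,\s*['\"]([^'\"]+)['\"]")


def endpoints(src: str) -> list:
    return [m.group(1) or m.group(2) for m in ENDPOINT_RX.finditer(src)]


def scan_script(src: str) -> dict:
    """Return matched indicator families, the literal matches, endpoints and a verdict."""
    hits = {name: sorted({m.group(0) for m in rx.finditer(src)}) for name, rx in INDICATORS.items()}
    families = [name for name, found in hits.items() if found]
    # Telemetry becomes suspicious when an identity-grade signal (canvas or hashing)
    # is combined with an outbound POST and at least one further probe family.
    suspicious = bool("exfil_post" in families
                      and {"canvas_fingerprint", "device_hash"} & set(families)
                      and len(families) >= 3)
    return {"families": families, "hits": hits, "endpoints": endpoints(src), "suspicious": suspicious}


# Constructed fragments imitating the indicators the report describes (not the real script).
SUSPECT_SCRIPT = r"""
var g = document.createElement('canvas').getContext('2d'); g.fillText('mm', 2, 2);
var info = { lang: navigator.language, plugins: navigator.plugins.length,
             screen: screen.width + 'x' + screen.height, ts: Date.now() };
crypto.subtle.digest('SHA-256', buf).then(done);
fetch('/advertisements/track', { method: 'POST', body: JSON.stringify(info) });
"""

# Constructed control: ordinary site code with a GET fetch and no probes.
BENIGN_SCRIPT = r"""
document.querySelector('#menu').addEventListener('click', function () { this.classList.toggle('open'); });
fetch('/api/models?page=2').then(function (r) { return r.json(); }).then(render);
"""

if __name__ == "__main__":
    for name, src in (("suspect", SUSPECT_SCRIPT), ("benign", BENIGN_SCRIPT)):
        result = scan_script(src)
        print(f"{name}: suspicious={result['suspicious']} families={result['families']} "
              f"endpoints={result['endpoints']}")
```

The endpoint report is what ties this to the network side: a POST of JSON to a path like /advertisements/track that leaves the page before any ad is rendered is the artifact a proxy or CSP violation report will show, and is a cheap pivot for hunting the same collector on other lookalike sites.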
“The likely purpose of the code is to enable selective targeting by determining sufficient device- and network-specific details about visitors,” Unit 42 said.
“This naming convention suggests an attempt to disguise the collection as benign advertising traffic rather than the storing and processing of potential targets' fingerprints.”
Another important difference is that one of the profile pages of the various models is fake. That page is currently not operational, but Unit 42 speculates that it could be used in future for more destructive attacks, dropping malware or stealing login credentials.
The researchers concluded “with high confidence” that Iranian actors are behind the attack. They are somewhat less confident about the exact group and speculate that it may be the work of Agent Serpens, also known as Charming Kitten or APT35.