Event background Recently, the slow fog security team and the team found an attack method of fishing by advertising, and then the slow fog security team and the team conducted an in-depth analysis of the attack method. According to the team's description, the team did not buy any advertisements, but this fake advertisement jumped to the real official website Murphy fishing gang to spend money to promote the real wallet. From the search keywords, the top two search results are all fishing advertisements, but the link of the first advertisement is abnormal, and it shows that it is obviously an official. Why do phishing gangs do this? Through tracking, it is found that phishing advertisements sometimes jump to the real official address, but after changing agents to different regions for many times, they will jump to the phishing address, and the phishing address will be updated and changed. At the time of writing this article, the link jumps to the phishing address. Technical analysis, let's first talk about what a status code represents temporary redirection. When the server receives the request from the client, it will temporarily transfer the requested resources to another location if necessary. At the same time, the return status code contains a field in the response header to indicate the new location to which the client should redirect. This redirection is temporary. After analysis, it is found that the link of the phishing advertisement will go through many jumps, as shown in the figure below. When using the command to request the link, it will jump to the phishing address for the first time. However, there are two situations when we use the command to request the above address, it will jump to the real official address, but when we use the command to simulate a normal browser to request the above address. In the case of address, it will jump to a new address with the request header and other fields, so it can be seen that the phishing link will make a judgment when it jumps for the second time. When it detects the request of an abnormal browser, it will be redirected to the official address, and when it detects the request behavior of a normal browser and the area is reasonable, it will be redirected to the phishing address. We tracked and found the phishing address that jumped for the last time. In order to open the phishing link, we found that this phishing page almost cloned most of the contents of the real official website webpage. Following the jump, we found that the following phishing link addresses were queried by the threat intelligence platform and these two phishing domain names, and their registration time was found in the year and month. Trojan horse analysis and code inspection found that the attacker used Russian phishing deployment background program and used the virtual host management panel developed by the host vendor in Russian-speaking areas. Then, the source code of the phishing webpage was reviewed and it was found that clicking to download the desktop version would conduct a client check, and if the current environment was found to be a computer, it would jump to download. The address can be found that the storage space occupied by the Trojan is very small. Only by uploading the Trojan to the online threat analysis website for analysis, it is found that the Trojan sample has been analyzed and recognized as a Trojan backdoor program by several anti-virus engines days before the writing of this article. The technology behind fishing can be seen from advertising to phishing website production to Trojan fishing gang production. What people can't understand is why the advertising information searched by Google shows the official address. Why did the following jump analysis find that the key operation is that the phishing gang used its own short link service to cheat Google's display? In order to make this process more clear, we need to understand the advertising delivery mechanism first. As long as we have a Google account, we can log in to Google's advertising management site for promotion settings. First, we need to create a new target on the advertising management site, and set the advertising price and delivery times information for the advertising series with the website traffic type as search. Choosing the region and language of advertising also explains why searching for keywords in different regions or different language environments does not necessarily lead to advertisements. The key step is to set up a tracking template, which is an advanced function to allow third parties to track advertising links. We noticed that the first jump link domain name used in phishing pages is actually a short url service of Google, which allows binding any redirection address to a subdomain, because third parties track links. What is needed is an address that has been authenticated by Google, but it happens to be Google's own domain name, so the phishing gang bypasses this restriction. After the advertisement is put out, Google will not check whether the jumped link has changed in real time, nor will it modify the advertisement information in real time. Therefore, the phishing gang will modify and redirect to the phishing website after the advertisement is put in for a period of time. Similar phishing routines also appear on various chat software. Take this chat software as an example. When chatting, a link is sent and the background will grab the linked domain name. The title and icon are previewed. This picture is only for demonstration. However, when grabbing the preview information, it does not prevent jumping. Therefore, if the user only judges according to the information on the page and then clicks on the link, he may jump to the preset fishing address to summarize. Please identify the official address of the wallet and do not trust the advertising address displayed in any search results. If you are unfortunately recruited, please transfer the wallet funds at the first time and conduct a comprehensive anti-virus investigation on the personal computer. Usually, you should keep a copy of the safety knowledge that is suspicious before clicking on the website link. It is recommended to read the blockchain dark forest self-help manual produced by the slow fog security team 比特币今日价格行情网_okx交易所app_永续合约_比特币怎么买卖交易_虚拟币交易所平台

注册有任何问题请添加 微信：MVIP619 拉你进入群

文章转载注明 网址：https://netpsp.com/?id=60213