Research Saturday 6.8.24
Ep 333 | 6.8.24

Riding the hype for new Arc browser.

Transcript

David Bittner: Hello everyone and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. [ Music ]

Jérôme Segura: I'm keeping my eye on, in particular, what's trending through Google searches, and I noticed, I actually have not heard of the Arc Browser before, although I know it's been available for the Mac for almost a year, I think. So this is kind of how I came across it, and I thought it was interesting to see that threat actors were, you know, hijacking that brand pretty quickly.

David Bittner: That's Jérôme Segura, Senior Director of Threat Intelligence at Malwarebytes. The research we're discussing today is titled "Threat Actors Ride the Hype for Newly Released Arc Browser." [ Music ] Well, I mean, let's walk through it here together. I mean, suppose I'm a Windows user, and I decide that the Arc Browser is something that I want to check out and I go online to search for it. What might happen?

Jérôme Segura: So, yeah, most people are going to look, do a search, probably in Google being the most popular search engine. So you go to Google, you search for Arc Browser. And, you know, depending on your location and other factors, you may or may not see one or multiple ads. But, you know, in this case, I was able to reproduce this attack time and time again. So I think it was pretty widespread. So as a user, what you'll see is the search results. At the top, you'll see something called sponsored, which means it's an ad. It's a result that was paid for by an advertiser, and those usually appear before the organic search results. By organic, we mean those websites that have been crawled and indexed by Google. So, yeah, the ad appears at the top, and the ad could be from any advertiser out there. Most other times we see -- actually, it's funny because a lot of the time when users will do a search for a browser, they'll see a competitor in an ad. So if you go to Bing, for example, you search for Chrome, you're going to see an ad for Edge, and if you go to Google, you search for a browser other than Chrome, you might see an ad for Chrome. But what, you know, in this case, so you look for the Arc Browser, and the ad that was shown, and there are several variations of that ad, looked entirely legitimate. By that, I mean, you're looking at a couple of indicators. One is the logo, so the logo in the ad actually matches the brand for Arc. And then you look, perhaps the more important one, you look at the URL that's shown on the ad, and it is arc.net, which happens to be the official website for Arc Browser.

David Bittner: Wow. All right. So I see this ad, and I'm trying to be careful. So I'm checking for that URL, and that seems legit to me. And I think to myself, okay, well, this is it. I click through. What happens next?

Jérôme Segura: So when you click on the ad, you know, I mean, the majority of users will not see what happens behind the scenes. But what's happening is a series of redirects. So the click on the ad URL itself will send you to another URL that will check for a few things. Most of the time, what we see is threat actors, like legitimate advertisers, will use click tracking services. So these are marketing tools that, you know, the goal is to collect analytics on clicks, but also to make sure that the clicks are from real people. So anything like a bot or a crawler will be discarded. So the bad actors will use those, you know, generally to actually avoid crawlers like Google, which is kind of smart. But if you are a legitimate user, it proceeds with the chain of redirects, and eventually, what you see on your screen is the homepage for Arc, which is pretty much a replica of the official one. In this case, the domain name was different, though. So if you did pay attention to your URL in the browser, you will see a very small difference in the domain name, but it's subtle enough that you may actually not notice it. This is a type of attack that we call typosquatting. So you change a letter in the domain name, or maybe if it contains an I, you use an L, something that looks similar. And so, yeah, you have that page, and you have the big download button. And that's where most people are going to click on to install what they think is the Arc Browser, but it's actually not.

David Bittner: And looking through your research here, I mean, these typosquatted pages, I mean, they look like the real thing. There's nothing that jumps out at me that there'd be anything amiss here.

Jérôme Segura: Exactly. And, you know, I think it's -- attackers have been creative over the years. I've seen attacks that were really clever, actually, where they use something we call international domain names. So think about the fonts that you can use, and certain fonts for different alphabets have special characters. And so an A from the English alphabet is an A, but maybe in Cyrillic, an A with a little dot on it has a different meaning, but visually it will look the same. So they can use certain things like that, which, again, makes it very difficult for users to spot. And I think also, you know, one piece of advice that has been given over the years, over and over again, which I think we need to kind of debunk now, is that if there's a padlock or if it's HTTPS, that means it's secure. Well, the site is secure, all right. I mean, the connection is secure, but you are on a malicious site. So it's malicious and secure at the same time, but it has nothing to do with the site being legitimate or not.

David Bittner: Right. Everything between you and the bad guys is properly encrypted.

Jérôme Segura: Exactly.

David Bittner: Yeah. So I go ahead, and I click this download button. Where does that leave me next?

Jérôme Segura: So it will download an installer on your machine in the Downloads folder. You know, the installer, people will run the installer. It has a nice little trick where it will actually retrieve the real installer from Arc Browser while also loading malicious code. So the victim actually will get the impression that they are installing the proper program, but there is something more nefarious that's happening in the background. And you're not really seeing anything. It's very well done. And it happens, you know, the payload will be downloaded from a remote website, and then I describe in the research, you know, a bit more information about the payload and actually seen a few variations as well. But it's a payload that, you know, very similar to what we've seen for a long time, which is a type of stealer. So something that will, you know, rob all your credentials, anything that's on your machine, like cookies from your browsers and things like that.

David Bittner: How stealthy are they trying to be here, you know, when they're loading the legit browser, but then also their own info stealer behind the scenes? Are they being intentional about trying to avoid things like antivirus?

Jérôme Segura: Yeah, they usually are, and I think the way that, you know, that installer itself, what we've seen time and time again is they use digital signatures. So they sign a file with a legitimate or rather valid signature from one of the certification authorities, which means that the file will be trusted by the operating system. It doesn't mean that the file is clean. It's just because it has a certificate, it is trusted. And unfortunately, it's not that hard for malicious actors to sign their malware binaries with, you know, certificates. They can do that either by stealing the account of a legitimate developer or simply creating a new account with a fake identity and then signing those files. So, you know, the chances of the file being undetected are pretty high, especially when the attack has just happened, you know, in the next few hours. And then what we see typically is at some point, security products will start, you know, picking up the detection. But by then, you know, probably hundreds of people have already been infected. [ Music ]

David Bittner: We'll be right back. [ Music ] Help me understand an element of this here. Going back to the initial ad that runs on Google, the fact that that ad has the actual URL for the legitimate Arc web browser. Is that just a matter that the bad guys can put in whatever they want into that particular field?

Jérôme Segura: Yes, that's actually, for me, it's one of the most interesting things and perhaps one area where Google could do better, and I've researched it a little bit, you know, how is this possible? Research it to the point where, you know, I tried to reproduce it myself. Essentially, you create an account with, you know, your AdSense, Google AdSense, and then there's a couple of fields that you have to fill in. One of them is what they call the display URL. So the display URL is what you see on the ad, and that display URL can be anything, but there is a condition where if you're going to use a display URL, so for example, here, Arc.net, what Google calls the final URL, which is what happens after you click on the ad, they must match, they must have the same domain, otherwise Google will not allow you to do that. So based on that, you're like, okay, how, if I want to impersonate a brand, I have to use the same final URL as the one that's displayed to users. So how can I sort of, you know, reroute traffic in a way that, you know, Google will not see?

David Bittner: Right.

Jérôme Segura: And there is yet another feature part of Google Ads, which is called a tracking template, and this is what I was mentioning earlier. It's essentially marketing analytics. So you are allowed to use tracking templates where right after somebody clicks on the ad, they will be redirected to that service. And there's dozens and dozens of companies that provide this kind of service, you know, and the majority of these companies are legitimate. They just, you know, they provide you click data, where your users are from, you know, they're able to detect bot traffic, VPNs, things like that. So it's a legit service. But there is a feature in that service that allows you to then choose where you're sending users next. And that's where the malicious action happens is threat actors essentially will point the analytics URL to another domain, that domain they control. And usually they're smart enough not to make that domain malicious yet. It's just a sort of intermediary, but they control that domain. Both Google and the tracking analytics service, actually Google has already lost visibility. The tracking service only sees that next domain, and then what happens is the attacker from that domain can then place another redirect, which this time will be to their malicious web page. So I know it's hard to describe it with words, but essentially, to kind of summarize it, when you click on the ad, you will never reach your final destination. You will never reach the legitimate website thanks to a tracking template that is able to reroute traffic, and Google actually supports this as a full feature, and it's being abused extensively, and I think that's a huge problem. And for me, the biggest problem, I guess, is because of this feature, anybody, including myself, you, can create an ad for a brand or popular brand and get away with it, even though you don't actually own the brand. And that's just, you know, for users, that's just really, really misleading. You know, if the ad was for the same Arc Browser ad but had a completely different URL that was not the legitimate website, I would say, okay, you know, Google let an ad slip through that was malicious, but at least, you know, the URL that users see is not the official one. But in all these cases, it is the official URL. So really, there is no chance for users to not fall for it.

David Bittner: Wow. It's really frustrating, isn't it? I mean, it makes me wonder how much of this kind of falls on Google's responsibility here to do a better job. And I know, you know, a company of their size will say, well, this is hard to handle at scale, and I get that. But then maybe you shouldn't do this at scale, right?

Jérôme Segura: Well, yeah, I think, you know, I've reported hundreds of malicious ads over the past few years, and I guess the thing that I'm always surprised is how -- and it's not just me, I think it's really anybody could, if you know what you're looking for, you could just go out there, do a search, and have a very high chance of finding a malicious ad. In fact, somebody earlier was messaging me about an application thinking, I think they were seeing some of their customers that had downloaded a malicious installer for that application, and they believed that it was from an ad. And I looked at the name of the application, which actually was a new one for me. I went on Google. I did a search. The first search, the first try, top result, sponsored malicious ad. So that to me, you know, if it's that easy to find, and Google is not, you know, identifying those, we have a problem.

David Bittner: Yeah.

Jérôme Segura: Right?

David Bittner: Sure. Yeah. Well, what are your recommendations here? I mean, let's suppose I'm somebody who's, you know, leading an organization when it comes to security. How do I put the word out to the folks in my organization to best protect themselves against this sort of thing?

Jérôme Segura: Well, there's different mitigation strategies you can do. I think one of them is looking at the behavior for your users. Do you really want your users to be Googling software to download on their, you know, work machines? Probably not. You know, not just because of potential malicious ads, but also there's other dangers. There's a lot of sites that rank high in the search results page using things like SEO poisoning attacks. And there's a bunch of, you know, affiliates and other, there's just so many potentially dangerous, you know, avenues to go through that way. So my recommendation is that you provide your users a safe repository of the apps that they will need. So things like Zoom, WebEx, Notepad, you know, all of that kept up to date in a repo so that users don't have to go and search for them. So that's number one, and number two is, you know, look at your risk surface. I guess the level of risk with malicious ads, you know, in general, not just related to software downloads. Is there a way that you can mitigate those? So, you know, for home users, typically we think of -- we have ad blockers, things like, you know, browser extensions that we can use. In the enterprise world, it's a little bit different. I don't think the adoption of ad blockers is the same, and it may not be the ideal solution either because you're trusting, you know, an extension that could be compromised. So, you know, if you're running a large network of, you know, endpoints, you may not want to install just any extension. So there are other solutions that you can do. For example, use DNS filtering. That also has the benefit of not having to install anything in the browser, so on each endpoint. And I think that's a pretty powerful solution if you, because most companies already have some kind of DNS filtering. If you add domains that are serving ads, you know, whether it's Google or Bing or, you know, what have you, you can really cut on a number of attacks doing that blocking just through network traffic. [ Music ]

David Bittner: Our thanks to Jérôme Segura, Senior Director of Threat Intelligence at Malwarebytes for joining us. The research is titled "Threat Actors Ride the Hype for Newly Released Arc Browser." We'll have a link in the show notes. [ Music ] And that's Research Saturday, brought to you by N2K CyberWire. Our thanks to Jérôme Segura from Malwarebytes for joining us. The research is titled "Threat Actors Ride the Hype for Newly Released Arc Browser." We'll have a link in the show notes. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your team smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Tre Hester. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]