Indelible discovers new malfeasant push notification rapidly growing

Jan. 15, 2021
PushBug bypasses many security controls missed by typical detective and preventive measures

Portland, OR - January 13, 2021 - Indelible LLC, a leading cybersecurity firm helping clients solve some of the most complex IT security challenges, announced the company has gathered significant information on a malfeasant push notification campaign operating across more than 100 domains. The “PushBug” campaign is a highly resilient operation, spread across numerous domains and installing browser-based activity that is difficult to detect.

Users browsing certain websites including “free” movie websites, get presented with a message to “Allow” notifications from the website to view the content, however that is not what happens on the system. Once the user clicks “Allow” the website installs a service worker in the user’s browser which begins to interact with malfeasant domains involved in tracking user activity and giving the malfeasant operators the ability to create social engineering pop-up notification attacks at will. For more information, please download PushBug: Uncovering a Large Scale RFC 8030 API Abuse Campaign at https://bit.ly/2Xy4FgT.

Detection to date has been most fruitful from Threat Hunting by the Indelible mSOC™ (Managed Security Operations Center) team, recognizing suspicious activity using human and machine learning techniques. Indelible has collected enough tracking and telemetry evidence to be concerned that systems impacted by PushBug can be identified through their external IP, unique identifiers, and user agents. 

In investigating this activity, new forensic techniques were developed by the Indelible mSOC™ team. “While we have some of the most accomplished and experienced individuals in the cybersecurity field, once this was detected we were unified in our desire to solve this— a real credit to the collaboration of our team,” said David Bell, Senior Vice President of Business Development.

In addition, the research shows that the operation is growing in size, designed to thwart blocking of domain names, and remains undetected through legitimate RFC/API abuse. The notifications pushed to a user’s browser include fake antivirus infection messages, dating notices, uranium investment notices, and links that contain multiple redirectors. 

“The potential for using this technique for purposes beyond what is happening now presents a level of risk for further social engineering,” said Frank Angiolelli, Vice President of Security at Indelible. “To date, Google’s Chrome appears to be the only browser impacted, where the preferences file is modified to include new entries. We have notified Google and their response has been to take our report seriously and investigate.”

About Indelible 

Indelible LLC provides advanced cybersecurity services to both advise on, and directly manage security posture and active cyber threats. Combining strategic and tactical guidance on capability and program alongside a highly competitive Cyber Incident Response (IR) offering, Indelible can help with asserting control over the impact of a cyber incident or raise the chances of avoiding a high-impact incident altogether. For more information about Indelible and its products visit: www.Indelible.global.