Topic: Web skimming malware not detected by Avast


Mr. Consumer
Web skimming malware not detected by Avast
« on: June 01, 2022, 11:35:45 AM »
Here are a couple of web skimming malware samples that are not detected by Avast at the moment. I don't have the samples, so I can only give the VT links:

https://www.virustotal.com/gui/file/b397e7ad2d00dcef4cf4ba5df363684b1fefcc64c23ab110032a7b2ebb77ab4a
https://www.virustotal.com/gui/file/88e9d5eddd24546ab78ce8db1eb474a20b9694f52d4c7ad976fbfa683b7ce635

Full details about how it works can be found in this Microsoft blog post:
https://www.microsoft.com/security/blog/2022/05/23/beneath-the-surface-uncovering-the-shift-in-web-skimming/

polonus
Re: Web skimming malware not detected by Avast
« Reply #1 on: June 01, 2022, 01:13:45 PM »
Thanks for reporting; abuse at normally whitelisted places may go under the radar or could be missed.

See where this abuse may stem from - https://www.abuseipdb.com/check/17.253.144.10
and also mentioned is this IP: https://www.abuseipdb.com/check/72.21.91.29

So abuse is taking place at Apple Inc. and Verizon Business (whitelisted as such);
these same entities sometimes also provide cloud servers and mail services,
which are easily abused.

Pay special attention when trusting or distrusting these IPs.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Mr. Consumer
Re: Web skimming malware not detected by Avast
« Reply #2 on: June 03, 2022, 03:16:39 PM »
Good find. But sadly no detection from Avast yet. They probably didn't check out this thread  :-\

Asyn
Re: Web skimming malware not detected by Avast
« Reply #3 on: June 03, 2022, 03:52:22 PM »
Hi, you can report a suspicious/malicious sample (File/Website) here: https://www.avast.com/report-malicious-file.php
W8.1 [x64] - Avast PremSec 22.7.7366.BC [UI.713] - Firefox ESR 91.11 [NS/uBO/PB] - Thunderbird 91.11
Avast-Tools: Secure Browser 103.0 - Cleanup 22.2 - SecureLine 5.18 - DriverUpdater 22.2 - CCleaner 6.01
Avast worth knowing (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

Mr. Consumer
Re: Web skimming malware not detected by Avast
« Reply #4 on: June 03, 2022, 04:49:01 PM »
As I wrote in my post, I can't, I don't have the files. I sent Bitdefender only VT link for one of these samples, and they added detection. Malware analysts have access to premium VT accounts, which gives them the ability to download malware from VT. The same should apply to Avast's malware analysts also, I assume. That's why I shared the VT links here.

Asyn
Re: Web skimming malware not detected by Avast
« Reply #5 on: June 03, 2022, 04:52:36 PM »
If you don't have a sample at hand, report the VT link(s); that should work.

Mr. Consumer
Re: Web skimming malware not detected by Avast
« Reply #6 on: June 03, 2022, 05:13:20 PM »
You mean I should submit the VT link as malicious website here? Check the screenshot.

Asyn
Re: Web skimming malware not detected by Avast
« Reply #7 on: June 03, 2022, 05:57:17 PM »
Yep.

polonus
Re: Web skimming malware not detected by Avast
« Reply #8 on: June 03, 2022, 10:43:20 PM »
Some associated third-party marketing solution may have endured a data breach of sorts over time,
whose data may then have been abused, resulting in this kind of malware.

An unrelated example: https://maltiverse.com/hostname/cs9.wac.phicdn.net

As some can be further classified as FPs, one should wait for a genuine verdict from the Avast team,
as they decide what their detection database will consist of.

Cloud bases may complicate matters here. Ad-tracking blocking and script blocking may protect the end user.

polonus