Browser notifications abused to spread malicious links

Attackers are leveraging browser notifications to distribute malicious links via a new cybercrime service called Matrix Push C2, BlackFog reported Thursday.

Browser notifications appear on the user’s desktop and can be disguised as system notifications or alerts from other legitimate sites or programs. The Matrix Push C2 framework provides users with a dashboard to easily spoof these notifications, including templates to impersonate companies like Cloudflare or PayPal.

The attacker would first need to gain permission to send push notifications through social engineering, after which they can send notifications that may contain links to phishing or malware sites.

For example, the attacker could send a notification appearing to come from Google Chrome, claiming an update is required to avoid data loss; the notification could then redirect the victim to a site where a trojanized version of Chrome is installed, BlackFog noted.

The Matrix Push C2 dashboard allows users to control the content of the notifications, including logos, text and links, and to send notifications at will to any users who have granted permission, similar to a “marketing automation dashboard, but for malicious campaigns,” BlackFog said.

Attackers can use the dashboard to track their victims, see details such as browser version and online status, and see which victims have clicked on push notification campaigns. BlackFog describes the tactic as a "fileless" way to monitor and manage interactions with targets.
Other features of the service include analytics, such as delivery success rate, a link-shortening service and the ability to track other collected victim details such as geographic location, system information and cryptocurrency wallets used.

Because the push notification system is browser-based, it can be used to reach users regardless of operating system and bypasses other communication channels, such as email, where malicious links and phishing messages are more likely to be blocked.

The ability to collect basic browser telemetry through push notification permissions can also enhance the success of attack campaigns, as attackers may be able to determine when victims are online and more likely to click.

While users should exercise caution when granting notification permissions to websites, organizations should also protect their systems in case of a compromise, such as by detecting and blocking suspicious outbound traffic, BlackFog said.
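The permission grant described above is the step an administrator can take out of the user's hands. As an added illustration that is not part of BlackFog's report or this article, the following Chrome/Chromium managed-policy file blocks notification permission for every site by default and allows it only for a short allowlist of origins, so a lure page never gets the chance to ask. `DefaultNotificationsSetting` (1 = allow, 2 = block, 3 = ask), `NotificationsAllowedForUrls` and `NotificationsBlockedForUrls` are real Chrome policy names; the example.com and example-untrusted.test origins are placeholders to be replaced with an organization's own.

```json
{
  "DefaultNotificationsSetting": 2,
  "NotificationsAllowedForUrls": [
    "https://mail.example.com",
    "https://chat.example.com"
  ],
  "NotificationsBlockedForUrls": [
    "https://[*.]example-untrusted.test"
  ]
}
```

On Linux this file is placed in /etc/opt/chrome/policies/managed/ (for Chromium, /etc/chromium/policies/managed/); on Windows the same keys are written under HKLM\Software\Policies\Google\Chrome, and on any platform chrome://policy shows whether the policy loaded and which values are in force. Managed content-setting policies take precedence over per-site choices users have already made, so a grant that was socially engineered earlier is revoked as well. This addresses only the notification channel itself; the outbound-traffic monitoring mentioned above remains the backstop for links a user reaches by other means.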
