Ongoing massive phishing software attacks

Software supply chain attacks are a hot topic. We have previously warned about wire fraud scams and that those attacks are on the rise. Developers should be aware of recent massive phishing software attacks that target the security of open-source package repositories. Bleepingcoputer.com informs of one such attack that targeted NPM, PyPi, and NuGet implanting nearly 145k fake libraries. Codenotary Trustcenter and TrueSBOM are the answer.

Software supply chain attacks are a hot topic

Anatomy of this software supply chain attack

Hackers conducted an automated attack and uploaded the packages from accounts using a specific naming scheme and featuring similar descriptions. The libraries led to a cluster of 90 domains that hosted over 65,000 phishing pages.

The phishing campaign promotes fake apps, prize-winning surveys, and gift cards and sometimes takes victims to AliExpress via referral links. It was the analysts at Checkmarx and Illustria, who discovered the attack. They worked together to uncover and map the infection.

NuGet had the largest share of malicious package uploads (around 140k), while PyPI had 8k infections. Hackers uploaded the libraries in large quantities within a couple of days, which is a common sign of malicious activity. The URL to the phishing sites was implanted in the package description. The goal was to increase the SEO of the phishing sites through links from repositories.

These sites almost always request visitors to enter their email, username, and account passwords, which is where the phishing step takes place. The fake sites feature an element that resembles the promised free generator. When visitors try to use it, asking for “human verification”, it fails. This initiates a series of re-directions to legitimate e-commerce websites using affiliate links, which is how the threat actors generate revenue from the campaign.

The security researchers who discovered the campaign informed NuGet of the infection. In consequence, all packages have since been delisted. The threat actors used an automated method to upload a large number of libraries in such a short time. They could re-introduce the threat using new accounts and different package names at any time.

Is it so difficult to conduct an attack?

This attack isn’t the only one in recent times. TrendMicro notes a 600% increase in the number of attacks. Other reports find even over 700% increase.

It is worth remembering how easy it is to conduct such attacks. as a report on dependency confusion from an independent security software analyst shows. He has successfully exploited the supply chain of multiple companies by uploading malicious code to public code repositories. He uploaded “malicious” Node packages to the npm registry under unclaimed names, which would “phone home” from each computer. The code inside the packages collected basic information about machines and sent it back to the hacker via DNS exfiltration. The hacker targeted several companies, including PayPal, and was able to get bug bounties from some of them.

Solution for software supply chain attacks

In conclusion, software developers should be aware of such a hot topic as software supply chain attacks. The risk of phishing attacks through open-source package repositories. They need to take steps to protect themselves and their organizations. This includes being cautious when clicking on links, verifying the authenticity of websites and apps, and using strong, unique passwords for all accounts.

This type of supply chain attack highlights the need to ensure that their internal and external dependencies are secure. You can accomplish this by following the best software security practices outlined in frameworks such as SSDF. You can also gain ongoing visibility into components of your software using tools such as Trustcenter and TrueSBOM.

RELATED ARTICLES

Save energy without reducing VM performance in your VMware vSphere cluster
16 August 2022
Over the last couple of decades energy consumption went up massively in every data center and while the…
Dennis
Metrics & Logs support for IoT - Bringing Secure Monitoring and Logging to the Edge
7 July 2022
Simple uptime monitoring for Internet-of-Things (IoT) is well-known and requires knowing if the devices are up and running.…
Dennis
Monitoring Azure SQL Managed Instance with Opvizor Metrics & Logs
17 January 2022
When you have critical applications and business processes that rely on Azure resources, it's critical to keep an…
Dennis

White Paper — Registration

You will receive the research paper by mail.

Codenotary — Webinar

White Paper — Registration

Please let us know where we can send the whitepaper on Codenotary Trusted Software Supply Chain. 

Become a partner

Start Your Trial

Please enter contact information to receive an email with the virtual appliance download instructions.

Start Free Trial

Please enter contact information to receive an email with the free trial details.

Subscribe to our newsletter