image of breaking badness
Breaking Badness
Breaking Badness

Breaking Badness Cybersecurity Podcast - 186. While My Vidar Gently Weeps

Coming up this week on Breaking Badness: Spoof There It Is, A Pirate’s Life For Me, and Gold, Guidance, and Grievances.

Here are a few highlights from each article we discussed:

Spoof There It Is

  • We’re talking about a recent investigation we completed looking into spoofed domains targeting the American Girl Doll brand 
  • Why should brands be proactive in protecting their intellectual property (IP)?
    • Monitoring your intellectual property ensures you can ensure a market differentiation and maintain a competitive advantage
      • Helps attract investors and partners which can lead to international expansion 
    • This helps your company grow and foster new innovations without the fear of easy replication 
    • Helps reduce the chances of bad actors committing fraud or diverting revenue from their target 
    • Too many spoofed domains can erode trust 
  • What was found in this investigation?
    • Even before using any tools, the website itself gave some red flags
      • The website looked like the original American Girl website, but the logo was slightly older
      • There were minor misspellings, odd spacing, and there were mistakes like an ampersand code in the navigation bar 
      • From that alone, I personally wouldn’t feel comfortable giving this website any of my personal information 
      • The Risk Score of USGirlShop was 100, meaning that it has been blocklisted by a reputable block list, but it’s phishing and malware scores were concerning as well (48 and 67) 
      • The domain registration was out of China with a Create Date of August 12, 2022
        • As opposed to which is registered to American Girl, LLC with the US as the country of origin. Its Create Date is March 25, 1997, which makes sense 
      • The user who registered USGirlShop also has a few other potentially spoofed brands
        • Two shoe stores
        • Two women’s clothing boutiques 
      • The SSL certificate changed frequently
        • Changing it every three months would be more common
        • But in this instance, it would change about every other day 
        • Could be to avoid fingerprinting or maybe one registrar took the site down and they needed to move to another
        • Not indicative of anything by itself, but still odd
      • Finally, USGirlShop used Cloudflare for obfuscation from the beginning 
  • Why is this specifically important for the American Girl brand?
    • American Girl is owned by Mattel, which also owns Barbie 
    • Mattel is going to make more movies within their IP after the success of the Barbie movie
    • Kali’s hypothesis is that things like this will become more rampant as we get closer to the releases of those movies with people rekindling their interest in discontinued and hard-to-find merchandise

A Pirate’s Life For Me

  • Proofpoint identified multiple YouTube channels distributing malware by promoting cracked and pirated video games and related content
  • This bad actor (or actors) is going after home users, but isn’t it more lucrative to go after enterprises?
    • Going after home users is where the low hanging fruit is 
    • Home users are typically less protected than enterprise ones, without endpoint protection beyond Microsoft Defender
    • Defender’s come a long way from what it used to be, but even then it’s still an arms race between defenders and attackers.
    • There’s a second point to consider here though – the massive differences in risk perception between an adult at work and an adult or child at home playing games
      • There’s not as much pressure because livelihood doesn’t come into play, internal posture goes from professional to “leave me alone i wanna be a wizard for a while.” 
      • And gaming as a context primes users to be more “nudge-able” – their behavior is more malleable through known means like dark patterns and incentives to do things or allow access they may not think reasonable otherwise
      • Behavioral Economics and modern marketing are a hell of a team-up, and threat actors have noticed it, picked it up, and run with it
    • Operating in the cognitive frame of “gaming” even if you’re technically sophisticated you’re much less likely to understand in the moment that you’re suddenly downloading someone else’s unverified code and running it on your device, or giving permissions to something you shouldn’t – the cognitive frame is built around the game and the goals you want to accomplish there without the accompanying risk profiling because the cognitive frame applies to a virtual environment
    • In short – less protection, less user awareness and concern, and an incredible array of tricks and techniques to nudge user behavior where it might not ordinarily go
  • What are the indicators that an account in this scenario is compromised?
    • Long periods of dormancy followed by a flurry of activity is the first tell. The second, in this case, is a difference in language for the content – Thai to English. The third tell here is a change in the content itself, whether it’s format or theme – and this case seemed to involve a change in both
  • This example gets even more malicious in the instructions provided in the video descriptions
    • This habit goes back ages – they go into how to disable Windows Defender or other antivirus prior to launching the file
    • This in particular is something gamers are groomed for from previous experience – things like game trainers or cheats, money injectors, the entire family of software, they often involve accessing things that it’s unsafe for regular users to have access to – system-level processes, memory, and more
    • So it’s not uncommon for even a legitimate trainer to cause a false-positive from antivirus just because that’s how they have to operate to affect the gameplay experience
    • “The file is clean, dude, I promise! Just disable antivirus…” has a long history in the gaming community, most of it not great
  • Proofpoint identified multiple videos purporting to distribute Empress video game cracks
    • Empress is a persona – something we’re very familiar with in threat intel, right? But from most perspectives, not a bad-actor persona
    • Empress identifies as a her, and Russian, and is a well-known and well-skilled cracker on a level with few others. Her stated motivations are removing DRM so the game can keep running once the publisher ends support for it, and because DRM often causes performance issues in games – and Ian kind of agrees with her on both
    • However, she also tends to leave pretty harmful rants, which isn’t great
  • In sandbox detonation it was discovered that the payload is Vidar
    • Vidar stealer is infostealer malware available under the malware-as-a-service model on the darknet, usually targeting passwords, cryptocurrency wallets, and similar secrets
    • long with Racoon and Redline it’s probably in the top three most popular infostealers
    • Some circumstantial evidence points to Russian origins, but that’s still up for debate
    • It’s an offshoot of the Arkei trojan family, and more often delivered via email, but there’s also a pretty solid history of it being bundled in pirated software, game hacks, or even software posing as the legitimate article, being downloaded thanks to things like homoglyph attack domains or other social engineering
  • How has YouTube responded to this and how can end users protect themselves?
    • YouTube responded quickly to Proofpoint as far as taking down the accounts in question, but appears to have provided no more information to help defenders, which is disappointing but not surprising
    • Unfortunately that means that the trail goes cold, and Google is probably as incentivized to make something like this harder for defenders to detect and request takedowns on as they are to take it down themselves to protect folks
    • The first thing an end-user can do to protect herself is realize that her demographic, as a gamer, is regularly targeted by bad actors in many different ways, between this attack, bad domains, malvertising, and more
    • Sit back and integrate that into the threat profile so that you’re more likely to remember when sitting down for a gaming session that, well, you’re a target, and not everything that happens in the context of your gaming session is virtual or fictional
    • Assess things like game mods or hacks very very closely, remember that you’re very explicitly executing someone else’s code on your computer, and there can be consequences to that

This Week’s Hoodie Scale

Spoof There It Is

[Kali]: 3/10 Hoodies
[Ian]: 3/10 Hoodies

A Pirate’s Life For Me

[Tim]: 4/10 Hoodies
[Ian]: 4/10 Hoodies

That’s about all we have for this week, you can find us on Mastodon and Twitter/X @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!