A new criminal platform called “Matrix Push C2” is using browser notifications to launch social engineering attacks, according to researchers at BlackFog.
“This browser-native, fileless framework leverages push notifications, fake alerts, and link redirects to target victims across operating systems,” the researchers write. “It turns web browsers into an attack delivery vehicle: tricking users with fake system notifications, redirecting them to malicious sites, monitoring infected clients in real time, and even scanning for cryptocurrency wallets.”
The platform uses browser notifications to trick users into installing malware or visiting credential-harvesting sites.
“In a nutshell, Matrix Push C2 abuses the web push notification system (a legitimate browser feature) as a command-and-control (C2) channel,” BlackFog explains.
“Attackers first trick users into allowing browser notifications (often via social engineering on malicious or compromised websites), and then, once a user subscribes to the attacker’s notifications, the attacker gains a direct line to that user’s desktop or mobile device via the browser. From that point on, the attacker can push out fake error messages or security alerts at will that look frighteningly real. These messages appear as if they are from the operating system or trusted software, complete with official-sounding titles and icons.”
Since the attack happens within the browser, no malware needs to be initially installed on the system.
“It’s a fileless technique,” the researchers write. “The unsuspecting user simply sees what looks like a normal system pop-up and might follow its instructions, not realizing they’ve stepped right into the attacker’s trap.”
AI-powered security awareness training can give your organization an essential layer of defense against social engineering attacks. KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.
BlackFog has the story.
