It has been reported that security researchers have uncovered a sophisticated phishing campaign using tens of thousands of malicious domains to spread malware and generate advertising revenue. Dubbed “Fangxiao,” the group directs unsuspecting users to the domains via WhatsApp messages telling them they’ve won a prize, according to security vendor Cyjax. The phishing site landing pages apparently impersonate hundreds of well-known brands including Emirates, Unilever, Coca-Cola, McDonald’s and Knorr.

This campaign combines two cybercrimes into one: phishing and ad fraud. Victims are tricked into clicking on a malicious link, while advertising platforms are tricked into thinking those impressions and click rates are genuine. The advertising platforms pay out money to the criminals as a result. In some cases, users are led to sites hosting malware or fake login pages where their passwords and other info are stolen. Avoiding this scam is easy enough: never click on links or attachments in unsolicited messages! Don’t trust random links posted in WhatsApp groups.

This compromise of a certificate authority (CA) highlights the importance of managing all machine identities in an enterprise. If the compromised CA were the root CA, an attacker could potentially gain full control over the entire PKI and undermine trust in the whole system. All certificates issued by the compromised CA must be revoked and replaced. This is a costly effort, and in most cases it also costs the organization credibility.
This can be even more catastrophic when organizations create subordinate CAs to sign workload identities in cloud native environments, such as pod or service mesh identities. Given the sheer volume of these identities, revoking all the subordinates, recreating them and reissuing identities to every workload is a huge effort.
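To make the blast-radius point concrete, here is an added example (not code from the original article) that walks a constructed certificate inventory by its Authority/Subject Key Identifier links and lists everything that must be revoked and reissued when a given CA key is compromised; the inventory entries, SKI/AKI values and SPIFFE names are assumed sample data.

```python
from collections import deque
from dataclasses import dataclass
from typing import List, Optional

# One inventory record per certificate. A real inventory would come from the
# CA database or a machine-identity inventory; SKI/AKI are the X.509 Subject /
# Authority Key Identifier extensions, which is how a cert points at its issuer.
@dataclass(frozen=True)
class CertRecord:
    subject: str
    ski: str             # subject key identifier (constructed values below)
    aki: Optional[str]   # authority key identifier; None for a self-signed root
    is_ca: bool

# Constructed sample hierarchy: one root, two subordinate CAs, and leaf certs
# including workload identities issued by a service-mesh CA.
INVENTORY = [
    CertRecord("Corp Root CA", "ROOT", None, True),
    CertRecord("Corp TLS Issuing CA", "TLS-SUB", "ROOT", True),
    CertRecord("Mesh Workload CA", "MESH-SUB", "ROOT", True),
    CertRecord("www.example.internal", "LEAF-WWW", "TLS-SUB", False),
    CertRecord("spiffe://corp/ns/prod/sa/payments", "LEAF-PAY", "MESH-SUB", False),
    CertRecord("spiffe://corp/ns/prod/sa/orders", "LEAF-ORD", "MESH-SUB", False),
    CertRecord("spiffe://corp/ns/dev/sa/test", "LEAF-DEV", "MESH-SUB", False),
]

def blast_radius(inventory: List[CertRecord], compromised_ski: str) -> List[CertRecord]:
    """Return the compromised CA's own cert plus every cert chaining to its key.

    Follows AKI -> SKI links downward, so a root compromise returns the whole
    hierarchy while a subordinate compromise returns only its subtree.
    """
    by_ski = {rec.ski: rec for rec in inventory}
    children = {}
    for rec in inventory:
        children.setdefault(rec.aki, []).append(rec)
    affected = [by_ski[compromised_ski]] if compromised_ski in by_ski else []
    queue, seen = deque([compromised_ski]), {compromised_ski}
    while queue:
        parent_ski = queue.popleft()
        for rec in children.get(parent_ski, []):
            affected.append(rec)
            if rec.is_ca and rec.ski not in seen:   # recurse into sub-CAs only
                seen.add(rec.ski)
                queue.append(rec.ski)
    return affected

def revocation_plan(inventory: List[CertRecord], compromised_ski: str) -> dict:
    """Split the blast radius into CA certs to rebuild and leaf identities to reissue."""
    affected = blast_radius(inventory, compromised_ski)
    return {
        "ca_certs": [r.subject for r in affected if r.is_ca],
        "leaf_identities": [r.subject for r in affected if not r.is_ca],
    }
```

Running `revocation_plan(INVENTORY, "MESH-SUB")` lists only the mesh CA and its three workload identities, while `"ROOT"` pulls in every certificate in the inventory.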
Protecting and managing all machine identities, irrespective of where and how they are used, is critical to an enterprise security posture. Manual processes need to be eliminated, and all machine identity management should be 100% automated, with security teams having the right kind of observability.