Researchers at the threat intelligence firm Cyble discovered a new wave of phishing attacks targeting multiple organizations that are abusing the ngrok platform, a secure and introspectable tunnel to the localhost.
ngrok is a cross-platform application used to expose a local development server to the Internet, the server appears to be hosted on a subdomain of ngrok (e.g., 4f421deb219c[.]ngrok[.]io) by creating a long-lived TCP tunnel to the localhost. The experts pointed out that ngrok server software runs on a VPS or a dedicated server and can bypass NAT mapping and Firewall restriction.
Threat actors are abusing the protocol for multiple malicious purposes.
“Multiple threat actors have abused the ngrok platform to gain unauthorized access to the target for delivering the additional payload, exfiltrating financial data such as credit/debit card information, and carrying out targeted phishing attacks.” reads the post published by Cyble.
Experts pointed out that attacks abusing the ngrok platform are hard to detect because connections to subdomains of ngrok.com are not filtered by security measures.
The experts reported multiple malware strains and phishing campaigns abusing ngrok tunnelling, including
Some of the new strains of malware/phishing campaign using ngrok tunneling are:
Cyble focuses on threat actors abusing ngrok.io to deliver phishing attacks.
“Interestingly, we found multiple ngrok.io links used in darkweb markets/leaks and cybercrime forums by different threat actors such as BIN CARDERS, Telegram- carder data, and linlogpass.” continues Cybler.
Cyble also spotted a phishing tool kit, named “KingFish3 (Social master), advertised on a cybercrime forum. The experts discovered that a threat actor shared on the forum a Github link to the tool, which also abuses ngrok tunnels to carry out the attack.
Below the steps identified by the experts to abuse the ngrok tunnels and carry out phishing attacks:
The post includes a partial list of ngrok based phishing Indicators of Compromise (IOCs).
Below, Cyble experts’ recommendations:
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, phishing)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.