NEW: Social engineering attack method called RFD

Social engineering with RFD: a new method

Users who normally download files only from trusted websites can now be tricked by a new type of Web vulnerability: it cons them into downloading executable payload files that are not actually hosted on the website they believe they came from.

This attack has been named reflected file download (RFD). It is similar to reflected cross-site scripting (XSS) attacks, in which users are tricked into clicking a specially crafted link to a legitimate site that forces their browser to execute rogue code contained in the URL itself.

In the case of RFD, the victim’s browser does not execute code; instead it offers a file for download with an executable extension such as .bat or .cmd (containing shell commands) or a script extension such as .js, .vbs or .wsh that will be run by the Windows Script Host (Wscript.exe). The contents of the file are supplied through the attacker-generated URL that the user clicks on, and the website reflects that input back to the browser as a file download.

This enables convincing social engineering attacks because, despite not physically being hosted on the targeted website, the file still appears to originate from it. Users would still have to approve the download and execute the file themselves, but it would not be hard for an attacker to convince them to do so.

For example, a spoofed email from a bank asking users to download and install a new security product that protects their banking sessions could be very convincing if the included download link pointed back at the bank’s real website — and that’s exactly what RFD vulnerabilities allow for.

According to Trustwave security researcher Oren Hafif, who discovered the problem, a website is vulnerable to this attack if three conditions are met. The vast majority of sites that use JSON (JavaScript Object Notation) or JSONP (JSON with padding) — two very popular Web technologies — meet those criteria. Sites that don’t use JSON can also be vulnerable, he said.
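A defender-side illustration of the mechanism described above, added here and not code from the article or from Trustwave: a strict JSONP callback filter, hardened response headers, and a log/WAF check for requests whose URL would make the browser save the reflected body under an executable filename. The endpoint shape, header set, extension list and sample URLs are assumptions.

```python
import json
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Callback names must be plain JavaScript identifiers. Quotes, pipes,
# semicolons or spaces in a reflected callback are what turn a saved
# response into a runnable .bat/.cmd line, so they are rejected outright.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]{0,63}$")

# Extensions Windows hands to cmd.exe or Wscript.exe on double-click
# (assumed list; extend to match local policy).
EXECUTABLE_EXTS = (".bat", ".cmd", ".js", ".vbs", ".wsh", ".hta", ".exe")


def valid_callback(name: str) -> bool:
    """Accept only bare identifiers such as 'cb' or 'handleData'."""
    return bool(CALLBACK_RE.match(name))


def rfd_risky_request(url: str) -> bool:
    """Flag a request to a JSON(P) API whose last path segment carries an
    executable extension, or whose callback is not a plain identifier."""
    parts = urlsplit(url)
    last_segment = parts.path.rsplit("/", 1)[-1].lower()
    if last_segment.endswith(EXECUTABLE_EXTS):
        return True
    for cb in parse_qs(parts.query).get("callback", []):
        if not valid_callback(cb):
            return True
    return False


def jsonp_response(payload: dict, callback: Optional[str]) -> tuple:
    """Build (status, headers, body) for a hardened endpoint: validated
    callback, nosniff so the body is never re-typed, and a pinned
    Content-Disposition filename so a crafted path cannot pick the extension."""
    if callback is not None and not valid_callback(callback):
        return 400, {"Content-Type": "application/json"}, '{"error":"bad callback"}'
    body = json.dumps(payload)
    content_type = "application/json"
    if callback:
        body = f"/**/{callback}({body});"
        content_type = "application/javascript"
    headers = {
        "Content-Type": f"{content_type}; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'attachment; filename="api.json"',
    }
    return 200, headers, body
```

Run `rfd_risky_request` over request logs to find URLs that hit API routes with an executable-looking last segment; those are the requests a successful RFD lure would generate.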
