Topic: [PSA] A NEW KIND OF PHISHING (HOSTJACKING) (Read 309 times)

Trust me, it is relatively easy to create a reverse shell without triggering any AV software's static or behavior analysis.

Sure, editing one file is easier to implement, but you'd need to set up multiple phishing sites (e.g. online banking, multiple exchanges, etc.. ).
When considering the cost vs efficiency, you gain much more from simply setting up a reverse shell and extracting login details saved in a browser + recording keystrokes. With this, you gain access to every website the victim is registered with.

I am just saying, if a malicious party was able to compromise your system, you shouldn't worry about phishing attempts anymore.

The idea behind malware like this is that its much more difficult to detect, both by observation and by antivirus software, hostjacking require modifies one OS file, it doesn't need to constantly run in the background, it doesn't need to launch on startup, it can literally edit the hosts file and then delete itself and the damage is already done.

Why make things simple when you can make them complicated..

If your device already is compromised, there is no reason to additionally set up a phishing site.
You could just steal all credentials when they are being typed in.

I wouldn't afraid of this kind of phishing. If he already compromised your system, he already has access to all of the data stored on your PC and to everything you type in (i.e. login information / 2FA codes).


If your device is already compromised, you already lost. Caring about phishing in that case is the last thing you should do..

Just to add, this also applies to android, the host file can be changed if you have root access. Another reason, why you shouldn't root your device.

If you want to open the hosts file using the cmd command, use the following command line:


This command will open the hosts file with notepad.

Was aware of this and was originally planning to add this however I felt that using a commandline interface text editor would be slightly too complex for some users so I opted to go the simple route of just manually changing it though, but for anyone else do note that this is a completely viable method of deleting host strings and you are free to use this if you wish

If I may add, for MacBook users, another option is:

After finding the suspicious link on your etc/hosts file, you can type the following command:

1. sudo nano /etc/hosts and press Return. (Nano is a built -in MacBook text editor).
2. Enter your password
3. Remove suspicious link
4. Press Ctrl-O to save

Alas, the presence of an SSL certificate does not really guarantee anything nowadays, and although it’s absence may lead you to give it a second glance, its presence does not, unfortunately, guarantee much more that a false sense of safety:

Edited in to the OP that people should check your reply rather than doing the method I posted, thanks!

don't work using cmd


it's work in computer folder, paste command into search box then select notepad to execute.

Greetings!
Recently, I have stumbled upon this concept, I have not seen any other threads warning people on this forum of this specific branch of malware and I feel that this is most certainly something everybody should be very aware of. To my knowledge there is no widespread infection from these viruses as there was for the clipboard jacker malware last year, but this is still something should know exists & how to prepare for. As with all my posts, if you have any other information regarding this, please leave a comment with it and I will append it to the original post.


What is Hostjacking?
Hostjacking is when a malicious program overwrites a critical system file known as the "Hosts" that is present on all operating systems to redirect traffic from one website to the malicious attacker's clone of that website to intercept logins and steal sensitive data. To understand how this is performed, we must first understand what the hosts file is, what it's primary functions are, and how hackers manipulate the data present in this file.

What is a host file?
A host file is a file that is present on Mac, Windows and Linux operating system file that maps hostnames to IP addresses, the standard function of these that we would see applied in less malicious circumstances are web administrators (such as at a school or university) using the hosts file to restrict access to certain websites, by making said websites redirect to 127.0.0.1 (Localhost IP address), meaning that it would be inaccessible.
An example of such mapping is as follows:
To put it in layman's terms, this line of code in hosts redirects all traffic when you access instagram.com to localhost, meaning you will be unable to access the original IP address for Instagram.

How do hackers access it?
The hosts file is a file of the operating system, meaning more often than not it requires that whichever program attempts to make changes to it have administrative rights, I will not detail the methodologies that people use to acquire administrative access from a user, all that is required to be known is that it is a plaintext file that hackers gain administrator privileges to overwrite with their own malicious code.


The Attack Vector
As for how this can be exploited, do remember that the IP address doesn't have to be localhost, the attack vector in this is that a malicious attacker can map a different site (lets say, binance.com) and redirect it to their own server's IP, which would contain a phishing page that imitates Binance. And rather than requiring kernel level access to evade antivirus, the malicious program used to deliver the payload would need essentially 0 complexity. The only thing that a malicious actor would need to do once you've opened a piece of their malware is to write over plaintext file, and they would instantly be able to redirect all your traffic to one site to their own malicious site. This does not even require lots of obfuscation to subvert detection by any antivirus software, the "program" could literally be a batch file that writes over the hosts file, if the user enters their admin password or provides the application with administrative access, which most installer wizards request anyway, they have full access to the hosts file, meaning they have full control over your network and where your traffic is headed towards.

I have went ahead and demonstrated this in video form by redirecting the Binance.com website to a generic DataCamp server IP address, the video is not of the best quality and you will have to put up with my insufferable keyboard sounds (I forgot to mute my microphone) until the video is fully processed and my keyboard sounds are replaced with an even more insufferable Royalty free audio track.
> DEMONSTRATION HERE <
As is visible in the video, the search bar still retained the "Binance.com" address while displaying the content of the page we set it to, since it is very difficult to tell at a glance, this becomes a very deadly attack to users who are unfamiliar with other detection methods, which I will be detailing in the next section of this post.


How to Detect Hostjack Phishing (And how to prevent it)

Checking your hosts file

If you find any suspicious entries on your hosts file:


If you locate any suspicious entries on your host file, deleting them might not be enough, if you are absolutely certain that you didn't write the entries on to the host file, then it is very likely that your system has been compromised by a piece of malware, use a tool such as MalwareBytes to scan your system for any malware. If all scans turn up empty on multiple antivirus softwares and the host file keeps being edited to display a spoofed/separate page, it is advisable to back up your important files on a USB and factory reset your machine.


Checking the SSL certificate of the website.
If you believe that you are being hostjacked, it never hurts to check the SSL certificate of the website you believe may have been compromised. Most websites belonging to large companies such as Binance will have an SSL certificate which can be viewed by clicking the lock on the left side of the URL in your browser's navigation bar:
A Valid Certificate
You should not enter any sensitive data on any website if it does not have a valid SSL certificate, most phishing websites will display as "Not Secure" when you click the lock icon, and Hostjacked phishing sites are no exception.