Today while I was scanning diet spam on Pinterest, I followed one link which redirected to pinteresf.org offering a “Pinterest Tool”:
I downloaded the browser plug-in (with wget, not with a browser!) and after a short review of the code, submitted the package to F-Secure’s Sample Analysis System. The suspicious part of the code is below. It simply reads any user names and passwords from visited websites and sends them to the attacker’s server.
F-Secure analyzed the sample and found it to be malicious. It will be detected as “Trojan.PWS.ZAQ“. The latest database updates and other tools can be found here.
I’m certain there are other similar attack tools. If you see a similar kind of “tool” offer, just close the browser window. Selecting “no thanks” most likely leads to plug-in installation as well.
Big thanks to [ Gunther ] for helping with the initial code analysis.
Update 9th of July:
I was informed about a similar “Pinterest tool” from 2012. The tool and the malicious pins are still in place. I submitted the links and one sample to F-Secure. This tool is also malware, but behaves differently. Analysis is not yet complete.
The following domains are now rated as malicious: pinteresf(.)org, pintsrest(.)org, pintrerets(.)com and com-online(.)us. Do not visit these domains or any links pointing to them. Today I have submitted 16 additional suspected domains to F-Secure.
I have checked many pins redirecting users to one of the “Pinterest Tool” sites. Observations:
- There are at least 15-20 different redirect domains such as com-online(.)us
- Redirect URLs have the following format: malicious-domain.tld?url-to-the-picture/
- Pin pictures appear to be normal, originating from legitimate sites, and do not show any clear pattern (unlike spam pins).
- The majority of the pins originate from normal Pinterest users as opposed to bot accounts
- Board naming does not follow any pattern. Pins can be found in the middle of a normal board having hundreds of other pins. A board name can be “Cooking” or, for example, “Zamknięte w słoiku” (a Polish board name)
- Pinning of malicious links is clearly automated
Here is my current theory: affected users are infected by some browser malware (possibly one of these Pinterest Tool plug-ins) which adds the malicious redirect part to some pins on the fly. That is: the user goes to normal-site.com and decides to pin picture X, i.e. http://normal-site.com/pics/X. The malware jumps in and modifies the link to “http://maldomain.tld?normal-site.com/pics/X“, but otherwise the pin looks normal.
Please share your (conspiracy) theories.
Update 10th of July:
Chrisjwilson has analyzed how the second malicious plug-in works (see the Google document link above). This analysis confirms my theory from yesterday: the malware modifies pin links on the fly. There are hundreds – if not thousands – of affected users. This is hard to estimate due to the large number of pins. I have submitted all samples and links to F-Secure and to Pinterest support, hoping this malware could be stopped and removed.
This malware gets the website-specific payload from a remote server. Currently it seems to be limited to Pinterest, but I cannot be sure. The malware logs every web page the user visits and sends that information to the remote “control server”. Therefore the malware could be extended to cover any service: it could try to target e-mail services, Facebook, Twitter, Tumblr etc.
I’m surprised that apparently there have been no actions against these attacks. The other plug-in was spotted already in 2012, but it is still up and running. Possible actions to stop this attack in an effective manner: send an abuse letter to Linode concerning the two IP addresses. If the servers are taken down, the attack would at least be paused. Abuse reports could be sent for the domain names as well: they are used to spread malware. And most importantly: inform affected users about the infection, with removal instructions.
Note that there are two malicious plug-ins: the first one attempts to send your user names and passwords to the attacker’s server. The second one modifies pin links on the fly. According to F-Secure, this plug-in will be detected as Memscan:Trojan.Generic.8758457. These two are most likely related.
This part should be easy: remove the browser plug-in with the name “Pinterest Tool” – below is a picture of the Firefox version. As far as I know, there are different versions for Chrome and Internet Explorer.
Chrome plug-ins have been removed from the Web Store, but there could be new ones.
Because I have not received any feedback from Pinterest support and I have not seen any warnings or counter-actions, I decided to publish a list of domain names used by the malware that changes pin links on the fly.
If you see a pin that links to any of these domains, report the pin as spam (there is no option to report malware) - do not click on the link, do not “repin” or “like”:
- com-read.net, com-read.org
- pintrest1.com, pintrest2.com, pintrest4.com, pintrest5.com, pintrest6.com
- com-2012a.us, com-2012b.us, com-2012c.us, com-2012d.us, com-2012e.us, com-2012f.us
This list may not be complete or fully accurate.
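To make the redirect shape from the observations above (malicious-domain.tld?url-to-the-picture/) and this domain list checkable, here is a small Python helper added for this post; it is not code from the original post or from either plug-in. The domain list is copied from the post with the (.) defanging removed; the pin links at the bottom are constructed samples, and the unknown-host heuristic (empty path plus a bare URL as the whole query string) is my own assumption about how to generalise the observed format.

```python
"""Classify pin links against the redirect pattern described in the post.

Hypothetical helper written for this page. The domain list is copied from
the post; the sample links are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Domains the post lists as used by the link-modifying plug-in or as
# "Pinterest Tool" download/redirect sites (defanging "(.)" removed).
KNOWN_REDIRECT_DOMAINS = {
    "com-read.net", "com-read.org",
    "pintrest1.com", "pintrest2.com", "pintrest4.com", "pintrest5.com",
    "pintrest6.com",
    "com-2012a.us", "com-2012b.us", "com-2012c.us", "com-2012d.us",
    "com-2012e.us", "com-2012f.us",
    "com-online.us", "pinteresf.org", "pintsrest.org", "pintrerets.com",
}

# The observed redirect shape: the whole query string is another URL
# (host/path, optionally with a scheme) and carries no key=value parameters.
# Assumption: this generalises the "?normal-site.com/pics/X" example.
_EMBEDDED_URL = re.compile(
    r"^(?:https?://)?(?P<host>[a-z0-9-]+(?:\.[a-z0-9-]+)+)(?P<path>/.*)?$",
    re.IGNORECASE,
)


def _registrable(host):
    """Strip a leading 'www.' so 'www.com-read.net' still matches the list."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def check_pin_link(link):
    """Return (verdict, original_picture_url_or_None).

    verdict is one of:
      'known'      - host is on the domain list from the post
      'suspicious' - host is unknown but the link has the ?url-to-picture/ shape
      'clean'      - neither
    """
    parts = urlsplit(link.strip())
    host = _registrable(parts.hostname or "")
    match = None
    if parts.query and "=" not in parts.query:
        match = _EMBEDDED_URL.match(parts.query)
    original = None
    if match:
        # Recover the picture the victim actually meant to pin.
        original = "http://" + match.group("host") + (match.group("path") or "")
    if host in KNOWN_REDIRECT_DOMAINS:
        return "known", original
    if match and parts.path in ("", "/"):
        return "suspicious", original
    return "clean", None


def triage(links):
    """Run check_pin_link over a batch; return only links worth reporting."""
    results = []
    for link in links:
        verdict, original = check_pin_link(link)
        if verdict != "clean":
            results.append((link, verdict, original))
    return results


# Constructed sample pin links (not taken from real pins).
SAMPLE_LINKS = [
    "http://com-2012c.us?normal-site.com/pics/cake.jpg",
    "http://unknown-redirect.example?http://recipes.example/img/pie.jpg/",
    "http://recipes.example/img/pie.jpg",
    "https://www.pinterest.com/search/pins/?q=cake",
    "http://www.com-read.net/?pics.example/a.png",
]

if __name__ == "__main__":
    for link, verdict, original in triage(SAMPLE_LINKS):
        print(f"{verdict:10s} {link}  (intended picture: {original})")
```

The recovered picture URL is useful when reporting a pin: it shows the board owner what they actually meant to pin, and it lets you confirm that the picture itself is a legitimate image from a normal site, as the observations above describe.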
Please spread this message. If you happen to be on Pinterest, please repin/like my warning. Thank you!