In today’s episode, we dive into the sophisticated DNS activities of the China-linked threat actor known as Muddling Meerkat, who manipulates internet traffic and abuses open DNS resolvers. This cyber espionage endeavor has global implications, as explained by Infoblox in an article at The Hacker News (https://thehackernews.com/2024/04/china-linked-muddling-meerkat-hijacks.html). Also, we discuss the FBI’s warning about fake verification schemes targeting dating app users, uncovering the scam process and providing tips to safeguard against such fraudulent activities, as detailed in the BleepingComputer article (https://www.bleepingcomputer.com/news/security/fbi-warns-of-fake-verification-schemes-targeting-dating-app-users/). Lastly, we explore Google’s efforts to enhance mobile security by preventing over 2 million malicious apps from entering the Play Store, highlighting their proactive measures and collaborations to safeguard user privacy. Read more about this at The Hacker News (https://thehackernews.com/2024/04/google-prevented-228-million-malicious.html).
00:00 Introduction
02:36 Dating App Scams
04:12 Google’s Security Enhancements
06:47 Muddling Meerkat’s DNS Manipulation
Generate single use credit card numbers: https://app.privacy.com/join/GL3U7
Tags: Muddling Meerkat, DNS activities, reconnaissance, China, fake verification schemes, dating app users, FBI warning, fraudsters, Google, Play Store, security, review process
Search Phrases:
- Muddling Meerkat DNS activities
- China Muddling Meerkat reconnaissance
- Fake verification schemes dating apps
- FBI warning fraudsters
- Protect from fake verification schemes
- Unauthorized credit card charges prevention
- Google Play Store security measures
- Prevent sensitive data access
- Google app review process
- Infiltration prevention in Play Store
Apr 30
The FBI is warning that dating app users are being targeted by fake verification scams that are leading to costly recurring subscription charges, as well as theft and misuse of personal information.
How can users protect themselves while using dating apps?
Google blocked over 2 million policy-violating apps from the Play Store in 2023, a proactive security measure that also saw over 790,000 apps guarded against sensitive data access.
How has Google improved its security features and review process to prevent these malicious apps from infiltrating the Play Store?
And finally, a China-linked threat named Muddling Meerkat has been caught manipulating DNS activities globally to evade security measures. They’ve been conducting reconnaissance since 2019. What are these unique DNS activities that Muddling Meerkat is undertaking, and what is their end goal?
You’re listening to The Daily Decrypt.
So the FBI is warning of a new scam that’s targeting dating app users, which can lead to fraudulent recurring subscription charges and even identity theft.
So basically, the scammers will develop a romantic connection with you on the dating app of your choice, whether that’s Tinder or Bumble or Hinge or whatever you choose, then they’re going to ask to move this conversation to a safer platform to verify that you are in fact a human. Well, we’re all on dating apps to try to find someone, so of course I’m going to verify that I’m human.
It’s a valid request.
Well, the only way to verify that you’re human now is to provide a credit card number and some information. Can’t do anything without that.
And that’s where they’re going to get you. This is going to lead to maybe small, maybe large, but seemingly anonymous charges on your credit card bill. And if you’re not paying close attention to that, you might miss them.
So this attack, at its core, is not very complex, but it is remarkably effective, because remember, there are a few different situations that we put ourselves in where we’re a little more desperate and a little less careful than we normally are. For example, dating apps. You’re really on there to look for connection. Also when you’re applying for a job, you’re pretty desperate for a job. And sometimes when you need groceries, or when you’re hungry and you need DoorDash, you might be a little more susceptible to this type of attack.
It’s no secret what everyone’s looking for on a dating app. It’s all pretty similar. And so it might not be that hard to convince someone that they’re having a genuine romantic connection.
So, the FBI has some advice. They advise you not to open any attachments from anybody, to keep the conversations on the dating platform, and to report any suspicious profiles. Now, an additional tip from the Daily Decrypt: I myself just signed up the other day for a service called privacy.com. It’s a free service that, at its core, creates new credit card numbers for you to use with different services. So when you sign up for Netflix, this site will create a credit card number for you.
You can set a spending limit on it, and you can cancel it at any time. So if you’re signing up for Netflix and that’s $20 a month, you limit that card to $20 a month. Now, if Netflix decides they want to upcharge you, it won’t go through. You’re good to go. And so in the case of this specific attack, if you were to give them one of these generated credit card numbers and you set the limit to $1, which is what it usually costs to verify your ID (even though you’ll get it returned), and say no recurring charges allowed, the attacker will have this dummy credit card number and won’t be able to get anything out of you.
I’d highly recommend using this for any subscription. It makes the process of canceling so much easier. And especially with the boom in subscription services, like, everything has a subscription, so some of them might be less secure than others. And if for some reason that site is breached and they get the credit card numbers, they’re only gonna have this dummy credit card. And you’ve already set limits on it, so attackers who come into ownership of this credit card number can’t make extra purchases besides the subscription charges you’ve allocated.
Google has revealed that in 2023 they prevented 2.28 million policy-violating apps from being published on the Play Store by leveraging new security features, policy updates, and advanced machine learning processes.
So that’s a lot of apps. The Apple App Store is known for having pretty stringent requirements for apps, even though in recent news they’ve had some pretty big slip-ups, from a LastPass imitation app that was harvesting all the credentials stored in your LastPass account, all the way down to fake crypto apps that will take your credentials for your crypto and drain your accounts. But this is a big deal because of how easy it is for fraudulent apps to take over your entire life. Like those examples I just mentioned: if you happen to download a fake banking app for Bank of America, then the attackers would have your credentials to log into your Bank of America account.
And I haven’t been on the Google Play Store in a while, but I’m sure you can buy ad space there, and you know how we feel about Google Ads on this podcast. Don’t click them. But it is very easy to spend 30 bucks and get any website up to the top of your Google search results. So just stay away from Google ads and any ads you may see on the app store, and you’ll seriously reduce the likelihood of clicking a bad link or downloading a bad app. But Google has blocked 333,000 bad accounts in 2023 from attempting to distribute malware or violating policies on the Play Store.
Google has partnered with SDK providers to restrict sensitive data access and sharing, as well as strengthen developer onboarding and review processes, mandating additional identity verification steps to prevent bad actors from exploiting the system to propagate malicious apps.
Google’s efforts to secure the Android ecosystem include real-time scanning at the code level to combat new Android malware threats and the introduction of an independent security review badge for VPN apps that have undergone a mobile application security assessment.
So I know some of you out there are Apple haters, but I have no intention of ever switching away from Apple. Mostly because, up until this point, they seem to be the provider that cares about app security. Whether or not that’s true, I don’t know, but that’s how it appears. But this step from Google is one in the right direction towards winning over Apple fanboys like myself.
So keep up the good work Google, and hey, who knows, maybe I’ll switch back.
So, recently, a new cyber threat named Muddling Meerkat has been identified conducting sophisticated DNS activities globally since October 2019. And this specific threat is likely linked to China and is capable of manipulating, quote, the Great Firewall.
So how does it work? Muddling Meerkat exploits open DNS resolvers to send queries from Chinese IP space, demonstrating a high level of DNS expertise uncommon amongst most threat actors.
The threat actor triggers DNS queries for various record types to domains not owned by them under popular top-level domains like .com and .org, using fake DNS MX records to probe the target domain.
Infoblox detected over 20 domains targeted by Muddling Meerkat receiving anomalous DNS MX record requests from customer devices, indicating a unique and unprecedented attack method.
The purpose behind Muddling Meerkat’s prolonged DNS operations remains unclear, but suggested motives include internet mapping or undisclosed research efforts. And a quote from Dr. Renée Burton, Vice President of Threat Intelligence for Infoblox: “Muddling Meerkat elicits a special kind of fake DNS MX record from the Great Firewall, which has never been seen before. For this to happen, Muddling Meerkat must have a relationship with the Great Firewall operators.”
And for those of you like me who are unfamiliar with the Great Firewall, just pulling up their Wikipedia page and reading from it, it says it’s the combination of legislative actions and technologies enforced by the People’s Republic of China to regulate the internet domestically. So it plays a critical role in internet censorship in China.
And be sure to check the show notes for this episode for the domains that you might see DNS MX records from, and other IOCs of this type of scanning.
I’m anticipating there to be more news to come on this topic.
This has been the Daily Decrypt. If you found your key to unlocking the digital domain, show your support with a rating on Spotify or Apple Podcasts. It truly helps us stand at the frontier of cyber news. Don’t forget to connect on Instagram or catch our episodes on YouTube. Until next time, keep your data safe and your curiosity alive.
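The MX-probing behaviour described in the Muddling Meerkat segment above, seen from the defender’s side: the block below is an added example, not code from the podcast or from Infoblox. It scans resolver query-log lines and flags clients that issue bursts of MX queries for random-looking subdomains, which is the anomaly the segment says Infoblox observed at customer devices. The log format, the entropy and count thresholds, and the sample lines are all constructed assumptions for illustration.

```python
"""
Flag clients that issue bursts of MX queries for random-looking subdomains.

Heuristic only: the log format, the thresholds and the sample lines are
constructed for this example and are not Infoblox's detection logic.
"""
import math
import re
from collections import defaultdict

# Constructed log lines, loosely modelled on a resolver query log:
# <timestamp> <client-ip> <qname> <qtype>
SAMPLE_LOG = """\
2024-04-29T10:00:01Z 10.0.0.5 mail.example.com MX
2024-04-29T10:00:02Z 10.0.0.5 www.example.com A
2024-04-29T10:00:03Z 10.0.0.9 x7k2q9.example.org MX
2024-04-29T10:00:03Z 10.0.0.9 p3mz81.example.org MX
2024-04-29T10:00:04Z 10.0.0.9 qq0v7a.example.net MX
2024-04-29T10:00:04Z 10.0.0.9 r4lw2c.example.com MX
2024-04-29T10:00:05Z 10.0.0.9 zz9n1e.example.org MX
2024-04-29T10:00:06Z 10.0.0.7 www.example.net AAAA
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+([A-Z]+)$")


def parse_log(text):
    """Yield (timestamp, client, qname, qtype) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qname, qtype = m.groups()
            yield ts, client, qname.lower().rstrip("."), qtype


def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(label, min_entropy=2.0, min_len=5):
    # Assumption: a leftmost label that is at least min_len characters and
    # has high character entropy is "random-looking" (e.g. x7k2q9), while
    # ordinary labels such as "mail" or "www" are short or low-entropy.
    return len(label) >= min_len and label_entropy(label) >= min_entropy


def find_mx_probers(text, min_random_mx=3):
    """
    Return {client: [qnames]} for clients that issued at least min_random_mx
    MX queries whose leftmost label looks random. The threshold is an
    assumption; tune it to the resolver's normal MX query volume.
    """
    hits = defaultdict(list)
    for _ts, client, qname, qtype in parse_log(text):
        if qtype != "MX":
            continue
        leftmost = qname.split(".")[0]
        if looks_random(leftmost):
            hits[client].append(qname)
    return {c: q for c, q in hits.items() if len(q) >= min_random_mx}


if __name__ == "__main__":
    for client, names in find_mx_probers(SAMPLE_LOG).items():
        print(f"{client}: {len(names)} random-label MX queries, e.g. {names[0]}")
```

On the constructed sample, only 10.0.0.5’s legitimate `mail.example.com` MX lookup passes as normal; 10.0.0.9 is reported because it fired five MX queries for high-entropy labels under three different domains. In a real deployment you would feed the resolver’s own query log into `parse_log` and tune `min_entropy` and `min_random_mx` against a baseline of normal MX traffic before alerting.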