Earlier this year, NVISO identified an active cluster of domains likely tied to social engineering. Upon analysis, the domains masqueraded themselves as CAPTCHA verification pages, requesting visitors to press a button to verify they’re human.
While seasoned professionals may immediately recognize the page as fraudulent, less alert users might inadvertently provide their consent to notifications. Shortly after giving consent, the end-user would continuously receive browser-delivered phishing notifications.
As the hunt’s hypothesis assumed breach, we further hunted for traces of both successful social engineering and follow-on abuse. In the following sections we will present which forensic Chromium evidence can be found for initial social engineering (i.e., granted permissions) and follow-on interactions (i.e., delivered notifications, user interactions). Finally, we will cover how this hunt can be performed enterprise-wide through our contributed Velociraptor artifact and provide enterprise hardening recommendations to prevent such abuse.
This article focuses on Chromium-based web-browsers (e.g., Google Chrome, Microsoft Edge) as available telemetry scoped potential victims down to these browsers.
In this section we will cover which evidence allowed us to answer if a user had allowed websites to send notifications, had subsequently received notifications and, finally, interacted with the received notifications.
The Chromium user preferences is a JSON file titled Preferences
located within the user’s data directory. The file contains a flurry of settings, of which some pertaining to the notifications. For the two most prominent enterprise Chromium browsers (Google Chrome & Microsoft Edge), the locations are as follows:
Operating System | Standard Google Chrome Path |
Windows | *:\Users\*\AppData\Local\Google\Chrome\User Data\*\Preferences |
MacOS | /Users/*/Library/Application Support/Google/Chrome/*/Preferences |
Linux | /home/*/.config/google-chrome/*/Preferences |
Operating System | Standard Microsoft Edge Path |
Windows | *:\Users\*\AppData\Local\Microsoft\Edge\User Data\*\Preferences |
MacOS | /Users/*/Library/Application Support/Microsoft/Edge/*/Preferences |
Linux | /home/*/.config/microsoft-edge/*/Preferences |
The $.profile.content_settings.exceptions.notifications
dictionary contains the notification permissions attributed to websites. Each website with non-default permissions has its own entry with a last_modified
and setting
property.
{
"https://bestclevercaptcha.azurewebsites.net:443,*": {
"last_modified": "13349960779269787",
"setting": 1
}
}
JSON (Beatified)
The last_modified
value is a variation of the Windows’ FILETIME
. It represents the number of microsecond intervals since January 1, 1601 UTC (as opposed to Windows’ 100-nanosecond). Conversion to the more common Linux-like timestamp can be achieved through the (last_modified/1000000)-11644473600
formula (i.e., convert last_modified
into seconds and remove the number of seconds between Linux’s 1970
and Windows’ 1601
epoch).
The setting
property can be mapped to Chromium’s ContentSetting
enum. In our case, a setting
of value 1
indicates the website has the CONTENT_SETTING_ALLOW
permission for notifications.
enum ContentSetting {
CONTENT_SETTING_DEFAULT = 0, // 0
CONTENT_SETTING_ALLOW, // 1
CONTENT_SETTING_BLOCK, // 2
CONTENT_SETTING_ASK, // 3
CONTENT_SETTING_SESSION_ONLY, // 4
CONTENT_SETTING_DETECT_IMPORTANT_CONTENT, // 5
CONTENT_SETTING_NUM_SETTINGS
};
C
The $.profile.content_settings.exceptions.notifications
object hence provides preliminary evidence on whether a user has set specific website notification permissions, and when this occurred. The object however represents the current permission state; If a user revoked/changed the assigned permissions, the previous states are not available.
The $.profile.content_settings.exceptions.notification_interactions
dictionary contains metrics on issued and interacted notifications. As soon as a notification is issued or interacted with, the daily metrics are updated.
As was the case for the previously covered notifications
object, the notification_interactions
object contains per-URL keys as well as a last_modified
property. The setting
property is however a dictionary where the keys represent Linux-like timestamps (rounded to the day) and the display_count
alongside click_count
properties provide daily counters on the respective amount of displayed notifications and optional user-interacted notifications.
{
"https://bestclevercaptcha.azurewebsites.net:443,*": {
"last_modified": "13349960822063286",
"setting": {
"1704672000": {
"click_count": 1,
"display_count": 3
},
"1705449600": {
"display_count": 1
}
}
}
}
JSON (Beatified)
Together, the notifications
and notification_interactions
preferences provide sufficient visibility to identify:
The above visibility enables threat hunters to identify which users are likely to have been socially engineered and at which frequency. However, for affected users, these artifacts do not permit to scope the incident’s post-notification activity.
While the Chromium user preferences provide insights into the current permissions and associated metrics, the Chromium Platform Notifications database provides visibility into the issued notifications. The Chromium Platform Notifications
folder is located alongside the Preferences
file and leverages the LevelDB format.
Within this LevelDB store, keys are encoded and values serialized using Protocol Buffers. Commercial forensic tooling such as Axiom supports its parsing out of the box. Alternatively, open source solutions such as LevelDBDumper can assist in recovering the Protocol Buffer data which can, in theory, be de-serialized through ProtoBufEditor if provided with the definitions.
Alternatively, any regular editor is sufficient to extract IoCs (Indicators of Compromise). As shown below, the Platform Notifications\*.log
log file contains
Endpoint security solutions rarely provide visibility into application-level settings. To empower organizations to hunt for potential traces of browser notification abuse, we extended Velociraptor’s SQLiteHunter. Through the forensic collector’s Generic.Forensic.SQLiteHunter
artifact, investigators can now collect and parse notification-related settings on Chromium browsers.
Abusing browser notifications is not a new technique, which luckily also means that preemptive security controls do exist. Organizations are recommended to enforce and harden web browser settings. Specific to this attack pattern, organizations can leverage Chromium’s DefaultNotificationsSetting
and NotificationsAllowedForUrls
settings as well as FireFox’s Permissions policy to deny notification requests while having organization-approved exceptions.
Maxime Thiebaut
Maxime Thiebaut is a GCFA-certified Incident Response & Digital Forensics Analyst within NVISO CSIRT. He spends most of his time performing defensive research and responding to incidents. Previously, Maxime worked on the SANS SEC699 course. Besides his coding capabilities, Maxime enjoys reverse engineering samples observed in the wild.