
One of our clients called after getting hit by a popup and being asked to call a number. This scam tactic has been growing faster and faster in terms of the calls that we get.

I was curious how they knew so much about the client's system, down to processes and anti-virus running.

I did a quick look and saw something like this: https://stackoverflow.com/questions/10179114/execute-powershell-script-from-node-js

So my question is this. Is this a security threat to the machine or just certain browsers?

Right now my way of protecting clients is to have them run ad-blocking software, since it looks like rogue ads are the leading cause of this.

Jason
    It's not possible to execute PowerShell from JS on a client (without exploiting a vulnerability in the browser, but in that case the game is over). The link from SO you provided is Node.js, which runs on the server side. – r00t Sep 21 '16 at 18:28

2 Answers


Node.js is a server-side JavaScript implementation. It runs on a webserver, not in a browser. If anything, it can be used to open a PowerShell session on the server it is installed on.

So unless your client runs a webserver AND has node.js installed on that webserver AND has a script on it which uses the method described in the stackoverflow answer to have it run a powershell child-process AND has a vulnerability in that script which allows an attacker to inject arbitrary code into powershell, that's a quite unlikely attack vector.

For how the attacker learned the information you mentioned about your client's system: You aren't providing enough information to make a guess in that direction.

Philipp

As others have said, the threat is not from PowerShell via JavaScript. It is most likely either a browser hijack, from a rogue advert or a malicious web link (maybe via spam email), or malware from an infected document that has been opened by the user (again usually via spam email).

The apparent knowledge may be smoke and mirrors much like many scams or may come from malware.

Given that you mention a popup, I'm guessing that this is probably a browser hijack. It is generally triggered via rogue adverts, which we are seeing a lot more of, or via spam with links that the user has clicked.

You are absolutely right to implement ad-blocking. I strongly recommend both client-side (browser) blocks and network level blocking.

Most organisations (with a few exceptions) really don't need to see any adverts; they simply pose another risk alongside those posed by spam email.

Julian Knight