Alan Pope, former Engineering and Community Manager at Canonical, has noticed a new wave of attacks targeting Snap Store app catalog users. Instead of registering new accounts, attackers have begun buying expired domains listed in the email addresses of registered Snap developers. After purchasing the domain, the attackers redirect email traffic to their server and, having gained control of the email address, initiate a forgotten password recovery process to access the account.
By gaining control of an existing account, attackers can deploy malicious updates to previously published, trusted apps, bypassing the enhanced checks applied to new users and avoiding the addition of warning labels for new projects. Alan Pope has identified at least two domains (enstorewise.tech and vagueentertainment.com) purchased by attackers to hijack accounts, but it is believed there are many more such cases.
In the past, attackers limited themselves to registering their own accounts and publishing malicious packages that impersonated official builds of popular software or used names similar to existing packages (typosquatting). In response, Canonical introduced manual review of package names being published to the Snap Store for the first time. Since then, malware distributors have focused primarily on publishing original packages, promoting them on social media, and eventually shipping a malicious update that attempts to bypass the Snap Store's automated checks and filters.
Now the attack vector has shifted towards buying up expired domains, because the Snap Store did not check whether the domain names used in developers' email addresses were still registered. Last year, the PyPI (Python Package Index) repository encountered a similar problem and responded by automatically marking email addresses whose domains had expired as unverified. More than 1800 such email addresses were blocked on PyPI.
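The PyPI-style mitigation described above, as an added illustration (this is not Canonical's or PyPI's code): audit the registered email addresses of publisher accounts, mark an account unverified when its domain is unregistered, expired or malformed, and refuse to send a password-reset link to such an address. The domain registry lookup is a hypothetical injected function with a constructed sample table standing in for WHOIS/RDAP answers, so the script runs offline; the account list and dates are constructed as well.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class DomainStatus:
    """Registration state of a domain as reported by a (hypothetical) lookup."""
    registered: bool
    expires: Optional[date] = None  # None when unknown or not registered


# A lookup maps a domain name to its DomainStatus. In production this would
# wrap a WHOIS/RDAP client; here it is injected so the audit runs offline.
LookupFn = Callable[[str], DomainStatus]


def email_domain(address: str) -> Optional[str]:
    """Return the lower-cased domain part of an email address, or None if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain or "." not in domain:
        return None
    return domain.lower().rstrip(".")


def classify(address: str, lookup: LookupFn, today: date,
             grace_days: int = 30) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'ok', 'expiring' or 'unverified'."""
    domain = email_domain(address)
    if domain is None:
        return "unverified", "malformed address"
    status = lookup(domain)
    if not status.registered:
        return "unverified", f"{domain} is not registered (open to re-registration)"
    if status.expires is not None:
        if status.expires < today:
            return "unverified", f"{domain} expired on {status.expires.isoformat()}"
        if status.expires - today <= timedelta(days=grace_days):
            return "expiring", f"{domain} expires on {status.expires.isoformat()}"
    return "ok", "domain registered"


def password_reset_allowed(address: str, lookup: LookupFn, today: date) -> bool:
    """Gate for the forgotten-password flow: never mail a reset link to an
    address whose domain no longer belongs, verifiably, to the account holder."""
    return classify(address, lookup, today)[0] != "unverified"


def audit_accounts(accounts: Iterable[Tuple[str, str]], lookup: LookupFn,
                   today: date) -> Dict[str, Tuple[str, str]]:
    """Map each account name to its (verdict, reason)."""
    return {name: classify(email, lookup, today) for name, email in accounts}


# Constructed sample registry standing in for WHOIS/RDAP answers (.test is a reserved TLD).
SAMPLE_REGISTRY = {
    "active-publisher.test": DomainStatus(True, date(2027, 1, 15)),
    "lapsed-publisher.test": DomainStatus(True, date(2024, 3, 2)),   # expired, re-registrable
    "gone-publisher.test": DomainStatus(False),                      # dropped from the registry
    "renew-soon.test": DomainStatus(True, date(2025, 6, 20)),
}


def sample_lookup(domain: str) -> DomainStatus:
    """Hypothetical lookup backed by the constructed table above."""
    return SAMPLE_REGISTRY.get(domain, DomainStatus(False))


# Constructed publisher accounts.
SAMPLE_ACCOUNTS = [
    ("alice", "alice@active-publisher.test"),
    ("bob", "bob@Lapsed-Publisher.test"),
    ("carol", "carol@gone-publisher.test"),
    ("dave", "dave@renew-soon.test"),
    ("erin", "not-an-email"),
]
AUDIT_DATE = date(2025, 6, 1)


def run_sample_audit() -> Dict[str, Tuple[str, str]]:
    """Run the audit over the constructed accounts as of AUDIT_DATE."""
    return audit_accounts(SAMPLE_ACCOUNTS, sample_lookup, AUDIT_DATE)


if __name__ == "__main__":
    for name, (verdict, reason) in run_sample_audit().items():
        print(f"{name:6} {verdict:11} {reason}")
    for name, email in SAMPLE_ACCOUNTS:
        ok = password_reset_allowed(email, sample_lookup, AUDIT_DATE)
        print(f"reset for {name}: {'allowed' if ok else 'blocked'}")
```

The useful detail is the split between the audit and the reset gate: the audit is a periodic job that flags accounts for re-verification (and can surface domains about to lapse so the owner is nudged to renew), while the gate runs synchronously inside the account-recovery flow, which is exactly where a re-registered domain is turned into account control. Using only the part after the "@" as the domain is a simplification; a real deployment would resolve the registrable domain with the public suffix list.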
Source: opennet.ru
