PayPal, Netflix, and TikTok users targeted in Matrix Push C2 phishing campaign

PayPal, Netflix, and TikTok users have become a new phishing target for hackers using a new tool called Matrix Push C2.

According to reports, the tool is accessible as a web-based dashboard. This allows hackers to send notifications, track each victim in real-time, determine which notifications the victims interacted with, and create shortened links using a built-in URL shortening service. Additionally, they track installed browser extensions, including cryptocurrency wallets.

In a report, Blackfog researcher Brenda Robb said, “The core of the attack is social engineering, and Matrix Push C2 comes loaded with configurable templates to maximize the credibility of its fake messages […] Attackers can easily theme their phishing notifications and landing pages to impersonate well-known companies and services.”

Other well-known brands that support notification verification templates are MetaMask and Cloudflare. The platform also includes an “Analytics & Reports” section that allows its customers to measure the effectiveness of their campaigns and refine them as required.

The attack plays out via the web browser as a cross-platform threat

When the scammer gets the victim to receive notifications from the site, the attackers take advantage of the web push notification mechanism built into the web browser. They use it to send alerts that appear to have been sent by the operating system or the browser itself. This leverages trusted branding, familiar logos, and convincing language to maintain the ruse.

These include alerts about, say, suspicious logins or browser updates, along with a handy “Verify” or “Update” button that, when clicked, takes the victim to a bogus site.

With this attack, the entire process takes place through the browser without the need to first infect the victim’s system through another means. In a way, the attack is similar to ClickFix in that users are lured into following specific instructions to compromise their own systems, thereby bypassing traditional security controls.

Additionally, because the attack occurs via the web browser, it’s also a cross-platform threat. This effectively turns any browser application on any platform that subscribes to the malicious notifications into a client enlisted in the pool of clients, giving adversaries a persistent communication channel.

Matrix Push was first observed at the beginning of October and has been active since then. However, there’s no evidence of older versions, earlier branding, or long-standing infrastructure. Everything indicates this is a newly launched kit.

Telegram comes to play in the scammers’ business

Matrix Push C2 is sold as a malware-as-a-service (MaaS) kit to other threat actors. It is sold directly through crimeware channels, mostly on Telegram and cybercrime forums. There are different subscription levels: about $150 per month, $405 for three months, $765 for six months, and $1,500 for a full year.

Additionally, according to Dr. Darren Williams, founder and CEO of BlackFog,  “Payments are accepted in cryptocurrency, and buyers communicate directly with the operator for access.” Even Europol warned that the use of crypto assets for criminal activities has become more sophisticated.

Telegram founder Pavel Durov has been held personally liable for some of the illicit activities on the messaging platform. Durov was first arrested in Paris as part of a formal investigation for alleged involvement in criminal activities on Telegram.

French investigators accuse the company of being used for illegal trading, child sexual abuse material, and other illicit exchanges, and of failing to cooperate with law enforcement requests. Telegram continues to be proven as a criminals’ marketplace.

Cryptopolitan reported that France revoked the travel ban on Pavel Durov so he can now travel freely. However, a criminal probe into his messaging platform continues.

Recently, X  uncovered and dismantled a bribery network run by suspended users and crypto scammers who allegedly paid “middlemen” to bribe employees in exchange for account reinstatements.

Get up to $30,050 in trading rewards when you join Bybit today