jspenguin2017 / Snippets

Random code snippets

List of compromised websites and scope of damage, by Nano Adblocker and Defender #5

Closed wadawada closed 3 years ago

wadawada commented 3 years ago

Checklist for everyone affected

  • Login sessions between 10/15 and 10/16 are most likely to be affected
  • Check your Instagram for random likes, even if you didn't visit it for a long time, you might be still affected
  • Check other websites you visited in the past 10 days for a suspicious activity
  • Check your accounts for suspicious login attempts
  • If suspicious activity is found, report below

Countermeasures

  • Your passwords are probably fine so far. This is actually confirmed by the reports of failed logins by some, as some websites are smart enough not to allow suspicious usage of stolen cookies, which is good. However, it can be compromised if you visited a website with poor security practices (which store passwords in cookies, for example).
  • DO NOT simply delete cookies from your browser. Cookies on the server-side need to be refreshed, which cannot be done by deleting cookies on the client-side
  • You need to logout ALL sessions of websites that you visited in the past 10 days. Find the option in settings to "Terminate all sessions", which will invalidate all previously issued cookies at all locations. If there is no option to terminate all sessions, you can contact support for assistance in terminating all of your sessions due to possible cookie theft.
  • Login again to refresh session cookies
  • As a last resort, changing your password should (although it might not) invalidate all previous cookies. (https://github.com/jspenguin2017/Snippets/issues/5#issuecomment-712724272)

Please READ the following web page for help and a detailed explanation of what happened https://github.com/jspenguin2017/Snippets/issues/5#issuecomment-713028839 https://github.com/jspenguin2017/Snippets/issues/5#issuecomment-712599645 https://chris.partridge.tech/2020/extensions-the-next-generation-of-malware/help-for-users/

other info: https://github.com/jspenguin2017/Snippets/issues/2#issuecomment-712448295 info in session cookies

If you want to rant, you can go to https://github.com/jspenguin2017/Snippets/issues/4. For other issues, you can also go to https://github.com/jspenguin2017/Snippets/issues/3 or https://github.com/jspenguin2017/Snippets/issues/2. You may have one, more, or no accounts affected.

If one or more of your accounts on some websites/apps have shown suspicious activity recently, you can use the following format to help report/confirm being compromised:

1. website: www.something.com
2. saved password in Chrome? YES if password was saved / NO if password was typed
3. suspicious activity on login session page (if provided): YES (e.g. failed logins) / NO
4. unauthorized activity on website/app: describe what happened

Websites already confirmed to be compromised

Instagram
You can check suspicious activities by:
  • On Instagram Mobile, Settings > Security > Login Activity
  • On Instagram Website, Settings > Login Activity
  • On Instagram Mobile, Settings > Account > Posts You've Liked, to see if you have unauthorized likes
Question: need a way to remove unauthorized likes. A solution: https://github.com/jspenguin2017/Snippets/issues/5#issuecomment-713626427

Websites that may be compromised; needs confirmation whether it is related to this incident

Github: check the security log to see if there are failed attempts to login recently https://github.com/jspenguin2017/Snippets/issues/2#issuecomment-712522905 (2 confirmed suspicious activity with failed login) https://github.com/settings/security-log

Microsoft/Outlook account (2 confirmed suspicious activity with failed login) https://support.microsoft.com/en-us/account-billing/check-the-recent-sign-in-activity-for-your-microsoft-account-5b3cfb8e-70b3-2bd6-9a56-a50177863357

Twitch (Question: maybe no way to check login sessions?) https://help.twitch.tv/s/article/account-hacked?language=en_US
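The countermeasures above rest on one point: a session cookie is only a reference to state the server keeps, so clearing cookies in your own browser changes nothing for a copy that was already exfiltrated. The following is an added example, not code from this thread or from any of the sites discussed, using a constructed toy session store; the generation-counter design for "terminate all sessions" is an assumption about how such a feature can be built, not a description of any particular site.

```python
import secrets


class SessionStore:
    """Toy server-side session store (constructed for this example).

    A session cookie is only a reference to state kept here; the client
    throwing its copy away does not change anything on this side.
    """

    def __init__(self):
        self._sessions = {}    # session id -> (user, generation at issue)
        self._generation = {}  # user -> current session generation

    def login(self, user):
        gen = self._generation.setdefault(user, 0)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, gen)
        return sid

    def is_valid(self, sid):
        entry = self._sessions.get(sid)
        if entry is None:
            return False
        user, gen = entry
        return gen == self._generation[user]

    def terminate_all_sessions(self, user):
        # Bumping the generation invalidates every cookie issued so far,
        # wherever a copy of it is held, without enumerating sessions.
        self._generation[user] = self._generation.get(user, 0) + 1

    def logout(self, sid):
        # Ordinary logout only removes the one session the browser presents.
        self._sessions.pop(sid, None)


def scenario():
    """Walk through the thread's advice; record whether a stolen copy still works."""
    server = SessionStore()
    browser_cookies = {}

    # Victim logs in; a malicious extension has a copy of the cookie value.
    browser_cookies["sid"] = server.login("victim")
    stolen_copy = browser_cookies["sid"]
    results = {"after_login": server.is_valid(stolen_copy)}

    # The step the thread warns against: only clearing cookies on the client.
    browser_cookies.clear()
    results["after_clearing_browser_cookies"] = server.is_valid(stolen_copy)

    # Logging in again just issues a second session; the earlier one lives on.
    browser_cookies["sid"] = server.login("victim")
    results["after_relogin"] = server.is_valid(stolen_copy)

    # "Terminate all sessions" kills every previously issued cookie server-side,
    # including the victim's own current one, so a fresh login is needed.
    server.terminate_all_sessions("victim")
    results["after_terminate_all"] = server.is_valid(stolen_copy)
    results["own_cookie_after_terminate_all"] = server.is_valid(browser_cookies["sid"])
    browser_cookies["sid"] = server.login("victim")
    results["own_cookie_after_fresh_login"] = server.is_valid(browser_cookies["sid"])
    return results


if __name__ == "__main__":
    for step, still_valid in scenario().items():
        print(f"{step:34s} valid={still_valid}")
```

Only the `terminate_all_sessions` step turns the stolen copy off; everything the client does on its own side leaves it valid, which is why the checklist says to use the site's own "log out everywhere" option rather than just deleting cookies.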

tweedge commented 3 years ago

If I read correctly, they are probably also involved in the User-Agent-Switcher malware.

The similarities are too big to ignore, and at this point I am "pretty confident" it's the same threat actor. The whole control structure is copied 1:1, and even conversing with eSolutions Nordic, a party presenting similarly to the Nano Adblocker/Nano Defender buyer was involved.

paperclip-dayo commented 3 years ago

Just to confirm, this only affected users who installed Nano extensions from the Chrome store, right? Edge/Microsoft store listing as well as Firefox one were safe from this?

Optoz commented 3 years ago

I was affected on Firefox, I think. As far as I know, I have not logged into Instagram on my laptop in months, where I use Chrome, and my Instagram was affected where I do use it on Firefox.

tweedge commented 3 years ago

Hey all I have written a post instructing users on how to respond to this infection. If you feel it helped you understand the scope of the infection and what to do to respond, you are welcome to distribute it.

https://chris.partridge.tech/2020/extensions-the-next-generation-of-malware/help-for-users/

kefremov commented 3 years ago

Hey all I have written a post instructing users on how to respond to this infection. If you feel it helped you understand the scope of the infection and what to do to respond, you are welcome to distribute it.

https://chris.partridge.tech/2020/extensions-the-next-generation-of-malware/help-for-users/

it gives a 404

tweedge commented 3 years ago

it gives a 404

I'm going absolutely bonkers trying to fix that, terribly sorry. It was working, pushed a minor change, now 404 city...

Edit: Got it back, thanks y'all. Was related to a Cloudflare incident -> https://www.cloudflarestatus.com/incidents/yq4dq06f5g00

ferdevos commented 3 years ago

Regarding claims that Outlook accounts were compromised due to unauthorised syncs (IMAP/POP3): I did a review of my account and can confirm that there were unauthorised syncs, but am quite certain that they are unrelated to this exploit from the Nano extensions. Why? 1) The unauthorised syncs were based on my email aliases that were prone to lots of spam already. My Outlook login is based on a different email alias that did not show up in the list of unauthorised syncs. These unauthorised syncs are most likely spam/phishing bots trying to access harvested email addresses from an unrelated leak. 2) Unauthorised syncs already happened from before September (way back).

wickles commented 3 years ago

connection.zip Can you look at this file? I don't know so much about JS

Turkish user with personal fork of instagram-bomber uploading random zip file attachments. Yeah that's not suspicious at all.

kefremov commented 3 years ago

After logging out and logging back to instagram, removing all likes that were made, resetting the password, deleting all instagram cookies and logging back in, I'm noticing other newly made likes (1 at a time, in ~3 hours) popping up.

Can you guys check as well?

Krit789 commented 3 years ago

After logging out and logging back to instagram, removing all likes that were made, resetting the password, deleting all instagram cookies and logging back in, I'm noticing other newly made likes (1 at a time, in ~3 hours) popping up.

Can you guys check as well?

I can confirm that this happens too. But after resetting the password for the second time and logging out of all devices I haven't seen it do that again.

pavolstibranyi commented 3 years ago

After logging out and logging back to instagram, removing all likes that were made, resetting the password, deleting all instagram cookies and logging back in, I'm noticing other newly made likes (1 at a time, in ~3 hours) popping up.

Can you guys check as well?

Did you log out and back to facebook too?

kefremov commented 3 years ago

After logging out and logging back to instagram, removing all likes that were made, resetting the password, deleting all instagram cookies and logging back in, I'm noticing other newly made likes (1 at a time, in ~3 hours) popping up. Can you guys check as well?

Did you log out and back to facebook too?

yeah I did

ethansky commented 3 years ago

@kefremov I noticed the same thing when I woke up this morning. I logged out on Instagram on both my devices, changed the password, and cleaned up all the botted likes last night. I wake up this morning and see two images liked that were not done by me. I'm not sure if it is just Instagram/Facebook being slow/bad, or if the attacker still has access to my account.

andrerahardjo97 commented 3 years ago

On Instagram Mobile, Settings > Security > Login Activity. Or, using the Instagram Website, Settings > Login Activity. Don't forget to log out other devices.

nadeem49 commented 3 years ago

If we use cookie auto delete, which deletes cookies after every tab closure, use passwords from Bitwarden, and set the browser to delete history, cookies and site data after browser close, do we still have a problem?

tweedge commented 3 years ago

If we use cookie auto delete, which deletes cookies after every tab closure, use passwords from Bitwarden, and set the browser to delete history, cookies and site data after browser close, do we still have a problem?

Yes. Deleting cookies doesn't terminate your session; you need to explicitly log out or use the site's session management tools to do that.

wickles commented 3 years ago

I found one new Like today but the post is from 3 days ago so it may just be instagram being glitchy, either mistakenly not showing it before or forgetting that I had unliked it.

subsoap commented 3 years ago

Instagram only shows you a few liked posts at a time, so you have to manually go back and clear more. It's fascinating seeing all of the kind of people vain enough to buy likes for fake social proof.

tweedge commented 3 years ago

Instagram only shows you a few liked posts at a time, so you have to manually go back and clear more. It's fascinating seeing all of the kind of people vain enough to buy likes for fake social proof.

From a separate study of this, it's a lot of brand (selling directly) and influencer pages (selling by exposure). Influencers can rake in $1k+/post even when they have just moderate influence... cash rules everything around me.

kefremov commented 3 years ago

Is there any way to find out which specific urls they were targeting?

jc-ss commented 3 years ago

Is it safe to say that these people who received our likes are using some sort of program to "buy" likes? I can't think of a reason why they would be receiving our likes if not that one.

ferdevos commented 3 years ago

Thanks to the Instagram API, there is a marketplace of scripts/bots that do exactly that: "instagram mass follow/like bot script followliker etc etc etc".

Is it safe to say that these people who received our likes are using some sort of program to "buy" likes? I can't think of a reason why they would be receiving our likes if not that one.

CharmCityCrab commented 3 years ago

Just to confirm, this only affected users who installed Nano extensions from the Chrome store, right? Edge/Microsoft store listing as well as Firefox one were safe from this?

People are saying that the Mozilla Firefox AMO (store) and Microsoft Edge store did not get the first update containing malware. So, you're probably alright (Though I am not sure who controls the Edge store listing, so depending on the answer to that, something bad could still be pushed from there in the form of an update. Firefox we at least know who controls the listing and it's not anyone involved with the malware.).

However, it's possible (Just as a generalization, I don't know that this is correct in this case) that the pre-existing programs before the updates adding the malware may have been contacting servers for normal operational stuff that could just be part of the program from when it was doing regular non-malware stuff. If that is the case, then it could be at least slightly problematical for regular users because those servers could have been part of the sale, and thus the extensions would still be contacting servers in control of cyber criminals.

I would hope that with what is partially a security extension, contact with the company's servers would be limited both in frequency and in scope, or would not occur at all, but I haven't seen anyone say anything about that one way or the other yet. So, just as a precaution, I would remove the extensions (In Firefox, "Tools>Add-Ons>Hamburger menu next to the specific add-on>Remove") from your installation. You're probably okay if you're a Firefox user and not a Chrome user, but do you want to be probably okay or definitely okay? In your shoes, I'd want to be definitely okay. I might or might not start changing all my passwords and whatnot if I had the extensions installed from the Firefox store, whereas I definitely would if they were installed from the Chrome store, but I would at least remove the extensions if I had them from the Firefox store.

If you're really a die-hard enthusiast of these extensions, I suppose you could just disable the one (Nano Defender) that the Firefox maintainer, who was just porting the extension and not working for the original developer or the new developers, is planning to rename and re-launch as her own fork eventually, instead of removing it, as sort of a reminder to bring it back when she gets things sorted out (That's better than just leaving it enabled- but, really, you should remove it). However, it seems to me that removing it and bookmarking the site page in the Mozilla AMO, writing yourself a note (physically, through a notetaking app, or on your device in a text file- whatever) would be the safer course unless you have a ton of custom settings (And even then it is still the safer course, it's just that you'd lose the settings).

I don't know why anyone would continue to take chances with these extensions in any form at this point. Maybe down the line when the Firefox thing is truly forked away from all the old servers and stuff, if it does something you find really important.... but for now, there's really no good enough reason not to uninstall IMO.

Get rid of them, and install uBlock Origin, which is what Nano Adblocker forked from originally and is very similar, and much more trustworthy. That would just be the easiest and most trustworthy replacement for someone used to Nano, from what I've read.

Head commented 3 years ago

I've checked my DNS logfiles and found some suspicious requests...

Update: thanks to @KaceAlpha a bit below for checking my requests. They seem not to be connected with this hack.

Google has this handy page to double-check your browsing history https://myactivity.google.com/myactivity, and some pages seem to fire a lot of really strange requests, like Pinterest and Shopify... Still investigating my pihole logs in more detail.

d0gkiller87 commented 3 years ago

I built a simple script to help me identify logged-in sessions; I think it might help someone else as well. repo: CookieValidater. Assuming that you have the same cookies stored in Chrome as the leaked ones, this script can help you validate the session tokens that are stored in the cookies. The websites highlighted in green in the screenshot mean that the account can be accessed by the leaked cookies.

It requires Python 3.6 or above with the requests and tldextract modules, and the cookies (.json) exported by Cookiebro. Instructions and details are written in the repo readme. *Note: use the cookie editor/exporter (Cookiebro) with caution.* Also remember to remove the json file of exported cookies after use.

shakyr commented 3 years ago

I've a quick question, is there a way to check when/if a previously installed extension was disabled?

To my knowledge I've had the Nano Defender extension disabled months/years ago, and my Instagram does not appear to be compromised.

I'd be interested in this too, though I don't hold any hope of it being possible.

I had Nano Defender installed months ago, while I was attempting to circumvent video ads, but I found a better way to do it. I think I disabled the addon afterwards, but I'm not quite sure. Chrome automatically deleted the addon when I loaded my browser a few days ago (I can't even remember what day it was, as I thought nothing of it at the time), so I can't check my addon listings.

I've done a check of GitHub/Facebook/Google/Microsoft/Twitter accounts, didn't see any issues. Twitch/PayPal doesn't seem to have any login history. Bank accounts I don't stay logged in with.

Did a regular wipe of cookies/history back on Oct 12, so I only have my history from back then.

KaceAlpha commented 3 years ago

Maybe someone else has a DNS logfile like pihole running ...

I have a DNS logfile, I checked the log after the first occurrence of: time:1602756556 host:::1 message:def.dev-nano.com type:A return:PASS cached:0 duration:41

I was browsing at the time, so there are a lot of random log entries. But the most notable sites are (I didn't open them at the time):

Other notable sites, but probably not caused by nano: (I checked, no suspicious activity)

... and can double check those?

I don't have the sites you listed @Head

Hope this helps

ghost commented 3 years ago

For me it's a strange situation.

I've got the NanoDefender malware active and logged in on Instagram and a lot of sites. Browsing like a normal day. Out of curiosity I went to check my pihole logs for some breaking content, and found 6394 hits of def.dev-nano.com in the Blocked domain list. And 3 hits in the Allowed ones. Googled a bit and found this mess. Removed the extension yesterday and from that time I'm checking my accounts for suspicious activity, but nothing. Nothing on Instagram so far. I'm probably safe because the extension cannot resolve to the malicious server?

Head commented 3 years ago

For me it's a strange situation.

I've got the NanoDefender malware active and logged in on Instagram and a lot of sites. Browsing like a normal day. Out of curiosity I went to check my pihole logs for some breaking content, and found 6394 hits of def.dev-nano.com in the Blocked domain list. And 3 hits in the Allowed ones. Googled a bit and found this mess. Removed the extension yesterday and from that time I'm checking my accounts for suspicious activity, but nothing. Nothing on Instagram so far. I'm probably safe because the extension cannot resolve to the malicious server?

Sounds good. Can you see what adlist was def.dev-nano.com on? Also check for www.dev-nano.com

ghost commented 3 years ago

Sounds good. Can you see what adlist was def.dev-nano.com on? Also check for www.dev-nano.com

Keep in mind that I've updated all my lists ~8 hours ago, but I think that the domain was still blocked way before that time.

Exact matches for def.dev-nano.com found in: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts https://someonewhocares.org/hosts/zero/hosts https://dbl.oisd.nl/ https://raw.githubusercontent.com/notracking/hosts-blocklists/master/hostnames.txt https://raw.githubusercontent.com/notracking/hosts-blocklists/master/hostnames.txt https://raw.githubusercontent.com/mkb2091/blockconvert/master/output/domains.txt https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt

Exact matches for www.dev-nano.com found in: https://raw.githubusercontent.com/mkb2091/blockconvert/master/output/domains.txt https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt

Edit: Also, I remember editing my DNS to Google's ones for a brief period for troubleshooting purposes. So it's strange that the malware didn't touch my accounts. Also, I'm blocking all third-party cookies. For sure something stopped the malware before acting.
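The two posts above show the defender's check that actually settled things for these users: search the local DNS resolver log for the domains named in this thread and see whether lookups were answered or blocked. The following is an added example, not code from this thread or from Pi-hole; it parses the `key:value` line layout quoted by @KaceAlpha and, as a generalization, also flags any other name under the same `dev-nano.com` zone. The sample log is constructed: only the `def.dev-nano.com` line comes from the thread, the `return:BLOCKED` value used for the blocked entries is an assumption (the real blocked-lookup label is not shown in this thread), and the client addresses are made up.

```python
import datetime as dt

# Indicators named in this thread (exact hostnames) plus their parent zone,
# so a new subdomain of the same attacker-controlled domain is also caught.
IOC_HOSTS = {"def.dev-nano.com", "www.dev-nano.com"}
IOC_ZONES = {"dev-nano.com"}

# Constructed sample log in the key:value layout quoted above. The
# def.dev-nano.com line is the one from the thread; the rest is made up,
# and "BLOCKED" is an assumed label for a lookup the resolver refused.
SAMPLE_LOG = """\
time:1602756500 host:::1 message:www.example.org type:A return:PASS cached:1 duration:2
time:1602756556 host:::1 message:def.dev-nano.com type:A return:PASS cached:0 duration:41
time:1602756590 host:::1 message:cdn.example.net type:AAAA return:PASS cached:0 duration:13
time:1602760000 host:192.168.1.20 message:www.dev-nano.com type:A return:BLOCKED cached:0 duration:1
time:1602760100 host:192.168.1.20 message:api.dev-nano.com type:A return:BLOCKED cached:0 duration:1
"""


def parse_line(line):
    """Split 'key:value' tokens; the value keeps any further colons (host:::1 -> ::1)."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition(":")
        if sep:
            fields[key] = value
    return fields


def matches_ioc(hostname):
    """True for an exact indicator or any name inside an indicator zone."""
    h = hostname.lower().rstrip(".")
    if h in IOC_HOSTS:
        return True
    return any(h == zone or h.endswith("." + zone) for zone in IOC_ZONES)


def scan_log(text):
    """Return one record per lookup of an indicator, with UTC time and outcome."""
    hits = []
    for line in text.splitlines():
        fields = parse_line(line)
        name = fields.get("message")
        if not name or not matches_ioc(name):
            continue
        when = dt.datetime.fromtimestamp(int(fields["time"]), tz=dt.timezone.utc)
        hits.append({
            "time": when.isoformat(),
            "client": fields.get("host", "?"),
            "name": name,
            # A PASS means the extension actually reached a resolver answer;
            # anything else means the lookup never resolved.
            "resolved": fields.get("return") == "PASS",
        })
    return hits


def summarize(hits):
    resolved = sum(1 for h in hits if h["resolved"])
    return {"total": len(hits), "resolved": resolved, "blocked": len(hits) - resolved}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["time"]}  {h["client"]:14s} {h["name"]:20s} resolved={h["resolved"]}')
    print(summarize(found))
```

A resolved hit gives you the timestamp to line up against the "log sessions between 10/15 and 10/16" window in the checklist; a log with only blocked hits matches the situation described in the post above, where the blocklists stopped the extension before it could reach its server. To use it on a real export, read the file and pass its contents to `scan_log` in place of `SAMPLE_LOG`.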

ioantsaf commented 3 years ago

I developed a script that detects suspicious Instagram likes, and lets you remove them: https://github.com/ioantsaf/hacked_insta_unliker

Here you can find the Windows release, if you do not have access to a Python Interpreter: https://github.com/ioantsaf/hacked_insta_unliker/releases/latest

fabiank0 commented 3 years ago

I developed a script that detects suspicious Instagram likes, and lets you remove them: https://github.com/ioantsaf/hacked_insta_unliker

Here you can find the Windows release, if you do not have access to a Python Interpreter: https://github.com/ioantsaf/hacked_insta_unliker/releases/tag/v1.0.0

Be careful with running scripts on Instagram, they are known to 'shadowban' you or outright close your account for stuff like this.

d0gkiller87 commented 3 years ago

The attackers already ran their bot scripts at least once on the infected accounts before, though.

fabiank0 commented 3 years ago

The attackers already ran their bot scripts at least once on the infected accounts before, though.

I'm aware. My account has been shadowbanned since then (No impressions through hashtags). Might be correlation, but it's not something that has ever happened before to me.

nathanctech commented 3 years ago

Can confirm, a bunch of unknown likes on my instagram even though I barely use it. No suspicious logins at all and I just use Facebook to sign in, so no idea how that even happened.

ferdevos commented 3 years ago

I developed a script that detects suspicious Instagram likes, and lets you remove them: https://github.com/ioantsaf/hacked_insta_unliker

Here you can find the Windows release, if you do not have access to a Python Interpreter: https://github.com/ioantsaf/hacked_insta_unliker/releases/latest

hmm I'm getting this: ERROR: Could not find a version that satisfies the requirement certifi==2020.6.20 (from -r requirements.txt (line 1)) (from versions: none) ERROR: No matching distribution found for certifi==2020.6.20 (from -r requirements.txt (line 1))

ioantsaf commented 3 years ago

I developed a script that detects suspicious Instagram likes, and lets you remove them: https://github.com/ioantsaf/hacked_insta_unliker Here you can find the Windows release, if you do not have access to a Python Interpreter: https://github.com/ioantsaf/hacked_insta_unliker/releases/latest

hmm I'm getting this: ERROR: Could not find a version that satisfies the requirement certifi==2020.6.20 (from -r requirements.txt (line 1)) (from versions: none) ERROR: No matching distribution found for certifi==2020.6.20 (from -r requirements.txt (line 1))

Which version of python and pip are you using? Python 3.6+ is required.

ferdevos commented 3 years ago

I developed a script that detects suspicious Instagram likes, and lets you remove them: https://github.com/ioantsaf/hacked_insta_unliker Here you can find the Windows release, if you do not have access to a Python Interpreter: https://github.com/ioantsaf/hacked_insta_unliker/releases/latest

hmm I'm getting this: ERROR: Could not find a version that satisfies the requirement certifi==2020.6.20 (from -r requirements.txt (line 1)) (from versions: none) ERROR: No matching distribution found for certifi==2020.6.20 (from -r requirements.txt (line 1))

Which version of python and pip are you using? Python 3.6+ is required.

the current one.. 3.9

EDIT: it may just be my connection having difficulty connecting to the repo. nvm

ioantsaf commented 3 years ago

Could not find a version that satisfies the requirement certifi==2020.6.20

Can you try running pip3 install -r requirements.txt?

savnoob commented 3 years ago

I found one new Like today but the post is from 3 days ago so it may just be instagram being glitchy, either mistakenly not showing it before or forgetting that I had unliked it.

Same thing happened to me. I already cleared all the sessions, changed the password twice and removed all the likes from the posts that I could find. But I noticed a new post in my liked posts yesterday and two more posts this morning.

pascil commented 3 years ago

After I changed my password for Instagram I've never had a like not made by me ever again. The only thing that confuses me is that the activity log didn't show a location I didn't know. Either because of the cookie the attackers weren't suspicious or they spoofed the location.

ferdevos commented 3 years ago

Could not find a version that satisfies the requirement certifi==2020.6.20

Can you try running pip3 install -r requirements.txt?

it was my connection - for some reason was timing out to the repo. fixed it and used your script successfully. thanks for this

exurd commented 3 years ago

I developed a script that detects suspicious Instagram likes, and lets you remove them: https://github.com/ioantsaf/hacked_insta_unliker

Here you can find the Windows release, if you do not have access to a Python Interpreter: https://github.com/ioantsaf/hacked_insta_unliker/releases/latest

Tried using it, but got stuck on the checkpoint challenge. The script fails and quits out, meaning you can't continue the challenge.

help me god please help me

Pressing 'It was me' does absolutely nothing the next time you open the script. The same error occurs again and again.

Tried contacting the developer. Told me something that sounded like good information, but actually accelerated my anger towards this situation.

This can happen sometimes when using the Instagram private API. Just unlock your account and run the script again.

Tried searching up what unlocking your account means. Nothing came up. Was it a mobile setting only? Nope, not there at all. Did he mean unprivating my account? Tried that, and the error still came up.

I have no idea what the hell "unlocking your account" means and I'm losing my marbles overall. Please, for god's sake, tell me what the hell I'm supposed to do?!

ioantsaf commented 3 years ago

https://github.com/ioantsaf/hacked_insta_unliker/issues/3#issuecomment-714425514

Also, take a look at instagram_private_api's developer answer: https://github.com/ping/instagram_private_api/issues/129#issuecomment-458825725

NDevTK commented 3 years ago

I made a script to prevent this attack https://github.com/NDevTK/DomainProtect

Mactastic1-5 commented 3 years ago

I made a script to prevent this attack https://github.com/NDevTK/DomainProtect

Would it be possible to make this into an extension?

Mactastic1-5 commented 3 years ago

ioantsaf/hacked_insta_unliker#3 (comment)

Also, take a look at instagram_private_api's developer answer: ping/instagram_private_api#129 (comment)

This doesn't work for me. Maybe it's because I have 2FA enabled.

ioantsaf commented 3 years ago

ioantsaf/hacked_insta_unliker#3 (comment) Also, take a look at instagram_private_api's developer answer: ping/instagram_private_api#129 (comment)

This doesn't work for me. Maybe it's because I have 2FA enabled.

It doesn’t work with 2FA. You’ll have to disable it, run the script to remove the likes, then enable it again.

paperclip-dayo commented 3 years ago

Got a notification mail from Microsoft today about "someone might've accessed your account". Checked my activity and it had successful IMAP syncs on Oct 22 and Oct 7 which occurred at pretty much the same time (one minute difference) from two different countries, Vietnam and Italy. But the thing is, I haven't logged into that MS account in ages (it was pretty much a dummy account). So it looks like the Microsoft suspicious activity could be unfortunate timing, possibly unrelated to Nano? Maybe some old Outlook hack or even a bug on MS's side?

ghost commented 3 years ago

Reporting yet another Microsoft account with a slew of failed sync attempts from a bunch of different countries.