Stealing Windows credentials using Google Chrome

Security researcher Bosko Stankovic recently published an article explaining how an attacker could use Chrome, the SMB file sharing protocol, and Windows Explorer Shell Command Files to steal victims' credentials.

The basic elements

Chrome

Similar attacks have been demonstrated using Internet Explorer and Edge, but being able to do this with a (very popular) third-party browser greatly increases the chances of it being used in the wild. Chrome uses a technique called MIME sniffing for text or text-like content: when such a file contains a non-printable character, Chrome does not render it but downloads it instead. It saves these files to the default download folder specified in the Advanced Settings section of the Chrome Settings.

Download folder

SMB protocol

This file sharing protocol recently gained a lot of fame by being exploited to spread the WannaCrypt ransomware worm. It is what Windows uses to share files, printers, and serial ports, and to communicate this information between computers. By design, clients make SMB requests and servers make the resources available after successful authentication. But as it turns out, this feature can be (ab)used for a lot more.

SCF files

Windows Explorer Shell Command Files (SCF) are basically shortcuts with a run command. A very noteworthy feature is that the .scf extension stays hidden even if you have Windows set to show file extensions.

So you will have to take a really close look at a file with a double extension like example.txt.scf to see the difference from an actual txt file.


Another thing that makes SCF files dangerous is that they are triggered as soon as the folder they are in is opened: Windows sends a request for the referenced resource the very moment the file is displayed in Windows Explorer.

The possible attack

The attacker plants an SCF file containing a non-printable character on a website he knows his victim(s) frequent (a watering hole attack). Or, if the threat actor is after a bigger audience, he can rig a malvertising campaign or use social media.

Chrome users will get the SCF file downloaded to their default downloads folder, and the next time they want to look at or move a file in that folder, the SCF file will be triggered as soon as the downloads folder is opened in Windows Explorer.

As explained, SCF files can be configured to contact a server with a request for a resource (i.e. a file). There are no restrictions, so this can be a remote server under the attacker's control. In order to make the resource request, Windows needs to send an authentication request via SMB, which can be captured on the server. The request includes the victim's username, domain, and NTLMv2 password hash. This information can be extremely useful for an attacker who wants to expand his foothold on a network.

The consequences

Once the attacker has the hashed password, how long it takes to recover the plaintext depends on the strength of the underlying password; this can vary from mere seconds to a few days. In targeted attacks, you can be sure the username and hash will be checked against lists published after breaches to see whether a password has been re-used, in which case it can be matched with the hash even faster.

If the Windows 8/10 user signs in with Microsoft Authentication (MSA) to use Microsoft services like Office 365, OneDrive, Skype, and many others, the impact on the victim can be even bigger.

Mitigation

You have probably heard this before this week, but if you don't need SMB, disable it. This is the only part of the attack chain the end user can easily control, by executing a simple PowerShell command. Other options are:

  • Always use the “Save as…” option when you are knowingly downloading something, so you never have to open the default downloads folder.
  • Alter the file association for SCF files, which you have to do in the registry: changing the default value under the key HKEY_CLASSES_ROOT\.scf to “txtfile” makes the extension visible and opens the files in Notepad.

But disabling SMB is more likely to be successful, and it also helps protect you against other malware like the WannaCry ransomware worm and the Adylkuzz cryptocurrency miner.
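As an added example, not code from the Malwarebytes article or from Stankovic's research, the following PowerShell script puts the defensive steps from the SCF and Mitigation sections together: it audits the Downloads folder for SCF files (whose .scf extension Explorer would hide), applies the HKEY_CLASSES_ROOT\.scf registry change, disables SMBv1, and blocks outbound SMB to Internet addresses. The Downloads path, the firewall rule name and the use of the “Internet” firewall address keyword are assumptions for this example; run it from an elevated PowerShell prompt.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the article: audit for downloaded SCF files and
# apply the mitigations discussed above. Run from an elevated PowerShell prompt.

# --- 1. Audit: find SCF files in the browser download folder ------------------
# Explorer hides the .scf extension even with "show extensions" enabled, so the
# file name reported here is the reliable way to spot example.txt.scf.
$downloads = Join-Path $env:USERPROFILE 'Downloads'     # assumed Chrome default
$scfFiles  = Get-ChildItem -Path $downloads -Filter '*.scf' -Force -ErrorAction SilentlyContinue
foreach ($f in $scfFiles) {
    Write-Warning ("SCF file in downloads: {0} ({1} bytes, written {2})" -f `
        $f.FullName, $f.Length, $f.LastWriteTime)
}
if (-not $scfFiles) { Write-Output "No .scf files found in $downloads" }

# --- 2. Registry: open .scf as plain text instead of as a shell command -------
# This is the HKEY_CLASSES_ROOT\.scf change from the article: with the default
# value set to 'txtfile', Explorer shows the extension and Notepad opens the file.
$scfKey = 'Registry::HKEY_CLASSES_ROOT\.scf'
$old    = (Get-ItemProperty -Path $scfKey -ErrorAction SilentlyContinue).'(default)'
if (-not (Test-Path $scfKey)) { New-Item -Path $scfKey -Force | Out-Null }
Set-ItemProperty -Path $scfKey -Name '(default)' -Value 'txtfile'
Write-Output "HKCR\.scf default value: '$old' -> 'txtfile'"

# --- 3. Disable SMBv1 (the WannaCry/Adylkuzz vector) -------------------------
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null
Write-Output ("SMB1 server enabled: {0}" -f (Get-SmbServerConfiguration).EnableSMB1Protocol)

# --- 4. Block outbound SMB to Internet hosts ----------------------------------
# The SCF trick makes the *client* authenticate to a remote SMB server, and that
# works over SMB 2/3 as well, so step 3 alone does not stop the credential leak.
# 'Internet' is a Windows Firewall address keyword for non-local addresses; the
# rule name is an assumption for this example.
$ruleName = 'Block outbound SMB to Internet (SCF mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445, 139 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}
$present = [bool](Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)
Write-Output "Firewall rule '$ruleName' present: $present"
```

The audit step is worth running before the hardening: an SCF file already sitting in the Downloads folder has most likely fired the moment that folder was last opened in Explorer, so its presence is the one host-side indicator that a credential request may already have left the machine. Note also the split between steps 3 and 4: turning off SMBv1 closes the WannaCry-style vector the article mentions, but the NTLM authentication that the SCF file provokes is ordinary SMB client behaviour and negotiates SMB 2 or 3 on current Windows, so the outbound block on TCP 445 (mirrored at the network perimeter) is the part that actually keeps the hash from reaching an attacker-controlled server. In a domain, the Group Policy setting “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers” achieves the same for the whole estate.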

Summary

This article explains how Chrome users are at risk of spilling their Microsoft Authentication credentials by simply visiting the wrong site.


Pieter Arntz

The post Stealing Windows credentials using Google Chrome appeared first on Malwarebytes Labs.

How Using A VPN Could Save Your Summer

As summer inches closer, I begin to daydream about all the trips I’ll get to take with my family. However, whether our days are spent on the beach or walking around cities we’ve never explored, they all start the same: long-haul flights, airports, and hotels. While the Wi-Fi at the airport may claim to be secure in the network name, public Wi-Fi networks lack encryption, which scrambles the data being sent over the network. Without encryption, cybercriminals can intercept shared information and gain access to personal passwords, financials, or identity information.

Traveling often means I’ll be surrounded by (and connecting to) unfamiliar Wi-Fi networks, which makes it especially important to have a smart security solution in place for all my devices. I rely on two different tools to keep my devices and my family’s devices safe while we’re on the road. One is a personal VPN, which keeps my connections safe, even if I need to log into an insecure Wi-Fi network. Personal VPNs encrypt online activities in both public and secure Wi-Fi networks, allowing users to surf the web safely and feel at peace knowing that sensitive information will be kept private.

If you tend to spend a lot of time browsing or doing work from your device while traveling, make sure to download security apps that protect your devices directly. It’s nice to have that extra layer of security, as these apps analyze the applications already installed on my phone that use my private information, and secure my data accordingly. If you’re traveling to cities where pickpocketing is common (or if you’re simply forgetful), many of the security apps also offer anti-theft protection that allows the user to back up, lock, and wipe the device remotely.

My family likes to travel to many different places in one vacation, which makes these apps perfect – since we’re bouncing between hotels or vacation rentals, we’re often surrounded by unknown networks. If your device has made an unknown connection, you’re potentially at risk of downloading fishy viruses or malware through the network. I’ve found that it’s always smart to have extra protection if your devices have a higher chance of making an insecure connection.

While these tools are important to have, we’ve learned that technology can occasionally fail us. One of the most trustworthy ways to keep your devices safe while jet-setting around this summer is to understand what an insecure Wi-Fi connection looks like. If you can determine whether the connections around you are safe or not, it will potentially save you and your loved ones a massive headache down the road. Look out for these warning signs of an insecure network, and stay away from connecting if the network looks suspicious.

  • Check the Authenticity. If there is no WPA or WPA2 password for protected access, the connection is open, or unencrypted. You can check the authenticity of the network by going into your internet settings and looking to see whether it’s protected with WPA or WPA2, or whether it says it’s “open.”
  • HTTP vs. HTTPS? Make sure that the web pages you visit are “HTTPS” encrypted whenever possible. Do this by looking at the beginning of the URL you are accessing – if the URL starts with “HTTP”, log out – particularly if you’re doing something sensitive.
  • Pay Attention to the Warning Signs. SSL and TLS warnings are the messages that pop up in your browser when you’re in danger of connecting to an insecure connection – and it’s likely that you’ve clicked through the notification without a second thought. Take a moment to think about what you’re agreeing to before moving past the notifications next time, because it could mean you’re putting your devices in danger.
  • Be Picky. Don’t set your device to automatically connect to Wi-Fi networks. Rather, make sure your laptops, tablets, or smartphones will “forget” certain networks when you disconnect, and that they’ll only reconnect when you choose to do so manually.

From the “secure Wi-Fi” you find at the airport and airplane, to whatever you can connect to in your hotel or vacation rental, it’s smart to have a secure solution if you plan to stay connected while traveling. Know the warning signs of an insecure Wi-Fi connection and use a personal VPN and/or mobile security solution whenever possible to keep your data as protected as possible. Have a secure summer, and happy travels!

Looking for more mobile security tips and trends? Be sure to follow @McAfee_Home on Twitter, and like us on Facebook.

The post How Using A VPN Could Save Your Summer appeared first on McAfee Blogs.