Cybercriminals have launched Matrix Push, a new command-and-control platform that exploits web-browser notifications to phish users of services like Netflix and PayPal, as detailed in a BlackFog Security report. This attack deceives victims into revealing credentials through disguised alerts on compromised websites.
The cybersecurity landscape this week featured multiple emerging threats. Reports emerged about Sturnus, a new Android banking trojan developed by cybercriminals. This malware bypasses encryption protocols to access secure instant-message conversations. It achieves this by reading and copying the content when messages display on the smartphone screen, allowing attackers to intercept sensitive information during active use.
Businesses received alerts regarding stealthy copy-and-paste attacks. These exploits target the clipboard function as an entry point for malicious code. Attackers insert harmful payloads into copied text, which then execute when users paste the content into applications or documents, potentially compromising systems without direct user awareness.
Matrix Push represents the latest development in this series of deceptive tactics. BlackFog Security’s threat-warning report identifies it as a command-and-control infrastructure operated by cybercriminals. The platform delivers both malware and phishing attacks exclusively through web-browser mechanisms, avoiding traditional delivery methods like email attachments.
The operation of Matrix Push relies on several technical exploits. It leverages push browser notifications to send unsolicited alerts to users. These notifications mimic system-generated messages from the operating system or the browser itself. Attackers also employ faked system alerts that imitate official warnings. Additionally, click-me link redirects guide users to malicious pages under the guise of legitimate interactions.
Brenda Robb, from BlackFog Security, explained the core mechanism: “Leveraging push browser notifications, faked system alerts, and click-me link redirects, Matrix Push turns web browsers into an attack delivery vehicle.” This transformation enables browsers to serve as vectors for ongoing attacks, embedding threats directly into user interfaces.
The phishing process begins with social engineering. Cybercriminals direct potential victims to a website, either fully malicious or a legitimate one that has been compromised without the owner’s knowledge. Users encounter prompts to accept browser notifications from this site. Granting permission activates the attack sequence, giving attackers the ability to bombard the device with deceptive messages.
Once permissions are obtained, Matrix Push dispatches tailored alerts. These appear as notifications from trusted brands, blending seamlessly with authentic device prompts. Robb detailed the scope: “We found templates for brands such as MetaMask, Netflix, Cloudflare, PayPal, TikTok, and more, each designed to look like a legitimate notification or security page from those providers.” Such impersonation heightens the deception, as the alerts integrate into the device’s standard notification area.
This placement in the genuine notification feed reduces user suspicion. Victims perceive the messages as routine updates or alerts from their subscribed services. Clicking on these prompts redirects users to phishing sites engineered to capture login credentials. The authenticity of the notification’s appearance and location significantly increases the success rate of these credential-grabbing attempts.
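Because the whole sequence depends on a site holding notification permission, a defender can audit which origins a browser profile has granted it to. The following is an added example, not code from the BlackFog report; it assumes the Chromium "Preferences" JSON layout (profile.content_settings.exceptions.notifications, where setting 1 means allow), and the sample data, hostnames and approved list are constructed.

```python
import json
from urllib.parse import urlsplit

ALLOW = 1  # assumed Chromium content-setting value for "allow" (2 is "block")

# Constructed sample of the relevant part of a Chromium profile "Preferences" file.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://mail.example.com:443,*": {"setting": 1},
        "https://free-stream.example.net:443,*": {"setting": 1},
        "https://ads.example.org:443,*": {"setting": 2},
    }}}}
})


def notification_grants(preferences_text):
    """Return sorted hostnames that hold an 'allow' notification permission."""
    prefs = json.loads(preferences_text)
    entries = (prefs.get("profile", {}).get("content_settings", {})
                    .get("exceptions", {}).get("notifications", {}))
    hosts = []
    for pattern, value in entries.items():
        if not isinstance(value, dict) or value.get("setting") != ALLOW:
            continue  # skip blocked or malformed entries
        primary = pattern.split(",", 1)[0]  # keys are "primary,secondary" pairs
        # Fall back to the raw pattern when it is not a plain URL.
        hosts.append((urlsplit(primary).hostname or primary).lower())
    return sorted(hosts)


def unexpected_grants(preferences_text, approved_hosts):
    """Return granted hosts that are not on the organisation's approved list."""
    approved = {h.lower() for h in approved_hosts}
    return [h for h in notification_grants(preferences_text) if h not in approved]


if __name__ == "__main__":
    # The approved list is a constructed example of a site the user really wants.
    for host in unexpected_grants(SAMPLE_PREFERENCES, {"mail.example.com"}):
        print("review notification grant:", host)
```

Any host this reports is a candidate for revoking the permission in the browser's site settings.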
Users of affected services have access to specific resources for protection. Netflix provides phishing attack guidance on its help page, outlining recognition and avoidance strategies. Similarly, PayPal maintains a dedicated help page with advice on identifying and responding to phishing attempts, including verification steps for suspicious communications.
The BlackFog report underscores the persistence of browser-based threats across all operating systems. Matrix Push’s design exploits universal web functionalities, making it compatible with various devices and browsers. Cybercriminals continue to refine these platforms, incorporating templates for an expanding array of high-profile brands to broaden their reach.





