The Daily Decrypt
The Daily Decrypt
Everything is Fake! Fake Error Messages, Fake Chrome Updates, and SnowFAKE (Snowflake)

In today’s episode, we delve into the recent surge of identity-based cyberattacks targeting Snowflake customers, with at least 100 companies confirmed impacted as disclosed by Mandiant and Pure Storage ( We also explore how attackers are leveraging social engineering to install malware through fake error messages, as outlined by Proofpoint researchers ( Finally, we discuss how legitimate websites are being exploited to deliver the BadSpace Windows backdoor, detailed by German cybersecurity company G DATA (

00:00 Introduction to Fake Cyber Attacks

01:11 Fake Error Messages

03:30 The Badspace Backdoor with Trae

06:54 Snowflake Breach: What Happened?

Thanks to Jered Jones for providing the music for this episode.

Logo Design by

Tags: Snowflake, cyberattacks, identity-based, infiltrate, cybercriminals, malware, proofpoint, fake error messages, hackers, BadSpace, G DATA, cybersecurity, social engineering, cloud data security, Windows backdoor

Search Phrases:

  • Identity-based cyberattacks on Snowflake customers
  • Protecting Snowflake accounts from cybercriminals
  • Malware threats to cloud security
  • Proofpoint cybercrime reports
  • Steps to prevent fake error message scams
  • BadSpace Windows backdoor protection measures
  • How hackers use fake browser updates
  • G DATA cybersecurity insights
  • Social engineering defenses in cybersecurity
  • Preventing identity-based infiltrations in cloud systems

What we know about the Snowflake customer attacks —`Sure thing! Here’s a flash briefing summarizing the key information about the Snowflake customer attacks:

  • Widespread Impact: Over 100 Snowflake customers have been confirmed impacted by identity-based attacks utilizing stolen credentials from infostealer malware. Approximately 165 businesses remain potentially exposed. [Source: Mandiant]
  • Key Entry Point: Attacks were not due to a vulnerability or breach within Snowflake’s system but through stolen credentials from infostealer malware on non-Snowflake systems. Impacted accounts lacked multifactor authentication (MFA). [Source: Mandiant]
  • Early Detection: The earliest unauthorized access to Snowflake customer instances was detected on April 14, with Mandiant beginning its investigation on April 19 and identifying the first confirmed connection to Snowflake on May 14. [Source: Mandiant’s June 10 Threat Intelligence Report]
  • Immediate Actions: Snowflake has been suspending user accounts showing signs of malicious activity, blocking suspicious IP addresses, and advising customers to enable MFA and configure network access policies. [Source: Snowflake CISO Brad Jones]
  • Data Theft: The first known sale of stolen data from a Snowflake customer database was posted on May 24. Snowflake disclosed the attacks on May 30, providing indicators of compromise and recommended actions for companies to investigate. [Source: Mandiant]
  • Ongoing Investigation: The investigation, assisted by Mandiant and CrowdStrike, is ongoing. The attacker, referred to as UNC5537, continues to extort victims with stolen data as of June 13. [Source: Mandiant]

Malware peddlers love this one social engineering trick! —`- Key Information: Attackers increasingly use fake error messages to trick users into installing malware.

  • Actionable Insight: Stay vigilant when encountering unexpected error messages prompting installations or updates.
  • Key Information: These fake error messages often accompany HTML documents delivered via email attachments.
    • Actionable Insight: Exercise caution when opening email attachments, especially HTML documents, and verify the sender’s authenticity.
  • Key Information: Users may be prompted to install root certificates, resolve issues, install extensions, or update DNS caches.
    • Actionable Insight: Before following any such prompts, consult your IT department or perform a quick search to confirm the legitimacy of the request.
  • Key Information: The attack chain requires significant user interaction but cleverly disguises malware installation as a problem-solving step.
    • Actionable Insight: Always take a moment to consider the risk before performing any suggested actions from an error message.
  • Key Information: Various attackers, including initial access brokers, use these techniques to deploy PowerShell scripts, installing malware like DarkGate and NetSupport.
    • Actionable Insight: Familiarize yourself with the signs of PowerShell script execution and report any suspicious activity to your security team.
  • Key Information: Detection is difficult because the malicious script is copied to the clipboard via JavaScript and manually run by the user.
    • Actionable Insight: Be wary of any browser prompts to copy scripts or commands and avoid running them directly from your clipboard.
  • Key Information: Users are the last line of defense if browsing protections and email filters fail.
    • Actionable Insight: Engage in regular cybersecurity training to identify and report suspicious activities promptly.

Hackers Exploit Legitimate Websites to Deliver BadSpace Windows Backdoor

  • Compromised Websites as Conduits:
    • Hackers use legitimate websites, often built on platforms like WordPress, to deliver a Windows backdoor named BadSpace.
    • They disguise the attack as fake browser updates, making it hard for users to detect.
  • Multi-Stage Attack Chain:
    • The attack begins with an infected website that checks if a user has visited before.
    • On the first visit, the site collects device data, IP address, user-agent, and location, then sends it to a command-and-control (C2) server.
    • The server responds with a fake Google Chrome update pop-up that either directly drops the malware or uses a JavaScript downloader to deploy BadSpace.
  • Malware Capabilities:
    • BadSpace can harvest system information, take screenshots, execute commands, read/write files, and delete scheduled tasks.
    • It employs anti-sandbox techniques and sets up persistence using scheduled tasks.
  • Connections to SocGholish:
    • The C2 servers linked to BadSpace show connections to another malware known as SocGholish (aka FakeUpdates), which uses similar tactics.
  • Current Threat Landscape:
    • Organizations like eSentire and Sucuri report ongoing campaigns using fake browser updates to spread information stealers and remote access trojans.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.