The Ngrok service is hosted on Amazon AWS, so reporting to them is basically a waste of time: by the time they respond, the malware has done its work and vanished. The malware isn’t actually stored anywhere on an Amazon server either; only a link or redirect to the malware happens via Amazon AWS.

What's more, the way VirusTotal works makes it hard to gauge the efficacy of this campaign. That's because VirusTotal (at least the public version) doesn't show all subdomains. As a result, security researchers can only see malware delivered from the main ngrok.io domain and not potentially thousands or even millions of subdomains.

Given this lack of visibility, organizations should focus on protecting themselves against attack campaigns similar to the one described above. They should do so by educating their employees about some of the most common phishing attacks in circulation today. They should also leverage a sophisticated solution like Tripwire Malware Detection that can protect their critical assets against known threats and zero-day attacks.
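Because public VirusTotal views do not list individual ngrok.io subdomains, an organization's own proxy logs are the practical place to get that visibility. The following is an added example, not part of the original article: it assumes a whitespace-separated log layout (timestamp, client IP, method, target, status), and the log lines, addresses, subdomains and function names are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

TUNNEL_SUFFIX = "ngrok.io"  # parent domain named in the article

# Constructed sample proxy log: timestamp, client IP, method, target, status.
SAMPLE_LOG = """\
2000-01-01T09:14:02Z 10.0.4.17 GET http://a1b2c3d4.ngrok.io/invoice.doc 200
2000-01-01T09:14:40Z 10.0.4.22 GET https://example.com/index.html 200
2000-01-01T09:15:11Z 10.0.4.31 GET http://A1B2C3D4.ngrok.io./invoice.doc 200
2000-01-01T09:16:05Z 10.0.4.17 GET http://ngrok.io.example.net/a 200
2000-01-01T09:17:30Z 10.0.4.40 CONNECT e5f6a7b8.ngrok.io:443 200
2000-01-01T09:18:00Z 10.0.4.41 GET http://notngrok.io/ 200
"""

def host_of(target):
    """Return the normalized hostname from a URL or a CONNECT host:port target."""
    if "://" not in target:
        target = "//" + target  # lets urlsplit parse a bare host:port
    try:
        host = urlsplit(target).hostname or ""  # .hostname is already lowercased
    except ValueError:
        return ""  # malformed target, e.g. a broken IPv6 literal
    return host.rstrip(".")  # drop the trailing dot of a fully qualified name

def is_tunnel_subdomain(host, suffix=TUNNEL_SUFFIX):
    """True only for real subdomains of suffix, not look-alike names."""
    return host.endswith("." + suffix)

def tunnel_hits(log_text):
    """Map each tunnel subdomain seen in the log to the sorted clients that hit it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip truncated or malformed lines
        client, target = fields[1], fields[3]
        host = host_of(target)
        if is_tunnel_subdomain(host):
            hits[host].add(client)
    return {host: sorted(clients) for host, clients in hits.items()}

if __name__ == "__main__":
    for host, clients in sorted(tunnel_hits(SAMPLE_LOG).items()):
        print(host, "<-", ", ".join(clients))
```

Matching on the dot-prefixed suffix after normalization is what keeps `ngrok.io.example.net` and `notngrok.io` out of the results while still catching mixed-case and trailing-dot forms of the same subdomain.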