Expired domains used to seize control of Snap packages

Alan Pope, formerly engineering and community engagement manager at Canonical, has drawn attention to a worrying trend targeting users of the Snap Store app catalog. Instead of creating new accounts, attackers now buy up expired domains that appear in the email addresses of registered Snap package developers. Once they control such a domain, they set up mail handling for it (pointing its MX records at their own server), request a password reset for the developer account tied to that address, receive the reset message, and take over the account.

Taking over an existing account lets the attacker push a malicious update to an application that users already trust, without going through the stricter checks applied to new accounts and without the store showing the warnings it attaches to new projects. Pope named two domains, enstorewise.tech and vagueentertainment.com, as examples bought by attackers for this purpose; many more cases have probably gone undetected.

Previously, attackers registered their own accounts to publish malicious packages, often passing them off as official builds of popular programs or using names similar to those of legitimate packages. In response, Canonical introduced manual verification for new package names added to the Snap Store. Malware distributors then changed approach: they published a harmless package, promoted it on social media, and only later slipped malicious code into an update, which evades the store's automated checks and filters.

This latest wave of attacks was possible because the Snap Store did not check whether the domain of a developer's registered email address was still registered to, and controlled by, that developer. The PyPI (Python Package Index) repository ran into the same problem last year and began automatically marking email addresses whose domains had expired as unverified, which blocked more than 1,800 such addresses.
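As an added illustration of the check described above (this is example code written for this page, not Canonical's or PyPI's implementation), the script below extracts the domain from each registered developer address, asks a resolver whether that domain still resolves, and marks addresses on dead domains as unverified so that password resets cannot be sent to them. The account list and the demo resolver results are constructed for the example; the stdlib resolver is an assumption that a domain with no A/AAAA record is gone, which misses the rare registered domain that publishes only MX records (use a DNS library such as dnspython to query NS or MX records in production).

```python
"""Audit registered developer email addresses for expired or dead domains.

Added example, not code from the Snap Store or PyPI. Assumes accounts are
(username, email) pairs and that a resolver callable reports whether a
domain still resolves.
"""
from dataclasses import dataclass
from enum import Enum
import socket
from typing import Callable, Dict, Iterable, List, Optional, Tuple


class Status(Enum):
    VERIFIED = "verified"
    UNVERIFIED_DOMAIN_GONE = "unverified: email domain no longer resolves"
    INVALID = "invalid address"


@dataclass(frozen=True)
class Finding:
    username: str
    email: str
    status: Status


def email_domain(email: str) -> Optional[str]:
    """Return the normalised domain part of an address, or None if malformed.

    rpartition handles local parts that themselves contain '@' (quoted
    local parts); a trailing dot on the domain is stripped.
    """
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    domain = domain.lower().rstrip(".")
    if "." not in domain or domain.startswith(".") or ".." in domain:
        return None
    return domain


def stdlib_resolver(domain: str) -> bool:
    """True if the domain has an A/AAAA record.

    Assumption for this example: the standard library cannot query MX or
    NS records, so a registered domain that publishes only MX would be
    reported as gone. Swap in a DNS library for production use.
    """
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def audit(accounts: Iterable[Tuple[str, str]],
          resolves: Callable[[str], bool] = stdlib_resolver) -> List[Finding]:
    """Classify every account; resolver results are cached per domain."""
    cache: Dict[str, bool] = {}
    findings: List[Finding] = []
    for username, email in accounts:
        domain = email_domain(email)
        if domain is None:
            findings.append(Finding(username, email, Status.INVALID))
            continue
        if domain not in cache:
            cache[domain] = resolves(domain)
        status = Status.VERIFIED if cache[domain] else Status.UNVERIFIED_DOMAIN_GONE
        findings.append(Finding(username, email, status))
    return findings


def accounts_needing_lockout(findings: Iterable[Finding]) -> List[str]:
    """Usernames whose password-reset email address can no longer be trusted."""
    return [f.username for f in findings if f.status is not Status.VERIFIED]


# Constructed sample data for the example; these are not real accounts.
DEMO_ACCOUNTS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@lapsed-publisher.test"),
    ("carol", "carol@lapsed-publisher.test"),
    ("dave", "not-an-address"),
]

# Constructed resolver results standing in for live DNS answers.
DEMO_DNS = {"example.com": True, "lapsed-publisher.test": False}


def demo_resolver(domain: str) -> bool:
    return DEMO_DNS.get(domain, False)


if __name__ == "__main__":
    for finding in audit(DEMO_ACCOUNTS, resolves=demo_resolver):
        print(f"{finding.username:8} {finding.email:30} {finding.status.value}")
    print("lock out:", accounts_needing_lockout(audit(DEMO_ACCOUNTS, demo_resolver)))
```

Run against a live account list, the script takes a few seconds per unresolvable domain because of resolver timeouts; batch it and persist the per-domain cache if the list is large.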
