Search This Blog

Powered by Blogger.

Blog Archive

Labels

About Me

Showing posts with label fake ads. Show all posts

Cybercriminals Use Google Ads and URL Cloaking to Spread Malware

 

Cybercriminals are increasingly using Google ads and sophisticated cloaking techniques to push malware onto unsuspecting users. The latest example involves a fake Homebrew website that tricked users into downloading an infostealer designed to steal sensitive data, including login credentials and banking details. Security researcher Ryan Chenkie first noticed the malicious Google ad, which displayed the correct Homebrew URL, “brew.sh,” making it appear legitimate. 

However, once users clicked on the ad, they were redirected to a fraudulent clone hosted at “brewe.sh.” The deception was so convincing that even experienced users might not have spotted the trick before engaging with the site. The technique used in this campaign, known as URL cloaking, allows cybercriminals to manipulate how links appear in ads. According to Google, these attackers create thousands of accounts and use advanced text manipulation to bypass detection by both automated systems and human reviewers. This makes it difficult to catch fraudulent ads before they reach users. 

While Google has since removed the ad and is ramping up its security efforts, the issue highlights ongoing vulnerabilities in online advertising. The malware behind this attack, identified by security researcher JAMESWT as AmosStealer (also known as Atomic), is specifically designed for macOS systems. Developed in Swift, it is capable of running on both Intel and Apple Silicon devices. AmosStealer is a subscription-based malware service, sold to cybercriminals for $1,000 per month. 

Once installed, it can extract browser history, login credentials, bank account details, cryptocurrency wallet information, and other sensitive data. What makes this attack particularly alarming is its target audience. Homebrew is a package manager used primarily by macOS and Linux users, who are generally more tech-savvy than the average internet user. This suggests that cybercriminals are refining their tactics to deceive even experienced users. By leveraging Google’s ad platform to lend credibility to their fake sites, these attackers can reach a broader audience and increase their success rate.  

To protect against such malware campaigns, users should take extra precautions. Checking an ad’s displayed URL is no longer sufficient — verifying the website address after the page loads is crucial. Even a minor change in spelling, such as replacing a single letter, can indicate a fraudulent site. Another effective defense is avoiding Google ads altogether. Legitimate websites always appear in organic search results below the ads, so skipping the top links can help users avoid potential scams. 

Instead of clicking on ads, users should manually search for the company or product name to locate the official website. For those looking to minimize risks from malicious ads, alternative search engines like DuckDuckGo or Qwant offer more privacy-focused browsing experiences with stricter ad filtering. As cybercriminals continue to evolve their tactics, adopting safer browsing habits and remaining vigilant online is essential to avoiding security threats.

Hackers Employ Fake Mac Homebrew Google Ads in Novel Malicious Campaign

 

Hackers are once more exploiting Google advertisements to disseminate malware, using a fake Homebrew website to compromise Macs and Linux systems with an infostealer that harvests credentials, browsing data, and cryptocurrency wallets. 

Ryan Chenkie discovered the fraudulent Google ad campaign and warned on X regarding the potential of malware infection. The malware employed in this operation is AmosStealer (aka 'Atomic'), an infostealer intended for macOS devices and sold to malicious actors on a monthly subscription basis for $1,000. 

The malware recently appeared in various malvertising campaigns promoting bogus Google Meet conferencing pages, and it is now the preferred stealer for fraudsters targeting Apple customers. 

Targeting Homebrew customers 

Homebrew is a popular open-source package manager for macOS and Linux that lets you install, update, and manage software using the command line. 

A fraudulent Google advertising featured the correct Homebrew URL, "brew.sh," misleading even seasoned users into clicking it. However, the ad redirected users to a bogus Homebrew website hosted at "brewe.sh". Malvertisers have extensively exploited this URL strategy to trick users into visiting what appears to be a legitimate website for a project or organisation.

When the visitor arrives at the site, he or she is requested to install Homebrew by copying and pasting a command from the macOS Terminal or Linux shell prompt. The official Homebrew website provides a similar command for installing legitimate software. However, running the command displayed on the bogus website will download and execute malware on the device. 

Cybersecurity expert JAMESWT discovered that the malware injected in this case [VirusTotal] is Amos, a potent infostealer that targets over 50 cryptocurrency extensions, desktop wallets, and online browser data. Mike McQuaid, Homebrew's project leader, indicated that the project is aware of the situation but that it is beyond its control, criticising Google's lack of oversight. 

"Mac Homebrew Project Leader here. This seems taken down now," McQuaid stated on X. "There's little we can do about this really, it keeps happening again and again and Google seems to like taking money from scammers. Please signal-boost this and hopefully someone at Google will fix this for good.”

At the time of writing, the malicious ad has been removed, but the campaign could still run through other redirection domains, therefore Homebrew users should be aware of sponsored project adverts.

To mitigate the risk of malware infection, while clicking on a link in Google, make sure you are directed to the authentic site for a project or company before entering sensitive information or installing software. Another safe option is to bookmark official project websites that you need to visit frequently when sourcing software and utilise them instead of searching online every time.

General Dynamics Confirms Data Breach Via Phishing Campaign

 


In October 2024, General Dynamics (GD), a prominent name in aerospace and defense, confirmed a data breach impacting employee benefits accounts. The breach, detected on October 10, affected 37 individuals, including two residents of Maine. Attackers accessed sensitive personal data and bank details, with some accounts experiencing unauthorized changes.

The incident originated from a phishing campaign targeting a third-party login portal for Fidelity’s NetBenefits Employee Self Service system. Through a fraudulent ad campaign, attackers redirected employees to a spoofed login page resembling the legitimate portal. Employees who entered their credentials inadvertently provided access to their accounts. The compromised data included:

  • Personal Information: Names, birthdates, and Social Security numbers.
  • Government IDs: Details of government-issued identification.
  • Banking Details: Account numbers and direct deposit information.
  • Health Information: Disability status of some employees.

In some cases, attackers altered direct deposit information in affected accounts. The breach began on October 1, 2024, but was only discovered by General Dynamics on October 10. Once identified, access to the compromised portal was suspended, and affected employees were promptly notified. Written instructions were sent to reset credentials and secure accounts. Forensic experts were engaged to assess the breach, determine its scope, and address vulnerabilities.

Company’s Response and Support

General Dynamics emphasized that the breach was isolated to the third-party login portal and did not compromise its internal systems. In a report to the Maine Attorney General’s Office, the company stated, “Available evidence indicates that the unauthorized access occurred through the third party and not directly through any GD business units.”

To assist affected individuals, General Dynamics is offering two years of free credit monitoring services. Impacted employees were advised to:

  • Reset login credentials and avoid reusing old passwords.
  • Monitor bank and benefits accounts for suspicious activity.
  • Follow provided guidelines to safeguard personal information.

For additional support, the company provided resources and contacts to address employee concerns.

Previous Cybersecurity Incidents

This is not the first cybersecurity challenge faced by General Dynamics. In June 2024, its Spanish subsidiary, Santa Barbara Systems, was targeted by a pro-Russian hacker group in a distributed denial-of-service (DDoS) attack. While the incident caused temporary website disruption, no sensitive data was compromised.

Earlier, in March 2020, a ransomware attack on Visser Precision, a General Dynamics subcontractor, exposed sensitive data through the DoppelPaymer ransomware group. Although General Dynamics’ internal systems were not directly impacted, the incident highlighted vulnerabilities in supply chain cybersecurity.

These recurring incidents highlight the persistent threats faced by defense companies and underscore the critical need for robust cybersecurity measures to protect sensitive data. General Dynamics’ swift response and ongoing vigilance demonstrate its commitment to addressing cybersecurity challenges and safeguarding its employees and systems.

Rising Cyber Threats in Q3 2024: AI’s Dual Role in Attacks and Defense

 

The Q3 2024 Threat Report from Gen unveils a concerning rise in the sophistication of cyber threats, shedding light on how artificial intelligence (AI) is both a tool for attackers and defenders. 

As cybercriminals evolve their tactics, the line between risk and resilience becomes increasingly defined by proactive measures and advanced technology. One significant trend is the surge in social engineering tactics, where cybercriminals manipulate victims into compromising their own security. A staggering 614% increase in “Scam-Yourself Attacks” highlights this evolution. 

Often, these attacks rely on fake tutorials, such as YouTube videos promising free access to paid software. Users who follow these instructions unknowingly install malware on their devices. Another emerging strategy is the “ClickFix Scam,” where attackers pose as technical support, guiding victims to copy and execute malicious code in their systems. Fake CAPTCHA prompts and bogus software updates further trick users into granting administrative access to malicious programs. 

Data-stealing malware has also seen a significant rise, with information stealers increasing by 39%. For instance, the activity of Lumma Stealer skyrocketed by 1154%. Ransomware attacks are also on the rise, with the Magniber ransomware exploiting outdated software like Windows 7. Gen has responded by collaborating with governments to release free decryption tools, such as the Avast Mallox Ransomware Decryptor, to help victims recover their data. Mobile devices are not spared either, with a 166% growth in data-stealing malware during Q3 2024. 

The emergence of NGate spyware, which clones bank card data for unauthorized transactions, underscores the growing vulnerabilities in mobile platforms. Banking malware, including new strains like TrickMo and Octo2, has surged by 60%, further amplifying risks. Malicious SMS messages, or “smishing,” remain the most common method for delivering these attacks. According to Norton Genie telemetry, smishing accounted for 16.5% of observed attacks, followed by lottery scams at 12% and phishing emails or texts at 9.6%. 

AI plays a dual role in these developments. On one hand, it powers increasingly realistic deepfakes and persuasive phishing campaigns, making attacks harder to detect. On the other hand, AI-driven tools are vital for cybersecurity defenses, identifying threats and mitigating risks in real time. 

As cyber threats grow more complex, the Q3 2024 report underscores the urgency of staying vigilant.
Proactive measures, such as regular software updates, using advanced AI-powered defenses, and fostering awareness, are essential to mitigate risks and safeguard sensitive information. The battle against cybercrime continues, with innovation on both sides defining the future of digital security.

Meta Struggles to Curb Misleading Ads on Hacked Facebook Pages

 

Meta, the parent company of Facebook, has come under fire for its failure to adequately prevent misleading political ads from being run on hacked Facebook pages. A recent investigation by ProPublica and the Tow Center for Digital Journalism uncovered that these ads, which exploited deepfake audio of prominent figures like Donald Trump and Joe Biden, falsely promised financial rewards. Users who clicked on these ads were redirected to forms requesting personal information, which was subsequently sold to telemarketers or used in fraudulent schemes. 

One of the key networks involved, operating under the name Patriot Democracy, hijacked more than 340 Facebook pages, including verified accounts like that of Fox News meteorologist Adam Klotz. The network used these pages to push over 160,000 deceptive ads related to elections and social issues, with a combined reach of nearly 900 million views across Facebook and Instagram. The investigation highlighted significant loopholes in Meta’s ad review and enforcement processes. While Meta did remove some of the ads, it failed to catch thousands of others, many with identical or similar content. Even after taking down problematic ads, the platform allowed the associated pages to remain active, enabling the perpetrators to continue their operations by spawning new pages and running more ads. 

Meta’s policies require ads related to elections or social issues to carry “paid for by” disclaimers, identifying the entities behind them. However, the investigation revealed that many of these disclaimers were misleading, listing nonexistent entities. This loophole allowed deceptive networks to continue exploiting users with minimal oversight. The company defended its actions, stating that it invests heavily in trust and safety, utilizing both human and automated systems to review and enforce policies. A Meta spokesperson acknowledged the investigation’s findings and emphasized ongoing efforts to combat scams, impersonation, and spam on the platform. 

However, critics argue that these measures are insufficient and inconsistent, allowing scammers to exploit systemic vulnerabilities repeatedly. The investigation also revealed that some users were duped into fraudulent schemes, such as signing up for unauthorized monthly credit card charges or being manipulated into changing their health insurance plans under false pretences. These scams not only caused financial losses but also left victims vulnerable to further exploitation. Experts have called for more stringent oversight and enforcement from Meta, urging the company to take a proactive stance in combating misinformation and fraud. 

The incident underscores the broader challenges social media platforms face in balancing open access with the need for rigorous content moderation, particularly in the context of politically sensitive content. In conclusion, Meta’s struggle to prevent deceptive ads highlights the complexities of managing a vast digital ecosystem where bad actors continually adapt their tactics. While Meta has made some strides, the persistence of such scams raises serious questions about the platform’s ability to protect its users effectively and maintain the integrity of its advertising systems.

Windows System Admins Targeted by Hackers Via Fraudulent PuTTy, WinSCP Ads

 

A ransomware attack targets Windows system administrators by using Google advertisements to promote fraudulent download sites for Putty and WinSCP. WinSCP and Putty are popular Windows applications; WinSCP is an SFTP and FTP client, while Putty is an SSH client. 

System administrators typically have more rights on a Windows network, making them prime targets for threat actors looking to quickly propagate over a network, steal data, and get access to a network's domain controller to deliver ransomware. 

According to a recent Rapid7 report, a search engine campaign featured adverts for fake Putty and WinSCP websites when users searched for download winscp or download putty. It's unclear whether this promotion took place on Google or Bing. 

These advertisements employed typosquatting domain names such as puutty.org, puutty[.]org, wnscp[.]net, and vvinscp[.]net. While these sites impersonated the official WinSCP site (winscp.net), the threat actors impersonated an unaffiliated PuTTY site (putty.org), which many people assume is the real one. PuTTY's official website is at https://www.chiark.greenend.org.uk/~sgtatham/putty/. 

These sites include download links that, when clicked, may either redirect you to legitimate websites or download a ZIP archive from the threat actor's servers, depending on whether you were sent by a search engine or another site in the campaign. 

The downloaded ZIP packages contain two executables: Setup.exe, a renamed and legitimate Python for Windows executable (pythonw.exe), and python311.dll, a malicious program.

When the pythonw.exe programme is run, it will try to launch a valid python311.dll file. However, the threat actors changed this DLL with a malicious version loaded via DLL Sideloading. 

When a user launches Setup.exe, expecting to install PuTTY or WinSCP, it loads the malicious DLL, which extracts and implements an encrypted Python script. 

This script will eventually install the Sliver post-exploitation toolkit, which is a popular tool for gaining access to corporate networks. Rapid7 claims the threat actor utilised Sliver to remotely deploy other payloads, including Cobalt Strike beacons. The hacker utilised this access to steal data and try to install a ransomware encryptor. 

While Rapid7 provided little specifics about the ransomware, the researchers say it is comparable to campaigns detected by Malwarebytes and Trend Micro, which used the now-defunct BlackCat/ALPHV ransomware. 

"In a recent incident, Rapid7 observed the threat actor attempt to exfiltrate data using the backup utility Restic, and then deploy ransomware, an attempt which was ultimately blocked during execution," stated Rapid7's Tyler McGraw. "The related techniques, tactics, and procedures (TTP) observed by Rapid7 are reminiscent of past BlackCat/ALPHV campaigns as reported by Trend Micro last year.”

Google Took Down Luring Ads Posing as Brave Browser

 

Malicious advertising has attracted internet visitors to the bogus Brave website. The fraudulent website delivered an ArechClient (SectopRAT) malware variant of the Brave browser. Google put an end to the scam by removing the fraudulent advertisement. 

Website surfers who tried to install a copy of the Brave browser had a smartly camouflaged advertisement that sent the visitors to a dangerous website, wherein they implanted malware on their computers. 

This rogue website was placed on brav.com, wherein Brave is spelled in place of the standard Latin alphabet with a little Lithuanian capital (with a dot at the top). Brave's Web browser is free and open-source, created by Chromium-based Brave Software, Inc. 

Brave, indeed is a confidentiality-focused browser, which is distinguished for eliminating online ads and website tracking in its default settings. An ISO file claiming to carry the Brave installer was downloaded by users who visited the site, engineered to resemble the authentic Brave portal. 

In contrast to the Brave browser installation, an ArechClient malware variant (SecctopRAT) of the ISO file was downloaded, security researcher Bart Blaze told The Record after scanning the malicious file. The malware's key characteristic is to rob data from browsers and cryptocurrencies, Blaze claimed. 

It also contains many anti-VM and anti-emulator scanning functions to stop the identification of malicious capabilities for investigators and security solutions. 

It is advisable to change web account passwords and transfer cryptocurrency assets to new addresses for anybody who inadvertently downloaded this spyware. Nevertheless, Google has claimed that the fraudulent ad had been deleted. 

Such kinds of attacks are referred to as IDN homographic attacks which take place whenever threat actors record domains that are internationally similar to the Latin alphabet. 

Attacks, similar to that of against Brave, are being conducted over a decade since internationalized glyphs have been permitted for domain name use, and by Punycode, browsers have reacted to those non-standard characters. 

For instance, if the page is loaded within a modern browser, the fraudulent domain brav.com equals xn-brav-epa.com, but visitors would most probably download the malicious payload if the address bars are not paid attention to.