Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label fake ads. Show all posts
ProPublica
Cyber Attacks Facebook Ads Facebook Hackers fake ads Hackers Internet scammers Meta Online Security ProPublica

Meta Struggles to Curb Misleading Ads on Hacked Facebook Pages

 

Meta, the parent company of Facebook, has come under fire for its failure to adequately prevent misleading political ads from being run on hacked Facebook pages. A recent investigation by ProPublica and the Tow Center for Digital Journalism uncovered that these ads, which exploited deepfake audio of prominent figures like Donald Trump and Joe Biden, falsely promised financial rewards. Users who clicked on these ads were redirected to forms requesting personal information, which was subsequently sold to telemarketers or used in fraudulent schemes. 

One of the key networks involved, operating under the name Patriot Democracy, hijacked more than 340 Facebook pages, including verified accounts like that of Fox News meteorologist Adam Klotz. The network used these pages to push over 160,000 deceptive ads related to elections and social issues, with a combined reach of nearly 900 million views across Facebook and Instagram. The investigation highlighted significant loopholes in Meta’s ad review and enforcement processes. While Meta did remove some of the ads, it failed to catch thousands of others, many with identical or similar content. Even after taking down problematic ads, the platform allowed the associated pages to remain active, enabling the perpetrators to continue their operations by spawning new pages and running more ads. 

Meta’s policies require ads related to elections or social issues to carry “paid for by” disclaimers, identifying the entities behind them. However, the investigation revealed that many of these disclaimers were misleading, listing nonexistent entities. This loophole allowed deceptive networks to continue exploiting users with minimal oversight. The company defended its actions, stating that it invests heavily in trust and safety, utilizing both human and automated systems to review and enforce policies. A Meta spokesperson acknowledged the investigation’s findings and emphasized ongoing efforts to combat scams, impersonation, and spam on the platform. 

However, critics argue that these measures are insufficient and inconsistent, allowing scammers to exploit systemic vulnerabilities repeatedly. The investigation also revealed that some users were duped into fraudulent schemes, such as signing up for unauthorized monthly credit card charges or being manipulated into changing their health insurance plans under false pretences. These scams not only caused financial losses but also left victims vulnerable to further exploitation. Experts have called for more stringent oversight and enforcement from Meta, urging the company to take a proactive stance in combating misinformation and fraud. 

The incident underscores the broader challenges social media platforms face in balancing open access with the need for rigorous content moderation, particularly in the context of politically sensitive content. In conclusion, Meta’s struggle to prevent deceptive ads highlights the complexities of managing a vast digital ecosystem where bad actors continually adapt their tactics. While Meta has made some strides, the persistence of such scams raises serious questions about the platform’s ability to protect its users effectively and maintain the integrity of its advertising systems.
Read more »
Window Admin
Cyber Security fake ads Fraudulent Sites Ransomware attack Typosquatting Window Admin

Windows System Admins Targeted by Hackers Via Fraudulent PuTTy, WinSCP Ads

 

A ransomware attack targets Windows system administrators by using Google advertisements to promote fraudulent download sites for Putty and WinSCP. WinSCP and Putty are popular Windows applications; WinSCP is an SFTP and FTP client, while Putty is an SSH client. 

System administrators typically have more rights on a Windows network, making them prime targets for threat actors looking to quickly propagate over a network, steal data, and get access to a network's domain controller to deliver ransomware. 

According to a recent Rapid7 report, a search engine campaign featured adverts for fake Putty and WinSCP websites when users searched for download winscp or download putty. It's unclear whether this promotion took place on Google or Bing. 

These advertisements employed typosquatting domain names such as puutty.org, puutty[.]org, wnscp[.]net, and vvinscp[.]net. While these sites impersonated the official WinSCP site (winscp.net), the threat actors impersonated an unaffiliated PuTTY site (putty.org), which many people assume is the real one. PuTTY's official website is at https://www.chiark.greenend.org.uk/~sgtatham/putty/. 

These sites include download links that, when clicked, may either redirect you to legitimate websites or download a ZIP archive from the threat actor's servers, depending on whether you were sent by a search engine or another site in the campaign. 

The downloaded ZIP packages contain two executables: Setup.exe, a renamed and legitimate Python for Windows executable (pythonw.exe), and python311.dll, a malicious program.

When the pythonw.exe programme is run, it will try to launch a valid python311.dll file. However, the threat actors changed this DLL with a malicious version loaded via DLL Sideloading. 

When a user launches Setup.exe, expecting to install PuTTY or WinSCP, it loads the malicious DLL, which extracts and implements an encrypted Python script. 

This script will eventually install the Sliver post-exploitation toolkit, which is a popular tool for gaining access to corporate networks. Rapid7 claims the threat actor utilised Sliver to remotely deploy other payloads, including Cobalt Strike beacons. The hacker utilised this access to steal data and try to install a ransomware encryptor. 

While Rapid7 provided little specifics about the ransomware, the researchers say it is comparable to campaigns detected by Malwarebytes and Trend Micro, which used the now-defunct BlackCat/ALPHV ransomware. 

"In a recent incident, Rapid7 observed the threat actor attempt to exfiltrate data using the backup utility Restic, and then deploy ransomware, an attempt which was ultimately blocked during execution," stated Rapid7's Tyler McGraw. "The related techniques, tactics, and procedures (TTP) observed by Rapid7 are reminiscent of past BlackCat/ALPHV campaigns as reported by Trend Micro last year.”
Read more »
malware
Brave Browser fake ads Google malware

Google Took Down Luring Ads Posing as Brave Browser

 

Malicious advertising has attracted internet visitors to the bogus Brave website. The fraudulent website delivered an ArechClient (SectopRAT) malware variant of the Brave browser. Google put an end to the scam by removing the fraudulent advertisement. 

Website surfers who tried to install a copy of the Brave browser had a smartly camouflaged advertisement that sent the visitors to a dangerous website, wherein they implanted malware on their computers. 

This rogue website was placed on brav.com, wherein Brave is spelled in place of the standard Latin alphabet with a little Lithuanian capital (with a dot at the top). Brave's Web browser is free and open-source, created by Chromium-based Brave Software, Inc. 

Brave, indeed is a confidentiality-focused browser, which is distinguished for eliminating online ads and website tracking in its default settings. An ISO file claiming to carry the Brave installer was downloaded by users who visited the site, engineered to resemble the authentic Brave portal. 

In contrast to the Brave browser installation, an ArechClient malware variant (SecctopRAT) of the ISO file was downloaded, security researcher Bart Blaze told The Record after scanning the malicious file. The malware's key characteristic is to rob data from browsers and cryptocurrencies, Blaze claimed. 

It also contains many anti-VM and anti-emulator scanning functions to stop the identification of malicious capabilities for investigators and security solutions. 

It is advisable to change web account passwords and transfer cryptocurrency assets to new addresses for anybody who inadvertently downloaded this spyware. Nevertheless, Google has claimed that the fraudulent ad had been deleted. 

Such kinds of attacks are referred to as IDN homographic attacks which take place whenever threat actors record domains that are internationally similar to the Latin alphabet. 

Attacks, similar to that of against Brave, are being conducted over a decade since internationalized glyphs have been permitted for domain name use, and by Punycode, browsers have reacted to those non-standard characters. 

For instance, if the page is loaded within a modern browser, the fraudulent domain brav.com equals xn-brav-epa.com, but visitors would most probably download the malicious payload if the address bars are not paid attention to. 
Read more »
Subscribe to: Posts (Atom)