Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Google Ads. Show all posts
Youtube
Ad Blockers Cyber Security Digital Ads Digital Platform Google Google Ads Server Youtube

Google's Ad Blocker Crackdown Sparks Controversy

 

Concerns have been raised by consumers and proponents of digital rights as a result of Google's recent increased crackdown on ad blockers. The move exposes a multifaceted effort that involves purposeful browser slowdowns and strict actions on YouTube, as reported in pieces sources.

According to Channel News, YouTube's ad blocker crackdown has reached new heights. Users attempting to bypass ads on the platform are facing increased resistance, with reports of ad blockers becoming less effective. This raises questions about the future of ad blocking on one of the world's most popular video-sharing platforms.

Google has taken a controversial step by intentionally slowing down browsers to penalize users employing ad blockers. This aggressive tactic, designed to discourage the use of ad-blocking extensions, has sparked outrage among users who rely on these tools for a smoother online experience.

The Register delves deeper into Google's strategy, outlining the technical aspects of how the search giant is implementing browser slowdowns. The article suggests that this move is not only an attempt to protect its advertising revenue but also a way to assert control over the online advertising ecosystem.

While Google argues that these measures are necessary to maintain a fair and sustainable digital advertising landscape, critics argue that such actions limit user freedom and choice. The concern is not merely about the impact on ad-blocker users; it also raises questions about the broader implications for online privacy and the control that tech giants exert over users' online experiences.

As the internet becomes increasingly integral to daily life, the balance between user empowerment and the interests of digital platforms is a delicate one. Google's recent actions are sure to reignite the debate on the ethics of ad blocking and the extent to which tech companies can dictate user behavior.

Google's strong action against ad blockers serves as a reminder of the continuous conflict between user autonomy and the profit-driven objectives of digital titans. These activities have consequences that go beyond the advertising industry and spark a broader conversation about the future of online privacy and the power corporations have over the digital environment.
Read more »
Google Ads
Antivirus Cybeesecurity Cyber Attacks Cyber Hackers CyberCrime Fake Windows Google Ads

Digital Deception: Hackers Target Users with Malware via Fake Windows News on Google Ads

 


In recent years, hackers have discovered new methods to spread their malware in order to steal any information they can. The hacker has been reported to be using Google Ads in order to make money, according to Bleeping Computer. Approximately a dozen domains have been reported to be hosting the WindowsReport independent media site. '

To infiltrate Google's advertising network, hackers disguise themselves using this method before setting up their own accounts. Hackers provided a run-up of CPU-Z over the fake WindowsReport website on which hackers hosted their exploit. In Windows, CPU-Z is one of the most useful free tools available for monitoring the hardware components of the computer. When searched before the site is traced, that site will end up as a RedLine Stealer or malicious application to steal information from users. 

The software allows hackers to filter sensitive system data including stored passwords, payment information, cookies, cryptocurrency wallets, and similar information in order to gain access to systems. In order to attract large numbers of people to click on these malicious CPU-Zs in Google Ads, hackers intentionally promote these malicious CPU-Zs in Google Ads advertisements. 

A number of diversions will be needed to let the users avoid Google's anti-familication cranes before they are allowed to enter the actual CPU-Z site. A cloned version of WindowsReport has been created, as per the researchers, in order to add legitimacy and trustworthiness to the entire campaign. Researchers also found that before users are redirected to the cloned website, they pass through a number of redirects in order to avoid Google's anti-abuse spiders. 

Those who are redirected to benign pages are more likely to be redirected to the final website. It is not clear exactly how attackers decide which users to send RedLine to, as it remains unclear how they choose those users. In addition, the installer is digitally signed with a valid certificate, so it is likely that Windows security tools and other antivirus products will not identify it as malicious, which makes matters worse.  

According to Malwarebytes, the attackers who were behind this campaign are the same people who created the Notepad++ attack recently, based on their analysis of the threat actors' infrastructure. It was similar in that the malware was accompanied by a copy of a legitimate website and malicious ads, all of which were served through Google Adwords. It was discovered late in October that this campaign had similar characteristics.  

When searching for products and solutions on Google, make sure to be extra cautious when downloading anything and double-check the URL in the address bar in order to ensure that the website you are going to download is safe before downloading anything. Recent revelations of hackers exploiting Google Adwords to spread malware highlight the need for enhanced cyber vigilance in an ever-evolving landscape of digital threats. 

The curtain is falling on this nefarious act, and as a result, users are reminded to be cautious when navigating through the vast online landscape. In addition to the deceptions the hackers used to deceive us, they also created cloned legitimacy in order to gain credibility. This shows how sophisticated cyber threats have become in the modern era. 

There has been no shortage of attacks that use the cloak of Google Adwords as a means of spreading their malicious agenda in this symphony of disguise, previously linked to the Notepad++ attack. In this digital age of scrutiny, awareness is our greatest shield, and scrutiny is users' armour as the digital curtain falls. This should serve as a reminder as the digital curtain falls.
Read more »
Phishing Attack
Cyber Fraud Data Leak Google Ads Malvertising Phishing Attack

Hackers are Using Fake PC News Website to Distribute Infostealers

 

Researchers made an effort to warn users last year not to click on Google Ads in search results, but it appears those warnings went unheeded, as hackers continue to use malicious ads to infect unsuspecting users with malware. 

Malvertising, or malicious advertising, has grown in popularity among cybercriminals as phishing attacks and malicious apps have become less effective. Instead, hackers are now purchasing advertising space on Google Search and other search engines in order to trick users into installing malware. 

One way they do this is by imitating well-known brands. So far, we've seen hackers pose as Amazon, USPS, CCleaner, Notepad++, and other prominent brands. According to a report from the email security firm Vade, Facebook and Microsoft continue to be the most impersonated brands since 2020. 

Unsuspecting PC users who click on an advertisement in this new campaign are led to a fake download portal that looks authentic to the unwary eye. Instead of CPU-Z, though, the website offers a digitally signed MSIX installer that includes a malicious PowerShell script for the FakeBat loader. 

Malware loaders, as their name implies, are similar to malware droppers on your smartphone in that they are used to infect your computer with malicious software. This loader downloads and installs the Redline stealer onto a targeted PC. The personal information of a victim can be acquired through this malware via the theft of credit card numbers, VPN passwords, saved passwords, system data, cryptocurrency wallets, browser histories, and cookies. 

Another intriguing aspect of this campaign is that not every user who clicks on these malicious CPU-Z advertisements is redirected to a fake download page. Those who aren't being targeted are instead directed to what looks to be a typical blog with several articles on it.
Read more »
Web browser
Android Brave Browser Chrome Firefox Google Ads MFA Privacy Safari Sandboxing User Privacy Web browser

Chrome's Invasive New Tracking Sparks Need for a New Browser

The importance of privacy issues has increased in the digital era, leading people to look for browsers that prioritize data protection. One of the most popular browsers, Chrome, has recently drawn criticism for its intrusive new tracking features. Users are encouraged to investigate privacy-focused options by this development.

Chrome's latest tracking initiative, Ad Topics, allows websites to gather detailed information about users' online activities. This information is then used to tailor advertisements, potentially leading to a breach of user privacy. As reported by Android Authority, this feature has raised significant concerns among privacy advocates and users alike.

In response to these concerns, the Privacy Sandbox initiative has been introduced. Spearheaded by industry leaders, including Google, it aims to strike a balance between personalized advertising and user privacy. By creating a set of privacy-preserving APIs, Privacy Sandbox seeks to protect users' data while still enabling advertisers to deliver relevant content.

Privacy Sandbox's mission is to "evolve the web ecosystem to provide a more private experience for users." By prioritizing user privacy, it aims to reshape the online experience, ensuring that individuals have greater control over their personal information. This initiative signals a positive step towards a more secure and user-centric internet.

Experts emphasize the significance of user awareness and choice in this evolving landscape. As stated by John Doe, a privacy advocate, "Users deserve to have a say in how their data is collected and used online. It's crucial for them to be informed about the tracking practices of their chosen browser."

In light of these developments, users are urged to explore alternative browsers prioritizing privacy. Browsers like Brave, Firefox, and Safari have long been known for their commitment to user data protection. These options offer robust privacy features, ensuring that users can navigate the web without sacrificing their personal information.

Recent tracking capabilities added to Chrome show how crucial privacy is becoming in the digital sphere. The advent of programs like Privacy Sandbox is a step in the right direction toward achieving a balance between user security and personalization. However, looking at alternative browsers is a wise decision for people seeking urgent privacy guarantees. It is crucial that we control our online experiences while maintaining our privacy since as users, we have the capacity to do so.


Read more »
MalwareBytes
AMOS Atomic Stealer Cyber Attacks CyberCrime Cybersecurity Google Google Ads Mac IOS Malvertising MalwareBytes

Mac Users Under Attack: Malvertising Campaign Distributing Atomic Stealer Malware

 


An updated version of macOS stealer malware called Atomic Stealer (or AMOS) is being distributed through a new malvertising campaign. The authors of the program appear to be actively maintaining and updating malware. 

When the creators of AMOS found a way to advertise this tool for $1,000 per month in the spring of 2023, they claimed that it would allow the theft of a wide range of data. It was not long after that that the wild was inundated with new variants of malware that were armed with a large number of new spying features, targeting gamers and cryptocurrency investors. 

According to the malware's authors, the malware can be used to steal keychain passwords, browser information, cryptocurrency wallets, and other files from a compromised device, among other things.  The company recently observed that although AMOS was originally distributed through cracked software downloads, it has now been discovered to have been delivered through a malvertising campaign, according to Malwarebytes. 

An unknown entity in Belarus appears to have hacked into a Google advertiser account and used it to advertise the TradingView financial market tracking app through a fake website for a real financial market tracking app. It has been reported that cybercriminals are increasingly deploying data-stealing malware against Apple computers in order to steal confidential information. 

Cybersecurity company SentinelOne reported Wednesday that it spotted a new version of one of the macOS infostealers, Atomic Stealer. The new version of Atomic Stealer is the third version of the malware that works on macOS in a variety of ways. 

According to SentinelOne, the latest version is really going after gaming and cryptocurrency users with a particular focus on the data that it's trying to obtain, which has not been described before in any detail. This infostealer, which is also known as the Atomic Stealer, or AMOS for short, was first described as macOS-based malware that focuses initially on cryptocurrencies, passwords, and important files that are encrypted. 

Throughout its evolution, it has become capable of grabbing more information and targeting a wider range of operating systems. As a result of such an advertisement, a user is directed to a site that offers a number of download options for NetSupport RAT for various operating systems, and while both the Windows and Linux download links direct users to download an MSIX installer that will install the NetSupport RAT on their computers. 

In a Malwarebytes report, clicking the macOS download link causes an Atomic Stealer to be downloaded and it attempts to exfiltrate data stored in iCloud Keychains, browsers, and user files. Several security experts have touted the new infostealer as having evasion capabilities to beat Gatekeeper protections, and this comes in the wake of increasing numbers of Mac OS X-targeted infostealer attacks. 

The criminals who purchase the toolkit are mainly distributing it via cracked software downloads, but they take the liberty to impersonate legitimate websites and to use advertising on search engines like Google to make their victims fall for their schemes. This attack attempts to bypass the Gatekeeper security mechanism in macOS in order to be able to exfiltrate the stolen data to a server under the attacker's control by bypassing Gatekeeper protections. 

As Mac OS continues to become a popular target for malware attacks, a number of new data-stealing apps targeting Mac OS have appeared for sale in crimeware forums over the past couple of months to take advantage of the wide availability of Apple systems in organizations as a target of malware attacks. When looking to download a new program, users are likely to turn to Google and run a search for the particular program that they require. 

As a result, threat actors are purchasing ads matching well-known brands and are tricking victims into visiting their site with the false impression that it is the official website of that brand. There are instructions in the downloaded file on how to open it so that it can bypass GateKeeper, Apple's built-in security system, to bypass the security lock. 

Further, according to the researchers, the malware is embedded in ad-hoc signed applications, which means that the revocation of the certificates used to sign the apps is not possible since they are not Apple certificates. The moment the victim runs the program, it immediately sends the stolen data to the attacker's C2 servers as soon as the data is stolen.

Passwords, information about users, wallets, cookies, keychains, and browser auto-fills are just some of the things that Atomic Stealer steals from users.  As a precautionary measure, Malwarebytes recommends that users check that any program they run on an endpoint is properly signed before running it. 

A further step that should be taken is to analyze the website from which the program was downloaded since it is possible that the address of the website has been typographical. In addition, it is possible that the content of the website reveals a scam.  

There has been increasing evidence that Google Ads are being used by spammers to spread rogue installers to victims looking for popular software, either legitimate or cracked, on search engines. The bogus Google Ads are shown to users searching for software on search engines that aren't securing legitimate software. 

An online campaign targeting the TradingView software was launched recently, featuring a fraudulent web page featuring a prominently displayed button for downloading the software for Windows, macOS, and Linux operating systems. 

The Stroz Friedberg Incident Response Services of Aon said last month that new versions of DarkGate have been used in attacks launched by threats employing tactics similar to Scattered Spider, which is a threat response technique used by cybercriminals.
Read more »
Software
C2 Cyber Security Google Google Ads HTTP Attacks ICedID Malware Attack Microsoft SentineLabs Software

Installing Software via Google Poses Concerns

Researchers and a keystream sample of inquiries claim that while browsing Google for downloads of well-known software has always had certain dangers, in recent months it has become downright risky. 
On Thursday, volunteers at Spamhaus stated that threat researchers were accustomed to receiving a moderate volume of malicious advertising through Google Ads. 

Multiple malware groups, including AuroraStealer, IcedID, Meta Stealer, RedLine Stealer, Vidar, Formbook, and XLoader, are responsible for the rise. In the past, these groups frequently depended on spam attachments with malicious Microsoft Word papers that had booby-trapped macros. The past month has seen Google Ads develop into the preferred channel for thieves to disseminate their malicious software, which is disguising itself as a legitimate download by mimicking well-known companies including Adobe Reader, Gimp, Microsoft Teams, OBS, Slack, and Thunderbird.

This week, researchers from the security firm Saiflow discovered two flaws in older versions of the Open Charge Point Standard, an open-source protocol used to operate many electric vehicle charging stations (OCPP). An attacker might take control of a charger, disable groups of chargers, or steal electricity from a charger for their own use by utilizing weak instances of the OCPP standard, which is used to communicate between charges and management software. To reduce the risks posed by the vulnerabilities, Saiflow claims to be collaborating with manufacturers of EV chargers.

Hegel from Sentinel One provides one case: Real C2 traffic is masked by Formbook and XLoader's HTTP requests to several sites that are randomly chosen from an embedded list and sent with encoded and encrypted content. The rest of the domains are merely ruses; only one is the actual C2 server. A sample that we examined sent HTTP GET and/or POST requests to the 17 domains (16 endpoints) specified in the IOC table below while encoding and encrypting the HTTP data. The implementation of this technology in particular by XLoader is covered in length in prior research.

The strategy of disguising the genuine C2 domain by beaconing to many domains continues to be supported by earlier studies. The malicious software sends beacons to websites that have valid or unregistered domains. The accompanying figure, which is a snapshot of some of the domains the virus contacts, demonstrates the vast range of domain ages, hosting companies, and registration dates.

The use of decoy domains or other obfuscation techniques to hide the real control servers used in the pervasive MalVirt and other malvertising campaigns continues to be effective unless Google develops new protections. MalVirt also spreads malware that is difficult to detect.


Read more »
Phishing Attacks
1Password Manager Bitwarden Data Breach Google Ads Malvertising Phishing Attacks

Bitwarden Users Attacked via Malicious Google Ads

Utilizing Google to look up the vendor's official Web vault login page, several customers of Bitwarden's password management service last week reported seeing paid advertising to phishing sites that steal credentials.

Google ads targeting Bitwarden users

Several password managers are cloud-based, enabling users to access their passwords via websites and mobile apps unless they utilize a local password manager like KeePass. The industry has criticized KeePass for being less user-friendly than cloud-based alternatives, but technical users rely on its security because it encrypts all passwords and the entire database and is saved locally on a computer rather than in the cloud.

According to a revelation from last week, Google ads phishing efforts that sought to acquire user password vault credentials specifically targeted Bitwarden and 1Password. Malicious advertising that targets users of Bitwarden and 1Password indicates that threat actors have added a new method for breaking into password managers and compromising the accounts connected to those passwords.

When clients browsed for terms like 'bitwarden password manager' or '1Password's Web vault,' for example, the malicious advertising which customers of Bitwarden and 1Password reported seeing last week was near the top of Google's search engine results. Additionally, the landing pages are of a high caliber. One Bitwarden user discovered a phishing website that so convincingly resembled the vendor's official Site that it was difficult to distinguish the two.

Recent hacks show that a master password is a password vault's weak link. As a result that when they gain access to your login information and maybe authentication cookies, threat actors have been seen developing phishing pages that target one's password vault.

Safeguarding password storage 

It is crucial to protect password vaults since they store the most sensitive internet data. Verifying that you are entering your credentials on the right website is always the first step to take when it comes to safeguarding your password storage against phishing threats.

Attackers have been employing the vector to spread a variety of viruses or links to malicious or phishing websites in order to steal login information and other personal data. They started employing these advertisements to imitate well-known and well-liked firms more recently. 

Hardware security keys, authentication apps, and SMS verification are the three finest MFA verification techniques to utilize when securing your account, going from best to worst. The login form for a legitimate service, such as Microsoft 365, will be displayed to visitors to the phishing page using this technique. Their credentials and MFA verification codes are entered, and this information is also sent to the website. The threat actors can access your account without having to check MFA again thanks to these tokens, which have already undergone MFA verification.



Read more »
Typo Squatting
Cyber Security Google Ads Infostealer Malicious actor MFA Microsoft Scammers Typo Squatting

Info-stealing Ads Spread by Malvertising

HP Wolf Security's cybersecurity researchers have issued a warning about various ongoing activities that aim to use typosquatting domains and malicious advertising to spread different types of malware to unwitting victims.

Additionally, the scammers paid various ad networks to broadcast ads promoting these bogus websites. Search engines can end up presenting harmful versions of the websites alongside trustworthy ones when users search for these programs in this manner. Users risk being misdirected if they are not careful and double-check the URL of the website they are viewing.

Bogus installers

A total of 92 domains that look like other software and may have been used to spread IcedID were found. If victims do find themselves in the incorrect location, they would not likely notice the difference.

The websites are meticulously created to resemble the real ones in practically every way. In the context of Audacity, the website hosts a malicious.exe file that poses as the installation for the program. 'audacity-win-x64.exe' is the file's name, and it is larger than 300MB in size. The attackers strive to avoid detection by being this large, in addition to antivirus software. The researchers found that several antivirus products' automatic scanning functions do not check really huge files.

According to Cyble security experts, Rhadamanthys was used to steal data from web browsers, crypto wallets, and messaging apps. It was spread using Google Ads that imitated AnyDesk, Zoom, Bluestacks, and Notepad++.

Another issue involved DEV-0569 abusing Google Ads to distribute BatLoader, according to Microsoft researchers. As part of the spreading process, the group imitated LogMeIn, Adobe Flash Player, and Microsoft Teams.

Due to their extensive capabilities, info-stealers are now a common type of malware utilized by hackers. The demand for this malware is so great that it rules many underground market forums.

Increased sales of victim data on the dark net will result from selling these new malware strains and the accessibility of info-stealer malware source code.

Users should double-check the integrity of these websites before downloading any installers as the most recent assault campaign mostly uses bogus websites that look legal to distribute malware. To reduce the risk of info-stealer malware, it is also advised to deploy MFA across all accounts.




Read more »
Typo Squatting
Advertisements Crytocurrency Fraud Dark Web Google Google Ads Hacking MaaS malware OBS Platform Rhadamanthys malware Typo Squatting

Rhadamanthys: Malware Hidden in Google Ads


Threat actors are establishing fraudulent websites for popular free and open-source software in order to promote malicious downloads via advertisements present in the Google search result. 

The info-stealing malware Rhadamanthys uses Google advertisements as a means of luring people into downloading malicious software. The malware steals information including email addresses and passwords in addition to focusing on cryptocurrency wallet credentials. 

Rhadamanthys is sold to criminals as malware-as-a-service (MaaS), and its utility has multiplied as infostealers become a popular tactic to attack targets. 

As of yet, at least one prominent user on the cryptocurrency scene has fallen prey following the malware campaign. According to the victims, the hackers had stolen all their digital crypto assets, along with having access to their professional and personal accounts. 

What is Rhadamanthys? 

According to threat researcher Germán Fernández, Rhadamanthys, named after the demigod child of Zeus and Europa in Greek mythology, has been dominating Google advertising for the widely used OBS (Open Broadcasting Tool) platform, a free video recording, and streaming service. 

Since November 2022, Rhadamanthys’ popularity has been growing rapidly. It has now advanced to a point where, if an online user searches for an OBS, they will eventually encounter five malicious ads at the apex of their Google searches, before seeing legitimate results below. 

A user may download malware, alongside legitimate software after he clicks on these advertisement links. 

In one such instance, 'Alex', a crypto influencer, better known by his online persona NFT God, was hacked following the download of a fraudulent executable for the OBS video recording and streaming program, through Google’s search results. His life was permanently altered when he mistakenly clicked on the fraudulently sponsored advertisement rather than the genuine one. 

“Last night my entire digital livelihood was violated. Every account connected to me both personally and professionally was hacked and used to hurt others. Less importantly, I lost a life changing amount of my net worth,” he tweeted. 

How does Rhadamanthys work? 

According to a report by the security firm Cyble, Rhadamanthys is offered for sale on the dark web and is distributed via spam emails along with Google advertisements. 

Rhadamanthys will start by obtaining relevant device data after a successful intrusion. The data often includes the device's name, model, operating system, OS architecture, hardware details, installed software, IP addresses, and user credentials 

“The Rhadamanthys program is capable of executing certain PowerShell commands[...]It also targets document files, the theft of which (depending on the sensitivity of their data) can cause severe issues for victims,” reads a blog post by cybersecurity firm PCrisk. 

In addition to this, the MaaS targets cryptocurrency wallet credentials by attempting to extract crytowallets’ passwords in order to acquire control of them and their funds. 

“In summary, the presence of stealer-type malware like Rhadamanthys on devices can result in serious privacy issues, significant financial losses, and even identity theft,” PCrisk concluded. 

How Can You Protect Yourself? 

In order to delay the victim’s response, users are advised to evade the malware activity by checking the URL, since the malicious links may seem identical to the official OBS site. The fraudulent URL may contain subtle spelling mistakes, a malicious tactic used to create fake URLs, called Typosquatting.   

Read more »
Zoom
Ad Blocking Adobe Google Ads GPU malware Phishing Attacks Racoon Stealer Zoom

Cybercriminals Use Google Ads to Deploy Malware

 

Hackers are utilizing the Google Ads service more consistently than ever before to transmit malware. As soon as the victims click the download link on the threat actors' fake versions of the official websites, trojanized software is distributed. 

Grammarly, MSI Afterburner, Slack, Dashlane, Malwarebytes, Audacity, Torrent, OBS, Ring, AnyDesk, Libre Office, Teamviewer, Thunderbird, and Brave are some of the companies impersonated in these operations.

Raccoon Stealer, a modified variant of Vidar Stealer, and the IcedID loader are two examples of malware propagating to victims' systems. As a result, anyone looking for reliable software on a site with no active ad blocker will see commercials first and be more inclined to click on them because they closely resemble the search result.

Threat actors use a method in that phase to get beyond Google's automatic checks. If Google determines that the launch site is malicious, the operation is blocked and the advertisements are withdrawn. The trick, according to Guardio and Trend Micro, is to send users who click on the advertisement to a malicious site imitating the software project from a relevant but innocuous site made by the threat actor.

Vermux, a threat group, was discovered employing a significant number of masquerAds websites and domains, mainly operating out of Russia, to target GPUs and cryptocurrency wallets owned by Americans.

According to the researchers, in October they came across a malvertising operation where hackers, identified as DEV-0569, utilized Google Ads to send consumers to a malicious file download page. Microsoft claimed that it informed Google about the traffic distribution network abuse.

As per Microsoft, the techniques enable the group to reach more people and increase the number of victims. From August through October, Microsoft observed the threat actor distributing the BATLOADER malware using phishing emails that seemed to be genuine installers for various programs, including TeamViewer, Adobe Flash Player, Zoom, and AnyDesk. 

Use the necessary safety protocols such as an ad-blocker on your browser to block these campaigns by prohibiting Google Search sponsored results from appearing. Users should scroll down until they find the desired software project's official domain. Furthermore, a suspicious installer's unusually large file size is a red flag.  
Read more »
User Credentials
Bitcoin Scam Crypto Wallets Cryptocurrency Frauds Cyber Fraud Google Ads Scam User Credentials

Fraudsters Used Google Ads to Steal Around $500k Worth of Cryptocurrency

 

Crypto-criminals are using Google Ads to target victims with fraudulent wallets that steal credentials and empty accounts. So far, the cyber-thieves appear to have stolen more than $500,000 and counting. 

As per a recent Check Point Research analysis, the ads appear to connect to popular crypto-wallets Phantom and MetaMask for download. Based on the research, attackers began their hunt for potential victims by utilizing Google Ads and clicking on the fraudulent Google Ad leads to a malicious site that has been falsified to seem like the Phantom (or sometimes MetaMask) wallet site. 

The researchers stated, “Over the past weekend, Check Point Research encountered hundreds of incidents in which crypto-investors lost their money while trying to download and install well-known crypto wallets or change their currencies on crypto-swap platforms like PancakeSwap or Uniswap.” 

After that, the target is prompted to create a new account with a "Secret Recovery Phrase." They must also construct a password for the alleged account (which is harvested by the attackers). As per Check Point, users are subsequently given a keyboard shortcut to open the wallet and then directed to the legitimate Phantom site. The legitimate site offers users the Phantom wallet Google Chrome extension. Crypto-criminals have also targeted MetaMask wallets by purchasing Google Ads that drove users to a fake MetaMask site. 

The analysts further stated, “In a matter of days, we witnessed the theft of hundreds of thousands of dollars worth of crypto. We estimate that over $500k worth of crypto was stolen this past weekend alone. I believe we’re at the advent of a new cybercrime trend, where scammers will use Google Search as a primary attack vector to reach crypto wallets, instead of traditionally phishing through email.” 

“In our observation, each advertisement had careful messaging and keyword selection, in order to stand out in search results. The phishing websites where victims were directed to reflected meticulous copying and imitation of wallet brand messaging. And what’s most alarming is that multiple scammer groups are bidding for keywords on Google Ads, which is likely a signal of the success of these new phishing campaigns that are geared to heist crypto wallets. Unfortunately, I expect this to become a fast-growing trend in cybercrime. I strongly urge the crypto community to double-check the URLs they click on and avoid clicking on Google Ads related to crypto wallets at this time.” 

Check Point researchers recommended a few protective measures: 
  1. Verify the browser's URL: Only the extension should create the password, and always check the browser URL to see if it's an extension or a website. 
  2. Find the icon for the extension: The extension will have a chrome-extension URL and an extension icon near it. 
  3. Skip the ads. If users are looking for wallets, crypto trading, and swapping platforms in the crypto world, always look at the first website that comes up in the search rather than the ad, since they might lead to users being fooled by attackers. 
  4. Take a look at the URL: Last but not least, make sure the URLs are double-checked.
Read more »
WhatsApp
German Germany Google Ads malware supply chain attacks WhatsApp

German Company Hit By Supply Chain Attack, Only Few Device Affected

Gigaset, a German device maker, was recently hit with a supply chain attack, the hackers breached a minimum of one company server to attach the malware. Earlier known as Siemens Home and Office Communication Devices, Gigaset is Germany based MNC. The company holds expertise in communication technology area, it also manufactures DECT telephones. Gigaset had around 800 employees, had operations across 70 countries and a revenue of 280 Million euros in the year 2018. 

The attack happened earlier this month, the malware was deployed in the android devices of the German company. According to experts, various users reported cases of malware infections, complaining the devices were attacked with adwares that showed unwanted and intrusive ads. Most of the users reported their complaints on Google support forums. A German website published a list of these package names (unwanted popups) which were installed on the android devices. 

Earlier complaints from the users are suggesting that data might've also been stolen from these devices. The foremost issue that these users faced was SMS texting and sending Whatsapp messages, the latter suspended few accounts on suspicion of malicious activity. The company has confirmed about the breach and said that the only the users who installed latest firmware updates from the infected devices were affected. The company is already set on providing immediate solutions to the affected customers. "It is also important to mention at this point that, according to current knowledge, the incident only affects older devices," said the company. 

The company during its routine investigation found that few of the old devices had malware problems. It was further confirmed by the customer complaints. Gigaset says it has taken the issue very seriously and is working continuously to provide short term solution to its customers. "In doing so, we are working closely with IT forensic experts and the relevant authorities. We will inform the affected users as quickly as possible and provide information on how to resolve the problem. We expect to be able to provide further information and a solution within 48 hours," said Gigaset.
Read more »
US Elections
Cyber Attacks Google Google Ads politics US Elections

Google Bans Hacked Political Content Ahead of the US Elections, Implements New Google Ads Policy


The presidential elections in the US are near. Keeping this in mind, Google has announced a new policy that will ban ads that advertise hacked political content or propaganda. This new policy will come into effect from 1 September 2020, as per the news available on Google's support page. After the new rule is implemented, the third party players won't be able to purchase ad-space on Google ads, directly or indirectly linked to the hacked content of any political party.

However, ads related to news articles or other pages that contain hacked political material may be allowed. But the news article and the page shouldn't be linked to the political content in any way, says the policy. The violators of this new Google Ads policy (Ad Buyers) will first receive a warning to remove the ad from their account or face account suspension after seven days.


The policy is made observing the 2016 US Elections. 

The new Google Ads policy is made to avoid the 2016 US presidential elections scenario. As we all know, during the 2016 election campaigns in the US, the Russian hackers were able to break into the servers of various political factions associated with the Democratic Party. The breach resulted in data leaks of the Democratic party on WikiLeaks and DC leaks. The attack resulted in biased media coverage and online ads on various social media and platforms that discussed the hacked political content. Google will become the first company to make such a move when the policy is enacted on 1 September.

Twitter, in a similar incident, banned the distribution of hacked content on its platform in 2018 before the US midterm elections. It included not only political content but every other hacked material. It resulted in an unofficial ban of the ads on Twitter, as they need tweets to advertise. According to Google's policy, the following is not allowed: "Ads that directly facilitate or advertise access to hacked material related to political entities within the scope of Google's elections ads policies. This applies to all protected material obtained through the unauthorized intrusion or access of a computer, computer network, or personal electronic device, even if distributed by a third party."
Read more »
Google Ads
Android Malware cyber-criminals Google Ads

Popular Android App being Tampered by Hackers to Disseminate Malware


In an attempt to disseminate Triout Android malware, attackers corrupted the widely used Android app in Google Play.
The new (corrupted) version of the app which delivers the malware was discovered by security researchers at Bitdefender. Reportedly, “com.psiphon3”, the app package which is known for giving uncensored access to the content on the internet was exploited by cybercriminals as they reconfigured it with spyware framework.
The threat actors decided to distribute the corrupted version of the app via third-party app stores instead of going conventional by delivering it via the Google Play store and to generate revenue, they tied up the app with Google Ads, Mopub Ads, InMobi Ads, and various other adware components.
 While hiding its presence into the device, Triout Android Malware is programmed to collect phone calls, record videos, take pictures, access text messages, and GPS. It transfers the gathered information to the hackers’ command and control server.
As per the researchers at Bitdefender, the original and the tainted app shares the same UI which means the criminals only inserted the Triout spyware component while tampering the app and they tampered v91 of the app which currently is running on v241.
Referencing from the findings of researchers, “The original legitimate application is advertised as a privacy tool that enables access to the open internet when bundled with the Triout spyware framework it serves the exact opposite purpose.”
 “While the Triout Android spyware framework itself does not seem to have undergone changes in terms of code or capabilities, the fact that new samples are emerging and that threat actors are using extremely popular apps to bundled the malware,” 


Read more »
Subscribe to: Posts (Atom)