
A week in security (October 7 – October 13)

Last week on Malwarebytes Labs:

Last week on ThreatDown:

Stay safe!


Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Modern TVs have “unprecedented capabilities for surveillance and manipulation,” group reveals

Your television is debuting the latest, most captivating program: You.

In a report titled “How TV Watches Us: Commercial Surveillance in the Streaming Era,” the Center for Digital Democracy (CDD) spotlighted a massive data-driven surveillance apparatus that ensnares the public through modern television sets.

“The widespread technological and business developments that have taken place during the last five years have created a connected television media and marketing system with unprecedented capabilities for surveillance and manipulation.”

In cooperation with data brokers, streaming video programming networks, Connected Television (CTV) device companies, and smart TV manufacturers are creating detailed digital dossiers about viewers, based on a person’s identity information, viewing choices, purchasing patterns, and thousands of online and offline behaviors.

Because of their findings, the CDD has called on the Federal Trade Commission (FTC), the Federal Communications Commission (FCC), and California Regulators to investigate connected TV practices.

The report provides a detailed overview of all the different ways in which streaming services and streaming hardware target viewers in ways that are severe privacy infringements.

Earlier, we read a paper by researchers at Cornell University about a tracking approach called Automatic Content Recognition (ACR). ACR is a technology that periodically captures the content displayed on a TV’s screen and matches it against a content library to detect what is being displayed at any given point in time.

The researchers found that ACR is functional even when the smart TV is used as a “dumb” external display. There are two types of ACR fingerprinting: one to process acoustic (ACR audio) media, and one for video content (ACR Video).

Brands utilize ACR TV for multiple reasons. The most obvious are frequency optimization, unique reach abilities, and improved targeting. With the advent of CTV, more and more people are opting out of cable television, which opens the opportunity of more targeted advertising to reach a specific audience.

Free Advertiser-Supported TV (FAST channels) such as Tubi, Pluto TV, and many others are commonplace, and present advertisers with a key opportunity to monetize viewer data and target them with sophisticated new forms of interactive marketing.

CTV has unleashed a powerful arsenal of interactive advertising techniques, including virtual product placement inserted into programming and altered in real time. CTV companies operate cutting-edge advertising technologies that gather, analyze, and then target consumers with ads, delivering them to households in the blink of an eye. These can be hyper-targeted advertisements personalized for individual viewers.

The report profiles major players in the connected TV industry, along with the wide range of technologies they use to monitor and target viewers. Some household names you might be interested in include:

  • Disney(+)
  • Netflix
  • Amazon
  • Roku
  • Vizio
  • Comcast (NBCU)
  • LG
  • Samsung
  • Google (YouTube)

“Many of these entities offer misleading and disingenuous ‘privacy policies’ and self-serving descriptions of their systems that fail to explain the complex processes they use to extract data from consumers, track viewing and other behaviors, and facilitate targeted marketing.”

Combine the data these companies are gathering about us with other information that data brokers possess, and you are way past anything we should find acceptable.

Experian offers “over 240 politically relevant audience” segments for sale, based on a detailed set of criteria, including “audience interactions, preferences, demographics, behaviors, location, income and more.”

The US market, which is one of only two that allow direct-to-consumer advertising of pharmaceutical products, is seeing pharmaceutical marketers invest heavily in connected TV advertising.

Industry research shows that families with young children tend to watch more streaming TV content. Children and teens play a powerful role in determining the viewing patterns of their families, serving as decision-makers when it comes to streaming content. Disney Advertising even calls the cohorts of children, teens and adults viewing its Disney+ and other content “Generation Stream.”

Report co-author Kathryn C. Montgomery, Ph.D. stated:

“Policy makers, scholars, and advocates need to pay close attention to the changes taking place in today’s 21st century television industry. In addition to calling for strong consumer and privacy safeguards, we should seize this opportunity to re-envision the power and potential of the television medium and to create a policy framework for connected TV that will enable it to do more than serve the needs of advertisers. Our future television system in the United States should support and sustain a healthy news and information sector, promote civic engagement, and enable a diversity of creative expression to flourish.”


Personal Data Remover

It may feel like keeping your sensitive data away from data brokers is a losing fight, but there are ways to stop those data brokers from collecting new information and, where possible, to have it deleted from their rosters. For people in the United States, Malwarebytes Personal Data Remover provides:   

  • Immediate, deep scans across roughly 175 databases to find your personal data. 
  • Personalized, in-depth reports on what data is being sold and who is selling it.  
  • Automatic data removal requests for subscribers, which can save 300+ hours of manual work in wiping sensitive details off the internet, along with free DIY guides to tackle each site individually.  
  • Recurring scans and data removal requests that will make it harder for invasive websites to rebuild their digital portraits of you.

Internet Archive suffers data breach and DDoS

A non-profit that benefits millions of people has fallen victim to a data breach and a DDoS attack.

Internet Archive, most known for its Wayback Machine, is a digital library that allows users to look at website snapshots from the past. It is often used for academic research and data analysis.

Cybercriminals managed to breach the site and steal a user authentication database containing 31 million records. The stolen database contains authentication information for registered members, including their email addresses, screen names, password change timestamps, Bcrypt-hashed passwords, and other internal data.

Who stole the database and why is not yet known. An unverified source told Malwarebytes that login credentials for the Azure servers of the Internet Archive were found in an information stealer log shared on the Dark Web, which could have offered someone the opportunity for a minimum-effort attack.

To pile more grief onto the breach, a “hacktivist” group calling themselves SN_BLACKMETA has launched several DDoS attacks against Internet Archive’s website archive.org for all the wrong reasons.

Screenshot of tweet that reads "They are under attack because the archive belongs to the USA, and as we all know, this horrendous and hypocritical government supports the genocide that is being carried out by the terrorist state of “Israel”."

Their tweet which explains their motivation hasn’t gone down well among X users, with many commenting that the Internet Archive is not connected to the US Government and, in fact, a very useful tool.

Screenshot of tweet that reads "Look, I'm not a fan of that either but we need the internet archive to thrive. Would you really want countless amounts of data to be completely wiped from the internet over this? Think of all the things the internet archive preserves."

Since the objective behind the DDoS attacks is no doubt attention-seeking, it is unlikely that the same group is behind the data breach as they haven’t claimed responsibility.

Internet Archive founder Brewster Kahle posted an update on X:

What we know: DDOS attack–fended off for now; defacement of our website via JS library; breach of usernames/email/salted-encrypted passwords.

What we’ve done: Disabled the JS library, scrubbing systems, upgrading security.

Will share more as we know it.

For now, anyone who suspects they’re affected by the data breach should follow our tips below. We’ll keep you updated on any developments in the story.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

Google Search user interface: A/B testing shows security concerns remain

For the past few days, Google has been A/B testing some subtle visual changes to its user interface for the search results page. You may only get the new UI for certain types of searches or based on your current geolocation.

This test is not to be confused with (but could be part of) a previously reported experiment by Google to add blue verified checkmarks beside business links that indicate the company is genuine.

We wanted to see how it may affect ads, and in particular if this change would help with the brand impersonation problem we have documented on this blog many times.

Despite a simpler look and feel, threat actors are still able to use the official logo and website of the brand they are abusing. From a user’s point of view, such ads continue to be just as misleading.

Small change to Google Search’s user interface

Like most software companies that want to better understand how their users react to changes, Google is running an A/B test on a new user interface for its search engine. The update so far is subtle, but some people are certainly noticing it.

The new UI combines the ad title with its corresponding URL into a one-line greyed-out shape. That URL is important for end users because it allows them to compare the search result with the official website for a brand, product, or service. In other words, it is a small trust indicator.

The following image shows a Google search for the time tracking app Clockify in the current version of the UI and the new UI being tested:


When it comes to ads (shown as Sponsored), the same UI changes apply. Note how the top result is an ad with the official URL https://www.clockify.me:


Under the hood

Clicking on the 3 dots next to the ad shown above brings up “My Ad Center” and we see a verified advertiser from Hong Kong. This account is not new to us, as we previously reported 4 malvertising incidents associated with it to Google.

But this is not a fake account, rather it looks compromised and is being abused by threat actors who are able to insert their own malicious ads whenever they are running a new malvertising campaign.


Clicking on the link takes us to a decoy website that looks and feels like the official Clockify:


Victims that click on the button to start tracking time end up downloading a malicious ClockifySetup.exe hosted on the same GitHub account we reported recently.

Indicators of Confidence

In the security industry, people often use the acronym “IOCs” for Indicators of Compromise. But, what users need the most are Indicators of Confidence.

Adding checkmarks next to search results is a good step forward to increasing online trust, but we have not seen this applied to ads yet. It also remains to be seen whether the checkmarks will actually work as intended. Some social media platforms previously diluted the value of their checkmarks by handing them to anyone willing to pay a small fee (something threat actors can easily do).

Beyond checkmarks, two of the most important visual indicators of safety are the logo and URL address seen in the ad snippet. This is what users will look at for a split second, before clicking on the link.

Google has the following choices:

  • only assigning official logo and URL to genuine businesses that can prove they own or work with the brand name
  • adding an additional checkmark on ads for genuine business associated with the brand
  • adding an indicator of “non-confidence” to any ad using a trademark/copyright for which they have not proved they own

These ideas are a little tongue in cheek, as security is clearly not the only consideration at stake here with ads making for a substantial (as in $ billions) part of Google’s revenues.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

AI girlfriend site breached, user fantasies stolen

A hacker has stolen a massive database of users’ interactions with their sexual partner chatbots, according to 404 Media.

The breached service, Muah.ai, describes itself as a platform that lets people engage in AI-powered companion NSFW chat, exchange photos, and even have voice chats.

As you can imagine, data like this is very sensitive, so the site assures customers that communications are encrypted and says it doesn’t sell any data to third parties.

Screenshot of the site’s promise: “Absolute privacy. Encrypted communication. Delete account with ease. We do not sell any data to any 3rd party.”

The stolen data, however, tells a different story. It includes chatbot prompts that reveal users’ sexual fantasies. These prompts are in turn linked to email addresses, many of which appear to be personal accounts with users’ real names.

Muah.ai says it believes in freedom of speech, and to uphold that right, it says:

“AI technology should be for everyone, and its use case to be decided by each mature, individual adult. So that means we don’t actively censor or filter AI. So any topic can be discussed without running into a wall.”

Unfortunately, that means that filth is created to satisfy the needs of some sick users, and some of the data contains horrifying explicit references to children.

Presumably those users in particular don’t want their fantasies to be discovered, which is exactly what might happen if they are connected to your email address.

The hacker describes the platform as “a handful of open-source projects duct-taped together.” Apparently, it was no trouble at all to find a vulnerability that provided access to the platform’s database.

The administrator of Muah.ai says the hack was noticed a week ago and claims that it must be sponsored by the competitors in the “uncensored AI industry.” Which, who knew, seems to be the next big thing.

The administrator also said that Muah.ai employs a team of moderation staff that suspend and delete ALL child-related chatbots on its card gallery (where users share their creations), Discord, Reddit, etc. But in reality, when two people posted about a reportedly underage AI character on the site’s Discord server, 404 Media claims a moderator told the users to not “post that shit” here, but to go “DM each other or something.”

Muah.ai is just one example of a new breed of uncensored AI apps that offer hundreds of role-play scenarios with chatbots, and others designed to behave like a long-term romantic companion.

404 Media says it tried to contact dozens of people included in the data, including users who wrote prompts that discuss having underage sex. Not surprisingly, none of those people responded to a request for comment.

Innovation before security

Emerging platforms like these are often rushed into existence because there is money to be made. Unfortunately, that usually happens at the expense of security and privacy, so here are some things to bear in mind:

  • Don’t trust AI platforms that promise privacy and encryption just because they say so
  • Don’t log in with your Google/Facebook/Microsoft credentials or by using your regular email address or phone number
  • Remember that anything you put online, including a service that promises privacy, has a risk of being made public



We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

MoneyGram confirms customer data breach

Money transfer company MoneyGram has notified its customers of a data breach in which it says certain customers had their personal information taken between September 20 and 22, 2024.

The investigation into the incident that was discovered on September 27 is still ongoing, and the number of impacted customers remains unclear.

Initial investigations show the type of information stolen varies between different individuals, but may include:

  • Names
  • Contact information (phone number, email, physical address)
  • Date of birth
  • Social Security Numbers
  • Government-issued identification documents (e.g. driver’s licenses)
  • Other identification documents (e.g. utility bills)
  • Bank account numbers
  • MoneyGram Plus Rewards numbers
  • Transaction information (such as dates and amounts of transactions)
  • Criminal investigation information (such as fraud)

MoneyGram says that Social Security numbers and criminal investigation information were taken for only a limited number of customers.

At the time, MoneyGram announced on X that it had taken certain systems offline temporarily to avoid any further compromise. That left a large number of worried customers trying to send money abroad to their relatives.

The outage also affected MoneyGram partners, including the Bank of Jamaica and the UK’s Post Office. The UK’s Information Commissioner’s Office (ICO) confirmed to TechCrunch that the watchdog had received a report from MoneyGram.

“We have received a report from MoneyGram and will be making enquiries.”

MoneyGram recommends that its customers remain vigilant for incidents of fraud and identity theft by reviewing account statements and monitoring free credit reports.

If you are in the US and would like to check your credit report, you are entitled under US law to one free credit report annually from each of the three nationwide consumer reporting agencies. MoneyGram has arranged to offer affected US consumers identity protection and credit monitoring services for two years at no cost. Its US Reference Guide provides information on activation of the services.

MoneyGram says there is no evidence that a ransomware group is behind the incident. As always, we will keep you posted about where the information shows up and what the consequences for impacted customers might be.


Exposing the Facebook funeral livestream scam (Lock and Code S05E21)

This week on the Lock and Code podcast…

Online scammers were seen this August stooping to a new low—abusing local funerals to steal from bereaved family and friends.

Cybercrime has never been a job of morals (calling it a “job” is already lending it too much credit), but, for many years, scams wavered between clever and brusque. Take the “Nigerian prince” email scam which has plagued victims for close to two decades. In it, would-be victims would receive a mysterious, unwanted message from alleged royalty, and, in exchange for a little help in moving funds across international borders, would be handsomely rewarded.

The scam was preposterous but effective—in fact, in 2019, CNBC reported that this very same “Nigerian prince” scam campaign resulted in $700,000 in losses for victims in the United States.

Since then, scams have evolved dramatically.

Cybercriminals today will send deceptive emails claiming to come from Netflix, or Google, or Uber, tricking victims into “resetting” their passwords. Cybercriminals will leverage global crises, like the COVID-19 pandemic, and send fraudulent requests for donations to nonprofits and hospital funds. And, time and again, cybercriminals will find a way to play on our emotions—be they fear, or urgency, or even affection—to lure us into unsafe places online.

This summer, Malwarebytes social media manager Zach Hinkle encountered one such scam, and it happened while attending a funeral for a friend. In a campaign that Malwarebytes Labs is calling the “Facebook funeral live stream scam,” attendees at real funerals are being tricked into potentially signing up for a “live stream” service of the funerals they just attended.

Today on the Lock and Code podcast with host David Ruiz, we speak with Hinkle and Malwarebytes security researcher Pieter Arntz about the Facebook funeral live stream scam, what potential victims have to watch out for, and how cybercriminals are targeting actual, grieving family members with such foul deceit. Hinkle also describes what he felt in the moment of trying to not only take the scam down, but to protect his friends from falling for it.

“You’re grieving… and you go through a service and you’re feeling all these emotions, and then the emotion you feel is anger because someone is trying to take advantage of friends and loved ones, of somebody who has just died. That’s so appalling”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Comcast and Truist Bank customers impacted by debt collector’s breach

A data breach at Financial Business and Consumer Solutions (FBCS), a US debt collection agency, has led to the loss of data of some Comcast Cable Communications and Truist Bank customers.

FBCS is in the business of collecting unpaid debts on behalf of its customers. The data breach occurred in February 2024 and the cybercriminals responsible for the incident gained access to:

  • Full names
  • Social Security Numbers (SSNs)
  • Date of birth
  • Account information and other provider information
  • ID card and/or driver’s license
  • Other state identification number
  • Medical claims information
  • Clinical information (including diagnosis/conditions, medications, and other treatment information), and/or health insurance information.

FBCS discovered the unauthorized access to certain systems in its network on February 26, 2024.

The latest count of impacted people, established in July, increased the number of people in the US impacted by the data breach from the original 1.9 million to 4.2 million people.

As part of the ongoing investigation, FBCS recently informed additional customers that the breach had impacted them and their clients. Among those customers are Comcast and Truist Bank.

Comcast commented that FBCS originally reassured the company that the breach involved none of Comcast’s customer data. However, that reassurance subsequently had to be withdrawn. According to a notice submitted to the Maine authorities, 273,703 Comcast customers were impacted by the breach.

Apparently, due to FBCS’s worsening financial position, which could be a direct result of the breach, entities indirectly impacted by the incident will have to undertake the notification and remediation processes themselves. Comcast is offering customers impacted by the FBCS breach 12 months of free-of-charge identity theft protection services.

Unfortunately, it’s not the first or even the worst time Comcast customers have been affected by a data breach.

In January 2023, data belonging to 7,358,464 Comcast customers was leaked on a hacking forum. The data contained names, usernames and additional personal information.

And in November 2015, a cybercriminal offered to sell 590,000 Comcast user account records for $1,000 on the Dark Web. At the time, Comcast insisted that there was no breach and that only 200,000 of the leaked accounts belonged to active customers, and it was unclear whether the data leak was indeed a security breach or the result of years of phishing.

Truist customers have also been impacted before. In October 2023, data reported to belong to Truist Bank was stolen during a cyber incident. The stolen data included email addresses, phone numbers, birth dates, bank information, full names, company names, physical addresses, credit card information, and more. Like the Comcast breach, this data was publicly shared on the internet.

Scan for your exposed personal data

It’s always extra painful when a company you have done no direct business with has leaked your personal data. Sadly these days you can’t know who has your data, but you can check what personal information of yours has been exposed online with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.



Large scale Google Ads campaign targets utility software

After what seemed like a long hiatus, we’ve observed threat actors returning to malvertising to drop malware disguised as software downloads. The campaign we identified is high-impact, going after utility software such as Slack, Notion, Calendly, Odoo, Basecamp, and others. For this blog, we decided to focus on the Mac version of communication tool Slack.

Following the creation of advertiser identities belonging to real businesses, the threat actors launch their malicious ads, hiding their infrastructure behind several layers of fingerprinting and cloaking.

We have reported these incidents to Google and the related advertisers have been banned. However, we are still finding new malicious ads and hearing from others seeing the same, indicating that this campaign is not over yet.

Wanted: Utility software

The threat actor is abusing various platforms to host their payloads, giving insights into what they are choosing to lure in victims. For Windows users, all payloads were found in various GitHub accounts which we have reported already.


For Mac, we saw payloads originating from the same domain via PHP scripts using identifiers. These appear to be created for individual and perhaps time-based downloads. Other links that include the name of the software (i.e. clockify_mac.php) work regardless.

creativekt[.]com/macdownloads/script_6703ea1fc058e8.92130856.php
creativekt[.]com/macdownloads/script_66ffc3cf465a45.36592714.php
creativekt[.]com/macdownloads/clockify_mac.php
creativekt[.]com/macdownloads/script_66e6ba358cd842.42527539.php

Impersonating two identities at once

When we searched for Slack from the US, the top Google result was an ad that looked completely trustworthy. It had the brand’s logo, official website and even detailed description.

If you follow this blog, you probably know there is more to it. By clicking on the three dots next to the ad, you can see more information about the advertiser, which in this case is a law firm.

Note: We understand that most users will not—for lack of time, interest or knowledge—take this step, which is why we offer solutions such as Malwarebytes Browser Guard that automatically blocks ads.


The “My Ad Center” vignette shows that the advertiser was not verified yet, but we were able to access their profile and see their collection of ads. There were four ads in total, and three of them were related to lawyer services using the name and address of a real company in the US.

The Slack ad was somewhat the odd one out but could, in theory, have been promoted by this advertiser. What we believe is the problem with Google ads is that any advertiser can still use the branding of a major company as if they were that company. From the point of view of internet users, this is extremely deceiving and provides no guardrail against abuse.


After we validated the ad ourselves and saw where it redirected to (a malicious site), we reported it to Google. Very shortly thereafter, Google took action and removed not just the ad, but the advertiser.

However, a couple of days later a new ad appeared, once again using a stolen identity, this time that of a women’s health company.


Decoy site and payload

As we have seen before, the malicious ad starts a redirection chain made up of click trackers, cloaking and a decoy site. This lets the actor profile victims, but more importantly it is used to evade automated detection so the ad stays up and running for as long as possible.


Victims eventually land on a decoy site similar to those used for credential phishing, except that here the end goal is to trick users into downloading malware.


Windows users get their respective payload hosted on GitHub. The binaries have been inflated into very large files to hinder sandbox analysis (many sandboxes and scanners skip or time out on oversized samples), and are likely the Rhadamanthys infostealer.
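A quick triage check for that inflation trick, added here as an example and not code from the original post: measure how much of a file is a single repeated trailing byte (null padding is the usual case) and how much entropy its tail has, then strip the padding so the real artefact fits a sandbox or scanner upload limit. The sample bytes are constructed for the example and are not a real payload; the 50% ratio and 1.0-bit entropy thresholds are assumptions to tune against your own sample set.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def trailing_run_length(data: bytes) -> int:
    """How many identical bytes the file ends with (null padding is the usual case)."""
    if not data:
        return 0
    return len(data) - len(data.rstrip(data[-1:]))


def inflation_report(data: bytes, tail_size: int = 64 * 1024,
                     pad_ratio_threshold: float = 0.5) -> dict:
    """Summarise whether a file looks artificially inflated."""
    total = len(data)
    run = trailing_run_length(data)
    tail_entropy = shannon_entropy(data[-tail_size:])
    pad_ratio = run / total if total else 0.0
    return {
        "size": total,
        "trailing_run": run,
        "pad_ratio": round(pad_ratio, 3),
        "tail_entropy": round(tail_entropy, 3),
        # Flag if most of the file is one repeated byte, or if the tail of a
        # large file is near-constant junk (low entropy) rather than code/data.
        "inflated": pad_ratio >= pad_ratio_threshold
                    or (total > tail_size and tail_entropy < 1.0),
    }


def strip_trailing_padding(data: bytes) -> bytes:
    """Drop the trailing run so the real artefact can be submitted for analysis."""
    return data[: len(data) - trailing_run_length(data)]


# Constructed sample (not a real payload): 8 KiB of varied bytes followed by 120 KiB of nulls.
CONSTRUCTED_CONTENT = b"MZ" + bytes(range(256)) * 32
CONSTRUCTED_INFLATED = CONSTRUCTED_CONTENT + bytes(120 * 1024)


if __name__ == "__main__":
    print(inflation_report(CONSTRUCTED_INFLATED))
    print(len(strip_trailing_padding(CONSTRUCTED_INFLATED)), "bytes after stripping")
```

Hashes in the IoC list below are for the inflated files as distributed; a stripped copy will not match them, so keep both when you share samples.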

For Apple users, the installers are also an infostealer, a variant of the AMOS (Atomic Stealer) family. Passwords and other secrets found on the system (in the file system, browsers, extensions and apps) are collected and uploaded as a zip archive to a remote server located in Russia:


Conclusion

When we investigate ads, we use a simple yet realistic setup that mimics what most users would have. This is a manual process, and it sometimes requires multiple attempts from different geographic locations and browser profiles. While this work can be tedious and time consuming, we believe it is necessary in order to identify threat actors at the source, providing protection to the Malwarebytes customer base as well as anyone else who uses the Google search engine.

Slack is not the only brand that threat actors like to impersonate. We also saw and reported malicious ads for the productivity suite Notion. That campaign used the same payload hosting infrastructure, indicating that the two were related.

If you are still clicking on ads to download software, you take a risk by allowing fraudulent advertisers to redirect you to malicious sites. Inadvertently installing malware and getting your identity stolen has never been easier.

We recommend paying special attention to sponsored results or adopting a tool such as Malwarebytes Browser Guard. For our Mac users, we detect this threat as OSX.Poseidon.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Indicators of Compromise

Malicious hostnames

creativekt[.]com
slack[.]designexplorerapp[.]net
odoo[.]studioplatformapp[.]net
notion[.]foreducationapp[.]com
slack[.]workmeetingsapp[.]com
clockify[.]turnrevenue[.]com
slack[.]aerodrame[.]finance

GitHub repositories

github[.]com/09shubin/asdjh23/releases/download/nhehhh34/
github[.]com/fewefwfewfew/dwqfqwe/releases/download/fecfewwefewf3/

Payloads (Windows)

9c8dadbb45f63fb07fd0a6b6c36c7aa37621bbadc1bcc41823c5aad1b0d3e93e
2b587ca6eb1af162951ade0e214b856f558cc859ae1a8674646f853661704211
e3557fb78e8fca926cdb16db081960efc78945435b2233fbd80675c21f0bc2e2
637b3ac5b315fd77b582dff2b55a65605f2782a717bed5aa6ef3c9722e926955
79017a6a96b19989bcf06d3ceaa42fd124a0a3d7c7fca64af9478e08e6c67c72
6eb1e3abf8a94951a661513bee49ffdbecfc8f7f225de83fa9417073814d4601
de7b5e6c7b3cee30b31a05cc4025d0e40a14d5927d8c6c84b6d0853aea097733
77615ea76aedf283b0e69a0d5830035330692523b505c199e0b408bcccd147b7

Payloads (Mac)

b55f2cb39914d84a4aa5de2f770f1eac3151ca19615b99bda5a4e1f8418221c2
9dc9c06c73d1a69d746662698ac8d8f4669cde4b3af73562cf145e6c23f0ebdd

Command and control servers

85.209.11[.]155
193.3.19[.]251
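To turn the list above into a detection, here is an added example (not code from the original post) that refangs the indicators and runs them over proxy log lines. It matches listed hostnames exactly and by subdomain, matches the GitHub release paths by URL prefix, and matches the C2 addresses against the destination IP. The log format (timestamp, client IP, method, URL, destination IP) and every log line, including the file name SlackSetup.exe and the cdn. subdomain, are constructed for the example; the only real values are the indicators themselves.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicators as listed in the post, kept defanged.
MALICIOUS_HOSTNAMES = [
    "creativekt[.]com",
    "slack[.]designexplorerapp[.]net",
    "odoo[.]studioplatformapp[.]net",
    "notion[.]foreducationapp[.]com",
    "slack[.]workmeetingsapp[.]com",
    "clockify[.]turnrevenue[.]com",
    "slack[.]aerodrame[.]finance",
]
GITHUB_REPOS = [
    "github[.]com/09shubin/asdjh23/releases/download/nhehhh34/",
    "github[.]com/fewefwfewfew/dwqfqwe/releases/download/fecfewwefewf3/",
]
C2_SERVERS = ["85.209.11[.]155", "193.3.19[.]251"]


def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".")


HOSTS = {refang(h).lower() for h in MALICIOUS_HOSTNAMES}
REPO_PREFIXES = [refang(r) for r in GITHUB_REPOS]
C2_IPS = {ipaddress.ip_address(refang(ip)) for ip in C2_SERVERS}


def host_matches(host: str) -> bool:
    """Exact match, or any subdomain of a listed name (creativekt.com covers cdn.creativekt.com)."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in HOSTS)


def url_matches_repo(url: str) -> bool:
    """Prefix match on the scheme-less URL so other releases of the same repo are not flagged."""
    bare = re.sub(r"^https?://", "", url, flags=re.IGNORECASE)
    return any(bare.startswith(p) for p in REPO_PREFIXES)


def ip_matches(text: str) -> bool:
    try:
        return ipaddress.ip_address(text) in C2_IPS
    except ValueError:
        return False


# Constructed log format: timestamp client_ip method url destination_ip
LOG_LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<dst>\S+)$")


def scan_log(lines):
    """Return one hit per matching line with the reasons it matched."""
    hits = []
    for line in lines:
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue
        url = m["url"]
        host = urlparse(url).hostname or ""
        reasons = []
        if host_matches(host):
            reasons.append("hostname")
        if url_matches_repo(url):
            reasons.append("github_repo")
        if ip_matches(m["dst"]) or ip_matches(host):
            reasons.append("c2_ip")
        if reasons:
            hits.append({"ts": m["ts"], "client": m["client"], "url": url, "reasons": reasons})
    return hits


# Constructed sample log (documentation-range IPs except for the listed C2 address).
SAMPLE_LOG = """\
2024-10-09T14:02:11Z 10.0.0.12 GET https://slack.com/downloads/mac 203.0.113.1
2024-10-09T14:02:15Z 10.0.0.12 GET https://slack.workmeetingsapp.com/download 198.51.100.7
2024-10-09T14:02:19Z 10.0.0.12 GET https://github.com/09shubin/asdjh23/releases/download/nhehhh34/SlackSetup.exe 203.0.113.5
2024-10-09T14:02:40Z 10.0.0.12 POST http://85.209.11.155/upload 85.209.11.155
2024-10-09T14:03:02Z 10.0.0.44 GET https://cdn.creativekt.com/macdownloads/clockify_mac.php 198.51.100.9
2024-10-09T14:03:30Z 10.0.0.44 GET https://notion.so/desktop 203.0.113.10
"""


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

The subdomain rule is deliberate: the post lists creativekt[.]com as a domain rather than a full host, so anything under it should fire, while a look-alike such as evil-creativekt.com must not.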

iPhone flaw could read your saved passwords out loud. Update now!

Apple has released iOS 18.0.1 and iPadOS 18.0.1, which include a fix for a bug that could allow a user’s saved passwords to be read aloud by the VoiceOver accessibility feature.

VoiceOver allows users to use their iPhone or iPad even if they can’t see the screen. It gives audible descriptions of what’s on your screen—for example, the battery level, who’s calling you, or what item your finger is on.

Unfortunately, that also covered a user’s saved passwords in the Passwords app, so VoiceOver could effectively read someone’s passwords out loud.

While the chance of this vulnerability being abused is relatively small (the device would have to be unlocked and the attacker within earshot), it is always better to install security updates as soon as possible. Once criminals know a vulnerability exists, they tend to go looking for unpatched devices.

The patch for the flaw (listed as CVE-2024-44207) is available for iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.

To check if you’re using the latest software version of iOS and iPadOS, go to Settings > General > Software Update. You want to be on iOS 18.0.1 or iPadOS 18.0.1.

If you’re not on the latest version, you can update from this screen. It’s also worth turning on Automatic Updates if you haven’t already, which you can also do from this screen.

[Screenshot: preferred setting for automatic updates]

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.