IT NEWS

Magecart threat actor rolls out convincing modal forms

To ensnare new victims, criminals will often devise schemes that attempt to look as realistic as possible. Having said that, it is not every day that we see the fraudulent copy exceed the original piece.

While following up on an ongoing Magecart credit card skimmer campaign, we were almost fooled by a payment form that looked so well done we thought it was real. The threat actor used original logos from the compromised store and customized a web element known as a modal to perfectly hijack the checkout page.

While the technique to insert frames or layers is not new, the remarkable thing here is that the skimmer looks more authentic than the original payment page. We were able to observe several more compromised sites with the same pattern of using a custom-made and fraudulent modal.

This skimmer and associated campaigns represent one of the most active Magecart attacks we have been tracking in recent months.

Smooth checkout 

We identified a compromised online store for a Parisian travel accessory retailer running on the PrestaShop CMS. A skimmer we previously identified as Kritec was injected and loading malicious JavaScript that altered the checkout process. In the following section, we will compare the checkout process when the skimmer is active and when it is not.

Fraudulent payment form

What we see here is the use of a ‘modal’, which is a web page element displayed in front of the currently active page. The modal disables and grays out the background so that the user can focus on the presented element instead. This is an elegant way for website owners to keep their customers on the same website and have them interact with another form.

Figure 1: Compromised store loads fake payment modal

The problem is that this modal is entirely fake and designed to steal credit card data. It may sound hard to believe given that everything matches the original brand and feel of the site. Before digging further into why it is fraudulent, we will take a look at the same online store when the skimmer has been disabled.

Actual (real) payment form

In order to view this legitimate sequence, we first had to block the skimmer when requesting the e-commerce page. In our case, we simply blocked the connection to the malicious domain where the skimmer is hosted. As a result, the website will display what the original payment form should be (prior to the compromise).

Figure 2: Legitimate payment form when the same store is not compromised

The actual payment flow for this merchant is to redirect users to a third-party processor hosted by Dalenys, now part of Payplug, a French payment solutions company. So rather than display a modal, it loads the webpage for the payment processor to allow the user to enter their banking information. Once that is validated, it will take them back to the merchant page.

Malicious modal

The malicious modal is built very cleanly and contains an animation that displays the store’s logo in the middle and then moves it back up. We have to give credit where credit is due: this is a very well done skimmer that is actually a smoother user experience than the store’s default. We should also note that the malware author is not only well versed in web design, they also use proper language (French) for each form field.

Figure 3: A closer look at the fake modal

However, we noticed a small mistake in the hyperlink for Politique de confidentialité (terms of use). That link redirects to the terms of use for Mercado Pago, a payment processor used in South America. It is likely the threat actor copied the data from a previous template and did not notice their mistake. This is just a detail, and does not affect the functionality of the skimmer at all.

We can try to look for this erroneous hyperlink within the skimmer source code in order to confirm that the modal was created by the threat actor. The skimmer is rather complex and heavily obfuscated but we can see that HTML content is generated dynamically and goes through a decodeURIComponent routine.

Figure 4: Extracting code from the skimmer to reveal the connection with the modal

If we step through the code until the modal is loaded, we can grab the Base64 value corresponding to the HTML content. Once we have it, we can convert it to plain text and finally see the reference to mercadopago, which is proof that the skimmer is the one rendering this beautiful modal. In fact, we can see the whole thing is an iframe called v.ECPay:

Figure 5: The iframe created by the skimmer to display the modal
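The decoding step described above (grab the Base64 blob the skimmer builds at runtime, decode it, pass it through the decodeURIComponent stage, then look for the tell-tale iframe, card fields and the stray Mercado Pago link) can be reproduced offline for triage. The following is an added example, not code from the original article or from the skimmer; the sample HTML, the `v.ECPay` iframe name and the placeholder host `www.mercadopago.example` are constructed, and the order "percent-encode, then Base64" is an assumption made to match the article's description of the decoding chain.

```python
import base64
import re
from urllib.parse import quote, unquote

# Constructed sample HTML standing in for the modal markup a skimmer builds at runtime.
# It is NOT the Kritec payload; it only mirrors the traits the article describes:
# an iframe named v.ECPay, French card-entry fields, and a privacy-policy link that
# points at an unrelated payment processor (placeholder host, not a real URL).
SAMPLE_HTML = (
    '<div style="z-index:99999"><iframe name="v.ECPay" src="about:blank"></iframe>'
    '<form><input name="cc_number" placeholder="Num\u00e9ro de carte">'
    '<input name="cc_cvv" placeholder="Cryptogramme">'
    '<a href="https://www.mercadopago.example/privacy">Politique de confidentialit\u00e9</a>'
    '</form></div>'
)


def encode_like_skimmer(html):
    """Constructed encoder producing the shape the article describes (assumed order):
    the HTML is percent-encoded first, then the result is Base64-encoded."""
    return base64.b64encode(quote(html, safe="").encode("ascii")).decode("ascii")


def decode_payload(blob):
    """Reverse the chain: Base64-decode, then apply the decodeURIComponent step."""
    percent_encoded = base64.b64decode(blob).decode("utf-8", errors="replace")
    return unquote(percent_encoded)


# Indicators worth pulling out of the decoded markup during triage.
IFRAME_RE = re.compile(r'<iframe[^>]*\bname=["\']([^"\']+)["\']', re.I)
HREF_RE = re.compile(r'href=["\']https?://([^/"\']+)', re.I)
CARD_FIELD_RE = re.compile(
    r'<input[^>]*\bname=["\']([^"\']*(?:card|cc_|cvv|cvc|expir)[^"\']*)["\']', re.I
)
ZINDEX_RE = re.compile(r'z-index\s*:\s*(\d+)', re.I)


def triage(html, store_hosts):
    """Summarise what the decoded HTML injects: iframes, card-entry inputs,
    links to hosts that are not the store's own, and the overlay's z-index."""
    hosts = {h.lower() for h in HREF_RE.findall(html)}
    findings = {
        "iframes": IFRAME_RE.findall(html),
        "card_fields": CARD_FIELD_RE.findall(html),
        "foreign_hosts": sorted(h for h in hosts if h not in store_hosts),
        "max_z_index": max((int(z) for z in ZINDEX_RE.findall(html)), default=0),
    }
    # A payment form injected as an iframe, or linking off-brand, is the modal pattern.
    findings["suspicious"] = bool(
        findings["card_fields"] and (findings["iframes"] or findings["foreign_hosts"])
    )
    return findings


if __name__ == "__main__":
    blob = encode_like_skimmer(SAMPLE_HTML)
    print(triage(decode_payload(blob), {"boutique.example"}))
```

In practice the blob is captured from the debugger at the point the article describes (just before the modal is rendered) and the store's own hostnames are passed as `store_hosts`, so that any link leaving the brand, such as the Mercado Pago policy page, stands out.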

Full payment flow

We recreated the payment flow from the perspective of a customer shopping via that compromised store. We can see that upon selecting the credit card payment option, the malicious modal is loaded and will harvest their payment card details.

A fake error, “votre paiment a été annulé” (your payment was cancelled), is then displayed briefly before the user is redirected to the real payment URL:

Figure 6: Payment process flow with the skimmer active

On the second attempt, the payment will go through and victims will be unaware of what just happened.

The skimmer drops a cookie which serves as an indication that the current session is now marked as completed. If the user were to go back and attempt the payment again, the malicious modal would no longer be displayed; instead, the real payment method via the external processor Dalenys would be used.

Figure 7: Cookie dropped by the skimmer once data has been stolen

Ongoing, covert campaigns

We now believe this Kritec skimmer is part of the same compromises with injections into vulnerable websites where malicious code is placed within the Google Tag Manager script. It is possible multiple threat actors are involved in those campaigns and customizing skimmers accordingly.

While many hacked stores had a generic skimmer, it appears the custom modals were developed fairly recently, maybe a month or two ago. The threat actor is using different domains to host the skimmer but names them in a similar way: [name of store]-loader.js.

We crawled several thousand e-commerce sites and found more fraudulent modals, in different languages.

Figure 8: A Dutch e-commerce site with the fake modal

Figure 9: A Finnish e-commerce site with the fake modal

Discerning whether an online store is trustworthy has become very difficult and this case is a good example of a skimmer that would not raise any suspicion.

If you are a Malwarebytes customer, you will get a notification and block when attempting to make a purchase from a store that has been compromised by this skimmer.

Figure 10: Skimmer being blocked by Malwarebytes

Indicators of Compromise

Domain names

genlytec[.]us
shumtech[.]shop
zapolmob[.]sbs
daichetmob[.]sbs
interytec[.]shop
pyatiticdigt[.]shop
stacstocuh[.]quest

IP addresses

195.242.110[.]172
195.242.110[.]83
195.242.111[.]146
45.88.3[.]201
45.88.3[.]63

YARA rule

rule kritecloader
{
    strings:
        $string = "'fetchModul'"
        $string2 = "'setAttribu'"
        $string3 = "'contentWin'"
        $string4 = "'zIndex'"

    condition:
        all of them
}

Whether you are visiting an online store from home or while at work, web protection is a critical layer in your overall defense. Malwarebytes Premium for consumers and Endpoint Protection for businesses provide real-time protection against threats like Magecart.

TRY NOW

ChatGPT writes insecure code

Research by computer scientists associated with the Université du Québec in Canada has found that ChatGPT, OpenAI’s popular chatbot, is prone to generating insecure code.

“How Secure is Code Generated by ChatGPT?” is the work of Raphaël Khoury, Anderson Avila, Jacob Brunelle, and Baba Mamadou Camara. The paper concludes that ChatGPT generates code that isn’t robust, despite claiming awareness of its vulnerabilities.

“The results were worrisome,” the researchers say in the paper. “We found that, in several cases, the code generated by ChatGPT fell well below minimal security standards applicable in most contexts.”

“In fact, when prodded to whether or not the produced code was secure, ChatGPT was able to recognize that it was not. The chatbot, however, was able to provide a more secure version of the code in many cases if explicitly asked to do so.”

In the experiment, the researchers assumed the role of a novice programmer who doesn’t have security in mind. They asked ChatGPT to generate code, specifying in some cases that the code would be used in a “security-sensitive context.” What they didn’t do, however, was specifically ask the AI chatbot to create secure code or include certain security features.

ChatGPT generated 21 applications written in five programming languages: C, C++, HTML, Java, and Python. The programs are simple, with 97 lines of code at most.

In its first run, ChatGPT produced five secure applications out of 21. When prompted for changes, it made seven more secure applications from the remaining 16.

The authors note that ChatGPT can only create “secure” code when a user requests it. When tasked with creating a simple FTP server for file sharing, it generated code without applying input sanitization (where code is checked for harmful characters and removed where necessary). ChatGPT only added the security feature after the authors prompted it to do so.
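The FTP-server case the authors describe is a good illustration of what "input sanitization" has to mean in a file-sharing service: the path a client sends is attacker-controlled, and without a check it can walk out of the shared directory. The following is an added example, not code from the paper or output from ChatGPT; the root directory `/srv/ftp` and the request strings are constructed. It shows the unchecked join beside a confined version that rejects NUL bytes, absolute paths and `..` components and then verifies the normalised result still lies under the served root.

```python
from pathlib import Path, PurePosixPath


class UnsafePathError(ValueError):
    """Raised when a client-supplied path would escape the served directory."""


def resolve_naive(root, requested):
    """'Before' shape: joins the client's path onto the root without any check,
    so a request such as "../etc/passwd" walks straight out of the share."""
    return str(Path(root) / requested)


def resolve_confined(root, requested):
    """Hardened form: reject NUL bytes, absolute paths and '..' components, then
    normalise and confirm the result still sits under the served root."""
    if "\x00" in requested:
        raise UnsafePathError("NUL byte in path")
    req = PurePosixPath(requested)
    if req.is_absolute() or ".." in req.parts:
        raise UnsafePathError(requested)
    root_path = Path(root).resolve()
    # Re-resolve after joining so symlinks inside the share cannot point outside it.
    candidate = root_path.joinpath(*req.parts).resolve()
    if candidate != root_path and root_path not in candidate.parents:
        raise UnsafePathError(requested)
    return str(candidate)


def is_confined(root, requested):
    """Boolean convenience wrapper for filtering a batch of requests."""
    try:
        resolve_confined(root, requested)
        return True
    except UnsafePathError:
        return False


if __name__ == "__main__":
    # Constructed requests a novice server would receive; root is hypothetical.
    for path in ("docs/readme.txt", "../etc/passwd", "/etc/passwd"):
        print(path, "->", resolve_naive("/srv/ftp", path), "| confined:", is_confined("/srv/ftp", path))
```

The point the paper makes is that the second function only appears when someone assumes an adversarial client; a server written from the "novice programmer" prompt ships the first.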

“Part of the problem seems to be that ChatGPT simply doesn’t assume an adversarial model of execution,” the authors say, explaining why the AI bot cannot create secure code by default. Despite this, the bot readily admits to errors in its code.

“If asked specifically on this topic, the chatbot will provide the user with a cogent explanation of why the code is potentially exploitable. However, any explanatory benefit would only be available to a user who ‘asks the right questions’. i.e.; a security-conscious programmer who queries ChatGPT about security issues.”

Additionally, the authors point to the chatbot’s ethical inconsistency when it refuses to create attack code but will create insecure code.

It might refuse to create attack code, but there are ways round it. Malwarebytes Security Evangelist Mark Stockley decided to try to create ransomware using ChatGPT. The AI bot refused to create malware code at first, but Stockley found his way around the initial safeguards and managed to get it to create (admittedly quite dubious) ransomware anyway.

In an interview with The Register, one of the Université du Québec researchers said he had concerns about ChatGPT. “We have actually already seen students use this, and programmers will use this in the wild,” Khoury said. “So having a tool that generates insecure code is really dangerous. We need to make students aware that if code is generated with this type of tool, it very well might be insecure.”


Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.


Decoy dog toolkit plays the long game with Pupy RAT

Researchers at Infoblox have discovered a new toolkit being used in the wild called Decoy Dog. It targets enterprises, and has a fondness for deploying a remote access trojan called Pupy RAT.

Activity from the RAT was first noticed earlier this month. Subsequent research revealed that it has been in operation since at least April last year. An initial two domains were being used as Command & Control centers (C2), with almost all of the C2 communications originating from Russia.

From there, further research identified a DNS signature not related to Pupy components. This signature was so unique that its presence indicated not just the open source Pupy RAT, but the Decoy Dog toolkit being used for deployment. Infoblox claims that this unique DNS signature for Decoy Dog “matches less than 0.0000027% of the 370 million active domains on the internet”.

Pupy itself has been seen in numerous nation state attacks and other serious compromises. Back in 2020, it was at the heart of a European electricity association breach. Elsewhere, it was seen as part of a campaign called Magic Hound in 2017, which targeted Government and technology sectors in Saudi Arabia.

Pupy RAT is very good at hiding in networks for long periods of time and can infect several platforms including Windows, Linux, and mobile. It communicates with its C2 via DNS. This makes it harder to spot than more common forms of malicious activity due to its tiny footprint. Its open source nature means all manner of changes—such as detecting sandboxes, installing keyloggers, or dumping hashes from a target system—can be made to keep security teams on their toes.
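Because Pupy RAT talks to its C2 over DNS, the practical defensive question is what that traffic looks like in a resolver log. The exact Decoy Dog signature Infoblox describes is not published here, so the following is an added example of a generic heuristic, not Infoblox's signature and not code from the Pupy project: it profiles queries per client and registered domain and flags a client that sends many unique, high-entropy subdomains to one domain, which is the shape DNS-based C2 channels tend to produce. The log lines and the domain `beacon-c2.example` are constructed, and treating the last two labels as the registered domain is a simplification (a real deployment would use the Public Suffix List).

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log (not real Decoy Dog traffic): "<timestamp> <client> <qtype> <qname>".
# 10.0.0.5 browses normally; 10.0.0.7 sends a stream of random-looking labels under one domain.
SAMPLE_LOG = """\
2023-04-20T10:00:01Z 10.0.0.5 A www.example.com
2023-04-20T10:00:02Z 10.0.0.5 A cdn.example.com
2023-04-20T10:00:03Z 10.0.0.7 TXT 7a9f3c1e0b2d.k1.beacon-c2.example
2023-04-20T10:00:04Z 10.0.0.7 TXT 5e1b8d4a2c9f.k2.beacon-c2.example
2023-04-20T10:00:05Z 10.0.0.7 TXT 0c6e9a3f1d7b.k3.beacon-c2.example
2023-04-20T10:00:06Z 10.0.0.7 TXT 2f8a4c1e6b0d.k4.beacon-c2.example
2023-04-20T10:00:07Z 10.0.0.7 TXT 9d3b7e5a1c0f.k5.beacon-c2.example
2023-04-20T10:00:08Z 10.0.0.7 TXT 4a2c8e6b0d1f.k6.beacon-c2.example
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (registered_domain, subdomain_labels_joined).
    Simplification: the last two labels are taken as the registered domain."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), "".join(labels[:-2])


def profile_queries(log_text):
    """Aggregate per (client, registered domain): query count, unique subdomains, entropies."""
    profiles = defaultdict(lambda: {"queries": 0, "subdomains": set(), "entropies": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the run
        _ts, client, _qtype, qname = m.groups()
        domain, sub = split_qname(qname)
        p = profiles[(client, domain)]
        p["queries"] += 1
        if sub:
            p["subdomains"].add(sub)
            p["entropies"].append(shannon_entropy(sub))
    return profiles


def flag_tunneling(profiles, min_unique=5, min_entropy=3.0):
    """Flag (client, domain) pairs with many distinct, high-entropy subdomains."""
    flagged = {}
    for key, p in profiles.items():
        if len(p["subdomains"]) < min_unique:
            continue
        mean_entropy = sum(p["entropies"]) / len(p["entropies"])
        if mean_entropy >= min_entropy:
            flagged[key] = {
                "unique_subdomains": len(p["subdomains"]),
                "mean_entropy": round(mean_entropy, 2),
            }
    return flagged


if __name__ == "__main__":
    for (client, domain), stats in flag_tunneling(profile_queries(SAMPLE_LOG)).items():
        print(f"{client} -> {domain}: {stats}")
```

The thresholds are deliberately loose; tune `min_unique` and `min_entropy` against a baseline of your own resolver logs, since CDNs and some telemetry services also generate long, varied labels and will need an allow list.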

It is not easy to set up or use, because of the skill required to operate the tool alongside a working DNS server configuration. This is not your average DIY bedroom-coded malware operation, and anyone using this knows what they’re doing.

There is currently no evidence to suggest any consumer targets have been hit by the Decoy Dog/Pupy RAT combination. So far, everything Infoblox and the other security vendors it has consulted with have seen has been enterprise based. This makes sense; it would be rather peculiar to see something of this nature striking out at people in their homes. If you’re not an enterprise or running “large organisational, non-consumer devices” then this isn’t something you’re likely to run into.

Additionally, there’s no data shared on which sector is targeted by the above, so it’s currently impossible to say if it’s one specific realm of business at risk here or if the group behind these installations is picking targets at random. One would suspect the former. While the energy sector shows up in many historical Pupy attacks, that doesn’t mean this is the case here. Investigations into Decoy Dog and Pupy RAT are ongoing, so for now we have to hope that this particular spate of network compromise is still something of a rarity.

Users of Malwarebytes are protected against this threat.


APC warns about critical vulnerabilities in online UPS monitoring software

In a security notification, APC has warned home and corporate users about critical vulnerabilities in the software used to monitor and control their UPS systems online.

APC, which started as American Power Conversion in 1981, is today part of Schneider Electric. APC is an industry leader in physical infrastructure and software solutions, and one of the most popular uninterruptible power supply (UPS) brands. The company offers a range of UPS solutions, from home users to industrial control applications.

The monitoring software affected by the vulnerabilities is:

  • APC Easy UPS Online Monitoring Software, V2.5-GA-01-22320 and prior (Windows 10, 11; Windows Server 2016, 2019, 2022)
  • Schneider Electric Easy UPS Online Monitoring Software, V2.5-GS-01-22320 and prior (Windows 10, 11; Windows Server 2016, 2019, 2022)

The Easy UPS Online Monitoring Software is used to configure and manage APC and Schneider Electric branded Easy UPS products.

Users of APC Easy UPS Online Monitoring Software (Windows 10) can download a version that includes a fix here.

Users of Schneider Electric Easy UPS Online Monitoring Software (Windows 10) can get a version that includes a fix here.

Failure to apply the remediations may risk remote code execution, escalation of privileges, or authentication bypass, which could result in execution of malicious web code or loss of device functionality.

Any users that choose not to apply the remediation provided above should immediately apply the following general security recommendations to reduce the risk of exploitation:

For Windows (10, 11) and Windows server 2016, 2019, 2022: Customers with direct access to their Easy UPS units should upgrade to PowerChute Serial Shutdown (PCSS) software on all servers protected by the Easy UPS On-Line (SRV, SRVL models).

As general advice, it’s worth saying that online monitoring tools should sit behind a firewall, and access should be restricted to those who really need it.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in these updates are:

CVE-2023-29411 CVSS score 9.8 out of 10: A missing authentication for critical function vulnerability exists that could allow changes to administrative credentials, leading to potential remote code execution without requiring prior authentication on the Java RMI interface. Exploiting this vulnerability offers an unauthorized attacker the option to change the administrator login credentials.

CVE-2023-29412 CVSS score 9.8 out of 10: An improper handling of case sensitivity vulnerability exists that could cause remote code execution when manipulating internal methods through the Java RMI interface. The software does not neutralize, or incorrectly neutralizes, special elements, which could lead to remote code execution.

CVE-2023-29413 CVSS score 7.5 out of 10: A missing authentication for critical function vulnerability exists that could cause Denial-of-Service when accessed by an unauthenticated user on the Schneider UPS Monitor service. Generally Denial-of-Service vulnerabilities are not considered serious, but given the importance in some use cases of uninterrupted power supply, the consequences of an outage can be serious.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Update your PaperCut application servers now: Exploits in the wild

PaperCut, maker of print management solutions, has urged product users to update as soon as possible. A security vulnerability affecting unpatched servers is being exploited in the wild, with serious ramifications for any organisation impacted.

Two specific vulnerabilities are at the heart of this alert, and are ranked with severity scores of 9.8 (critical) and 8.2 (high) respectively. Full information about the individual security flaws has not been revealed, in order to reduce the likelihood of more attackers making use of them.

Mitigation

At the time of writing, both security issues have been addressed with patches. If you update your PaperCut application servers, you are no longer at risk. A recent Shodan search shows roughly 1,700 software instances currently exposed to the internet. These flaws are quite severe, so it’s absolutely worth your time to get things updated as soon as possible.

From the Updating FAQ:

  • Please follow your usual upgrade procedure. Additional links on the ‘Check for updates’ page (accessed through the Admin interface > About > Version info > Check for updates) will allow customers to download fixes for previous major versions which are still supported (e.g. 20.1.7 and 21.2.11) as well as the current version available.
  • If you are using PaperCut MF, we highly recommend following your regular upgrade process. Your PaperCut partner or reseller information can also be found on the ‘About’ tab in the PaperCut admin interface.

If you’re unable to upgrade

PaperCut advises those who are unable to apply the patches to follow the below steps:

  • Block all inbound traffic from external IPs to the web management ports (ports 9191 and 9192 by default)
  • Block all traffic inbound to the web management portal on the firewall to the server. Note: this will prevent lateral movement from internal hosts but management of the PaperCut service can only be performed on that asset.
  • Apply “Allow list” restrictions under Options > Advanced > Security > Allowed site server IP addresses. Set this to only allow the IP addresses of verified Site Servers on your network. Note this only addresses ZDI-CAN-19226 / PO-1219.

Exploits

The two vulnerabilities in question are:

CVE-2023-27350: This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability.

CVE-2023-27351: This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The issue results from improper implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system.

In both cases, compromised systems could be used to perform additional exploitation after the initial attack. Arbitrary code can be deployed, or even ransomware if that’s part of the attacker’s toolkit. The relative ease with which these exploits can be launched is just one reason for the high threat severity score. Indeed, researchers quickly discovered two types of (legitimate) remote management software being used in these attacks. These management tools are used to grant a potential form of persistent remote access to the target network. From here, they can burrow in ever deeper without the affected organisation noticing.

It will probably be a while before all possible patchable installations are running the necessary updates. If you’re potentially affected, do your part and head over to the updates page immediately.


Black Basta ransomware attacks Yellow Pages Canada

The Canadian Yellow Pages Group has confirmed it recently became victim of a cyberattack. The Black Basta ransomware group has claimed responsibility for this attack by posting about Yellow Pages on the “Basta News” leak site.

When such a post shows up, it usually means that negotiations with the victim have stopped and that the ransomware group is getting ready to sell the data it managed to get its hands on during the attack.

Based on the most recent leaked information and an outage of the Yellow Pages website Canada 411 at the beginning of April, it is likely the attack occurred between March 15 and April 7. Attackers using Black Basta have been known to be active on a victim’s network for two to three days before running their ransomware.

Canada is ranked first if you look at the number of ransomware attacks divided by GDP.

Chart: Number of ransomware attacks per $1T GDP (top 10 countries)

Black Basta is not very different from other ransomware groups in the way it operates. Similar to others, the gang’s attacks frequently begin with initial access gained through phishing attacks. A typical attack might start with an email containing a malicious document in a zip file. Upon extraction, the document installs the Qakbot banking trojan to create backdoor access and deploy SystemBC, which sets up an encrypted connection to a command and control server. From there, CobaltStrike is installed for network reconnaissance and to distribute additional tools.

As is the overarching trend for ransomware groups these days, Black Basta’s primary goal is to steal data so that it can hold the threat of leaked data over its victims. The data is generally stolen using the command line program Rclone, which filters and copies specific files to a cloud service. After the data is copied, the ransomware encrypts files with the “.basta” extension, erases volume shadow copies, and presents a ransom note named readme.txt on affected devices.

On the leak site, Black Basta provided samples of highly sensitive information about several people. Included are copies of Canadian passports, Quebec and British Columbia driver’s licenses, Régie de l’assurance-maladie du Québec (RAMQ health insurance) cards, and a tax return containing one individual’s social insurance number.

Franco Sciannamblo, YP’s Senior Vice President and Chief Financial Officer, commented in a statement to BleepingComputer:

“Based on our investigation to date, we have reason to believe that the unauthorized third party stole certain personal information from servers containing YP employee data and limited data relating to our business customers.”

All impacted individuals and the appropriate privacy regulatory authorities have been notified about the attack.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


GuLoader returns with a rotten shipment

GuLoader, a perennial favourite of email-based malware campaigns since 2019, has been seen in the wild once again. GuLoader is a downloader with a chequered history, dating back to somewhere around 2011 in various forms. Two years ago it was one of our most seen malspam attachments.

Chart (2020): Most popular attachments by tags in Malwarebytes email telemetry

We also saw it during the pandemic, masquerading as a health e-book sent from the World Health Organisation.

GuLoader is typically used to load the payload for the campaign in question. It often arrives in a ZIP file, and once the archive is opened and the file inside is executed, the malicious activity begins. It may attempt to download data stealers, trojans, generic forms of malware, whatever is required. On top of this, GuLoader is designed to evade network detection and sneak past sandbox technology. For example, it may recognise that it is being loaded inside a virtual testing machine and refuse to run.

In this case, we have a bogus shipping notification written in Italian.

Screenshot: GuLoader detected

This is somewhat humorous given GuLoader’s Italian origins. The mail, titled “Shipment Notification”, reads as follows:

Dear Customer,

We are pleased to inform you that the shipment to you by Mastrotto Express has begun. For shipping details, please see the attached file. For convenience, we summarise the details of the shipment:

Shipping number:

Delivery note number:

Number of packages:

Weight:

Volume:

We inform you that the email was automatically generated by a server, please do not reply, thanks for your cooperation.

In this example, GuLoader is not hidden inside a ZIP file. Instead, the attachment is an .ISO file. An .ISO is an image of a DVD, a CD, or other related forms of media. If you ever spent some time backing up your CD collection to a computer, you probably have a lot of these in a folder somewhere.

The file (or image, as they’re also sometimes called) would then be mounted as a virtual drive to gain access to the content. You could also just use a program like WinZip to open the files. However you do it, in this case the only thing waiting inside is GuLoader taking the form of a fake .JPG file. Note the .EXE (executable) extension in the below screenshot. Pretending that an executable is an image by giving it a double extension is an incredibly old trick. On the other hand, it works!

Screenshot: GuLoader with a double extension
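The two tricks in this sample, an ISO container to carry the file past ZIP-focused filters and a `.jpg.exe` double extension to disguise the executable, are both cheap to check for at a mail gateway. The following is an added example of such a check, not code from Malwarebytes or from any mail product; the extension lists and the attachment names are constructed, and the lists are a starting point rather than a complete catalogue.

```python
# Extension sets are a constructed starting point, not an exhaustive list.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "wsf", "msi", "dll"}
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "xls", "xlsx", "txt"}
CONTAINER_EXTS = {"iso", "img", "vhd", "vhdx", "zip", "rar", "7z"}

VERDICT_ORDER = {"allow": 0, "inspect": 1, "block": 2}


def classify_attachment(filename):
    """Return (verdict, reason) for one attachment name."""
    parts = [p.strip() for p in filename.strip().lower().split(".")]
    if len(parts) < 2 or not parts[-1]:
        return ("allow", "no extension")
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        # "photo.jpg.exe": the user sees an image, Windows runs a program.
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            return ("block", f"double extension .{parts[-2]}.{ext} disguises an executable")
        return ("block", f"executable extension .{ext}")
    if ext in CONTAINER_EXTS:
        # Containers such as .iso are mounted, not extracted, so their contents
        # bypass filters that only look inside ZIP archives; descend and classify.
        return ("inspect", f"container .{ext}: classify the files inside")
    return ("allow", f".{ext}")


def classify_message(attachments):
    """attachments: list of (outer_filename, inner_filenames) pairs, where
    inner_filenames lists entries found inside a container (empty for plain files).
    Returns the worst verdict across the outer file and everything inside it."""
    worst = ("allow", "no attachments")
    for outer, inner in attachments:
        for verdict in [classify_attachment(outer)] + [classify_attachment(n) for n in inner]:
            if VERDICT_ORDER[verdict[0]] > VERDICT_ORDER[worst[0]]:
                worst = verdict
    return worst


if __name__ == "__main__":
    # Constructed message mirroring the sample: an ISO whose only content is a .jpg.exe.
    print(classify_message([("notifica_spedizione.iso", ["dettagli_spedizione.jpg.exe"])]))
```

The inner file list is whatever your gateway's archive or image unpacker reports; the value of the container rule is that an `.iso` on its own is at least held for inspection instead of being waved through as "not a ZIP".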

How to avoid fake parcel scams

  • Check your orders. The email isn’t going anywhere, and neither is your order. You have plenty of time to see if you recognise parcel details, and also the delivery network. 
  • Avoid attachments. So-called invoices or shipping details enclosed in a ZIP file should be treated with suspicion.
  • Watch out for a sense of urgency. Be wary of anything applying pressure to make you perform a task. A missing payment and only 24 hours to make it? A time-sensitive refund? Mysterious shipping charges? All are designed to hurry you into making a decision.
  • If in doubt, make contact with the company directly via official channels.

Thanks to Jerome for sending over.


Adult content malvertising scheme leads to clickjacking

Malwarebytes’ researchers have found a malvertising scheme that leads to clickjacking.

Clickjacking is a form of ad fraud which is also referred to as click fraud or click spam. It is a practice performed by certain dubious advertising networks, where they sometimes use automated programs—from simple to sophisticated bots and botnets—to interact with advertisements online. But it can also be done by tricking legitimate users into clicking ads, visiting pages, and (in some cases) creating fake form submissions.

Ad fraud means that the advertiser pays the referrer or the advertising network to show their ads to interested visitors. In reality, the criminal doesn’t care who actually clicks or whether they are interested, as long as the money keeps coming their way.

The campaign

To start things up, visitors are lured to several fake blogs about topics they might find interesting.

Screenshot: This is how the actual blog looks

The original blog, however, is hidden by an overlay showing blurred explicit content and a button asking the visitor to confirm they are 18+ and whether they want to enter the website. We have seen a few different overlays on the same website, so there could be some fingerprinting involved. Below are a few examples:

Screenshot: Example of overlay 1

Screenshot: Overlay button, version 2

Whichever one the visitor sees, clicking the button does nothing other than registering a click on an advertisement. However, that does help the cybercriminals set up this clickjacking scheme. 

Screenshot: Advertisement targeting a Dutch audience

Above is an example of an advertisement shown to a Dutch IP and, below, a screenshot of the Google ad that was presented to a Canadian IP address.

Screenshot: Full link to the advertisement shown to a Canadian visitor

This is the link behind the version you can see here:

Screenshot (overlay version 3): Dragging the button allows the visitor to see where the click will take them

The code behind these attacks is obfuscated.

Screenshot: Obfuscated JavaScript

In this case there is no imminent danger for the website visitor. It is just wasted money for the advertiser. So, if you run into one of these, don’t make them any richer by clicking that 18+ button.

If you are spending money on advertising, it is worth looking at what you get for the money you are spending. According to research carried out by BusinessOfApps, the total cost of ad fraud in 2022 was around $81 billion, and it is predicted to increase to $100 billion by 2023.

If the spending and return on investment are opaque, advertisers can also look at solutions that can significantly reduce their advertising costs. Some can be tried for free for up to 5,000 paid clicks per month on the Google Ads platform.


Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Removing the human: When should AI be used in emotional crisis? Lock and Code S03E09

In January, a mental health nonprofit admitted that it had used Artificial Intelligence to help talk to people in distress. 

Prompted first by a user’s longing for personal improvement—and the difficulties involved in that journey—the AI tool generated a reply, which, with human intervention, could be sent verbatim in a chat box, or edited and fine-tuned to better fit the situation. The AI said:

“I hear you. You’re trying to become a better person and it’s not easy. It’s hard to make changes in our lives, especially when we’re trying to do it alone. But you’re not alone. There are people here who care about you and want to help you. I’m proud of you for making the decision to try to improve your life. It takes a lot of courage and strength. I send you love and support as you go through this journey.”

This was experimental work from Koko, a mental health nonprofit that integrated the GPT-3 large language model into its product for a short period of time that is now over. In a video demonstration posted on Twitter earlier this year, Koko co-founder Rob Morris revealed that the nonprofit had used AI to provide “mental health support to about 4,000 people” across “about 30,000 messages.” Though Koko pulled GPT-3 from its system after a reportedly short period of time, Morris said on Twitter that there are several questions left from the experience. 

“The implications here are poorly understood,” Morris said. “Would people eventually seek emotional support from machines, rather than friends and family?”

Today, on the Lock and Code podcast with host David Ruiz, we speak with Courtney Brown, a social services administrator with a history in research and suicidology, to dig into the ethics, feasibility, and potential consequences of relying increasingly on AI tools to help people in distress. For Brown, the immediate implications draw up several concerns. 

“It disturbed me to see AI using ‘I care about you,’ or ‘I’m concerned,’ or ‘I’m proud of you.’ That made me feel sick to my stomach. And I think it was partially because these are the things that I say, and it’s partially because I think that they’re going to lose power as a form of connecting to another human.”

But, importantly, Brown is not the only voice in today’s podcast with experience in crisis support. For six years and across 1,000 hours, Ruiz volunteered on his local suicide prevention hotline. He, too, has a background to share. 

Tune in today as Ruiz and Brown explore the boundaries for deploying AI on people suffering from emotional distress, whether the “support” offered by any AI will be as helpful and genuine as that of a human, and, importantly, whether they are simply afraid of having AI encroach on the most human experiences. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

A week in security (April 17 – 23)

Last week on Malwarebytes Labs:

