
A week in security (January 30 – February 5)

Last week on Malwarebytes Labs:

Stay safe!

Two year old vulnerability used in ransomware attack against VMware ESXi

On Friday and over the weekend, several Computer Emergency Response Teams (CERTs) sounded the alarm about an ongoing large scale ransomware attack on VMware ESXi virtual machines.

Shodan queries by different researchers give somewhat different counts, but most agree on an estimate of around 500 affected entities over the weekend.

Old vulnerability

The suspected vulnerability, CVE-2021-21974, was patched by VMware almost two years ago. It is a heap overflow in the OpenSLP service as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG). A malicious actor on the same network segment as the ESXi host, with access to port 427, may be able to trigger the heap overflow in the OpenSLP service, resulting in remote code execution.

A buffer overflow is a software vulnerability in which a write to an area of memory runs past the end of that area and into the adjacent memory. The two regions most commonly targeted by exploit code are the stack and the heap. Each thread of execution has its own stack, holding local variables and return addresses, whereas the heap is a single pool of dynamically allocated memory shared by all parts of the program, which is why a heap overflow in a network service such as OpenSLP can corrupt data belonging to other requests or code paths.

Mitigation

The products vulnerable to CVE-2021-21974 are VMware ESXi and VMware Cloud Foundation. To remediate it, apply the updates listed under 3b in the ‘Fixed Version’ column of the ‘Response Matrix’ in VMware’s advisory to affected deployments.

The fixed versions are:

  • For ESXi 7.0: ESXi70U1c-17325551 or later
  • For ESXi 6.7: ESXi670-202102401-SG or later
  • For ESXi 6.5: ESXi650-202102101-SG or later
  • For Cloud Foundation (ESXi) 4.x: 4.2 or later
  • For Cloud Foundation (ESXi) 3.x: please refer to VMware KB82705

A recommended workaround if you are not using the OpenSLP service in ESXi is to disable the SLP service on VMware ESXi.
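As an added example (not VMware’s tooling and not from the original article), the following Python script works out from captured command output whether a host is still exposed: it compares the build from `esxcli system version get` against the fixed builds above and checks whether the SLP workaround has been applied. The workaround itself, from VMware’s KB 76372, is `/etc/init.d/slpd stop`, `esxcli network firewall ruleset set -r CIMSLP -e 0` and `chkconfig slpd off`; the script parses the output of `chkconfig --list` and `esxcli network firewall ruleset list` to confirm those took effect. The 7.0 build number comes from the patch name on this page; the 6.7 and 6.5 build numbers are taken from VMware’s patch release notes and are an assumption you should verify against the advisory before relying on them. The sample command output is constructed.

```python
"""Offline exposure check for CVE-2021-21974 on an ESXi host.

Added example, not VMware tooling. Feed it the text of three commands run on
the host (or collected over SSH) and it reports whether the build is at or
above the fixed build and whether the SLP workaround is in place.
"""
import re
from typing import Optional

# Fixed builds per VMSA-2021-0002. 17325551 is in the 7.0 patch name
# (ESXi70U1c-17325551). The 6.7 and 6.5 values are taken from VMware's patch
# release notes and are an assumption here: verify them against the advisory.
FIXED_BUILDS = {"7.0": 17325551, "6.7": 17499825, "6.5": 17477841}


def parse_version(output: str) -> tuple[str, int]:
    """Parse `esxcli system version get` output into ("major.minor", build)."""
    ver = re.search(r"^\s*Version:\s*(\d+)\.(\d+)", output, re.M)
    build = re.search(r"^\s*Build:\s*Releasebuild-(\d+)", output, re.M)
    if not ver or not build:
        raise ValueError("unrecognised esxcli version output")
    return f"{ver.group(1)}.{ver.group(2)}", int(build.group(1))


def build_is_fixed(version: str, build: int) -> Optional[bool]:
    """True if at/above the fixed build, False if below, None for an unknown branch."""
    fixed = FIXED_BUILDS.get(version)
    if fixed is None:
        return None
    return build >= fixed


def slpd_enabled(chkconfig_output: str) -> bool:
    """Parse `chkconfig --list`; True if the slpd service is set to start."""
    m = re.search(r"^slpd\s+(on|off)\s*$", chkconfig_output, re.M)
    return bool(m and m.group(1) == "on")


def cimslp_firewall_open(ruleset_output: str) -> bool:
    """Parse `esxcli network firewall ruleset list`; True if CIMSLP (port 427) is allowed."""
    m = re.search(r"^CIMSLP\s+(true|false)\s*$", ruleset_output, re.M)
    return bool(m and m.group(1) == "true")


def assess(version_out: str, chkconfig_out: str, ruleset_out: str) -> dict:
    """Combine the three checks into one verdict for the host."""
    version, build = parse_version(version_out)
    patched = build_is_fixed(version, build)
    # SLP is reachable if either the daemon still starts or the firewall still lets 427 in.
    slp_reachable = slpd_enabled(chkconfig_out) or cimslp_firewall_open(ruleset_out)
    return {
        "version": version,
        "build": build,
        "patched": patched,
        "slp_reachable": slp_reachable,
        # Exposed only when the build is known to be below the fix AND SLP is still up.
        "exposed": patched is False and slp_reachable,
    }


# Constructed sample output in the shape of the real commands: an unpatched 7.0 host
# with SLP running and the CIMSLP firewall ruleset enabled.
SAMPLE_VERSION = """\
   Product: VMware ESXi
   Version: 7.0.0
   Build: Releasebuild-16324942
   Update: 0
   Patch: 0
"""
SAMPLE_CHKCONFIG = "sfcbd-watchdog   on\nslpd             on\nsnmpd            off\n"
SAMPLE_RULESET = "Name       Enabled\n---------  -------\nCIMSLP     true\nsshServer  true\n"

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_CHKCONFIG, SAMPLE_RULESET))
```

Treat a `None` result from `build_is_fixed` as "go and look", not as safe: the table only covers the branches named in the advisory. Patching remains the real fix; disabling SLP removes the reachable service for this CVE but does nothing for the other ESXi RCEs mentioned later in the article.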

Ransomware

Even though proof-of-concept (PoC) instructions were posted only a few months after the vulnerability was patched, we hadn’t seen any reports of the exploit being used in the wild before February 3, 2023. The attack targets vulnerable ESXi servers that expose port 427 to the internet. The threat actor runs an encryption process that specifically targets virtual machine files (.vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram, .vmem), although some researchers have found instances where only the configuration files were encrypted. More on that below.

The ransomware group that reportedly launched this large-scale attack dubbed ESXiArgs against vulnerable ESXi is believed to be the new Nevada ransomware group.

Recently, it became known that the Royal ransomware group had added the ability to target Linux machines to its arsenal. As organizations move workloads to virtual machines (VMs), a Linux-based variant lets such groups go after the very popular ESXi hosts, where one encrypted datastore can take down every VM on it.

Decryptable

Security researcher Matthieu Garin posted on social media that the attackers only encrypt the config files, and not the vmdk disks where the data is stored. In such cases, the Enes.dev website may be of help to you. The guide explains how admins can rebuild their virtual machines and recover their data for free.

According to research from BleepingComputer, the encryption routine itself is secure, which means there are no cryptography bugs that allow free decryption.

Disclaimers

Nevada may turn out to be the Linux variant of a well-known ransomware group.

While all clues point to CVE-2021-21974, there are several other critical vulnerabilities in VMware ESXi, such as CVE-2022-31696, CVE-2022-31697, CVE-2022-31698, and CVE-2022-31699, that can potentially lead to remote code execution (RCE) on affected systems.

There may be special circumstances at work in the cases where only the config files were encrypted. For example, the ransomware tries to stop the VM so it can encrypt its files, but this may not always succeed, in which case the damage is limited to the config files.

When more details become available we will keep you updated here.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

How the CISA catalog of vulnerabilities can help your organization

The Cybersecurity and Infrastructure Security Agency (CISA) maintains a “known exploited vulnerabilities catalog” which can be useful if you need help prioritizing the patching of vulnerabilities. In essence it is a long list of vulnerabilities that are actually being used by criminals to do harm, with deadlines for fixing them.

Many organizations run a plethora of software and internet-facing devices, and vulnerabilities that can be used to exploit them are found every day. Everybody knows they need to patch, but deciding what to patch when, and then finding the time and resources to do it, are significant challenges.

If you are having difficulty deciding what to patch next whether you use a vulnerability and patch management service or not, the CISA catalog offers useful guidance to help you decide what to focus on.

BOD 22-01

The Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 22-01 in November 2021. The directive established the catalog and bound everyone operating federal information systems to abide by it.

Two things made the directive stand out. The first was that it was based on what was actively being exploited, rather than an abstract severity score, like CVSS. The second was that it mandated specific—and very tight—deadlines, for vulnerabilities to be dealt with. Although agencies were given a longer grace period to handle historic vulnerabilities, they only had two weeks to patch anything new—the blink of an eye in patching terms.

At first the catalog focused on vulnerabilities that would allow an attacker to breach a network or compromise a system to gain a foothold suitable for data theft or ransomware.

Later, around the start of the war in Ukraine, CISA added a long list of vulnerabilities that threat actors can use to disrupt operations and networks. Actions that do not lead to financial gain, but can be used in a conflict.

Because it’s based on what criminals are actually exploiting, your organization might still want to feed the catalog into its patch management strategy, even if it isn’t a federal agency that’s obliged to.

The catalog has 9 columns:

  • The CVE number of the vulnerability.
  • Vendor/Project
  • Product
  • Vulnerability Name
  • Date Added to Catalog
  • Short Description (of the vulnerability)
  • Action: What needs to be done to mitigate the vulnerability
  • Due Date: by when the action needs to be completed by FCEB agencies.
  • Notes: point to Emergency Directives about the vulnerability or vendor sites that discuss the vulnerability.


If you’re responsible for keeping your organization’s systems secure, you will already know that having a network inventory is critical: to be effective, you have to know what to protect. With that network inventory in hand, it’s good to know that the catalog can be sorted, among other columns, by Vendor/Project, Product, and Due Date.
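The join between the catalog and your inventory is easy to automate. As an added example (not a CISA tool and not from the original article), the Python below reads the catalog in the JSON shape CISA publishes at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, keeps only the entries whose vendor and product appear in your inventory, and orders them by due date, flagging anything already overdue. `SAMPLE_FEED` is constructed sample data in that shape: the CVEs are ones named in this article, but the dates and descriptions are made up for the example and are not the catalog’s real entries.

```python
"""Turn the CISA KEV catalog into a patch queue for the products you actually run.

Added example, not CISA tooling. Catalog entries carry the nine columns named
in the article (cveID, vendorProject, product, vulnerabilityName, dateAdded,
shortDescription, requiredAction, dueDate, notes).
"""
import json
from datetime import date

# Constructed sample feed in the catalog's JSON layout. Dates are invented.
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2021-21974", "vendorProject": "VMware", "product": "ESXi",
         "vulnerabilityName": "VMware ESXi OpenSLP heap overflow",
         "dateAdded": "2023-02-01", "shortDescription": "Sample entry for this example.",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2023-02-22", "notes": ""},
        {"cveID": "CVE-2022-41082", "vendorProject": "Microsoft", "product": "Exchange Server",
         "vulnerabilityName": "Microsoft Exchange Server remote code execution",
         "dateAdded": "2022-11-01", "shortDescription": "Sample entry for this example.",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-11-22", "notes": ""},
        {"cveID": "CVE-2022-41080", "vendorProject": "Microsoft", "product": "Exchange Server",
         "vulnerabilityName": "Microsoft Exchange Server privilege escalation",
         "dateAdded": "2023-01-10", "shortDescription": "Sample entry for this example.",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2023-01-31", "notes": ""},
    ],
})

# What your network inventory says you run: (vendor, product) pairs.
INVENTORY = [("VMware", "ESXi"), ("Microsoft", "Exchange Server")]


def load_catalog(raw_json: str) -> list[dict]:
    """Return the list of catalog entries from the feed's JSON text."""
    return json.loads(raw_json)["vulnerabilities"]


def in_inventory(entry: dict, inventory) -> bool:
    """Case-insensitive vendor match plus a product substring match in either
    direction, so minor naming differences between CISA and your CMDB still hit."""
    ev, ep = entry["vendorProject"].lower(), entry["product"].lower()
    for vendor, product in inventory:
        v, p = vendor.lower(), product.lower()
        if ev == v and (p in ep or ep in p):
            return True
    return False


def patch_queue(entries, inventory, today: date) -> list[dict]:
    """Entries that affect your inventory, earliest due date first, with an overdue flag."""
    hits = [e for e in entries if in_inventory(e, inventory)]
    hits.sort(key=lambda e: (date.fromisoformat(e["dueDate"]), e["dateAdded"]))
    return [{
        "cve": e["cveID"],
        "target": f'{e["vendorProject"]} {e["product"]}',
        "due": e["dueDate"],
        "overdue": date.fromisoformat(e["dueDate"]) < today,
        "action": e["requiredAction"],
    } for e in hits]


if __name__ == "__main__":
    for item in patch_queue(load_catalog(SAMPLE_FEED), INVENTORY, date(2023, 2, 6)):
        flag = "OVERDUE " if item["overdue"] else ""
        print(f'{flag}{item["due"]}  {item["cve"]:<16} {item["target"]}: {item["action"]}')
```

To run it against the live catalog, replace `SAMPLE_FEED` with the body fetched from the feed URL and `INVENTORY` with an export from your asset inventory; the due dates are binding only on federal agencies, but they are a ready-made ranking for everyone else.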

Advice

Because the list is regularly updated you will want to keep an eye out for changes, once you are caught up. To make things easier, you can subscribe to receive updates. We also suggest you check out Malwarebytes’ patch management solution, and finally, make sure you ditch any software that has reached its end-of-life (EOL) and is beyond the scope of security updates.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Business Email Compromise attack imitates vendors, targets supply chains

Today we have a fascinating tale of a business email compromise (BEC) group steering clear of targeting executives, in favour of fouling up supply chains instead. The attack, which may sound overly complicated, is in fact fairly streamlined, with the intention of making a lot of money.

BEC: What is it?

BEC follows a few different patterns, but primarily revolves around an approach by a criminal who has compromised or spoofed an executive-level email account.

The criminal sends one or more “urgent” emails to a more junior employee about moving money from inside the business to somewhere else entirely. Some attackers perform reconnaissance in advance so they can target people in HR, finance, or accounts.

The criminal is likely to insist the money is moved quickly, and that nobody else is involved.

This technique has been around for a number of years, and some folks are getting wise to it. As a result, attackers are trying to broaden how these scams operate to give them the best chance of flying under the radar.

What we’re looking at below is Vendor Email Compromise (VEC). Instead of going after a company directly, attackers figure out a network of vendors, clients, customers, suppliers…you name it, they’ll try and map it all out. From there, it’s a case of figuring out the weak links in the chain and then pursuing them as best they can.

A splash of fraudulent domain management and social engineering may be all that it takes to get the job done.

VEC

The supply chain steps to success

The group at the heart of this particular campaign, the bizarrely monikered “Firebrick Ostrich”, has been flagged as having its hand in no fewer than 350 campaigns dating back several years. 151 organisations were spoofed across 200 or so different URLs. The attacks are said to have been US-centric, with a particular focus on US business.

According to Abnormal Intelligence, the group behind the research, Firebrick Ostrich was at its peak in August 2022, numbers wise, and the majority of URLs used in the various campaigns were less than a day old when they were used.

The steps to success for the VEC group are listed as follows:

  1. Pretend to be a vendor, complete with imitation domain and multiple bogus email addresses related to said bogus “company”.
  2. The bogus vendor initiates communication with the potential victim, going down one of several paths as the ball is set in motion. In the example given, the scammers ask to update a bank account on file, and then note that they’ve “lost track” of outstanding payments. This is how they gain insight into actual potential payments owed, or other relevant information which can be further used against the victim.
  3. Some or all of the additional email addresses created, mentioned above, may be tied into some of the various email chains to add a layer of “this all looks plausible and real” to the recipients. Would scammers go to all this length to steal money? You bet. Many employees looking at this kind of email chain wouldn’t give it a second thought.

Cashing out

If the email antics are successful, a follow-up mail from the fake vendor includes tweaked payment information for the victim to wire funds. Abnormal Security notes that in some cases, PDF documents are attached to the mails containing the payment details. It’s possible that this is done to try and bypass any email flags looking out for suspicious content (such as payment details in the body of the mails).

With all of the imitation details in place, from fake emails and imitation URLs to including real employee names in some of the communications in case someone perhaps jumps onto Google or LinkedIn, this attack could very well cause big problems for an organisation.

Vendor attacks: a slippery customer

Given that this particular group does not appear to target one industry sector specifically, running the range of manufacturing and retail to energy and education, it could affect any business, and if it’s successful, it will be imitated.

The best defence against these kinds of attacks is to ensure that staff are aware that they exist and how they work. Many scams rely on isolating and hurrying employees so they are less diligent, so it also helps to have processes that ensure more than one employee is involved in significant transactions, and that any change to a vendor’s bank details is confirmed through a known, independent channel rather than by replying to the email that requested it.

Stay safe out there!



The rise of multi-threat ransomware

Today we have a ten minute YouTube expedition into the murky world of ransomware.

In the video, “The rise of multi-threat ransomware” (embedded below), I cover a couple of key talking points that always seem to come up in conversation.

Single, double, triple?

The video covers how ransomware made the leap from “just” encrypting your files to double- or even triple-threat ransomware. The threats, the blackmail, the possibility of leaking data, and more.

A timeline of ransomware

It also examines attacks of interest from 2017 to the present day, looking at some of the key incidents from the last couple of years, and the brutal real world impact of ransomware attacks that increasingly affect the spaces and services around us. Schools, hospitals, housing associations, everyone is a potential target.

Keeping the enemy at the gate

The video finishes with a run through some of the ways organisations can avoid the perils of ransomware, and the realisation that cyber insurance may not solve every problem.

The video covers the importance of locking down your remote desktop access and VPNs, rolling out multi-factor authentication, and keeping a tight handle on repeated login attempts.
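Keeping a handle on repeated login attempts is easy to show in code. As an added example (not from the video and not Malwarebytes code), the Python below runs a sliding-window threshold over syslog-style sshd lines and flags a source address that produces `threshold` failed logins within `window_seconds`, along with the usernames it tried. The log lines are constructed, using RFC 5737 documentation addresses; the same logic applies to Windows RDP failures (Event ID 4625) once you swap the parser.

```python
"""Flag sources that hammer a login service with repeated failures.

Added example. Sliding-window detection over syslog-style sshd lines.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(ts: str) -> datetime:
    """Classic syslog timestamps carry no year; only deltas within one capture matter here."""
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def detect_bruteforce(lines, threshold: int = 5, window_seconds: int = 60) -> dict[str, dict]:
    """Return {ip: {"count": total_failures, "users": [...], "first_hit": ts}} for every
    source that reached `threshold` failures inside any `window_seconds` window."""
    recent: dict[str, deque] = defaultdict(deque)   # timestamps inside the window, per IP
    users: dict[str, set] = defaultdict(set)
    total: dict[str, int] = defaultdict(int)
    first_hit: dict[str, str] = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ip, ts = m["ip"], parse_ts(m["ts"])
        users[ip].add(m["user"])
        total[ip] += 1
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()               # drop failures that fell out of the window
        if len(q) >= threshold and ip not in first_hit:
            first_hit[ip] = m["ts"]   # remember when the source crossed the line
    return {
        ip: {"count": total[ip], "users": sorted(users[ip]), "first_hit": when}
        for ip, when in first_hit.items()
    }


# Constructed sample log: one noisy source, one legitimate user with a typo,
# one slow source that stays under the default threshold.
SAMPLE_LOG = """\
Feb  3 10:01:02 jumphost sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Feb  3 10:01:05 jumphost sshd[1202]: Failed password for root from 203.0.113.7 port 51236 ssh2
Feb  3 10:01:09 jumphost sshd[1203]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Feb  3 10:01:15 jumphost sshd[1204]: Failed password for root from 203.0.113.7 port 51241 ssh2
Feb  3 10:01:20 jumphost sshd[1205]: Failed password for root from 203.0.113.7 port 51244 ssh2
Feb  3 10:01:44 jumphost sshd[1206]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2
Feb  3 10:02:30 jumphost sshd[1207]: Failed password for alice from 198.51.100.4 port 40010 ssh2
Feb  3 10:02:41 jumphost sshd[1208]: Accepted password for alice from 198.51.100.4 port 40011 ssh2
Feb  3 11:15:00 jumphost sshd[1300]: Failed password for root from 192.0.2.9 port 6000 ssh2
Feb  3 11:45:00 jumphost sshd[1301]: Failed password for root from 192.0.2.9 port 6001 ssh2
"""

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['count']} failures, users {info['users']}, crossed threshold at {info['first_hit']}")
```

The slow source (two failures half an hour apart) is deliberately below the default threshold; lowering the threshold or widening the window catches it, at the cost of more noise from genuine users mistyping passwords, which is the trade-off any lockout policy has to make.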

A determined attacker may find a way through despite your best efforts, but in many cases they’ll give up and look for a less resilient target. If you’re causing ransomware gangs to shrug and go elsewhere, you’re doing OK.



Cyberthreats facing UK finance sector “a national security threat”

As the reports covering all of 2022 start trickling in, we can see that cybercrime and other types of fraud had a major impact last year.

Take for example the 2022 half year fraud update by UK Finance, which tells us that criminals stole a total of £609.8 million (roughly $750 million) through authorized and unauthorized fraud and scams in the UK alone.

UK Finance is the collective voice for the UK’s banking and finance industry, representing around 300 firms across the industry. Its report states: “As we have warned previously, the level of fraud in the UK has reached a point where it must be considered a national security threat.”

Another report, the ‘State of cyber security in the UK’, surveyed 500 UK-based cybersecurity strategy decision makers. It showed that financial firms are at significantly higher risk than the average UK business: more than half (58.2 percent) reported between 40 and 60 cybersecurity incidents in the last 12 months.

Businesses

Many financials not only carry the burden of protecting their customers, but are also at risk of falling victim to cybercrime themselves.

The threat which was mentioned the most in responses to the survey was phishing. Some 67 percent of respondents highlighted it as their main worry for their organization. This is no surprise as phishing is often the prelude to more serious threats like ransomware, breaches, and BEC scams.

Other worries were the rise in premium prices for cyber insurance, and the security implications of the rise in flexible working. The advancing pace of technology (39 percent) also featured, as effects from the pandemic have complicated organizations’ ability to protect themselves from cyber threats.

The report based on the survey also shows a higher-than-expected number of breaches, which has made more organizations realize that having a recovery plan is almost as important as having effective preventive measures.

Consumers

The main types of fraud targeting consumers were:

  • Authorized push payment (APP) scams, which use social engineering that tricks victims into authorizing payments to accounts belonging to the scammer. Romance scams and investment scams operate this way, as do purchase scams, where people pay for goods that are never delivered.
  • Unauthorized payment card fraud. This category covers fraud on debit, credit, charge, and ATM-only cards issued in the UK. Payment card fraud losses are organized into five categories: Remote card purchases, lost and stolen cards, cards that aren’t received, counterfeit cards, and card ID theft.
  • Remote purchase fraud. This type of fraud occurs when a criminal uses stolen card details to buy something on the Internet, over the phone or via mail order. It is also referred to as card-not-present (CNP) fraud, because the threat actor does not have the physical card, but has enough details to pretend that they are authorized to use it.

A common factor behind APP scams is use of online platforms and social media to target victims and trick them into making payments. This includes fraudulent advertising on search engines, fake websites and posts on social media. This is where the first contact between perpetrator and victim usually takes place.

Another worrying side effect of many of these financial frauds is the use of money mules: often younger people who allow their bank account to be used to ‘cash out’ fraudulent funds, without realizing how severe the consequences can be.

For detailed numbers and more information you are encouraged to look at the UK Finance report.

Cooperation

Because of the direct threats and the responsibility for their customers, the banking and finance industry invests billions in tackling fraud. But it’s not a problem the banking sector can solve on its own.

Some of the initiatives that have been taken by the sector in the UK are:

  • Working with the government and law enforcement to establish clear strategic priorities.
  • Sharing intelligence on emerging threats.
  • Delivering customer education campaigns.
  • Training staff to spot and stop suspicious transactions.
  • Sponsoring a specialist police unit.
  • Cracking down on phone number spoofing.
  • Blocking scam text messages.

How can we help?

NatWest, one of the UK’s “big four” banks, is offering all of its customers a free Malwarebytes Premium subscription, which can be used on up to 10 devices. The software protects against viruses, ransomware, and phishing scams, and is available for Windows PCs and Macs, as well as Android and Apple phones and tablets.

In the first half of 2022, Malwarebytes helped stop over seven million security threats that would have impacted NatWest customers. The bank’s customers can access the software by clicking the security tab within their online banking, where they will receive a coupon and a link to the Malwarebytes site.

Stuart Skinner, head of fraud protection at NatWest, said:

We are committed to helping our customers stay safe and secure and are continuously investing in new fraud prevention tools and the latest security technology. I urge you to download Malwarebytes today, to help ensure you are doing everything possible to protect yourself against this crime.



Cybersecurity and privacy tips you can teach your 5+-year-old

Everything we teach our kids starts at home—we parents are their first teachers, after all. So, why wait for them to start going to school to start learning about cybersecurity and online privacy?

Though it’s hardly news that more and more children are being introduced to mobile computing devices like tablets, smartphones, and laptops at an early age, you may be surprised at what that age is. In 2015, Time featured a study revealing parents handing over such devices to kids as young as six months old. That may be too early an age for teaching a child beyond getting them to sit up, but after nearly a decade, similar trends on age versus technology use have persisted. [1][2][3]

As mobile devices have become an indispensable part of a child’s life, a big question stands: What is the “appropriate” age to start teaching your little one about their security and privacy when using those devices? 

Well, it depends. If your child can understand (simple?) instructions and do them, you’re good to go. Remember, every child is different.

5 cybersecurity and privacy tips you can tell your 5+-year-old

Fostering habits for some simple yet good cybersecurity and privacy best practices early on can go a long way.

1. Lock the device.

When it’s time to put away the phone or tablet so your child can do something else like going to the park, remind them to lock it. They can do this by pressing the power button of the device. Of course, this only works if you have Lock Screen enabled on the device.

If your child is 5 years old and up, you can explain to them that locking the phone or tablet stops other people from using it without asking permission.

2. Use passwords.

Of course, in order to lock a device’s screen, a password is needed in this case. Not going for a pattern lock is deliberate. At this stage, we’re not only seeding the idea of creating strong passwords but also making locking devices the norm (From 2016 to 2018, a reported 28 percent of Americans surveyed failed to use any safeguards to lock their phones).

Don’t be too concerned about length yet, but if you can get your little one to spell out and remember a six to eight-character string—ideally, a word—you’re both golden. We started our little one with a three-letter password to open her tablet when she was four, and we plan to triple that length now that she’s two years older.

3. Keep the device in a safe place.

Instruct your little one to put away the phone or tablet after they lock it. Make sure you already have a designated place in the house that your child knows about. Also, check that this place is accessible, and if it has doors, they can easily open and close them with minimal effort and supervision.

Under a pillow on your own bed works, too (just don’t forget to remove it before bedtime).

4. Ask for permission.

Your five-year-old may have access to either the Google Play or Apple App stores via the device you’re letting them use. Whether you have parental controls set up for these stores or not, wouldn’t it be great to hear them ask: “Is this okay to download, mum?” This gives you, the parent or guardian, the opportunity to review the app to see if it’s any good for them (Remember, dubious apps can still end up in these stores.).

The same principle should apply when they’re watching videos on YouTube.

Every now and again, we see or read about cute or cartoony clips that are not actually for kids’ consumption. And believe it or not, some of them were purposefully made to appear inviting to young children. To be safe, a critical eye is needed because, sometimes, even YouTube’s AI can get it wrong.

5. Share only with relatives and close family friends.

Kiddo loves having her picture taken. Sometimes, she would ask me to take a snap and send it to her Nana, who is part of an Instagram group.

Thankfully, only family members—and those close to us who’re treated as family—are members of that group. We would’ve been reluctant to share otherwise.

Kiddo doesn’t have a single social media account, but we’re already instilling in her the value of information related to her and, consequently, us. She knows our home address, for example, and she also knows she should only share it with a policeman or policewoman if she’s lost.

Final thoughts

The computing devices and apps your little one uses are already impacting them in more ways than one. It’s essential to steer them in the right direction by getting ourselves involved in their digital lives as early as possible. There is plenty of room for growth.

So, parents and guardians, be patient. Put these points on repeat and expand on them. And, if you’re lucky, be thankful that before your child starts school, they already have some of the cybersecurity and privacy basics down.

Good luck!



Ransomware in December 2022

Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their dark web leak sites. This information represents victims who were successfully attacked but opted not to pay a ransom.

Lockbit has rebounded from its unusual fall from grace in November, snatching the title of the month’s worst ransomware, back from Royal. Royal has meanwhile still shown itself as a force to be reckoned with, ranking third in number of attacks for December. 

Known ransomware attacks by gang in December 2022

Attacks by Royal may be down 35 percent from their high of 49 in November, but at the same time, there’s good reason to suspect that their attacks are becoming more targeted. 

On December 07, 2022, the Health Sector Cybersecurity Coordination Center (HC3)—an arm of the US Department of Health and Human Services (HHS)—released a threat brief about Royal after observing the group disproportionately targeting the healthcare industry. Their crowning attack for December came late in the month when they breached telecommunications company Intrado.

Known ransomware attacks by industry sector in December 2022

Known ransomware attacks by country in December 2022

In terms of progress, the two newcomers that we introduced last month, Play and Project Relic, have vastly different stories to tell. 

Project Relic has fallen off the map while Play has turned up the jets—we recorded a whopping 136 percent increase in attacks from the gang compared to November. Since our last update Play has been seen leveraging a never-before-seen exploit chain, which might be responsible for their sharp uptick in attacks. The new Microsoft Exchange attack, dubbed ‘OWASSRF’, chains exploits for CVE-2022-41082 and CVE-2022-41080 to gain initial access to corporate networks. This was the technique behind a ransomware attack on cloud computing service provider Rackspace in early December, which Play later claimed responsibility for. 

Play’s surge in activity, however, was hardly an anomaly for December. Month-on-month we saw hefty percentage-point increases in attacks across the board.

ALPHV (aka BlackCat), for example, is a ransomware gang that has consistently topped the charts in our ransomware reviews; its 33 attacks in December, however, are not only a 70 percent increase from November but also its highest monthly total of 2022. We also saw 25 percent and 116 percent increases from BianLian and BlackBasta, respectively. These upticks are perhaps to be expected, given that attackers famously love the holiday seasons due to the reduction in security staff on deck. Only time will tell if ransomware gangs will sustain their heightened levels of activity into the New Year—or if the increase is indeed simply a gift-wrapped aberration.

Lockbit… apologizes?

Lockbit in December regained the throne as the biggest ransomware gang by attack volume, reversing a three-month downward trend in number of victims.

The prolific ransomware group claimed on December 12 to have stolen up to 75GB of confidential data from California’s Department of Finance, or over 246,000 files in more than 114,000 folders. Not even SickKids (a hospital for sick children) was spared from LockBit’s avarice in December. A ransomware attack using LockBit impacted the hospital’s internal and corporate systems, hospital phone lines, and website.

While we’re not surprised to see a gang stoop to such lows, we don’t find many issuing apologies after the fact. Two days later LockBit apologized for the attack, which it blamed on a rogue affiliate, and released a decryptor for free. 

LockBit’s operation’s policy states “It is forbidden to encrypt institutions where damage to the files could lead to death, such as cardiology centers, neurosurgical departments, maternity hospitals and the like, that is, those institutions where surgical procedures on high-tech equipment using computers may be performed.”

Of course, the apology doesn’t turn LockBit into some kind of Robin Hood. Its business model is to inflict so much harm that people are willing to pay a fortune to make it stop.

New ransomware gangs

Unsafe

In December, we saw a group emerge that makes its cash by riding on the coattails of real ransomware gangs. 

The new player, Unsafe, seems to recycle leaks from other ransomware groups. Unsafe provides security blogs for cybercriminals to post victims and leaked data as well as consultation services for a fee. It currently lists eight victims. 


Endurance

We call them ransomware gangs for a reason: These are groups of cybercriminals working together in a hierarchical organization. Rarely do we ever see lone wolf attacks, and if we do it’s even more unusual for them to make as big of a splash in so short of a time as Endurance has.

This cybercriminal, known on dark web forums as IntelBroker, tends to make individual posts about data on sale.

In less than 30 days since its inception, Endurance appears to have successfully infiltrated some big corporations and breached several US government entities. After posting some high-value victims, Endurance has removed them from its dark web site, which is “undergoing development”.


40% of online shops tricking users with “dark patterns”

The European Commission has been looking at retail websites to see if they’re misleading consumers with “dark patterns”. Spoiler: Yes, they are.

The Commission, along with the national consumer protection authorities of 23 EU member states, plus Norway and Iceland, have released the results of their screening of online shops. In a sweep of 399 sites the investigation discovered that 148 of them contained at least one of the three dark patterns they were checked for.

Dark patterns

Dark patterns, also known as deceptive design patterns, occur when a user interface has been carefully crafted to nudge or trick users into doing things they didn’t set out to do.

Dark patterns are not subliminal messaging (visual or auditory stimuli that the conscious mind cannot perceive), although advertisers have been accused of using that as well.

The investigation focused on three manipulative practices that can push consumers into making choices that may not be in their best interests:

  • Fake countdown timers, which create a sense of false urgency
  • Interfaces designed to lead consumers to certain purchases, subscriptions or other choices.
  • Hidden information.

Numbers

Frankly, the numbers are surprising, if not disappointing. The investigation found that “nearly 40% of the online shopping websites rely on manipulative practices to exploit consumers’ vulnerabilities or trick them.”

The sweep found 42 websites that used fake countdown timers with deadlines for purchasing specific products. 54 websites directed consumers towards certain choices–from subscriptions to more expensive products or delivery options–either through their visual design or choice of language.

At least 70 websites hid important information or made it less visible for consumers. For example, this included information related to delivery costs, the composition of products, or on the availability of a cheaper option.

23 websites hid information with the aim of manipulating consumers into entering into a subscription.

Follow-up

The offending vendors will be contacted by their national authorities and ordered to rectify their websites. If necessary, further action will be taken. The Commissioner for Justice has called on all national authorities to make use of their enforcement capacities to take relevant action and fight these practices.

The Commission is gathering feedback to analyze whether additional action is needed to ensure an equal level of fairness online and offline. The evaluation will look at three pieces of European Union consumer protection legislation to determine whether they ensure a high enough level of protection in the digital environment.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Google sponsored ads malvertising targets password manager

We have recently written about malvertising campaigns that leverage Google paid advertisements to try and trick people into downloading malware instead of the software they were looking for. This malware then stole login credentials from the affected system.

Now, our researchers found that the malvertising campaigns via Google Ads are not just about software downloads and scams. They also include a much more direct way to get at your login credentials: phishing for users of popular password managers such as 1Password.

Below is a screenshot of what we found:

false and legitimate ads side by side

Searching for “1password” we noticed two different sponsored advertisements as the top results. The first one leads to the legitimate domain 1password[.]com, but the second one points to start1password[.]com. Both claim to be for 1Password and both are HTTPS sites, which makes it very hard for someone who is unfamiliar with the brand to determine which one to follow.

The order in which the sponsored results appear is based on a metric called “Ad Rank.”

Google says (emphasis by me):

“Ad Rank is a value that’s used to determine where ads are shown on a page relative to other ads, and whether your ads will show at all. Your Ad Rank is recalculated each time your ad is eligible to appear. It competes in an auction, which could result in it changing each time depending on your competition, the context of the person’s search, and your ad quality at that moment.”

This is just to point out that going for the top result is not always a surefire way to get to the right one.

Next phase

So where does the fake URL take us? To a very convincing phishing site. We have posted a comparison between the two login forms below.

comparison of real login form and phishing site

The differences are so subtle that most people will fall for it. The only real difference is that following the legitimate link keeps you in the same domain, because it goes to my.1password[.]com, while the phishing link takes you to my1password[.]com; the missing dot is the only real difference between the URLs.

Secret key

The real difference is that the phishing site will always have to ask for your secret key, because, well, that’s what they are after. The legitimate 1Password is able to retrieve it from your browser’s database and only asks for it if it has been deleted, or if you are using 1Password on a new device or in a new browser. Deletion of the secret key can happen if you haven’t used the password manager for an extended period or if you have cleaned your browser’s cache, in which case you will have to retrieve it.

So an attacker will not be satisfied with just your email address and password; they will need the secret key as well. But with all three they would have access to every login credential in your vault.

While the sites used in this particular example have been taken offline, there is always the danger of new attempts, so be careful out there. Don’t give away the secret key to your password manager to any phishers.

Real URLs:

https://my[.]1password.com/signin

https://www[.]1password.com

Phishing URLs:

https://my1pasword[.]com/signin

https://www[.]start1password.com
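As an added example, not part of the Malwarebytes write-up, the following Python shows how a defender might flag the lookalike hosts listed above (dropped dot, glued-on prefix, or a one-character typo) against the brand’s legitimate registrable domain. The two-label suffix model and the one-edit threshold are assumptions of this example.

```python
from urllib.parse import urlsplit

# Legitimate registrable domain for the brand discussed in the article.
LEGIT_DOMAIN = "1password.com"


def refang(url: str) -> str:
    """Undo the '[.]' defanging used in the write-up so the URL parses."""
    return url.replace("[.]", ".")


def registrable_domain(host: str) -> str:
    # Assumption: two-label public suffix (e.g. 'example.com'); a real
    # deployment would consult the Public Suffix List instead.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fuzzy_contains(haystack: str, needle: str, max_dist: int = 1) -> bool:
    """True if some substring of haystack is within max_dist edits of needle."""
    n = len(needle)
    for width in (n - 1, n, n + 1):
        for start in range(0, len(haystack) - width + 1):
            if edit_distance(haystack[start:start + width], needle) <= max_dist:
                return True
    return False


def classify(url: str, legit_domain: str = LEGIT_DOMAIN) -> str:
    """'legitimate' if the host is the brand's domain or one of its subdomains,
    'lookalike' if its second-level label merely resembles the brand name
    (my1password, start1password, my1pasword), otherwise 'unknown'."""
    host = urlsplit(refang(url)).hostname or ""
    reg = registrable_domain(host)
    if reg == legit_domain:
        return "legitimate"
    brand = legit_domain.split(".")[0]  # "1password"
    if fuzzy_contains(reg.split(".")[0], brand):
        return "lookalike"
    return "unknown"
```

A match only says the host resembles the brand and warrants a closer look; it is not proof of phishing on its own.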
