IT NEWS

After getting in hot water for using an AI chatbot to provide mental health counseling, non-profit startup Koko has now been criticized for experimenting with young adults at risk of harming themselves. Worse, the young adults were unaware they were test subjects. 

Motherboard reports the experiment took place between August and September 2022. At-risk subjects, aged 18 to 25, were directed to a chatbot after posting “crisis-related” keywords like “depression” and “sewer-slide” on Discord, Facebook Messenger, Telegram, and Tumblr. They were then randomly assigned to a group that received a “typical crisis response” (call the crisis hotline), or a “one-minute, enhanced crisis response Single-Session Intervention (SSI)” powered by AI.

Rob Morris, Koko co-founder and Stony Brook University professor, carried out the experiment with his psychology peers, Katherine Cohen, Mallory Dobias, and Jessica Schleider. The study says it aims to show social media platforms that pointing young adults to crisis hotlines isn’t enough. Morris says he wants to show that an AI chatbot intervention is more effective in supporting young adults struggling with mental health issues.

However, this appears to only look good on paper.

Before Koko performs what it was designed to do, it first presents its privacy policy and terms of service (ToS), telling users their anonymous data may be shared and used for research. Here lies the first problem: Consent to take part in the project is given by agreeing to Koko’s privacy policy and ToS. As we all know, a great majority of people online normally don’t read these. Presumably, it’s not the first thought for at-risk young adults either.

When asked about provisions for true consent, Morris tells Motherboard, “There are many situations in which the IRB would exempt researchers from obtaining consent for very good reasons because it could be unethical, or impractical, and this is especially common for internet research. It’s nuanced.” An IRB, or institutional review board, is also called a research ethics committee. Essentially, they’re the group protecting human research subjects.

The second problem involves data. The preprint reveals that subjects provided their age, gender identity, and sexual identity to the researchers. Such datasets may be anonymous, but studies show these can still be traced back to specific individuals with a high accuracy of 99.98 percent. “Most IRBs give a pass to ‘de-identified’ research as they claim there can be no privacy or security harms. But, in this case, they are collecting demographic information which could be used to identify users,” said Eric Perakslis, the chief science and digital officer at the Duke Clinical Research Institute, Motherboard reports.

And the last problem, which alarmed and appalled researchers and psychologists alike, was that the experiment was carried out as “nonhuman subjects research.” This means subjects have been stripped of due safety- and privacy-related protections.

“Completely, horribly unethical. Mucking around in an experimental manner with unproven interventions on potentially suicidal persons is just awful,” New York University bioethics professor Arthur Caplan was quoted as saying.

“If this is the way entrepreneurs think they can establish AI for mental diseases and conditions, they had best plan for a launch filled with backlash, lawsuits, condemnation and criticism. All of which are entirely earned and deserved.”

“I have not in recent years seen a study so callously asleep at the ethical wheel. Dealing with suicidal persons in this way is inexcusable,” he added.

---

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

According to information gathered by BleepingComputer, the Clop ransomware group has claimed responsibility for the ransomware attacks that are tied to a vulnerability in the Fortra GoAnywhere MFT secure file-sharing solution.

As we reported on February 8, Fortra released an emergency patch (7.1.2) for an actively exploited zero-day vulnerability found in the GoAnywhere MFT administrator console.

GoAnywhere MFT, which stands for managed file transfer, allows businesses to manage and exchange files in a secure and compliant way. According to its website, it caters to more than 3,000 organizations, predominantly ones with over 10,000 employees and 1B USD in revenue.

Some of these organizations are considered vital infrastructure such as local governments, financial companies, healthcare organizations, energy firms, and technology manufacturers.

The day after the release of the GoAnywhere patch, the Clop ransomware gang contacted BleepingComputer and said they had used the flaw over ten days to steal data from 130 companies. At the time it was impossible to confirm this claim, but after two earlier victims, Community Health Systems (CHS) and Hatch Bank disclosed that data was stolen in the GoAnywhere MFT attacks, the Clop leak site now shows seven new companies. At least two of them reportedly have been breached using the GoAnywhere MFT vulnerability.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE of the exploited vulnerability is CVE-2023-0669, and described as a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object.

It is unknown whether these victims were targeted during the time that there was no patch available for the vulnerability or later. Recent scans showed that around 1,000 administrative consoles are publicly exposed to the internet. The Web Client interface, which is the one that is normally accessible from the public internet, is not susceptible to this exploit, only the administrative interface.

Mitigation

If your GoAnywhere MFT administration portal is exposed to the Internet, you are under urgent advice to download the security patch from the Product Downloads tab at the top of the GoAnywhere account page which you will see after logging in.

If for some reason you can’t install the patch, Fortra says you should follow the mitigation steps it put out, which involves implementing some access control wherein the administrator console interface should only be accessed from trusted sources, or disabling the licensing service altogether. There is also a technical mitigation configuration shared in the advisory that is only visible after logging in (which can be done with a free account if you are interested).

On the file system where GoAnywhere MFT is installed, edit the file [install_dir]/adminroot/WEB_INF/web.xml

 Find and remove (delete or comment out) the following servlet and servlet-mapping configuration in the screenshot below.

 Before:

 <servlet>

      <servlet-name>License Response Servlet</servlet-name>

      <servlet-class>com.linoma.ga.ui.admin.servlet.LicenseResponseServlet</servlet-class>

      <load-on-startup>0</load-on-startup>

 </servlet>

 <servlet-mapping>

      <servlet-name>Licenses Response Servlet</servlet-name>

      <url-pattern>/lic/accept/</url-pattern>

 

After:

 <!–

 Add these tags to comment out the following section (as shown) or simply delete this section if you are not familiar with XML comments

 <servlet>

      <servlet-name>License Response Servlet</servlet-name>

      <servlet-class>com.linoma.ga.ui.admin.servlet.LicenseResponseServlet</servlet-class>

      <load-on-startup>0</load-on-startup>

 </servlet>

 <servlet-mapping>

      <servlet-name>Licenses Response Servlet</servlet-name>

      <url-pattern>/lic/accept/</url-pattern>

 </servlet-mapping>

  –>

 

Restart the GoAnywhere MFT application

If GoAnywhere MFT is clustered, this change needs to happen on every instance node in the cluster.

If you have questions, our support team is here to help.  Please contact Support via the portal https://my.goanywhere.com/, email goanywhere.support@helpsystems.com, or phone 402-944-4242 for assistance. “

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

---

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Becky Holmes knows how to throw a romance scammer off script—simply bring up cannibalism. 

In January, Holmes shared on Twitter that an account with the name “Thomas Smith” had started up a random chat with her that sounded an awful lot like the beginnins stages of a romance scam. But rather than instantly ignoring and blocking the advances—as Holmes recommends everyone do in these types of situations—she first had a little fun. 

“I was hoping that you’d let me eat a small part of you when we meet,” Holmes said. “No major organs or anything obviously. I’m not weird lol.” 

By just a few messages later, “Thomas Smith” had run off, refusing to respond to Holmes’ follow-up requests about what body part she fancied, along with her preferred seasoning (paprika). 

Romance scams are a serious topic. In 2022, the US Federal Trade Commission reported that, in the five years prior, victims of romance scams had reported losing a collective $1.3 billion. In just 2021, that number was $547 million, and the average amount of money reported stolen per person was $2,400. Worse, romance scammers themselves often target vulnerable people, including seniors, widows, and the recently divorced, and they show no remorse when developing long-lasting online relationships, all bit on lies, so that they can emotionally manipulate their victims into handing over hundreds or thousands of dollars. 

But what would you do if you knew a romance scammer had contacted you and you, like our guest on today’s Lock and Code podcast with host David Ruiz, had simply had enough? If you were Becky Holmes, you’d push back. 

For a couple of years now, Holmes has teased, mocked, strung along, and shut down online romance scammers, much of her work in public view as she shares some of her more exciting stories on Twitter. There’s the romance scammer who she scared by not only accepting an invitation to meet, but ratcheting up the pressure by pretending to pack her bags, buy a ticket to Stockholm, and research venues for a perhaps too-soon wedding. There’s the scammer she scared off by asking to eat part of his body. And, there’s the story of the fake Brad Pitt:

“ My favorite story is Brad Pitt and the the dead tumble dryer repairman. And I honestly have to say, I don’t think I’m ever going to top that. Every time …I put a new tweet up, I think, oh, if only it was Brad Pitt and the dead body. I’m just never gonna get better.”

Tune in today to hear about Holmes’ best stories, her first ever effort to push back, her insight into why she does what she does, and what you can do to spot a romance scam—and how to safely respond to one. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

---

Looking to accelerate your business? Our 2023 State of Malware report will equip you with the cybersecurity strategies you need to protect against the five most dangerous cyberthreats facing businesses this year.

Download and read the report here at www.malwarebytes.com/som. 

And for a live discussion on the most important takeaways from the 2023 State of Malware, join our Threat Down webinar on March 15.

Register here

Last week on Malwarebytes Labs:

• 8 cybersecurity tips to keep you safe when travelling
• National Cybersecurity Strategy Document: What you need to know
• Intel CPU vulnerabilities fixed. But should you update?
• Warning issued over Royal ransomware
• Play ransomware gang leaks City of Oakland data
• DoppelPaymer ransomware group disrupted
• DeepStreamer: Illegal movie streaming platforms hide lucrative ad fraud operation
• Ransomware review: March 2023
• Update Android now! Two critical vulnerabilities patched
• TikTok “a loaded gun” says NSA
• Malware targeting SonicWall devices could survive firmware updates

Stay safe!

---

Have a question or want to learn more about our cyberprotection? Get a free business trial below.

GET STARTED

The Russia-linked ALPHV ransomware group, also known as BlackCat, has posted sensitive clinical photos of breast cancer patients—calling them “nude photos”—to extort money from the Lehigh Valley Health Network (LVHN).

This has triggered a chorus of accusations from the cybersecurity community, with some labeling the group as “barbarians” and others saying the group is “exploiting and sexualizing breast cancer“.

The leak page for data stolen from the Lehigh Valley Health Network. Apart from the clinical photos, ALPHV also leaked sensitive, personally identifiable information on passports and questionnaires.

“This unconscionable criminal act takes advantage of patients receiving cancer treatment, and LVHN condemns this despicable behavior,” LVHN spokesman Brian Downs said, Lehigh Valley News reported.

LVHN had previously said it fell victim to a BlackCat ransomware attack on February 20. The Network initially detected an intrusion within its IT systems on February 6 and said that initial analysis showed the attack was on a network supporting one physician practice located in Lackawanna County.

The ransom amount has never been made public, but we know that the Network decided not to pay ALPHV anyway. Lehigh’s website has remained offline since the attack.

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Write an incident response plan. The period after a ransomware attack can be chaotic. Make a plan that outlines how you’ll isolate an outbreak, communicate with stakeholders, and restore your systems.

---

Have a question or want to learn more about our cyberprotection? Get a free business trial below.

GET STARTED

WhatsApp will not comply with the UK’s Online Safety Bill when it passes legislation as is. In fact, WhatsApp would rather cease serving UK users, which make up 2% of its global market, than weaken its end-to-end encryption (E2EE).

Will Cathcart, head of WhatsApp at parent company Meta, made these claims in a briefing with the UK press on Thursday, March 9. He reportedly met with legislators to discuss the Bill, which Cathcart described as the most concerning online regulation in the Western world.

“The reality is, our users all around the world want security,” said Cathcart, The Guardian reported.

“Ninety-eight per cent of our users are outside the UK. They do not want us to lower the security of the product, and just as a straightforward matter, it would be an odd choice for us to choose to lower the security of the product in a way that would affect those 98% of users.”

The Bill includes a provision requiring companies to use “accredited technology” to scan messages for anti-terrorism and child protection purposes. It doesn’t say how such scans could be done, yet companies are liable for the content shared on their platforms.

At the moment, organizations cannot scan end-to-end encrypted messages. So, the only way they can comply with the Bill is to make private messages scannable. This means breaking E2EE.

And breaking E2EE in order to scan for terrorism and child sexual abuse images, also means breaking encryption for the crooks too, as it will likely introduce backdoors that create vulnerabilities for attackers and hostile states to exploit. This also precedes state-mandated surveillance on a mass scale, with privacy and security risks affecting entire societies.

“If a country like the UK pushed for that [breaking encryption] on the internet, that would shape what other countries all around the world ask for on different topics on different issues,” Cathcart said, reports Politico.

Client-side scanning (CSS), a technology that can intercept and filter messages before being sent, was seen as an alternative to weakening end-to-end encryption. Still, a study argued it doesn’t guarantee “efficacious crime prevention nor prevents surveillance”. Akin to wiretapping, CSS can give governments access to private content. Its potential for abuse will not be left unnoticed.

WhatsApp refusing to comply would subject it to fines of up to 4% of Meta’s annual turnover. However, this wouldn’t happen if WhatsApp pulls out of the UK market—a possibility that Signal, another popular private messaging app, has already threatened to do.

Wired reports that WhatsApp has reported more CSAM to the National Center for Missing and Exploited Children (NCMEC) than all other tech giants combined. Internet Watch Foundation’s head of policy and public affairs, Michael Tunks disagreed: “There’s a problem with child abuse in end-to-end encrypted environments.”

“The bill does not seek to undermine end-to-end encryption in any way,” he said. “The online safety bill is very clear that scanning is specifically about CSAM and also terrorism. The government has been pretty clear they are not seeking to repurpose this for anything else.”

The Online Safety Bill will be returning to Parliament this summer.

---

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

America’s TikTok-addicted youth is playing with a “loaded gun” according to General Paul Nakasone, Director of the National Security Agency (NSA). Speaking at a US Senate hearing on Wednesday, the general said “one third of Americans get their news from TikTok”, adding “one sixth of American youth say they’re constantly on TikTok. That’s a loaded gun.”

TikTok is an immensely popular social media platform that allows users to create, share, and discover, short video clips. It’s enjoyed explosive growth since it first appeared in 2017, and now it claims to have 1 billion users, an estimated 100 million of them in the US.

Unique among major social media apps, TikTok is owned by a Chinese company Bytedance. Due to its ties with China and the ruling Chinese Communist Party (CCP), the platform has been under a national security review by the government’s Committee on Foreign Investment in the US, or CFIUS, and will soon be banned on federal devices.

A loud chorus of concern has surrounded the app for some time now. 

One of the earliest signs of trouble occurred in 2020 when retail giant Amazon sent a memo to employees telling them to delete TikTok from their phones. In the same year, the app escaped a total ban in the US after rumors that it was sharing the data of US citizens with the Chinese government.

Things picked up again in 2022, when Federal Communications Commissioner (FCC) Brendan Carr called for TikTok to be banned in America, months after deeming it an “unacceptable security risk“, and called for Apple and Google to remove the app from their respective stores.

TikTok has also been scrutinized by the European Union (EU), Canadian privacy protection authorities, and on Wednesday the White House backed legislation introduced by a dozen senators that gives President Biden’s administration new powers to identify and stop any technology from China or other adversaries from entering the US if it is deemed a national security risk. The bill would give the Commerce Department the ability to ban TikTok and other foreign-based technologies.

At the same hearing attended by General Nakasone, FBI Director Christopher Wray spelled out the agency’s three concerns:

• The algorithm. The FBI is concerned that the CCP’s control of the TikTok algorithm, which decides which posts are shown to which users, could be used to conduct hard-to-detect influence operations against Americans.
• Access to data. The Director explained that TikTok’s vast database of information about individuals in the US could be used to conduct traditional espionage operations.
• Control of the software. TikTok is installed on millions on devices, where it has access to location data, cameras, microphones and other sensors.

Fundamentally though, his concern with TikTok is a concern about who controls those three things: “it’s the ownership of the CCP that fundamentally cuts across all those concerns,” he told the hearing.

Wray used dividing Americans on the subject of Taiwan’s independence as an example of how TikTok’s reach could be used.

When asked about a situation in which China wanted to invade Taiwan, Wray agreed that the platform could be used to show Americans videos arguing why Taiwan belongs to China and why the US. should not intervene. He added that it could be difficult to see “the outward signs of it happening, if it was happening.”

Just last week, the White House issued an order requiring all federal agencies to remove TikTok from government devices within 30 days, citing security risks the app poses to sensitive government data. Now, another step has been taken towards a complete ban. If it weren’t for the popularity of the app, it is questionable whether these decisions would take so long. Even though the app is more popular among younger people (under 35 years old), a majority of its users are old enough to vote.

---

Have a burning question or want to learn more about our cyberprotection? Get a free business trial below.

GET STARTED

Researchers at Mandiant have identified a malware campaign targeting SonicWall SMA 100 Series appliances, thought to be of Chinese origin. The malware was likely deployed in 2021, and was able to persist on the appliances tenaciously, even surviving firmware upgrades. The malware was able to steal user credentials and provide shell access.

The SMA 100 Series is an access control system that lets remote users log in to company resources. It offers a combined single-sign-on (SSO) web portal to authenticate users, so intercepting user credentials would give an attacker that is after sensitive information a huge advantage.

The Mandiant researchers reportedly worked with the SonicWall Product Security and Incident Response Team (PSIRT) to examine an infected device.

The analysis of the files found on the device showed that harvesting the (hashed) user credentials of all logged in users was the primary purpose of the malware. A number of scripts and a TinyShell variant provided the attacker with readily available, high-privileged access. The original TinyShell is a python command shell used to control and execute commands through HTTP requests to a web shell. A web shell is a malicious script used by an attacker with the intent to escalate and maintain persistent access on an already compromised web application. In other words, it acts as a backdoor on affected systems.

The researchers noted that the attackers put significant effort into the stability and persistence of their tooling and showed a detailed understanding of the appliance.

The malware checked for the presence of a firmware upgrade every ten seconds. When found it unzipped the package, copied the malware into the upgrade and put the zip back in the original place, now including the malware, so after the upgrade it could continue to harvest credentials.

Mitigation

SonicWall is urging SMA 100 customers to upgrade to version 10.2.1.7 or higher, which includes hardening enhancements. In a blog post from March 1, 2023 SonicWall describes the patch and states that:

SonicWall has taken the approach of incorporating security enhancements in their products, such as the SMA 100 series, which helps identify potentially compromised devices by performing several checks at the operating system level and baselining normal operating system state. In addition, SonicWall sends anonymous encrypted data to backend servers, including device health data, to detect and confirm security events and release new software to correct the issue.

As part of this upgrade, SMA100 customers on versions 10.2.1.7 or higher will receive notifications in their Management Console about pending CRITICAL security updates.

The upgrades, and the instructions on how to upgrade to 10.x firmware versions from various older versions of the SMA 100 Series can be found in the SonicWall knowledge base article Upgrade Path For SMA100 Series.

---

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

The March security updates for Android include fixes for two critical remote code execution (RCE) vulnerabilities impacting Android systems running versions 11, 12, 12L, and 13. Users should update as soon as they can.

The March 2023 Android Security Bulletin contains the details of the security vulnerabilities affecting Android devices. Security patch levels of 2023-03-05 or later address all of these issues.

That means, if your Android phone is at patch level 2023-03-05 or later then the issues discussed below have been fixed. The updates have been made available for Android 11, 12, and 13.

Android partners are notified of all issues at least a month before publication. However, this doesn’t always mean that the patches are available for devices from all vendors.

You can find your Android’s version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for updates.

For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

Vulnerabilities

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs that deal with RCE vulnerabilities which were patched in these updates are:

CVE-2023-20951 and CVE-2023-20954: both are critical RCE vulnerabilities in the System component. The most severe vulnerability could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2022-33213 and CVE-2022-33256 are vulnerabilities in Qualcomm closed-source components that could allow for remote code execution. CVE-2022-33213 is a memory corruption vulnerability in a modem due to buffer overflow while processing a PPP packet. And CVE-2022-33256 is a memory corruption vulnerability due to the improper validation of an array index in a Multi-mode call processor.

Google only sparingly gives out details about vulnerabilities, so everyone gets a chance to patch before cybercriminals can start abusing the vulnerabilities in attacks. But there are some pointers in the descriptions of the vulnerabilities.

Memory corruption vulnerabilities are vulnerabilities that may occur in a computer system when its memory is altered without an explicit assignment. The contents of a memory location are modified due to programming errors which enable attackers to execute arbitrary code.

A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap.

PPP is commonly used as a data link layer protocol between two routers directly without any host or any other networking in between.

One other vulnerability that grabbed my attention was CVE-2021-33655 a vulnerability that occurs when sending malicious data to kernel by ioctl cmd FBIOPUT_VSCREENINFO, kernel will write memory out of bounds. It jumped out not just because it was reported in 2021 but also because the security bulletin discloses that it is an elevation of privacy (EoP) vulnerability in the Kernel that could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

A little digging revealed that a user with access to a framebuffer console driver could cause a memory out-of-bounds write via the FBIOPUT_VSCREENINFO ioctl. The ioctl is a system call for device-specific input/output operations and other operations which cannot be expressed by regular system calls. The fix for this vulnerability was to prevent switching to screen resolutions which are smaller than the font size, and to prevent enabling a font which is bigger than the current screen resolution. Thisseems trivial, but it goes to show how many details go into safe coding.

---

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

This investigation was a joint effort between Malwarebytes Threat Intelligence’s Jérôme Segura, DeepSee’s Rocky Moss and Antonio Torres.

Key findings

• Over a dozen unique domains were found selling ad inventory through Google Ad Manager, even though the pages were embedded invisibly under the content of illegal movie & porn streaming sites

• Streaming sites in the DeepStreamer fraud ring generated an estimated 210,550,928 visits in January 2023, as measured by Similar Web

• There was not a single seller in common between each of the sites used for laundering (the “money sites”), but most offered their inventory for sale through Google Ad Manager

• Using extremely conservative estimates, which factor in a 50% ad-block rate & 70% ad-unit fill rate, we project advertiser spend on this scheme between $120k – $1.2 million in January 2023 alone

• Working with a leading ad buying platform, we were able to confirm there were hundreds of millions of bid requests generated for these domains between January and February 2023

Introduction

Online video streaming sites have always been some of the most visited destinations on the web. Legitimate ones will typically require a subscription fee or rely on advertising as part of their business model. Unfortunately, at any given point in time, there are thousands of sites that allow users to illegally stream pirated content, and they often manage to devise strategies that allow them to monetize their illegally sourced content with programmatic advertising.

Researchers at DeepSee and Malwarebytes have identified an invalid traffic scheme that has gone undetected for over one year via a number of illegal video streaming platforms. DeepStreamer used different techniques to evade detection and forge traffic by surreptitiously loading “money sites” (ad-monetized sites used to monetize/launder the human traffic to pirate sites) filled with Google ads completely hidden from view, while internet users were watching movies.

Not only are these streaming sites breaking the law by using copyrighted material, they are also defrauding advertisers to the tune of $1.2million per month, based on conservative estimates.

A deceptive business model

DeepSee researchers contacted Malwarebytes about a scheme they had observed recently via a video streaming website called moviesjoy[.]to. DeepSee’s crawlers had observed the site mikerin[.]com loading ads deep under the content of moviesjoy, but it wasn’t exactly clear how this was happening.

Interestingly, the site claims to offer free HD movies and TV series with “absolutely zero ads on our site. Once you hit the play button, you can start streaming right away, without any interruptions in the middle.”

On the internet if something is “free”, it usually means you are the product in some shape or form. Hosting and streaming costs money that needs to be recouped so the service can stay online.

What we identified was not entirely surprising but was quite clever. The platform does indeed rely on ads but rather than having them visible on the site, they are embedding and hiding them.

While the site owner could display ads to their visitors, there is no way legitimate advertisers (meaning those that would pay more) would accept traffic coming from a site offering pirated movies.

The trick consists of loading ads from seemingly regular websites and not showing them to anyone. Those “legitimate” websites are embedded and hidden into the page as iframes while users are watching movies.

There are 4 Google ads that load per page and the pages reload periodically. Advertisers are buying ad space for mainstream content but on websites that are inserted as invisible iframes into illegal video streaming platforms.

Anti-debugging tricks

Rather than using more simple techniques such as popunders, DeepStreamer relies on intermediary domains that create hidden iframe containers within the existing page.

The code that they use is highly obfuscated and detects the presence of debuggers. Capturing network traffic externally will only show some static elements, and not the dynamically created iframes.

Here is the overall traffic view, from the streaming site (moviesjoy) to the money site (mikerin):

There are several anti-debugging tricks being used, the first one actually from the online video streaming site itself:

The domain hosted at adtrue[.]top (or adtrue[.]info) plays an important role in loading the money domains by performing a HEAD /dynamic/ads/ HTTP request, and yet it shows an enigmatic 404 code response.

We were able to replay the attack by putting a breakpoint on adtrue[.]info using an external web debugger (Fiddler) and observed that it started loading the domain immediately responsible for rendering the money site.

It appears though that all these intermediary domains are connected and watching for each other.

Hidden iframe containers

Let’s look at the difference between static and dynamically rendered content with mikerin[.]ml which is related to mikerin[.]com (money site with ads) only appears to load jquery.js:

This has nothing to do with the popular jQuery JavaScript library, but instead is heavily obfuscated and debugger-proof code that contains the clues on how DeepStreamer is loading their iframe:

However, we can take a shortcut and see what the Document Object Model (DOM) looks like by saving the current webpage as a complete *.html,*.html file using the browser UI.

While the HTML saved from mikerin[.]ml showed very little information, the DOM provides a lot more useful information since it shows objects that have been rendered by the browser.

There is a new element called “containerIframeBlog____” that is referring to the money sites which are ordinary looking blogs with Google ads. The iframe’s properties make it so that nothing is visible to the user.

One way to confirm those iframes without triggering the anti-debugger code is by launching Chrome’s Task Manager:

Evasion techniques

What we refer to as the money sites are WordPress sites with a number of blog articles and Google ads. At first glance, everything looks legitimate but that is simply a decoy to fool everyone.

What we noticed are articles that are completely clean, while others contain ad fraud code. Of course, you will only get to the latter if your referer is one of the movie streaming sites.

There is one problem though. If visitors truly came from a pirated site, then ad networks would not allow their customer’s ads through. 

This is where referral forging comes into play. We can see that DeepStreamer is spoofing the referer and choosing from one of their own (Google, Bing or Facebook):

Another issue is that the invisible iframes will not reflect user activity, and yet it is important to pretend humans are scrolling and clicking on the articles. The next piece of code from the ad fraud script does just that:

If the money site was not hidden as an iframe, this is what it would look like while performing ad fraud:

Perhaps as a measure to avoid creating too many ad requests, these embedded pages do not often refresh ad units within the context of a single page-view. Instead, they generate a visit to a new spoofed page every 2-3 minutes, as demonstrated in this code snippet (looking at the interval object in particular for details on timing):

This is also confirmed by our packet captures from manually generated visits to these pirate sites; a new page is loaded every 2-3 minutes.

(Un)intended 3rd Party Measurement Evasion

One interesting side effect of embedding the money domain as DeepStreamer here has: estimates from SimilarWeb were completely thrown off! Take for example the SimilarWeb results for 2 money sites that generated hundreds of millions of ad opportunities in the same measurement period (Nov ‘22 to Jan ‘23):

Similarweb has no idea they exist & are generating these kinds of ad traffic volumes. This makes it seem like SimilarWeb measures traffic for domains that are navigated to in the browser address bar, and not accounting for hidden / embedded pages. This could be both a blessing and a curse. 

On the plus side: many ad exchanges check for 3rd party traffic metrics from tools like SimilarWeb before making a publisher’s inventory available, and organizations doing that basic check will protect themselves from exposure to sites like this. Put another way: a quality specialist would see that there’s no traffic to mikerin[.]com, or guiadosabor[.]com, and the sites would not be approved for the platform subsequently. 

• This begs the question: how were these publishers able to sell their inventory through Google’s ad exchange? What checks and balances were in place to ensure that the traffic volumes to those sites were believable?

One negative outcome of this measurement scenario is that researchers who rely on SimilarWeb insights can not know about the “money” sites’ connections to pirate domains; the connection from source -> “money” site is lost given the absence of SimilarWeb “related sites” data. 

DeepSee’s crawl data revealed ground-truth connections between the pirate & “money” sites, but it could not account for the volume of traffic directed at the “money” sites. Luckily, since these sites load every time someone visits the pirate sites, it’s possible to estimate the visit counts to the “money” domains by understanding traffic volumes to the pirate sites which embed them.

Monetization

The Roster of Embedded Sites

By working with the team at Malwarebytes, DeepSee was better able to profile the activity of a monetized site involved in this scheme, and set about the task of mapping the active ones to their pirate/source domains. What we found are 14 active content domains, loaded by 250+ unique pirate sites, which cumulatively generated hundreds of millions of visits in January:

In order to arrive at the estimated visit statistics, we used data from Similarweb. Not every pirate domain was found in their dataset due to recent registration, or low traffic volumes.

Now that we had identified a sample of ad-monetized domains, we needed to make sure these ad units were actually firing off impression trackers, meaning the advertiser would be charged for presenting their ads on the page. 

In order to confirm this, DeepSee analyzed data its crawlers had gathered when visiting the pirate sites in question, and compared the number of Google ad requests generated to the number of corresponding Google impression trackers fired. 

This dataset, composed of 6,748 crawls performed between January 1st and February 27th 2023 showed the following:

• Of the 35,269 Google ad requests measured, DeepSee measured 25,387 corresponding impression trackers, making for a fill rate of ~72%

• The “money” sites loaded a median 4 ad units per-page load; confirmed by manual inspection performed by Malwarebytes

• In DeepSee’s limited manual tests, generated by visiting the pirate sites & running packet capture software, there was a measured fill rate of ~80%

• Perhaps more troubling, ~98% of the sessions that DeepSee crawlers generated were from known data centers, performed without any attempt to cloak the IP.

(For more information on how to do this kind of auditing yourself, check out this explainer from MonetizeMore)

These data points in hand, we could now construct an estimate of how much advertisers might be spending on this inventory. For complete insights into the dataset we used to create these estimates, alongside the complete list of Source:Money domain mappings, check out our companion document

• After matching the pirate source domains to SimilarWeb data, and summing the visit counts, we counted 221,823,394 cumulative visits generated.

• Using the visit data, and the time-on-site metrics from SimilarWeb, we arrived at a weighted average time-on-site of ~7.75 minutes per visit

• Visitors immediately cause 4 ads to load upon a page load, and another 4 ads load on average each 2.5 minutes when the page reloads. This makes for an average 16.40 ad exposures per visit for each user

• Multiplying average exposures per user by the number of visits yielded a total of 3,636,840,849 estimated ad exposures in January, but we had to add a few modifiers to this figure:

  • According to data compiled by Statista, ~50% of desktop web users block ads, and that number is ~30% for mobile browser users. We chose to use the more conservative 50% figure, and removed half of the projected impressions from the pool, leaving 1,818,420,425 estimated ad exposures in January

  • As we previously mentioned, DeepSee crawlers measured a fill rate of ~72% for Google ad units on the money sites during our visits. Factoring in a slightly more conservative 70% fill rate left us with 1,272,894,297 estimated ad exposures in January

Given our final figure of 1,272,894,297 estimated ad exposures in January, the advertiser spend was estimated to be between $127k and $1.27 million, depending on the average price of these advertisements, which was never disclosed to us. We broke our estimates down across several probable price points for this media:

At this point, it was clear that advertisers were really buying this space, so we started asking around for evidence that could point us to who was selling the space.

The Non-Google DSP Perspective

The data in this section was provided to DeepSee by a leading DSP (demand-side advertising platform) with global reach, who agreed to participate under condition of anonymity (we’ll call them DSP “A”) . They provided reporting, from their perspective, on the count of bid requests generated by the money domains dating back to August of 2020. Most helpfully, they also provided the supply-path related to an opportunity, which tells us the exchange & seller name related to the opportunity.

As a disclaimer, there are a few limitations of this dataset:

• This is just the perspective of one DSP, and we can’t claim to know that these sellers created a similarly large share of opportunities presented to all other DSPs. We suspect they do, but without input from Google in particular, it can’t be confirmed.

• These sites seemed to monetize extremely poorly outside of Google; fewer than 1% of requests resulted in an ad being delivered via the DSP we polled.

  • That low fill rate was echoed by another non-google exchange we polled, who told us that only .1% of opportunities they created resulted in ads being loaded

  • On the other hand, we observed that the Google filled these ad units upwards of 70% of the time, implying spend was mainly coming from users of Google’s DSP

Understanding the above, the below table shows the top sellers offering space on these money domains, and the ad exchange the opportunity came through.

Google Was the Top Exchange Offering These Opportunities; There Was Not 1 Particular Seller in Common

Top Seller Per Domain, Ordered by Magnitude of Ad Opportunities Presented to DSP “A” Since August 2020

Summary

In this investigation, we uncovered a network of streaming websites and bogus domains created for the purpose of illicitly gaining revenue from advertisements by a threat actor we called DeepStreamer.

We were impressed by the technical complexity of the code and underlying infrastructure. The perpetrators took many steps to prevent reverse engineering and tracking metrics were not accurately representing the scale of the abuse at play.

We have notified Google and other industry partners and some actions have already taken place. Malwarebytes users are not participating in this invalid traffic scheme defrauding advertisers as we already block the fraudulent domains used.

About Malwarebytes

Malwarebytes believes that when people and organizations are free from threats, they are free to thrive. Founded in 2008, Malwarebytes CEO Marcin Kleczynski had one mission: to rid the world of malware. Today, Malwarebytes’ award-winning endpoint protection, privacy and threat prevention solutions and its world-class team of threat researchers protect millions of individuals and thousands of businesses across the globe. 

The effectiveness and ease-of-use of Malwarebytes solutions are consistently recognized by independent third parties including MITRE Engenuity, MRG Effitas, AVLAB, AV-TEST (consumer and business), Gartner Peer Insights, G2 Crowd and CNET.

The company is headquartered in California with offices in Europe and Asia. For more information and career opportunities, visit https://www.malwarebytes.com.

About DeepSee

DeepSee uses highly sophisticated crawlers, combined with rigorous network analysis, in order to capture the behaviors websites present when visited by actual humans, and contextualize those behaviors within the graph of the internet.

DeepSee uses this data to arm advertising professionals with ground-truth signals about content appropriateness, ad-density, on-page technologies, backlink makeup, and more.

This dataset enables the sell-side to effectively & automatically moderate the quality of the inventory they offer, and empowers the buy-side to quickly generate robust blocking / targeting lists.

Indicators of Compromise

Domains launching invisible iframes:

adorablefurnishing[.]ml
awscloudfront[.]ml
bigcache[.]ml
brcache201[.]ml
brient[.]ml
cache33[.]ml
cdncache[.]ml
compactembed[.]ml
dbcache[.]fun
dcache[.]ml
embed123[.]ml
fcache[.]ml
filecache[.]ml
financeirocartao[.]ml
fishuflatinned[.]ml
fullcdn[.]ga
harateness[.]ml
honessity[.]ml
hypercdn[.]ml
hypercdn3[.]ml
investwell[.]ml
jestick[.]ml
journeywithvision[.]ga
jscache[.]live
kbyte[.]ml
livrosdereceita[.]ml
maxcache[.]ml
mbyte[.]gq
mcdn[.]ga
megacdn[.]ml
megacdn[.]top
megasearch[.]gq
melhoresdomomento[.]ml
mikerin[.]ml
myplayer[.]ml
newsworldcity[.]ml
poptube[.]fun
primesinfo[.]ml
satishmoheyt[.]ml
supercache[.]top
tapcache[.]ml
tcache[.]ml
tecnowebclub[.]ga
toptube[.]fun
uwatchtube[.]ml
video[.]your-notice[.]fun
videocdn[.]fun
videosdahora[.]fun
whatsappvideos[.]ml
wispields[.]ml
wpcache[.]ml
youbesttube[.]gq
yourtube[.]fun
ytcache[.]fun
pharmabeaver[.]ml
pharmabeaver[.]com
virvida[.]com
guiadosabor[.]com
techyclub[.]in
journeywithvision[.]com
newsworldcity[.]com
mikerin[.]com
primesinfo[.]com
investwell[.]site
streamix[.]tv
guerytech[.]online
brandingjoy[.]in
aitechgear[.]in
adorablefurnishing[.]com
satishmoheyt[.]in

Money domains:

brandingjoy[.]in
aitechgear[.]in
guiadosabor[.]com
mikerin[.]com
adorablefurnishing[.]com
journeywithvision[.]com
satishmoheyt[.]in
primesinfo[.]com
techyclub[.]in
streamix[.]tv
newsworldcity[.]com
pharmabeaver[.]com
guerytech[.]online
virvida[.]com

Malicious JavaScript (iframe):

1701f50afde2db48d58e6789cfa810f2fdfae74ad0b5de983ace21beb9542a4b
2405699d9b90c36950440d8dd0335d8da1574abda11ae9900cfb31a68f80a864
344550fd85db609434f9eb6838642df1e0283ce43b23c02859cb593b7331ef70
5f8598bdf64f2f3c7a6b9134cd80bb44ac46f546d4047d796278437b5c3485b7
86c160f073347d3c810a824ba90de66105882195dd607175a32fa7adffe31163
98d2cd6e4f3a3aa3200d53ac09750d192ca6ba546aba09a935fe4f38d878bc4c
af70188588c75165f919c9c155827eb458f26aed5288ef52bab532dc7bd38015
b6845734220755e8a163d27d30fb0470ac0aa0d6e57e52af38fe59619d4dd1fb
bcb9ee387efcd936e2abd1ede483fda13cfe40320af9df6462398f329e6aae1e
fc2006c24b6153bfeafb3e9dc6e5ffc4d239c021f1e1777265569f672b4e184b

---

Have a question or want to learn more about our cyberprotection? Get a free business trial below.

GET STARTED