IT NEWS

Last week on Malwarebytes Labs:

• 4 over-hyped security vulnerabilities of 2022
• Chasing cryptocurrency through cyberspace, with Brian Carter: Lock and Code S03E26
• Restaurant platform SevenRooms confirms data breach
• Adult popunder campaign used in mainstream ad fraud scheme
• Malwarebytes earns AV-TEST Top Product awards for fourth consecutive quarter
• Millions of Gemini cryptocurrency exchange user details leaked
• Play ransomware group claims to have stolen hotel chain data
• The pitfalls of blocking IP addresses
• BEC scammers go after more than just money
• Lego’s Bricklink steps on cross site scripting blocks
• Sharing Netflix, Disney+, other passwords is illegal, according to new guidance
• The Guardian hit by “ransomware attack”
• Godfather Android banking malware is on the rise

Stay safe!

When did technology last excite you? 

If Douglas Adams, author of The Hitchhiker’s Guide to the Galaxy, is to be believed, your own excitement ended, simply had to end, after turning 35 years old. Decades ago, at first writing privately and later having those private writings published after his death, Adams had come up with “a set of rules that describe our reactions to technologies.” They were simple and short: 

1. Anything that is in the world when you’re born is normal and ordinary and is just a natural part of the way the world works.
2. Anything that’s invented between when you’re fifteen and thirty-five is new and exciting and revolutionary and you can probably get a career in it.
3. Anything invented after you’re thirty-five is against the natural order of things.

Today, on the Lock and Code podcast with host David Ruiz, we explore why technology seemingly no longer excites us. It could be because every annual product release is now just an iterative improvement from the exact same product release the year prior. It could be because just a handful of companies now control innovation. It could even be because technology is now fatally entangled with the business of money-making, and so, with every one money-making idea, dozens of other companies flock to the same idea, giving us the same product, but with a different veneer—Snapchat recreated endlessly across the social media landscape, cable television subscriptions “disrupted” by so many streaming services that we recreate the same problem we had before. 

Or, it could be because, as was first brought up by Shannon Vallor, director of the Centre for Technomoral Futures in the Edinburgh Futures Institute, that the promise of technology is not what it once was, or at least, not what we once thought it was. As Vallor wrote on Twitter in August of this year: 

“There’s no longer anything being promised to us by tech companies that we actually need or asked for. Just more monitoring, more nudging, more draining of our data, our time, our joy.”

For our first episode of Lock and Code in 2023—and our first episode of our fourth season (how time flies)—we bring back Malwarebytes Labs editor-in-chief Anna Brading and Malwarebytes Labs writer Mark Stockley to ask: Why does technology no longer excite them? 

Tune in today. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

H-Hotels, a large hospitality chain with 60 hotels across several countries including Germany and Switzerland has announced it has fallen victim to a ransomware attack. The incident, which took place on December 11, is allegedly a double whammy of hijacked devices and data theft…if a ransomware group is telling the truth.

Another day, another ransomware press release

From the H-Hotel release:

“…unknown persons carried out a cyber attack on the IT network of the hotel company H-Hotels.com, which led to restrictions in digital communication. The cyber attack was discovered by the hotel company’s IT security systems on Sunday. According to initial findings by internal and external IT specialists, cybercriminals managed to break through the extensive technical and organizational IT protection systems in a professional attack.”

The release goes on to say that although bookings are still taking place, email is unavailable as H-Hotels examines all systems to ensure they are no longer compromised. Importantly, H-Hotels claims that there is “no indication” that personal data has been stolen as a result of the attack.

Sadly, this may no longer be the case if what a ransomware gang claims to be true turns out to be accurate.

Play time

Play ransomware is a fairly new addition to the ransomware scene, most notably causing mayhem for the city of Antwerp not so long ago with major digital systems coming to a standstill. When the group claims a juicy target, they post up the details to their leak site alongside the data they claim to have stolen. The typical game plan is to encrypt files, and then threaten to leak files if their demands are not met.

If you’re caught out by Play ransomware, you’ll know quite quickly on account of your files suddenly displaying the .play extension and a ReadMe.txt file containing little more than the word “Play” and an email address.

Play has indeed claimed responsibility for this attack, with H-Hotels joining the growing list of guest appearances on the leak page. There is no indication how much data has been stolen, but the listing mentions “Private, personal data, clients documents, passports, ID, etc”. The proposed publication date for some or all of these files should demands not be met is currently tagged as December 27.

Assuming this is true, it remains to be seen what H-Hotel’s next steps are.

Keeping ransomware at bay

Tackling ransomware can feel overwhelming, especially as even the biggest of organisations fall victim to double or triple threat tactics. Even so, there are many options available to your organisation.

1. A little recovery time

   Don’t wait until ransomware is in your network and encrypting everything to ask if someone has a backup. Get ahead of the curve, and see if you can come up with a suitable and cost effective way to recover your data and prevent further encroachment on your network. When an attack happens, who is contacted first? Who is the emergency response? Which data is the most crucial and sensitive? Has it already been encrypted by your business to prevent network intruders taking a peek?

   You should also have an idea of who to make outreach to after an incident, and in what order. Law enforcement, cyber insurance (if you have it), external security contractors may well be some of the first entities on your list.

2. Testing for timeliness

   It’s always a good idea to keep your systems updated, along with your security tools. However: just like those businesses which only consider backups once the damage has been done, there are many out there not running regular scans or ensuring everything is working as it should be. You don’t want to be in the middle of an incident and then find out your licences expired three months ago.

   On a similar note, it’s the obvious attack targets which don’t receive enough care and attention from admins. So many compromises are as a result of unsecured Remote Desktop Protocol brute forcing. Make sure you set those passwords in the first place, and limit the rate that individuals can keep trying to log in before being locked out.

   3. A valuable set of tools

   As you’ve gathered, speed and a calm head is of the essence when dropped into a ransomware incident. You want your Endpoint Detection and Response (EDR) tools to work fast, and with as little friction as possible. Identifying and isolating infected devices, spotting behaviour which resembles ransomware activity, and assisting with file recovery where possible are all extremely useful when that alarm bell starts to ring.

   Additional assistance in the form of rogue website blocking, prevention of exploits and malvertising, and brute force protection will all serve you very well.

We have a lot more information with regard to simplifying the fight against ransomware, alongside multiple reports and guides for best practice and overviews of the ransomware landscape generally.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

In August 2022, the Austrian court ordered the block of 11 IP addresses for copyright violations on 14 websites. Sadly, there was an undesirable side-effect—thousands of websites were rendered inaccessible to internet users in Austria for two days.

There are many possible reasons why governments would order Internet Service Providers (ISPs) to block specific IP addresses—from censorship to several different illegal activities like copyright infringements, fraud, and selling banned substances.

For the sake of the article we will focus on blocking for illegal activities in democratic countries, because censorship in more dictatorial states falls under very different considerations.

The problem

Blocking an entire IP address because there are one or a few unwanted sites hosted on that IP address is unfair at one level to those that happen to be on the same IP address but are unaware of the illegal activities. Compare it to issuing a search warrant for an entire block because the owner of one house is suspected of doing something illegal.

But even though courts have an obligation to consider the rights of those not contributing to the illegal activities, blocking by IP address is something that happens too often according to content delivery network Cloudflare that investigated the matter.

“Freedom House recently reported that 40 out of the 70 countries that they examined – which vary from countries like Russia, Iran and Egypt to Western democracies like the United Kingdom and Germany –  did some form of website blocking.”

Sharing your IP

While it is easy to say that you shouldn’t share your IP with illegal, fraudulent, or even compromised sites, this is not how the internet works for the average user. For starters, there is a huge difference between the number of available IP addresses and the number of existing domains, let alone the possible number of domains. Even when you take IPv6 into account, which allows for more unique IP addresses.

A regular website owner registers a domain and hosts the website on the server of a provider which is often the same one that registered the domain for them. They do not have a say over which other sites will be on the same server. The provider will decide this based on availability and load balancing. All a website owner can do is find a provider that is quick to respond in case there is a complaint about a site.

Cloudflare

The problem in Austria was magnified because the court ordered the ISPs to block the IP addresses owned by Cloudflare that pointed to the websites they wanted to block. This rendered thousands of websites inaccessible.

“In a network like Cloudflare’s, any single IP address represents thousands of servers, and can have even more websites and services — in some cases numbering into the millions — expressly because the Internet Protocol is designed to enable it.”

Better blocking

Better blocking should be based on blocking closer to the source. If you have a problem with a domain, you should first try to block that particular domain.

The designs of IP and domain name resolution (DNS) are independent of each other, but despite that, a one-on-one relationship is often assumed.

The first clue for the Austrian court that IP addresses and domain names don’t have a one-on-one relationship should have been the fact that they only needed to block 11 IP addresses to tackle 14 offending domains.

Another problem with blocking an IP is the lack of transparency for the internet user. When someone tries to visit a blocked IP, the connection fails without providing them with a reason. And an innocent website owner on the same IP does not realize anything is wrong until they receive complaints that their website is unreachable, or they see their visitor numbers drop for no apparent reason.

Inevitable

But sometimes IP blocking is inevitable. At Malwarebytes, we block IP addresses that are scanning other IP addresses for vulnerabilities, simply because there is no domain that can be blocked in these cases. We do try to limit the block to certain ports where possible. We also know the risks of blocking by IP address, but since we have an obligation to protect our customers, the choices are sometimes hard and mistakes are occasionally made.

In a joint Cybersecurity Advisory (CSA) the Federal Bureau of Investigation (FBI), the Food and Drug Administration Office of Criminal Investigations (FDA OCI), and the US Department of Agriculture (USDA) recently observed incidents of Business Email Compromise (BEC) with a new twist. In these incidents the threat actors didn’t go for money, instead stealing whole shipments of food products and ingredients valued at hundreds of thousands of dollars.

Business Email Compromise

Up until recently, BEC attacks were almost exclusively targeted at money transfers. Malwarebytes’ own glossary entry for BEC says:

“A business email compromise (BEC) is an attack wherein an employee, who is usually the CFO or someone from the Finance department, is socially engineered into wiring a large sum of money to a third-party account.”

We may have to revise that entry since threat actors are now targeting physical goods as well.

In May 2022 we discussed some numbers published by the FBI. A few highlights:

• $43 billion were stolen between June 2016 and December 2021. There were 241,206 domestic and international incidents between those two dates.
• The FBI observed a 65% increase in losses suffered between July 2019 and December 2021, which feels like a significant ramp-up.
• The overwhelming number of organizations filing victim complaints to the IC3 between October 2013 and December 2021 were based in the US.

This new type of attack will most certainly boost those numbers even more.

Methods

The tactics, techniques, and procedures have stayed very much the same. For the best results, attackers can use every bit of knowledge about the target and the legitimate company they are pretending to be. With this information they can:

• Deploy email accounts and websites that closely mimic those of a legitimate company.
• Use spear phishing and other techniques to get access to a legitimate company’s email system and send fraudulent emails from there.
• Use the names of actual officers or employees of a legitimate business to communicate with the victim company to add extra credibility.
• Copy company logos to lend authenticity to their fraudulent emails and documents.
• Deceive the victim company into extending credit by falsifying a credit application. The scammer provides the actual information of a legitimate company so the credit check results in an approval of the application.

In the end, the victim company ships the product but never receives a payment.

Targets

While this type of fraud can happen in many industries, the CSA specifically points out recent events in the food and agriculture sector. In the listed examples, attackers used email addresses that were slightly different from the ones they were mimicking and seem to be predominantly after milk powder. But they also tried stealing a truckload of sugar. During investigations it also became clear that some legitimate companies were impersonated on more than one occasion.

Domain mimicry

There are many ways to mimic a domain so that the unsuspecting receiver of an email or web portal request might miss. To be proactive, you should look for additional punctuation, changes in the top-level domain (i.e. “.com” vs “.gov”), added prefixes or suffixes, and the use of similar characters (i.e. “close” vs “c1ose”) or a minor misspelling of the domain.

Mitigation

The FBI, FDA, and USDA urge businesses to use a risk-informed analysis to deal with this type of crime. Some of the tips they gave are worth repeating:

• Verify contacts by independents means. Do not trust logos and branding for they can easily be copied.
• Carefully check hyperlinks and email addresses for slight variations that can make fraudulent addresses appear legitimate and resemble the names of actual business partners.
• Check for spelling errors, strange wording, and other grammatical abnormalities.
• Encourage managerial double checks when employees find something suspicious or out of the ordinary.
• Be skeptical of unexplained urgency or last-minute changes, especially in shipping destination.
• Educate your employees to raise awareness of BEC, phishing, and other types of fraud.
• Immediately report any online fraud or BEC activity to the FBI Internet Crime Complaint Center at ic3.gov/Home/BEC.

To avoid being used as a bait company, you can regularly conduct web searches for your company name to identify results that return multiple websites that may be used in a scam.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

If you’re a user of the Gemini cryptocurrency exchange, it’s time to be on your guard against phishing attacks. Gemini says its own systems have not been compromised, but an unnamed third party has become the focal point for a breach.

On December 13 or some point before, rogues gained access to just shy of 6 million email details and “incomplete” phone numbers (thanks to partial redaction) belonging to users of the Gemini service. It’s claimed there are duplicate email records in the breach, so the actual impact is probably not quite as severe as initial numbers may suggest. All the same, if we’re talking millions of records then it’s still very much a bad thing.

(Failing to) monetise data for fun and profit

There have been several attempts to monetise this data on underground forums over the last couple of months, from September onward, with little evident success. This eventually resulted in someone offering up all of the data for free.

Gemini is now offering security advice and tips to guard against phishing attacks for anyone contained in the data. From Gemini’s post on the subject:

Some Gemini customers have recently been the target of phishing campaigns that we believe are the result of an incident at a third-party vendor. This incident led to the collection of Gemini customer email addresses and partial phone numbers. No Gemini account information or systems were impacted as a result of this third-party incident, and all funds and customer accounts remain secure.

Locking down your Gemini account

Breaches in cryptocurrency land are always a major issue. Some folks have their life savings and investments in these realms, and cryptocurrency/Web3 phishing generally has been running riot for some time now. If it’s not stolen apes and coins, it’s fake social media giveaways and “double your money” scams.

If you’re a Gemini user, the advice is to

• Be on the look out for emails pretending to be from Gemini. It may well be a phishing attempt. Don’t click on links in any emails and navigate to the site itself instead.

• Sign up to 2FA, to give phishers an additional mountain to climb should they manage to obtain your password. You can use your mobile phone for this, or even more secure forms of protection like a physical hardware key.

Cryptocurrency attacks will continue into 2023

No matter which platform you use, no matter what smart wallets you dabble in, someone out there is happy to steal whatever you have. Exploits, platform owners going rogue, rug pulls, insecure platforms: something big can go wrong at any time. While it may still be one of the hottest things around, cryptocurrency is a huge bullseye for anyone up to no good. Take the time to learn as much as you can about your platform of choice, scams common to your particular cryptocurrency corner, and ways you can try and mitigate those threats. Once your digital money is gone, there’s often no coming back so forewarned is most definitely forearmed.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

SevenRooms, a “guest experience and retention platform” for food establishments and hospitality organisations, has confirmed it has fallen victim to a third party vendor data breach. Mostly known for its customer management platform, Seven Rooms’ breach came to light after stolen data was seen for sale on an underground forum.

Sample selection

SevenRooms confirmed to Bleeping Computer that the data, samples of which were posted on the forum on 15th December, is real. This data selection contained “thousands of files” containing data on SevenRooms customers.

The database, weighing in at 427GB, contained promo codes, payment reports, reservation lists and more, alongside folders named after well known restaurant chains.

When file transfer goes wrong

A “third party vendor file transfer interface” is the source of SevenRooms’ current woes. This tool or program was accessed without permission by the data thief, which means that certain documents sent to or from SevenRooms were pilfered.

What has been taken?

There isn’t a great amount of additional detail available in relation to this question so far. The point of note for most people will be data related to individuals. What SevenRooms has told Bleeping Computer is that “some” guest data was obtained, which could include names, emails, and phone numbers.

What was not taken includes bank account data, social security numbers, credit card details, or anything else along the lines of “highly sensitive information”.

Of course, depending on your circumstances, making names or phone numbers tied to email addresses public could still be a threat or concern. The only bright spot here is you don’t have to worry about cancelling your cards right before Christmas and the New Year.

No direct breach of SevenRooms

SevenRooms claims that nobody managed to directly breach their own systems; everything that went wrong was down to the transfer tool. With access to the tool disabled, the organisation investigated and found no evidence of its systems being accessed or otherwise tampered with.

There is no word of which businesses were impacted by this breach, and frustratingly little detail on who may have been affected individually, but we can expect outreach very soon along these lines.

No guest for the wicked: if you think you’ve been caught in the breach…

Until more information is released, it’s tricky to give specific advice. All you can really do for now is be on your guard against phishing and social engineering.

• Anything related to places you’ve stayed or eaten at, especially offers or discounts, should be treated with caution. You can always contact the business directly if you’re not sure that what you’ve been sent is genuine.

• Direct phone calls may be suspicious, especially if you remember opting out of outbound contact and marketing or other promotions. As with email or any other form of contact, don’t feel bad about going directly to the source. You won’t miss out by taking a few moments to confirm that tempting offer you’re interested in is the real thing.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

AV-TEST, a leading independent tester of cybersecurity solutions, has just ranked Malwarebytes as a Top Product for consumers and businesses for the fourth quarter in a row.
Every two months, experts at AV-Test evaluate Windows antivirus software across three categories:

• Protection against malware infections such as viruses, worms or Trojan horses.
• Performance or the average influence of the product on computer speed in daily usage.
• Usability or the Impact of the security software on the usability of the whole computer.

All products can achieve a maximum of 6 points each in of the three categories, making 18 points the best possible test result. At 17.5 points or higher, AV-TEST issues the “Top Product” award.

Each security product gets tested against 23,000 unique malware attacks, such as zero-day threats and widespread malware and must pass multiple false positives tests that include over 1 million clean files and websites.

For the latest Sep-Oct/2022 results, Malwarebytes received Top Product awards for both Malwarebytes Premium and Malwarebytes Endpoint Protection. These results mark the fourth consecutive quarter we have received Top Product awards for both products, stretching back to December 2021.

• Full Malwarebytes Premium results: https://www.av-test.org/en/antivirus/home-windows/windows-10/october-2022/malwarebytes-premium-4.5-221511/ 
• Full Malwarebytes Endpoint Protection results: https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2022/malwarebytes-endpoint-protection-1.2-222515/

Let’s take a deeper dive into the results from Sep-Oct/2022, starting with the protection category.

Real-world threats no match against Malwarebytes cyberprotection

Malware infections show no signs of slowing down. According to Malwarebytes research, malicious software increased by 77 percent in 2021 compared to 2020.

Needless to say, personal users and businesses alike need strong anti-malware to prevent the costly consequences of infection.

For the Prevention category, AV-TEST tested protection against real-world threats launched by cyber criminals—including 0-day malware attacks from the Internet, inclusive of web and email threats. It also tested the detection of widespread and prevalent malware discovered only in the last 4 weeks.

Both Malwarebytes Premium and Malwarebytes Endpoint Protection successfully prevented and detected 100% of malware threats for Sep-Oct 2022, proving that Malwarebytes can fend off the latest malware and defend against the pathways of infection used most often.

Industry-leading performance

Good cyberprotection shouldn’t have to come at the cost of system performance—the last thing you want in your security product is a slowing down of typical operations for daily work on computers.

For the Performance category, experts at the AV-TEST laboratory examined the effect security products had on performance, placing special attention to four categories:

• Slowing-down when launching popular websites
• Slower download of frequently-used programs
• Slower launch of standard software programs
• Slower installation of frequently-used programs
• Slower copying of files (locally and in a network)

Both Malwarebytes Premium and Malwarebytes Endpoint Protection scored 100% on the performance test for Sep-Oct 2022, by and large meeting or beating the industry average in each of the four categories.

Saying sayonara to false-positives

When it came to the number of false-positives generated, neither Malwarebytes Premium nor Malwarebytes Endpoint Protection disappointed.

AV-TEST recognizes that false alarms can disturb the work routine just as much as malware attacks can. That’s why, for the Usability category, AV-TEST tested the number of false positives in three stages:

• Stage 1: False alarms or blocking when visiting websites
• Stage 2: False detections of legitimate software as malware during a system scan
• Stage 3: False alarm test for standard software: false warnings concerning certain actions and blocking of these actions carried out while installing and using legitimate software

Malwarebytes Endpoint Protection had 0 false-positives out of the over 500 websites and 1+ million files used for the assessment. Malwarebytes Premium only had four false-positives.

Nothing but gold for Malwarebytes on the latest AV-TEST assessment

With the latest AV-TEST results, we’re adding yet another notch to our string of successes on leading independent assessments.

Whether it’s MITRE, MRG-Effitas, or G2, our track-record demonstrates that Malwarebytes has what it takes to keep both personal users and businesses safe from today’s most pressing cyberthreats—and do so with high performance and low false-positives.

Learn more about what experts and customers are saying about Malwarebytes:

Malwarebytes recognized as endpoint security leader by G2

MITRE ATT&CK® Evaluation results: Malwarebytes’ efficiency, delivered simply, earns high marks

Malwarebytes receives highest rankings in recent third-party tests

Malwarebytes outperforms competition in latest MRG Effitas assessment

This blog post was authored by Jérôme Segura

Online advertising is a multi billion dollar industry with projected spending to reach over 600 billion U.S. dollars for 2022. It’s not surprising that criminals are trying their hardest to abuse this ecosystem in any way that they can.

One of the biggest threats and always top of mind for advertisers is bot traffic as it is the equivalent of throwing money down the drain with ads that will never be seen by real eye balls. However, ad fraud is more than bots and in fact, even when traffic is seemingly real, there can still be abuse.

Case in point, we came across a clever ad fraud scheme where a fraudster is running a cost-effective popunder campaign on high-traffic adult websites and then making money via Google Ads. What originally caught our attention was seeing a Google advert on what appeared to be an adult page, as it is strictly against the search giant’s acceptable content policy. It turned out to be a clever way to hide a bogus blog loaded with many more ads, most of them hidden behind a fullscreen pornographic iframe.

As unaware visitors trigger the popunder landing page and continue browsing in their other tab, the decoy website is constantly refreshing with new content and of course new ads, generating millions of ad impressions per month.

We reported this invalid traffic and would like to thank Google for quickly shutting down this ad campaign.

Popunder campaign on top adult sites

It is no secret that adult websites generate a lot of traffic. Did you know that 3 of the top 20’s most visited websites are from the adult industry, the more popular one getting an estimated 2.8 billion monthly visits?

A fraudster has set up an ad campaign with one of the major adult ad networks using an ad format known as a popunder, which is one of the most cost efficient. Depending on the visitor’s geolocation and other parameters, the CPM (cost per thousand impressions) can be as low as $0.05.

A popunder is like a ‘pop-up’ in that it is triggered when a user clicks anywhere on a web page, except that the resulting ad will appear behind the open window. It’s also not like a typical banner ad, it’s actually an entire page, often referred to as a landing page whose goal is to provide clear and interesting information in order to have a high conversion ratio. Examples of common popunders for the adult industry include online dating services, adult webcams, or simply an adult portal.

At first, it appears that this popunder is simply promoting another adult website called Txxx. But a couple of things don’t add up: the page’s title and address bar show something completely unrelated and we can see what appears to be a Google ad at the bottom of the page.

The problem is that Google’s advertising policies state that sexually explicit content such as text, image, audio, or video of graphic sexual acts intended to arouse is not allowed. Technically speaking, the adult content is merely an iframe placed on top of a WordPress blog and the ad at the bottom should really have been hidden in the background.

To avoid detection, the code is heavily obfuscated and the iframe is built dynamically:

SEO-friendly content to place ad banners

The fraudster is actually deceiving Google by loading legitimate content (i.e. how to fix your plumbing issues) under a fullscreen XXX iframe. Not only that, but the page also refreshes its content at regular intervals, to serve a new article, still hidden behind with the XXX overlay to further monetize on Google Ads. This happens without the user’s knowledge since the tab was launched as a popunder.

This is no ordinary landing page, it’s actually a full blog with dozens of articles that were stolen from other sites.

• 10-home-heating-tips
• 10-ways-to-style-your-kitchen-countertops-like-a-pro
• 4-main-benefits-of-installing-gutter-protection-systems
• 8-most-common-roof-leak-causes-in-california
• before-you-plan-to-build-your-own-house-work-out-your-budget
• build-your-own-home-in-3-days
• build-your-own-home-in-the-country
• does-your-home-in-california-need-roof-ventilation
• homeowner-s-guide-to-the-best-outdoor-lighting
• how-much-does-a-mortgage-to-build-your-own-house-cost
• how-much-does-it-cost-to-build-a-new-house-in-los-angeles-area
• how-snow-and-ice-impact-your-roof
• how-solar-panels-can-make-your-roof-last-longer
• how-to-adhere-drywall-to-a-concrete-block
• how-to-build-modern-dining-room-in-california

On average (when scrolling through the entire page), there are about 5 Google ads and sometimes even video ads which are more lucrative.

Millions of ad impressions

Looking at high level metrics (taken from Similarweb) for that one decoy website we see some interesting figures. The total number of visits per month is close to 300K (and doubling based on previous month data). But the more interesting metric is the number of pages viewed per visit, which is over 51.

How can a human actually browse and read 51 articles in an average of 7 minutes and 45 seconds? The answer is simple: they don’t. The user is most likely busy minding their own business on the other active tab while the popunder page constantly reloads new articles along with Google Ads. We ran a quick capture of what this looks like based on the ad requests made to Google’s servers:

While numbers will vary based on demographics and other settings, we estimate that the page generates an average of 35 ad impressions every minute. If we do the math and multiply the total number of monthly visits (281.9K) and average duration (7:45 min or 465 seconds), we get a total ad impressions of 76,465,375 per month. Calculating the exact revenue made will depend on different factors but with a CPM of $3.50, this scheme could theoretically generate $276,629 a month.

Since these ads are not going to be seen by anyone, we could consider that all those impressions are purely driven by invalid traffic (IVT). This is not typical bot traffic though, because the unwilling participants are real users with genuine IP addresses, cookies and other browser settings. However, there are giveaways such as an unexpectedly high number of pages per visit. For comparison, the most popular adult site has an average of 9 pages and 9 minutes per visit.

There is one more twist to this ad fraud scheme that comes in the form of clickjacking. Once a user gets the tab into focus (it was a popunder), suddenly the page rotation stops and what the user sees is what looks like another adult website (the iframe). A click anywhere on the page (the user may want to select one of the thumbnails and watch a specific video) triggers a real click on a Google ad instead.

Based on the previous stats, the popunder quietly cycles through blogs and ads for an average of 7 minutes and 45 seconds before the user either closes that tab or clicks on the page which would increase the advertiser’s cost-per-click (CPC).

(Fake) real news sites

The decoy site used fairly complex and obfuscated code to defraud Google which likely was not developed for a one-off. We wrote a signature based on a string of text that stood out called ‘povtor’ and ran a retrohunt search on VirusTotal. Povtor is Russian for ‘repeat’ which aligns with our understanding of the threat actor likely being Russian.

The retrohunt search returned a number of hits for sites that had something in common: news portals registered on previously expired domains. While we have seen influence campaigns before, pushing only biased news stories for a certain political party, we don’t believe this is the case here. The news articles look balanced and real which would indicate another motive.

Last week on Malwarebytes Labs:

• Indiana sues TikTok, describes it as “Chinese Trojan Horse”
• Iranian hacking group uses compromised email accounts to distribute MSP remote access tool
• Electronic Sales Suppression Tools are cooking the books
• Silence is golden partner for Truebot and Cl0p ransomware
• iPhone user watches as stolen phone travels from UK to China
• Play ransomware attacks city of Antwerp
• Introducing Quarantine for Cloud Storage Scanning in Nebula
• Update now! Two zero-days fixed in 2022’s last patch Tuesday
• Is an outsourced SOC worth it? Looking at the ROI of MDR
• Uber data stolen via third-party vendor
• Is Apple about to embrace third-party app stores?
• Update now! Apple patches active exploit vulnerability for iPhones
• Worldwide law enforcement action takes down major DDoS booter services
• Virtual kidnapping scam strikes again. Spot the signs
• InfraGard infiltrated by cybercriminal

Stay safe!