IT NEWS

Microsoft has warned that “multiple adversaries and nation-state actors” are making use of the recent Atlassian Confluence RCE vulnerability. A fix is now available for CVE-2022-26134. It is essential users of Confluence address the patching issue immediately.

Confluence vulnerability: Background

At the start of June, researchers discovered a vulnerability in Atlassian Confluence via an incident response investigation. Confluence, a Wiki-style collaboration tool, experienced a “critical unauthenticated remote code execution vulnerability”. It affected Confluence server and Confluence Data Center.

The attack discovered during the investigation revealed web shells deployed on the server. These web shells allow for Persistent access on compromised web applications. The web server process and its child processes ran as root and full privileges. This is very bad news, and allowed for execution of commands even without valid credentials.

Worse, the web shell found is one commonly used by various Advanced Persistent Threat (APT) groups. This almost certainly isn’t the kind of thing admins discovering an attack want to hear mid-investigation.

Unfortunately, mitigation advice was somewhat limited. It veered between restricting access to just turning off Confluence Server and Data Center instances. On June 3, Atlassian released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 which contained a fix for this vulnerability.

The current situation

Here’s the latest observations from Microsoft:

Microsoft continues:

In many cases impacted devices have been observed with multiple disparate instances of malicious activity, including extensive device and domain discovery, and the deployment of payloads like Cobalt Strike, web shells, botnets like Mirai and Kinsing, coin miners, and ransomware.

A mixed bag of attacks

Industrious malware authors really have been having a grand time of things with this vulnerability. As noted by Microsoft, several varied approaches to compromise and exploitation are being used. AvosLocker Ransomware and Linux botnets are getting in on the action. Cryptomining jumping on the bandwagon is an inevitability across most scams we see, and this is no exception.

Microsoft also noticed the Confluence vulnerability being exploited to download and deploy Cerber2021 ransomware. The Record observed that Cerber2021 is a “relatively minor player”, with both Windows and Linux versions used to lock up machines. Here’s an example of the ransomware, via MalwareHunterTeam:

Having the fixes to address this issue is great, but organisations need to actually make use of them. This is still a serious problem for anyone using unpatched versions of affected Confluence installations.

If you don’t want to run the gauntlet of APT groups, cryptomining chancers, botnets and more, the message is loud and clear: get on over to the Confluence Download Archives and patch immediately.

The post “Multiple adversaries” exploiting Confluence vulnerability, warns Microsoft appeared first on Malwarebytes Labs.

What would you do if a friend of yours set up a NSFW account, and then used it to follow you on Instagram? Would you check it out?

We recently learned of a group of friends who had to ask themselves exactly that. Fortunately, they realised that something was off. The account wasn’t the real owner’s, it just used her identity and left her with a mess to clean up.

We learned about the scam from Malwarebytes’ former social media guru, Amanda, who was one of its targets. She graciously allowed us to use her screenshots in this article in the interests of teaching others about the scam.

It started with Amanda’s real Instagram account, her name, her pictures, and her followers. The scammers used them to create a simple “NSFW” Instagram account designed to look like it belonged to her, and then tried to lure her friends into visiting it by following them.

Friends who checked out the new account saw a face they recognised in a context they didn’t: An Instagram account that promised it’s “NOT SAFE FOR WORK” and “FOR YOUR EYES ONLY”. The public account had no posts, just a story with another stolen picture and a caption urging visitors to “VISIT MY PROFILE ON NAKED SITE”, where they were promised access to a limited number of slots for “exclusive content”. The profile included the URL of a Wix.com website that described itself as “my secret account”.

Scammers know that their websites are unlikely to stay up for long before being blocked, so services like Wix that make it easy to create professional-looking sites quickly, for free, are used to create “burner” websites that are here today and gone tomorrow.

The site featured another photo stolen from Amanda’s Instagram account as its profile picture, surrounded by NSFW and pornographic stock art.

Of course, this wasn’t a “secret account”, there were no “FREE LIVE SHOWS”, and there was no “private content”. In fact there was barely a site. There was just enough to lure in anybody whose curiosity had got the better of their critical thinking skills.

Click on a link (any link at all) and you’d end up at a different domain, at an unbranded “age verification” page hungry for an email, username, and password, so you could “JOIN NOW”.

If you’d found yourself here and wondered why it looks nothing like the site you started on, the clue is in the URL: The long SID parameter is likely an affiliate code. This tells the owner of this site which affiliate sent the traffic here (and who they should pay for providing it). The affiliate stole Amanda’s identity to get you here, but the owners of this site may not know about that, and may not care.

Eagle-eyed readers will also have noticed that an email, username, and password don’t say anything about how old you are, and this rabbit hole didn’t end here.

What the scammers really wanted, all they ever wanted, was your credit card number. Underneath the bold “Free Verification” banner, the small print reveals what this is really all about—tricking people into joining expensive subscription services.

Your access to Nightly Encounter includes a 2 day free trial promo to Locating Someone Special Nearby. If you choose to remain a member of Locating Someone Special Nearby beyond the trial period, your membership will renew at thirty nine ninety nine.

Fortunately for us, a fake credit card was enough to get us through the door and explore a bit further without rewarding the scammers.

If you’d got this far, the scammers would have known a number of very important pieces of information about you. Your ID and credit card details, obviously, but also something else that’s valuable too—that you are willing to hand those things over.

And if they got you to do it once, why not try to do it again?

Handing over your credit card wouldn’t get you to the long-ago promised NSFW content starring your friend, or even Nightly Encounter or Locating Someone Special Nearby, whatever they are.

Instead, you’d find yourself on a different site, entering yet another username, password and email into a different “Secure Billing Platform” so another affiliate gets paid for serving you up on a platter.

Your reward? Another request for your credit card details, for another subscription you didn’t need.

At this point (and to no small relief) our fake credit card details lost their magical powers of persuasion and would couldn’t go any further.

It’s not unusual for victims to double down as doubts start to creep in, and the scammers are ready to squeeze every last penny, and every last vestige of hope, from their victims.

If you are the victim of an ID theft like this, report the scam accounts and sites to the platforms operating them. The Instagram account used in this scam is gone and, to its huge credit, Wix removed the scam site within literal seconds of being alerted to it.

If photos you own are used without your permission then the scammer has violated your copyright. You can take action by filling in a DMCA takedown form.

Unfortunately we can’t offer you much for the shock and alarm of finding your public persona twisted by scammers in search of a few affiliate dollars, but you have our sympathy.

The post Instagram scam steals your selfies to trick your friends appeared first on Malwarebytes Labs.

The FBI (Federal Bureau of Investigation), together with CISA (Cybersecurity and Infrastructure Security Agency) and other federal agencies, recently released a joint cybersecurity advisory (CSA) about the Karakurt data extortion group (also known as Karakurt Team and Karakurt Lair).

Like RansomHouse, Karakurt doesn’t bother encrypting data. Instead, it just steals the data and demands a ransom. If the victim organization refuses to pay up, the stolen data is auctioned off or leaked to the public for anyone to scrape and misuse for personal gain.

One may wonder why federal agencies decided to focus on Karakurt when it is a relatively obscure group. It has no prolific attacks attributed to it and doesn’t appear to have a high number of attacks under its belt.

According to Bleeping Computer, Karakurt is said to be the “data extortion arm” of the Conti ransomware syndicate. Further evidence from two blockchain traffic firms, Chainalysis and Tetra Defense, can back this up. In a report last month, they assessed “with a high degree of confidence” that Karakurt is “operationally linked to both Conti and Diavol ransomware groups”.

Karakurt extortion group

The Karakurt group got its name from a type of black widow spider. Researchers have pointed out that the group liken its extortion tactics to a karakurt spider’s bite.

Karakurts poison is very toxic and dangerous. Don't waste your time.
What would you do? Of course you will have to take an antidote.
In your situation it means that you still have a chance to survive. But it will cost as double.
All you need is to accept our terms and conditions without any sort of bargain.

The NCC Group’s Cyber Incident Response Team (CIRT) spotlighted Karakurt activities in February 2022. However, Karakurt, known initially as the Karakurt Hacking Team (KHT), has been around since June 2021. This also marked the creation of domains and accounts associated with the group, namely its dump sites and, later on, its Twitter account in August 2021.

Per a report from Accenture Security, Karakurt wasn’t actively extorting until September 2021. After two months, the extortion group had already bagged 40 organizations across multiple industries. However, experts from Digital Shadows seem to dispute this number, claiming that the victim number is more than 80.

Regarding victimization, it’s clear that Karakurt isn’t picky with what to target. Regarding target locations, the extortion group prefers small organizations based in the US, the UK, Canada, and Germany.

The extortion group targets organizations using single-factor Fortigate VPN (Virtual Private Network) servers using legitimate Active Directory credentials. It is unknown how the group obtains these credentials; however, it’s no surprise that they get administrative access and privileges on compromised servers.

From there, Karakurt can use the various tools it has at its disposal. Depending on the goals, the group can do a “living off the land” approach in its tactics, toolset, and intrusion techniques. It can also use common post-exploit tools like Cobalt Strike, AnyDesk, and Mimikatz.

Once Karakurt has the data it wants to exfiltrate, it uses 7zip and WinZip to compress the files before sending them to Mega.io via FileZilla or Rclone.

Karakurt demands a ransom ranging from $25,000 to $13M in Bitcoin. The payment deadline is typically seven days after the victim contacts the extortion group.

Splintering into cells

Ransomware groups have been undergoing a new phase for a few months now. If they’re not splitting into smaller groups (“cells”) to join other criminal groups, they are rotating their use of malware to avoid the growing US sanctions and pressure from law enforcement.

Since the US officially sanctioned Evil Corp, the Russian group behind the Dridex banking Trojan, things started changing, both on the side of ransomware victims and affiliates that use ransomware. Victims began refusing to pay to comply with sanctions, and these groups started rotating the use of ransomware variants in their campaigns to avoid getting associated with a sanctioned group.

With Conti “gone,” a splintering also happened within the syndicate. Researchers from Advanced Intel have data showing members of the former ransomware syndicate dispersing from the core group to join smaller ransomware groups.

Conti is not affiliated with Evil Corp, but both groups are in a similar bind that affects their profit margins but not enough to make them completely give up a criminal life. Unfortunately, members and affiliates gain from splintering and distancing themselves from these groups.

In an interview with the Wall Street Journal, Kimberly Goody, Mandiant’s director of cybercrime analysis, said that these changes obscured Evil Corp hackers’ identities “at the point of attack, throwing off investigators and sanction-compliant victim companies”. The same can be said about former actors associated with the Conti syndicate.

Keep Karakurt away from your network and data

We advise organizations to prioritize mitigating steps to keep extortion groups like Karakurt from successfully infiltrating your network. Here are some ways to do that.

• Implement multi-factor authentication (MFA) in every business access point, including single-factor VPN access
• Ensure that all domain control servers are kept updated with the latest patches
• Disable unused ports
• Install an efficient and effective endpoint security solution that focuses on a layered approach to protecting systems and business assets
• Create and implement a recovery plan (if your business doesn’t have one already), including how to maintain and retain backups
• Segment your network to keep bad guys from reaching destinations that house your organization’s most sensitive and proprietary data
• Audit high-privileged accounts regularly

The federal agencies have more mitigation points in the advisory, which you can find here.

Stay safe!

The post Karakurt extortion group: Threat profile appeared first on Malwarebytes Labs.

Researchers at MIT’s Computer Science & Artificial Intelligence Lab (CSAIL) found an attack surface in a hardware-level security mechanism utilized in Apple M1 chips. The flaw is unpatchable, but attackers would need to chain it with other vulnerabilities to make use of the attack method.

The hardware attack can bypass Pointer Authentication (PAC) on the Apple M1 CPU. The researchers gave a brief description on a dedicated site and will present full details on June 18, 2022 at the International Symposium on Computer Architecture.

The M1 chip

Until the recently announced M2, the M1 chip was the most powerful chip that Apple had created. The Apple M1 series of ARM-based system-on-a-chip (SoC) works as a central processing unit (CPU) and graphics processing unit (GPU) for Apple’s Macintosh desktops and notebooks, as well as the iPad Pro and iPad Air tablets.

Macs and PCs normally incorporate several chips for their Central Processing Unit (CPU), Input/Output (I/O), and security. The M1 was the first SoC for Macs that combined these technologies, which led to better integration and improved performance and power usage.

Security

The researchers have dubbed it PACMAN, a vulnerability in what they call the last line of security for the M1 chip. The flaw could theoretically give threat actors a door to gain full access to the core operating system kernel.

Both the researchers and Apple stated there is no cause for immediate alarm, since the system under attack needs to have an existing memory corruption bug to exploit the vulnerability.

PAC

The PAC in PACMAN is short for pointer authentication codes. The PAC is a cryptographic signature that confirms that an app wasn’t maliciously altered. With pointer authentication enabled, bugs that could normally compromise a system or leak private information are stopped dead in their tracks.

This feature makes it much harder for an attacker to inject malicious code into a device’s memory and provides a level of defense against buffer overflow exploits. A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region.

The researchers found a vulnerability which allows PACMAN to find out the PAC. To understand how they pulled this off we need to understand speculative execution. The computer processor guesses several directions a computation may go in by using a technique called speculative execution. To use an analogy, they do this to have the answers ready for several following questions.

How it fails

The idea behind pointer authentication is that if all else has failed, you still can rely on it to prevent attackers from gaining control of your system. But the researchers found that the number of possible PACs has its limits and by using speculative execution they could use a trial and error method without causing any crashes. This allowed them to brute-force the PAC value without triggering any alams.

Another advantage that speculative execution provides an attacker with is that there is no known way of finding out whether your system is or has been the victim of such an attack.   

More targets

The PACMAN attack combines a software attack with a hardware attack to exploit a flaw in a security feature. The researchers expressed that they expect to see more attacks of this type in the future. This particular attack, while it was only tested against the M1 chip, is expected to work in a similar way on every architecture that uses PAC.

Apple has implemented pointer authentication on all of its custom ARM-based silicon so far, including the M1, M1 Pro and M1 Max, and a number of other chip manufacturers, including Qualcomm and Samsung, have either announced or expect to ship new processors supporting the PAC security feature.

Mitigation

Current users of M1 based systems don’t need to take immediate action at this point.

Apple thanked the researchers for their work and for sharing their findings. Apple gave the following comment:

“Based on our analysis as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass operating system security protections on its own.”

Since the PACMAN attack only works when chained with an existing bug and exploits the hardware architecture there is not much a user can do but be vigilant. Since the hardware mechanisms used by PACMAN cannot be patched with software features, memory corruption bugs can be, so those are the ones to look out for.

The post Don’t panic! “Unpatchable” Mac vulnerability discovered appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs:

• FBI warns of scammers soliciting donations for Ukraine
• Microsoft autopatch is here…but can you use it?
• Prometheus ransomware’s flaws inspired researchers to try to build a near-universal decryption tool
• Rotten apples banned from App store
• Hackers can take over accounts you haven’t even created yet
• Ransomware Task Force priorities see progress in first year
• Coffee app in hot water for constant tracking of user location
• SSNDOB stolen data marketplace shut down by global law enforcement operation
• 5 Linux malware families SMBs should protect themselves against
• Awful 4chan chat bot spouts racial slurs and antisemitic abuse
• MakeMoney malvertising campaign adds fake update template
• Apple’s passkeys attempt to solve the password problem
• Update now! Patch against vulnerabilities in Meeting Owl Pro and Whiteboard Owl devices
• BlackBasta is the latest ransomware to target ESXi virtual machines on Linux
• Facebook users targeted in massive phishing campaign
• ASyncRat surpasses Dridex, TrickBot and Emotet to become dominant email threat
• Cloud data breaches: 4 biggest threats to cloud storage security
• WhatsApp spam offers up “B&Q Father’s Day Contest 2022”

Stay safe!

The post A week in security (June 6 – June 12) appeared first on Malwarebytes Labs.

Dutch research group DIVD has identified multiple vulnerabilities in ITarian products. In cooperation with DIVD, ITarian has made patches available to deal with these vulnerabilities for its SaaS platform.

Software as a service (SaaS) is a software distribution model in which a cloud provider hosts applications and makes them available to end users over the internet.

ITarian

ITarian is a remote access and IT management solution, which helps organizations connect and communicate with their clients and employees. It’s typically the sort of tool that Managed Service Providers (MSPs) use to remotely manage their clients.

DIVD

The Dutch Institute for Vulnerability Disclosure (DIVD) reports vulnerabilities it finds in digital systems to the people who can fix them. It has a global reach, and tries to resolve the vulnerabilities by collaborating with the affected parties. Its services are free and most of the staff work in their free time.

You may have heard about DIVD in our reports about the Kaseya supply chain attack, or when Victor Gevers, chair of DIVD, appeared as a guest in our Lock and Code podcast about Kaseya.

Affected products

The vulnerabilities affect the following products:

• ITarian SaaS platform (version < 3.49.0): CVE-2022-25151,  CVE-2022-25152 and a Cross-Site Scripting (XSS) vulnerability in the helpdesk function.
• ITarian on-premise (version 6.35.37347.20040): CVE-2022-25151 and CVE-2022-25152.
• Endpoint Manager Communication Client (version < 7.0.42012.22030): CVE-2022-25153

The vulnerabilities

CVE-2022-25151: Within the Service Desk module of the ITarian platform (both SaaS and on-premise), a remote attacker can obtain sensitive information, caused by the failure to set the HTTP Only flag. A remote attacker could exploit this vulnerability to gain access to the management interface by using this vulnerability in combination with a successful XSS attack on a user.

CVE-2022-25152: The ITarian platform (both SaaS and on-premise) offers the possibility to run code on agents via a function called procedures. It is possible to require a mandatory approval process. Due to a vulnerability in the approval process, present in any version prior to 6.35.37347.20040, a malicious actor, with a valid session token, can create a procedure, bypass approval, and execute the procedure. This results in the ability for any user with a valid session token to perform arbitrary code execution and full system take-over on all agents.

CVE-2022-25153: The ITarian Endpoint Manage Communication Client, prior to version 6.43.41148.21120, is compiled using insecure OpenSSL settings. Due to this setting, a malicious actor with low privileges access to a system can escalate his privileges to SYSTEM abusing an insecure openssl.conf lookup.

OpenSSL is an open source implementation of the SSL/TLS protocol. Applications use this library to secure communications over computer networks against eavesdropping, or to identify the party at the other end.

Cooperation and responsible disclosure

The consequences of these vulnerabilities could have been severe. By chaining the XSS in the helpdesk function with CVE-2022-25152, an attacker would theoretically be able to create a service desk ticket that, when viewed by a user with a valid session token, would execute a workflow on all clients with superuser privileges.

It took a bit of back and forth, but once the DIVD researchers and ITarian’s software engineering team connected directly, a solution for the issues quickly came about. On 18 Feb 2022, the vulnerability in the Endpoint Manager Communications Client was resolved. The other vulnerabilities saw a solution come to live on May 19, 2022.

Planning for the full disclosure by DIVD indicates a date of July 1, 2022. The waiting time before full disclosure is to give users enough time to take appropriate measures.

Mitigation

Version v3.49.0 includes patches for the vulnerabilities in the SaaS service. ITarian controls the upgrade to this version, so it requires no user action.

It is important to note that CVE-2022-25151 and CVE-2022-25152 are still present in the on-premise version of the ITarian platform. Even though ITarian still offers the software for download, this version of the software was discontinued over 2 years ago and ITarian has informed DIVD that it will not be updated. Given the severity (9.9 out of 10) of the vulnerability listed as CVE-2022-25152, users of the on-premise version should look for alternative solutions since this solution has reached end-of-life (EOL).

The post Serious vulnerabilities found in ITarian software, patches available for SaaS products appeared first on Malwarebytes Labs.

Users of Chrome have been advised to apply updates as soon as possible related to seven security vulnerabilities. CISA has also warned that the vulnerabilities could be used to take control of affected systems. Although no detailed explanation of how these vulnerabilities work has been released, there is enough out there to encourage users to apply the patches.

Chrome 102.0.5005.115 is due to roll out over the coming days/weeks. This is for all users regardless of whether they use Windows, Linux, or Mac.

The vulnerabilities

Four of the seven issues have been rated as high risk.

CVE-2022-2007: Use after free in WebGPU. This can allow manipulation of the memory layer of the browser, with the possibility of remote code execution as per an older example.

CVE-2022-2008: Out of bounds memory access in WebGL.

CVE-2022-2010: Out of bounds read in compositing. According to reports, the attack may be initiated remotely and no form of authentication is required for exploitation, but some form of user interaction is required.

CVE-2022-2011: Use after free in ANGLE. Almost Native Graphics Layer Engine (ANGLE) is an “open source, cross-platform graphics engine abstraction layer” which was developed by Google.

Next steps

More details likely won’t be forthcoming for a while yet, so it’s crucial to apply updates as soon as possible.

In Chrome, click the More icon, then Help -> About Google Chrome. From here, you’ll be able to see your current update status and apply the update as required.

This should be all you need to do to keep the above security vulnerabilities at bay.

The post Update Chrome now: Four high risk vulnerabilities found appeared first on Malwarebytes Labs.

Tech support scams follow a simple business model that has not changed much over the years. After all, why change a recipe that continues to yield large profits.

We see countless such campaigns and block them indiscriminately to protect our customers from being defrauded by a fraudulent tech support agent over the phone. Every now and again, our attention is caught by one that is larger in volume due to upstream traffic.

Their modus operandi is as classic as it comes: To target users to adult sites and redirect them to fake warning pages via malicious ads. The threat actors behind this malvertising business appear to have been quite successful at following the same pattern over and over.

In this blog, we break down what we call the IP2Scam tech support scheme, by going back in time to track previously used infrastructure. We highlight that these fraudsters have been active for quite some time and how we found a way to track them more closely and identify their next move.

Why bother with domain name registration?

This tech support scam campaign has been seen by many people (victims and scambaiters alike) and can be recognized by its URL scheme because it always consists of an IP address, instead of a registered domain name.

http://155.138.141[.]187/systemerror-win-chx/?phone=.&

Everything is a commodity when it comes to malicious infrastructure and scammers know quite well that their domain names will be blacklisted pretty quickly. In this case, they simply buy a new virtual server and rotate ad infinitum.

There is nothing particular about this fake notification also known as a ‘browlock’, for browser locker. It is customized based on the browser’s user agent to display a slightly different template for Windows, Mac and the choice of Chrome or Firefox.

Browlocks IP space

We took about 10 months’ worth of telemetry and sorted all the servers’ IP addresses associated with this scam. This gave us a better idea of where the scammers like to host their infrastructure. We have shared our data with both Digital Ocean and The Constant Company (Choopa) and thank them for their help in this effort.

New servers come up as needed and are pushed dynamically via ongoing malvertising campaigns.

Malvertising flow

As with many other malvertising campaigns, the scammers prey on visitors to adult websites and perform a very simple cloaking technique to hijack traffic and redirect it to their browser locker.

The cloaking part consists of a decoy website named after a known brand whose purpose is to filter traffic and redirect if the user matches a certain set of criteria. For example we see bongaecams[.]xyz impersonating BongaCash and being used to redirect to the browlock

Other impersonated brands include Tom’s Guide and the New York Post. When a potential mark is identified, they are redirected to the browlock, otherwise they simply see some other content.

Those cloaking sites tend to remain active for longer periods of time probably because they aren’t malicious in and of themselves. One way to track this campaign is to follow these domains and simply attempt to get the redirect to the browlock IP du jour. We also identified another mechanism (that we won’t share publicly as to not give it away) that can programmatically retrieve new browlock server IP addresses as they come.

Reporting and take down

Tech support scammers are well aware that a number of people are after them and yet they often feel safely out of reach.

While not as good as actual arrests by local police, we hope to make it as difficult as possible for them to bring up new servers and defraud victims by disrupting their lead generation flows.

We would like to thank DigitalOcean and the Constant Company for their help.

Indicators of Compromise

Cloaking domains

Browlock IPs by ASN and timestamp

DigitalOcean
Choopa

The post Taking down the IP2Scam tech support campaign appeared first on Malwarebytes Labs.

Father’s Day in the UK (June 19) is almost upon us, and scammers are taking advantage of it—and the fractional possibility of some nice weather—using a barbeque-themed lure.

A mysterious WhatsApp message

The barbeque bait arrives out of the blue, from a somebody who has your number, as a random message bringing word of a supposed “B&Q Father’s Day Contest” with what looks like a very nice barbeque set up for grabs. What could go wrong? (B&Q is a British multinational DIY / home improvement company and exactly the kind of place someone in the UK might buy a nice barbeque set from.)

The message is plausible, and the only clue that something is amiss, other than it being unsolicited, is the Russian .ru domain name.

Regular readers would know to steer clear of this missive, perhaps even ask the sender via other means if they meant to send the message. The problem with this one is that they probably did intend to send it (you’ll see why later).

If your name’s not down, you’re not coming in

The linked site really does not like you visiting from anything other than a mobile browser. Try to access from a desktop, and you’ll be told “Access Denied”. Firing up VPNs or Tor Browser, designed to help keep your online activities anonymous, seem to have a similar end result. All they want you to do is click the original link from your mobile.

As it happens, there is a reason for this. It wouldn’t be cost-effective for promotions to allow non-mobile visitors onto a mobile themed offering. This is because said mobile offerings want to take advantage of something your desktop won’t have. It could be a feature specific to Android or iPhone, or perhaps they have a certain app in their sights.

Click the link on your mobile from the correct geographic region and you’ll make it to the landing page. If not, you’ll probably be turned away.

The Father’s Day Contest landing page

Visitors are greeted by what appears to be a B&Q-themed page.

The site says

Welcome to the B&Q Father’s Day Contest!

Take the quiz, find the hidden prize and win the new Weber gas barbeque

The Weber is a fancy bit of kit, retailing for around $1,200. Small wonder that people would be happy to take the quiz. The quiz itself is a collection of 4 questions including:

• Do you know of B&Q?
• How old are you?
• How would you rate B&Q?

With these out of the way, it’s competition time.

Best out of 3?

Visitors are presented with 9 gift boxes, and have 3 chances to select the correct one.

Sadly I failed on my first box opening, but hit the barbeque-shaped jackpot on my second attempt. Do I get my barbeque set? Not yet:

First, the scammers tell you to “share with 5 groups / 20 friends on WhatsApp” to claim your gift, with the offer only being valid for 500 seconds. This is why you get the message from a friend, and this is how it spreads.

Try as I might, the site wouldn’t let me progress past this stage. If you refresh the page, the number of gifts resets to the original amount of 250 and then stops at a low number. Just enough to make you think there’s a few left. Does anybody really think they’re giving away around $300,000 of barbeque equipment every few minutes?

There’s also multiple Facebook-style comments at the bottom of the page, complete with inactive Like and Reply options underneath each one of the other supposed winners.

Based on how these things usually go, you probably have to hand over personal information to an advertiser. There’s no FAQ, EULA, competition rules, or privacy policy on the landing page; merely a copyright notice at the bottom listed as “Advertorial”.

As tempting an offer as this sounds, we’d advise anyone looking for a gift this Father’s Day to keep shopping around.

The post WhatsApp spam offers up “B&Q Father’s Day Contest 2022” appeared first on Malwarebytes Labs.

Facebook is once again the launchpad for a large-scale phishing campaign, according to researchers at PIXM. The campaign, which first shows signs of life back in September 2021, has generated millions of page views and ad referral revenue “estimated to be millions of USD at this scale of operation”.

Credential harvesting on a grand scale

Researchers claim the threat actors stole one million credentials in four months to help achieve the above potential level of revenue. Aspects of the phish campaign are fairly typical of what you can expect to see from a Facebook phish, and the tactics used to spread bogus links are not particularly original. What matters most of all is that it works. When basic phishing tactics pull in so many accounts and clicks, there’s no need to overcomplicate things.

One of the scam pages from 2021 attracted no fewer than 2.7 million users, with the number rising to about 8.5 million in 2022. This is a huge ramp-up of already significant numbers, and also perhaps a little surprising that the site avoided being taken down for abuse.

This is one phishing campaign that isn’t messing around.

How the phish worked

Unfortunately specifics are absent in a few areas, but it works as follows.

A Facebook user receives a notification in Messenger. This is, at its most basic, a rogue link. There’s no information around whether a message accompanies it, and if so, what it says. However, something as simple as the below messages are routinely used in Facebook scams:

• Seen this?
• Is this you in the photo?
• Guess who died?
• Check this out!

The link is shortened to help bypass any Facebook spam filters. The shortening services used are commonplace, popular and entirely legitimate. This makes it trickier for Facebook to figure out if the link is potentially good or bad.

The link takes potential victims to a variety of sites but a phishing page will be the primary destination. Once phished, the victim is sent elsewhere. It could be a promotion, a survey scam, or pretty much anything else that’s ad-centric. There’s also the mention of potential malvertising pages, on top of the threat of being phished. All these links have ad trackers and other ad-related forms of revenue generation buzzing away in the background.

Current state of play

According to PIXM, the campaign is still alive and kicking. Many of the sites involved have been taken down, and one website listed in the landing page code has been “seized” in relation to an investigation. What that investigation is, and who is doing it, isn’t clear.

What is clear, is that without dedicated resources and probable law enforcement involvement, something like this will never fully go away. It’s simply too easy to keep creating spam domains, signing up as an affiliate, and generating endless shortened URLs. The (potentially exaggerated) claims of $150 for every thousand visits from the US alone from the threat actor is all the incentive they need to keep doing it. As researchers note, this figure would result in a theoretical revenue of $59M from the end of 2021 to now.

Tips to avoid Facebook phishing

• Be wary of messages which don’t follow the natural flow of a conversation. Messages sent at unusual hours or out of the blue with a link should be treated with caution.
• If you’re presented with a “Login to view content” box, take a deep breath before going any further. If you’re already logged in, there should be no reason why you’d be asked to login again. Check the URL. Are you on Facebook.com, or an unrelated website?
• If you’re able to, ask the sender about their message away from Facebook. Their Facebook account may have be compromised, but you probably don’t have to worry about sending them a text.
• Enable 2-factor authentication (2FA). If you hand over your password to a phishing page, the phisher can’t do much with it while you’re protected with 2FA. Keep in mind that some phishing sites will also try to steal your 2FA codes.
• Add login alerts to your Facebook account. If someone does compromise your login credentials and access your account, you’ll be notified by Facebook as soon as this happens.

The post Facebook users targeted in massive phishing campaign appeared first on Malwarebytes Labs.