IT NEWS

Last week on Malwarebytes Labs:

• Dozens of Google products targeted by scammers via malicious search ads
• Microsoft patches bug that could have allowed an attacker to revert your computer back to an older, vulnerable version
• We’re making it easier for you to protect your identity
• X accused of unlawfully using personal data of 60 million+ users to train its AI
• Malwarebytes awarded Parent Tested Parent Approved Seal of Approval
• Data theft forum admins busted after flashing their cash in a life of luxury
• AI girlfriends want to know all about you. So might ChatGPT (Lock and Code S05E17)
• Google Manifest V3 and Malwarebytes Browser Guard

Last week on ThreatDown:

• Ransomware payments on track to smash $1.1 billion record
• Ransomware review: August 2024
• Malwarebytes expands protection to ARM-powered Windows devices with ThreatDown product portfolio
• Update now! August Patch Tuesday covers several zero-days
• Patch now! Microsoft Office flaw could leak NTLM hashes

Stay safe!

In a previous blog, we saw criminals distribute malware via malicious ads for Google Authenticator. This time, brazen malvertisers went as far as impersonating Google’s entire product line and redirecting victims to a fake Google home page.

Clearly not afraid of poking the bear, they even used and abused yet another Google product, Looker Studio, to lock up the browser of Windows and Mac users alike.

We describe how they were able to achieve this, relying almost exclusively on stolen or free accounts and leveraging Google’s APIs to create rotating malicious URLs for the browser lock.

All malicious activities described in this blog have been reported to Google. Malwarebytes customers were proactively protected against this attack via the Malwarebytes Browser Guard extension.

Malvertising {keyword:google)

The following image is a collage of malicious ads that all came from Google searches each consisting of two keywords: google {product}. They all tie back to the same advertiser, which we believe may be unaware that their account was compromised. In fact, we previously saw that same advertiser in two other unrelated incidents at the end of June 2024 for Brave (malware download) and Tonkeeper (phishing).

While brand impersonation is commonly done via tracking templates, in this instance the fraudsters relied on keyword insertion to do the work for them. This is particularly useful when targeting a single company and its entire portfolio. Notice how all the ads follow the same pattern with a display URL showing lookerstudio.google.com (a Google product also later abused in this scheme).

Shortly after we reported this initial wave of ads, we saw the same scammers (the final URL after clicking on the ad is also going to lookerstudio.google.com) register a new advertiser account. In this case, despite their identity not having been verified yet, their ad still showed up for a standard “google maps” search. This time, the ad’s display URL mirrors the product (maps.google.com):

Fake Google Search page via Looker Studio

Originally intended as a tool to convert data into dashboards, the scammers are misusing Looker Studio to display a dynamically generated image instead. The image is stretched across the screen to give the illusion that you are at the Google home page, ready to make a new search.

Opening Developer Tools in Chrome, we can see that the “Google search page” is indeed just one large image:

What’s interesting is how this image is used as a lure that requires some user interaction to trigger an action. Leveraging the Looker Studio API, the scammers are embedding a hidden hyperlink that will be launched as a new tab when a victims clicks on the image:

Tech support scam

The embedded linkUrl cddssddds434334[.]z13[.]web[.]core[.]windows[.]net redirects to a fake Microsoft or Apple alert page that will attempt to hijack the browser by going in full screen mode and play a recording. These fake alerts are the most common way innocent people fall victims to tech support scams. In such a situation, many people will assume there is something wrong their computer and will follow the instructions they are given on screen.

Calling the phone number for assistance will kickstart a conversation with a call center often located overseas. Fake Microsoft or Apple representatives will persuade victims to buy gift cards or log into their bank account to pay for the ‘repairs’.

The scam URL is part of web[.]core[.]windows[.]net which belongs to Microsoft Azure and is commonly abused by scammers. In this particular instance, the Looker Studio API provides a new malicious URL (rotated at regular intervals) to make any blocking via conventional means futile.

Conclusion

As we saw in this blog, malicious ads can be combined with a number of tricks to evade detection from Google and defenders in general. Dynamic keyword insertion can be abused to target a larger audience related to the same topic, which in this case was Google’s products.

Finally, it’s worth noting that in this particular scheme, all web resources used from start to finish are provided by cloud providers, often free of charge. That means more flexibility for the criminals while increasing difficulty to block.

As we were investigating this campaign, we checked that Malwarebytes customers were protected. Despite the malicious URLs being hosted on Microsoft Azure and rotating regularly, Malwarebytes Browser Guard was already blocking this attack thanks to its heuristics engine.

Indicators of Compromise

Google advertiser accounts

08141293921851408385
Dhruv
06037672575822200833

Looker Studio URLs

lookerstudio[.]google[.]com/embed/reporting/fa7aca93-cabd-47bf-bae3-cb5e299c8884/
lookerstudio[.]google[.]com/embed/reporting/42b6f86d-2a06-4b38-9f94-808a75572bb8/
lookerstudio[.]google[.]com/embed/reporting/fbd88a24-af73-4c76-94dc-5c55345e291d/

Microsoft has released a patch for a bug for a “downgrade attack” that was recently revealed by researchers at security conferences Black Hat and Def Con.

What does that mean in layman terms?

You: Let me check whether my system is fully updated

Windows: Sure, all’s well

Attacker: *Chuckles and deploys an attack against a vulnerability for which you could have been patched long ago*

With a downgrade attack, the victim may have done all they can to keep their computer and software up to date, but an attacker can force it to revert to an older, vulnerable version and then use a known bug to infect your device.

With this particular attack, the researcher built a tool called “Windows Downdate” that takes over Windows Updates to turn a completely patched Windows system into a system which is exploitable by thousands of vulnerabilities from the past.

Microsoft has now patched the two vulnerabilities in Windows (CVE-2024-38202 and CVE-2024-21302) that the researcher used to create Windows Downdate. To manually check whether you have received this update:

• Click Settings in the Start menu
• Click Windows Update
• Select Update History

You should see this entry (KB5041585 successfully installed) for Windows 11:

If you don’t see this, you can start the update by clicking the Check for updates button from the Windows Update menu, or download the relevant update from the Microsoft Update Catalog.

For Windows 10 systems the method is the same, but the KB number is KB5041580 and the update catalog can be found by following this link.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Things have changed in cybersecurity. 

Gone are the days when our only worry was downloading a virus. Now, 71% of people say having their data leaked and identity stolen is one of their biggest fears about being online. Sadly, they’re right to be concerned: Fraud losses hit $10 billion in 2023 (up 14% from 2022). 

But as the threats have evolved, so have we, and over the last year we’ve added products that protect your entire digital life. Now we’re making things even easier: We’re embedding our identity solutions into our Malwarebytes dashboard so you can manage everything in one place.  

Our all-new identity module lets you: 

• Scan for your exposed personal data for free 

• Upgrade or manage your identity theft protection (active alerts and insurance) 

Available now for Windows. More platforms on the way. 

Try it yourself: Simply open Malwarebytes, or if you don’t have our app you can download it here. 

In what may come as a surprise to nobody at all, there’s been yet another complaint about using social media data to train Artificial Intelligence (AI).

This time the complaint is against X (formerly Twitter) and Grok, the conversational AI chatbot developed by Elon Musk’s company xAI. Grok is a large language model (LLM) chatbot able to generate text and engage in conversations with users.

Unlike other chatbots, Grok has the ability to access information in real-time through X and to respond to some types of questions that would typically face rejection by other AI systems. Grok is available for X users that have a Premium or Premium+ subscription.

According to European privacy group NYOB (None Of Your Business):

“X began unlawfully using the personal data of more than 60 million users in the EU/EEA to train its AI technologies (like “Grok”) without their consent.”

NOYB decided to follow up on High Court proceedings launched by the Irish Data Protection Commission (DPC) against Twitter International Unlimited Company over concerns about the processing of the personal data of European users of the X platform, as it said it it was unsatisfied with the outcome of those proceedings.

Dublin-based Twitter International Unlimited Company is the data controller in the EU with respect to all personal data on X.

The DPC claimed that by its use of Grok, Twitter International is not complying with its obligations under the GDPR, the EU regulation that sets guidelines for information privacy and data protection.

Despite the implementation of mitigation measures—after the fact–the DPC says that the data of a very significant number of X’s millions of European-based users have been and continue to be processed without the protection of these mitigation measures, which isn’t consistent with rights under GDPR.

But NOYB says the DPC is missing the mark:

“The court documents are not public, but from the oral hearing we understand that the DPC was not questioning the legality of this processing itself. It seems the DPC was concerned with so-called ‘mitigation measures’ and a lack of cooperation by Twitter. The DPC seems to take action around the edges, but shies away from the core problem.”

For this reason, NOYB has now filed GDPR complaints with data protection authorities in nine countries (Austria, Belgium, France, Greece, Ireland, Italy, Netherlands, Poland, and Spain).

All they had to do was ask

The EU’s GDPR provides an easy solution for companies that wish to use personal data for AI development and training: Just ask users for their consent in a clear way. But X just took the data without asking for permission and later created an opt-out option referred to as the mitigation measures.

It wasn’t until two months after the start of the Grok training, that users noticed X had activated a default setting for everyone that gives the company the right to use their data to train Grok. The easiest way to check if you are sharing your data is to visit https://x.com/settings/grok_settings while you are logged in to X. If there is a checkmark, you are sharing your data for the training of Grok. Remove that checkmark and it stops.

In a similar case about the use of personal data for targeted advertising, Meta argued that it has a legitimate interest that overrides users’ fundamental rights. This counts as one of the six possible legal bases to escape GDPR regulations, but the Court of Justice rejected this reasoning.

Many AI system providers have run into problems with GDPR, specifically the regulation that stipulates the “right to be forgotten,” which is something most AI systems are unable to comply with. A good reason not to ingest these data into their AI systems in the first place, I would say.

Likewise, these companies always claim that it’s impossible to answer requests to get a copy of the personal data contained in training data or the sources of such data. They also claim they have an inability to correct inaccurate personal data. All these concerns raise a lot of questions when it comes to the unlimited ingestion of personal data into AI systems.

When the EU adopted the EU Artificial Intelligence Act (“AI Act”) which aims to regulate artificial intelligence (AI) to ensure better conditions for the development and use of this innovative technology, some of these considerations played a role. Article 2(7)) for example calls for the right to privacy and protection of personal data to be guaranteed throughout the entire lifecycle of the AI system.

We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Cyrus, powered by Malwarebytes.

We’re delighted to say Malwarebytes has been awarded the Parent Tested Parent Approved Seal of Approval for product excellence. 

The Seal of Approval is given to products that have earned the trust of families, and serves as a quick and reliable indicator of quality and dependability for parents and caregivers. 

Malwarebytes Plus, our Premium Security + Privacy VPN bundle, was tested and reviewed by a group of parents, and scored high in areas of ease of installation and use, value for money, and effectiveness.  

Reviewers noted that Malwarebytes Plus not only enhanced their device security, but also provided them with peace of mind, making them feel more confident about their family’s online safety. 

100% of the reviewers said they found it “very easy” to set up Malwarebytes on their device, with 94% saying they would continue using Malwarebytes after the testing period. 

They also praised the user friendliness of the program:

“Malwarebytes Plus is hands down the best antivirus system on the market. You don’t have to be a rocket scientist to run it – it does all the work for you!” 

94% said Malwarebytes was “very easy” to use for protecting their privacy online. One reviewer highlighted the peace of mind it offers: “I think every parent would feel safe about their children’s computer use after installing this software.” 

Sharon Vinderine, Founder and CEO of Parent Tested Parent Approved said:

“The Parent Tested Parent Approved Seal of Approval is much more than an award; it’s the at-a-glance symbol of trust and reliability for millions of families.” 

Protect your—and your family’s—devices by using Malwarebytes.

Two men without a clear source of income landed cyberfraud charges after being so flash with their ill-gotten cash that it gained the attention of the authorities.

In 2022, Russian national Pavel Kublitskii and Kazakhstan national Alexandr Khodyrev arrived in Florida and requested asylum, which was granted by the Department of Homeland Security (DHS).  Both provided DHS with the same residence address in Hollywood, Florida.

However, their lavish lifestyle was unusual. For example, Kublitskii opened a Bank of America account with a cash deposit of $50,000 and rented a luxury house, while Khodyrev purchased a 2023 Corvette with approximately $110,000 cash. All while appearing to not have a job.

The investigation indicated that the two men were involved in the activities of the dark web platform WWH Club and related forums Skynetzone, Opencard, and Center-Club.

WWH Club and the other forums are Dark Web marketplaces where cybercriminals buy, sell, and trade login credentials, personal identifying information (PII), malware, fake identification documents, and financial credentials. The forums even provide training for aspiring cybercriminals.

The FBI was able to determine the IP addresses of the WWH Club site’s administrators after obtaining a search warrant for the US-based Cloud company Digital Ocean. Based on the information derived from the logs, the FBI agent concluded:

“In addition to the forum owner and creator, it appears there are several other top administrators who operate the site and receive a portion of the generated revenue. One of those top administrators operates under the usemame “Makein.” The FBI agent provides details which show there is probable cause to believe that Kublitskii and Khodyrev both serve as administrators of WWH and share the Makein username.”

Makein is also the handle of the owner and primary administrator of Skynetzone.

Part of the offered training at WWH was a scheme that recruited and taught users to purchase items with stolen credit card data. An FBI covert online employee registered for an account on WWH and paid approximately $1,000 in bitcoin to attend the WWH training.

While on the forums, the agent saw an post where a user was selling stolen PII of people and businesses in the US. Buyers could choose how many people’s PII they wished to buy and specify the particular US state of residence, gender, age, and the credit score of their desired victims. In exchange for $110, paid in Bitcoin, the WWH seller sent the undercover agent a folder containing 20 files, each of which contained the name, date of birth, Social Security Number (SSN), state of residency, address, credit score, credit report, and account information from LendingTree.com for a US citizen.

The lead FBI agent explained:

“I know, based on my training and experience, that the presence of account information from LendingTree.com suggests that this stolen PII derived from a February 2022 breach of LendingTree that compromised the data of over 200,000 customers.”

The FBI researched domain registrations, exchanged messages, Bitpay transactions, blockchain analysis, and other digital evidence and came to the conclusion that the suspects shared the Makein account and were responsible for the cybercrimes committed by that persona.

Agents obtained records from Google which revealed that messages from and to their accounts often contained stolen PII and credit card information and which tied the account to the suspects.

With probable cause provided, the FBI agent requested the court to authorize the requested criminal complaint charging the suspects with conspiracy for trafficking in unauthorized access devices and possession of 15 or more unauthorized access devices.

Kublitski has been placed under arrest. It is not clear if Khodyrev was arrested as well. The WWH forums are running as usual and the current administrators acknowledge that the suspects were involved, but only as moderators.

Check your digital footprint

If you want to find out how much of your data has been exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

This week on the Lock and Code podcast…

Somewhere out there is a romantic AI chatbot that wants to know everything about you. But in a revealing overlap, other AI tools—which are developed and popularized by far larger companies in technology—could crave the very same thing.

For AI tools of any type, our data is key.

In the nearly two years since OpenAI unveiled ChatGPT to the public, the biggest names in technology have raced to compete. Meta announced Llama. Google revealed Gemini. And Microsoft debuted Copilot.

All these AI features function in similar ways: After having been trained on mountains of text, videos, images, and more, these tools answer users’ questions in immediate and contextually relevant ways. Perhaps that means taking a popular recipe and making it vegetarian friendly. Or maybe that involves developing a workout routine for someone who is recovering from a new knee injury.

Whatever the ask, the more data that an AI tool has already digested, the better it can deliver answers.

Interestingly, romantic AI chatbots operate in almost the same way, as the more information that a user gives about themselves, the more intimate and personal the AI chatbot’s responses can appear.

But where any part of our online world demands more data, questions around privacy arise.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Zoë MacDonald, content creator for Privacy Not Included at Mozilla about romantic AI tools and how users can protect their privacy from ChatGPT and other AI chatbots.

When in doubt, MacDonald said, stick to a simple rule:

“I would suggest that people don’t share their personal information with an AI chatbot.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

We wanted to update you on some changes that Google’s making, and what we’re doing in Browser Guard to keep you protected. 

Some of our customers have recently reported seeing messages that say Browser Guard may soon no longer be supported in their browser. Luckily, there’s no need for you to worry: You’ll continue to get the same Browser Guard protection and experience, we’ve just had to make some adjustments in how we build the extension. 

Today, we brought out the new version of Browser Guard which addresses Google’s changes. If you want to read more of the technical details then you can do so below, or you can head straight over to the Chrome or Edge stores now to update. 

A similar change in Firefox is coming soon and we’ll let you know when it’s ready. 

What is Google changing? 

For those not familiar with the terms, Google’s Manifest V2 and V3 are the “rules” that browser extension developers are required to follow if they want their extensions to get accepted into the Chrome Web Extension Store.  

Google says Manifest V3 was brought in to improve the security, privacy, performance, and trustworthiness of the extension ecosystem, while still protecting existing functionality. 

The phasing out of Manifest V2 began at the end of May, and the Chrome Web Store no longer accepts Manifest V2 extensions, although browsers can still use them for the time being. 

How does Manifest V3 affect Browser Guard? 

One of the new changes that impacts Browser Guard and many other ad (and malicious content) blockers is that extensions will be limited in the number of rules they can include. That’s a problem because ad blockers historically rely on a large number of rules. 

Cybercriminals have the habit of setting up new domains by the dozen, and, generally speaking, each blocked domain or subdomain requires one rule. So if ad blockers want to keep up, they too have to continuously create new rules. 

Google has made some compromises after objections were raised when the company first announced Manifest V3, but there are still limitations which have an effect. 

How Malwarebytes has dealt with this 

The new limitations of Manifest V3 meant we had to develop a different way to block content for our users that use Chromium based browsers like Google Chrome and Microsoft Edge.  

The new Browser Guard uses a mix of static and dynamic rules to protect our users. 

Static rules are rules that are contained in the ruleset files which can be seen as block lists. These files are shipped with each version release. 

Dynamic rules are rules that can be added and removed at runtime. Chrome allows up to 30,000 dynamic rules. Browser Guard uses dynamic rules for two purposes: 

• Session rules are dynamic rules that can be added and removed at runtime, but they are session-scoped and are cleared when the browser shuts down and when a new version of the browser is installed. 

• Dynamic rules can be used to store allow lists, user blocked content, and general rules that block more than one domain. Take, for example, the IP address of a server that is known to host nothing but phishing sites. 

To deal with urgent situations we can use ruleset overrides, which are a mechanism by which we can override the static rules shipped with Browser Guard without requiring our users to add exclusions. 

Your version of Browser Guard will be automatically updated to the latest version, but if you want to get it now you can do so for Chrome or Edge. 

Thanks for continuing to choose Malwarebytes to protect you. 

Last week on Malwarebytes Labs:

• Security company ADT announces security breach of customer data
• Stolen data from scraping service National Public Data leaked online
• Android vulnerability used in targeted attacks patched by Google
• Men report more pressure and threats to share location and accounts with partners, research shows
• Magniber ransomware targets home users

Last week on ThreatDown:

• Ransomware group disguises SharpRhino trojan as Angry IP Scanner
• Don’t touch TP! How ransomware gangs are unplugging your EDR
• What is a path traversal vulnerability?

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.