Malwarebytes Browser Guard introduces three new features

Malwarebytes Browser Guard is our free browser extension for Chrome, Edge, Firefox, and Safari that blocks unwanted and unsafe content, giving users a safer and faster browsing experience. It’s the world’s first browser extension to do this while also identifying and stopping tech support scams. 

A common misconception is that Browser Guard is unnecessary for people who already have Malwarebytes Premium or a firewall. Because Browser Guard runs as a browser extension, however, it can protect the browser in ways that other security tools, which have no access to the browser's internals, cannot.

new Browser Guard dashboard

This is also true the other way around: It can only protect the browsers that have it installed as an extension. It can’t protect other parts of the system or other applications. So while there is an overlap, you need both to optimize protection.

New features

The Malwarebytes engineers have been hard at work to make Browser Guard even better, and we can now announce three new features for Premium users:

  • Content Control: With this, you can dial up your control of your browsing experience and define what’s appropriate for you. Fully customize the content you want to block while you – or your kids – are browsing.
  • Import and Export: Use your preferences and customized rules with all your browsers, even on other devices. This helps you to experience a consistent and clean web experience. Watch this video to see how to transfer Malwarebytes Browser Guard settings to another browser.
  • Historical Detection Statistics: View past detections and see what we’ve protected you from.  

 screenshot of the new statistics feature

Please note that these new features are only available for Windows systems.

MOVEit Transfer fixes three new vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has warned about three new vulnerabilities in Progress Software’s MOVEit software. A cybercriminal could exploit some of these vulnerabilities to obtain sensitive information.

In the advisory, CISA encouraged users to review Progress’ MOVEit Transfer article and apply the updates.

The MOVEit file transfer software has been making headlines over the last two months. Earlier vulnerabilities in the software have been used by the Cl0p ransomware gang to claim hundreds of victims, and new victim names are published on the Cl0p leak site every single day.

Since the alarm was first raised, the software has been under scrutiny and more vulnerabilities have since been found. This, unfortunately, is not unexpected, and no doubt many software packages would reveal vulnerabilities with so many researchers looking at them.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in this update are:

CVE-2023-36934 (Critical): In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content.

CVE-2023-36932 (High severity): In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content.

CVE-2023-36933 (High severity): In Progress MOVEit Transfer before 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), it is possible for an attacker to invoke a method that results in an unhandled exception. Triggering this workflow can cause the MOVEit Transfer application to terminate unexpectedly.

Before applying the fix, make sure you are running MOVEit Transfer 2020.1.6 (12.1.6) or a later version of 2020.1 (12.1), and follow the instructions in the MOVEit article.
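The three CVE descriptions above list a different fixed build for each supported MOVEit Transfer branch, and the 2020.1 branch has an extra prerequisite. The following Python script, added here as an example and not code from Progress or Malwarebytes, turns those version lists into a check an administrator can run against the build reported by an installation. It accepts both the release-name form (2022.1.6) and the internal form (14.1.6); the release-to-internal mapping and fixed builds are taken from the advisory text above, and the `assess()` output shape is this example's own.

```python
import re

# Release name -> internal version for the six MOVEit Transfer branches named
# in the CVE descriptions (e.g. 2022.1 is 14.1).
RELEASE_TO_INTERNAL = {
    "2020.1": (12, 1), "2021.0": (13, 0), "2021.1": (13, 1),
    "2022.0": (14, 0), "2022.1": (14, 1), "2023.0": (15, 0),
}

# Per branch: first fixed build and the CVEs it addresses. CVE-2023-36933 is not
# listed for the 2020.1 (12.1) branch in the advisory text, so it is omitted there.
SQLI_CVES = ("CVE-2023-36934", "CVE-2023-36932")
ALL_CVES = SQLI_CVES + ("CVE-2023-36933",)
FIXED_BUILDS = {
    (12, 1): ((12, 1, 11), SQLI_CVES),
    (13, 0): ((13, 0, 9), ALL_CVES),
    (13, 1): ((13, 1, 7), ALL_CVES),
    (14, 0): ((14, 0, 7), ALL_CVES),
    (14, 1): ((14, 1, 8), ALL_CVES),
    (15, 0): ((15, 0, 4), ALL_CVES),
}
# 2020.1 installs must already be at 12.1.6 or later before the fix can be applied.
MIN_2020_1_BUILD = (12, 1, 6)


def parse_version(text):
    """Accept '14.1.6' or '2022.1.6' and return an internal (major, minor, build) tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised MOVEit version string: {text!r}")
    major, minor, build = (int(x) for x in m.groups())
    release = f"{major}.{minor}"
    if release in RELEASE_TO_INTERNAL:          # release-name form, e.g. 2022.1.6
        major, minor = RELEASE_TO_INTERNAL[release]
    return (major, minor, build)


def assess(version_text):
    """Report which of the three CVEs a given MOVEit Transfer build is still missing."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch not in FIXED_BUILDS:
        return {"version": version, "status": "unknown-branch", "missing": []}
    fixed_build, cves = FIXED_BUILDS[branch]
    result = {"version": version, "fixed_in": fixed_build,
              "status": "patched", "missing": [], "note": ""}
    if version < fixed_build:                   # tuple comparison: build-by-build
        result["status"] = "affected"
        result["missing"] = list(cves)
        if branch == (12, 1) and version < MIN_2020_1_BUILD:
            result["note"] = "upgrade to 12.1.6 first, then apply the fix"
    return result


if __name__ == "__main__":
    for v in ("2022.1.6", "14.1.8", "2020.1.3", "2023.0.4", "11.0.0"):
        print(v, "->", assess(v))
```

Builds on a branch that is not one of the six listed are reported as `unknown-branch` rather than patched, since the advisory says nothing about them.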

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

A week in security (July 3 – 9)

Last week on Malwarebytes Labs:

Stay safe!


Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Solar monitoring systems exposed: Secure your devices

Researchers who go looking for devices exposed to the Internet report “tens of thousands” of solar photovoltaic (PV) monitoring and diagnostic systems can be found on the web. The systems are used for everything from system optimization to performance monitoring and troubleshooting.

No fewer than 134,000 products from an assortment of vendors were found to be exposed, though as Bleeping Computer notes, this does not necessarily mean they’re all vulnerable right now.

However, new vulnerabilities are discovered all the time, and anything attached to the Internet when a vulnerability is discovered represents a serious risk (and at least some of the products on display have been affected by vulnerabilities in the past). Devices left exposed online can lead to all manner of other issues too, whether that's people poking around to get an idea of how your systems work or direct tampering; it's almost never good.

While many of the currently discovered devices may not be vulnerable to a remote takeover, there may be enough information to hand to figure out some of the workings of the systems in question.

Indeed, the research highlights that around 7,000 devices belonging to one particular brand are in the list. A separate report linked by Bleeping Computer found 425 examples of said device making use of a firmware version known to be vulnerable to attack. As per said report, which cleverly makes use of a copyright string on the product’s landing page to work out which versions are vulnerable:

It turns out that less than one third of the internet-facing SolarView series systems are patched against CVE-2022-29303.

This, in addition to mention of other issues affecting this brand of device like being able to upload PHP web shells (allowing for remote access), does not make for great reading. Especially when we consider that this is just one product, while the products left exposed include:

Solar-Log, Danfoss Solar Web Server, SolarView Contec, SMA Sunny Webbox, SMA Cluster Controller, SMA Power Reducer Box, Kaco New Energy & Web, Fronius Datamanager, Saj Solar Inverter, and ABB Solar Inverter Web GUI.

Exposed devices can end up being a pretty serious issue. Even in cases where the device isn’t exposed online, things can still go awry. A few years back, Australia’s early warning network was compromised (most likely by a targeted phishing attack) and messages galore were fired out by SMS, email, and phone announcing that the service had been hacked.

Road signs and other forms of public communication are often found wanting in the security stakes. It’s such a problem that it’s not unusual to see the Department of Homeland Security issuing warnings about the need to update Emergency Warning Systems. Last August, FEMA was similarly banging the drum for the swift application of software updates.

If you’re responsible for deploying any of the above systems, it may well be beyond time to check what (if anything) is exposed online and whether or not you need to start patching.


How kids pay the price for ransomware attacks on education

Modern ransomware attacks are as much about stealing data and threatening to leak it as they are about encrypting data. Which means that when a school or hospital is attacked, it’s often students’ and patients’ data that’s leaked if the ransom demand isn’t met.

We have to wonder how greedy any person would need to be to show such a blatant disregard for how painful sharing that kind of information can be.

In our recent report on the state of ransomware in education we saw an 84% increase in known attacks on the education sector.

Known ransomware attacks against education, June 2022-May 2023

And, while ransomware attacks against education are a global phenomenon, the USA and the UK saw far higher rates of attacks than other countries.

Although the attacks were carried out by a large number of different ransomware gangs, one in particular stood out: Vice Society. The Vice Society ransomware gang specializes in attacking education, with almost half of its known activity (43%) directed against the sector—almost ten times the average for ransomware groups.

Vice Society has also been known to take their demands directly to college students (we talked about this tactic in the case of the University of Manchester).

The documents stolen from schools and dumped online by ransomware gangs can contain very private information that goes beyond what we normally see in leaked files. But apparently it’s getting harder to convince victims to pay the ransom, so the cybercriminals are trying new tactics.

What they seem to forget, or not care about, is that they are not just extorting money from institutions, but ruining young lives in the process.

An Associated Press article talked to the families of six students who had their sexual assault case files exposed by a ransomware gang. The leaking of private records like that on both the Dark Web and the open Internet could have a lasting impact on those young people long after their school has recovered from the attack.

The ransomware groups are to blame, of course, but the education sector can improve a few things to lessen the impact of a ransomware attack.

It’s prudent to assume that at some point your organisation will fall victim to a ransomware attack. That being the case, it might be better to resort to paper records for highly sensitive information, or to store it securely encrypted on a non-networked system.

Informing students and their families about what has happened and what might have been stolen also seems to be a problem. The families contacted by AP said they first learned about the leaked information from the journalist instead of from the school.

Another matter to consider is the fact that identity thieves sometimes target children because the crime can go undetected for years, often until the child applies for their first loan or credit card. Even more reason for schools to inform the families of students about stolen data.

As a Vice Society representative wrote in an email to students of a victimized school:

“Additionally all of your SSN and Medical records will be put for sale, for every hacker to gain access and use your data in whatever illegal activity they want. To us, this is a normal business day. For you, it’s a sad day where everyone will see your personal and private info.”

Which goes to show that appealing to their decency is likely to fall on deaf ears, so the best defense is protection.


Update Android now! Google patches three actively exploited zero-days

In July’s update for the Android operating system (OS), Google has patched 43 vulnerabilities, three of which are actively exploited zero-day vulnerabilities.

The security bulletin notes that there are indications that these three vulnerabilities may be under limited, targeted exploitation.

If your Android phone is at patch level 2023-07-05 or later then the issues discussed below have been fixed. The updates have been made available for Android 10, 11, 12, 12L and 13. Android partners are notified of all issues at least a month before publication; however, this doesn't always mean that patches are available for devices from all vendors.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for updates.

For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs listed as actively exploited are:

CVE-2023-26083: a memory leak vulnerability in Mali GPU Kernel Driver in Midgard GPU Kernel Driver all versions from r6p0 – r32p0, Bifrost GPU Kernel Driver all versions from r0p0 – r42p0, Valhall GPU Kernel Driver all versions from r19p0 – r42p0, and Avalon GPU Kernel Driver all versions from r41p0 – r42p0 allows a non-privileged user to make valid GPU processing operations that expose sensitive kernel metadata.

ARM was warned about this vulnerability on March 31, 2023 and stated:

“There is evidence that this vulnerability may be under limited, targeted exploitation.”

CVE-2021-29256: The Arm Mali GPU kernel driver allows an unprivileged user to achieve access to freed memory, leading to information disclosure or root privilege escalation. This affects Bifrost r16p0 through r29p0 before r30p0, Valhall r19p0 through r29p0 before r30p0, and Midgard r28p0 through r30p0.

Both of the above vulnerabilities are present in the ARM Mali GPU, which is the graphics processor of many Android phones. A patch for both vulnerabilities had been issued by ARM, but Google has decided to include them in this month’s Android update.

CVE-2023-2136: An integer overflow in Skia in Google Chrome prior to 112.0.5615.137 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

This vulnerability affects the Skia 2D graphics library used in Android. Skia is an open source 2D graphics library for drawing text, geometries, and images.

It is likely that attackers would use the vulnerability in Skia as a first stage and then use one of the Mali vulnerabilities to complete a device takeover.

Another vulnerability that caught our eye was CVE-2023-21250: a critical vulnerability in the System component that could lead to remote code execution, with no additional execution privileges and no user interaction needed for exploitation. Further details were not revealed to give users a chance to install the patch first.


Warning issued over vulnerability in cardiac devices

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a vulnerability that could result in remote code execution or a denial-of-service (DoS) condition impacting a healthcare delivery organization’s Paceart Optima system.

Paceart Optima is a software application that runs on a healthcare delivery organization’s Windows server. The application collects, stores, and can be used to retrieve cardiac device data from programs and remote monitoring systems from all major cardiac devices. The Paceart Optima product consists of multiple components that work together to deliver product functionality. This vulnerability impacts the Application Server component.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The vulnerability at hand is listed as:

CVE-2023-31222 (CVSS score 9.8 out of 10): Deserialization of untrusted data in Microsoft Messaging Queuing Service in Medtronic’s Paceart Optima versions 1.11 and earlier on Windows allows an unauthorized user to impact a healthcare delivery organization’s Paceart Optima system cardiac device causing data to be deleted, stolen, or modified, or the Paceart Optima system being used for further network penetration via network connectivity.

Deserialization is the process of extracting data from files, networks or streams and rebuilding it as objects—as opposed to serialization which involves converting objects to a storable format.

The affected versions are Paceart Optima application versions 1.11 and earlier. If a healthcare delivery organization has enabled the optional Paceart Messaging Service in the Paceart Optima system, an unauthorized user could exploit this vulnerability to perform remote code execution and/or denial-of-service (DoS) attacks by sending specially crafted messages to the Paceart Optima system. Remote code execution could result in the deletion, theft, or modification of Paceart Optima system’s cardiac device data, or use of the Paceart Optima system for further network penetration.
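To make the "deserialization of untrusted data" class concrete, here is an added Python example (not Medtronic's code, and not a description of how Paceart Optima or MSMQ actually handle messages). It shows the two defensive options a queue consumer has: constrain a native object format so that it can no longer resolve arbitrary classes or callables by name, or, better, switch to a data-only format checked against a fixed schema. The message field names (`device_id`, `reading`, `value`) and the sample messages are constructed for the example.

```python
import io
import json
import pickle

# Allow-list of (module, name) pairs the consumer may reconstruct from a pickle.
# Plain dicts, lists, strings and numbers never go through find_class, so for
# pure data the list can stay empty; anything referenced by name is refused.
SAFE_GLOBALS = set()


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global not on the allow-list.
    A standard Unpickler imports whatever module/name the data asks for, and a
    pickle can also carry a reduce record that calls such a callable with
    attacker-chosen arguments while the message is being loaded."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def try_restricted(data: bytes):
    """Return ('ok', obj) or ('rejected', reason) so a consumer can log and drop."""
    try:
        return ("ok", RestrictedUnpickler(io.BytesIO(data)).load())
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


# Safer alternative: a data-only format checked against a fixed, flat schema.
# Hypothetical field layout for the example; not a real Paceart message format.
MESSAGE_SCHEMA = {"device_id": str, "reading": str, "value": int}


def validate_message(raw: bytes):
    """Parse a JSON queue message and enforce the exact field set and exact types."""
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        return ("rejected", f"malformed message: {exc}")
    if not isinstance(obj, dict) or set(obj) != set(MESSAGE_SCHEMA):
        return ("rejected", "unexpected field set")
    for key, typ in MESSAGE_SCHEMA.items():
        if type(obj[key]) is not typ:          # exact match: bool is not accepted as int
            return ("rejected", f"field {key!r} is not {typ.__name__}")
    return ("ok", obj)


# Constructed samples. The 'hostile' pickle merely names json.loads by reference
# (a standard unpickler would import and return that function); it is enough to
# show that the restricted loader refuses any global lookup at all.
SAMPLE_RECORD = {"device_id": "PM-001", "reading": "heart_rate", "value": 72}
BENIGN_PICKLE = pickle.dumps(SAMPLE_RECORD)
HOSTILE_PICKLE = pickle.dumps(json.loads)
BENIGN_JSON = json.dumps(SAMPLE_RECORD).encode()
EXTRA_FIELD_JSON = b'{"device_id": "PM-001", "reading": "heart_rate", "value": 72, "extra": 1}'
WRONG_TYPE_JSON = b'{"device_id": "PM-001", "reading": "heart_rate", "value": true}'

if __name__ == "__main__":
    for label, data in [("benign pickle", BENIGN_PICKLE), ("hostile pickle", HOSTILE_PICKLE)]:
        print(label, "->", try_restricted(data))
    for label, data in [("benign json", BENIGN_JSON), ("extra field", EXTRA_FIELD_JSON),
                        ("wrong type", WRONG_TYPE_JSON), ("garbage", b"\xff")]:
        print(label, "->", validate_message(data))
```

The restricted unpickler is the Python standard library's own recommended pattern for this situation, but it still leaves the parser's attack surface in place; the schema-checked JSON path removes the ability to name code at all, which is why it is the preferred fix when the message format can be changed. Either way, the advisory's interim advice, disabling the messaging service until the update is installed, removes the exposure entirely.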

Medtronic states it has not observed any cyberattacks, unauthorized access to, or loss of patient data, or harm to patients related to this issue.

Information about mitigation can be found in the Recommended actions section of the Medtronic security bulletin about this vulnerability.

In essence, the security bulletin says to contact Medtronic to schedule an update and disable the messaging service and message queuing until the update has been completed.

With the additional attention of ransomware operators towards healthcare providers we would like to urge users of the affected Medtronic Paceart Optima device to follow those mitigation instructions.


Self-driving cars are a privacy issue, says security expert

Self-driving cars peel off an extra layer from our privacy, says security expert Bruce Schneier.

Theoretically, if you know the location of all the closed-circuit television (CCTV) cameras in a neighborhood, you might be able to move around without one of them ever catching a glimpse of your face. Although depending on where you live, that might already be hard to accomplish.

But dashcams and the recordings made by self-driving vehicles are an entirely different matter. Their locations and camera angles are unpredictable, so they may catch us off-guard at any given moment. Waymo’s sensor suite, for example, works together to construct a detailed 3D picture of the world, showing moving and still objects. You could be one of those objects without realizing it.

Schneier quotes a Bloomberg article which highlights a few cases where serious crimes and accidents were the reason for law enforcement to request camera recordings from self-driving fleets such as Waymo and Cruise. In addition to a San Francisco homicide, Bloomberg’s review of court documents shows police have sought footage from Waymo and Cruise to help solve hit-and-runs, burglaries, aggravated assaults, a fatal collision, and an attempted kidnapping.

And many will point that out as the positive side of this privacy dilemma. We want these criminals to get caught, but on the other hand we don’t like the idea of being followed around. Police have already used footage from CCTV cameras to monitor the movement of people around crime scenes and help identify suspects. As the number of self-driving cars increases, so does the number of cameras that can be used to accomplish this.

If you look at Russia, where almost every car has a dashcam due to insurance fraud reasons, no major event happens outside that isn’t caught by multiple dashcams. But this is a different problem because the dashcam footage is stored locally and can be used at the discretion of the owner. That doesn’t increase your privacy, but lessens the chance of the footage being used.

The same is true for some video doorbells and security cameras, although there have been cases where the police went over the owner's head and asked for footage directly from companies such as Amazon.

Self-driving fleets store the recorded data for long durations to help improve their capabilities. This makes requesting the data from all the self-driving cars in an area at a certain point in time a lot easier and more effective.

The continuous recording creates an enormous amount of stored data and it’s obvious why the police have begun tapping into them for law and order enforcement. But it has already become clear that employees can’t always resist the temptation to share such footage for much less noble causes.

Last year, the EFF said:

“There are always going to be situations in which it might be expedient for public safety to be able to get around some of the usual infrastructure and be able to get footage very quickly.”

But the problem is that the people who are deciding what constitutes exigent circumstances and what constitutes the type of emergency, all of these very important safeguards, are the police, who have already decided they need the data, and tech giants like Google and Amazon that already have a bad reputation when it comes to our privacy.


Google plans to scrape everything you post online to train its AI

Additions to Google’s Privacy Policy are making some observers worry that all of your content is about to be fed into Google’s AI tools. Alterations to the T&Cs now explicitly state that your “publicly available information” will be used to train in-house Google AI models alongside other products.

From the Privacy Policy page:

In some circumstances, Google also collects information about you from publicly accessible sources. For example, if your name appears in your local newspaper, Google’s search engine may index that article and display it to other people if they search for your name. We may also collect information about you from trusted partners, such as directory services who provide us with business information to be displayed on Google’s services, marketing partners who provide us with information about potential customers of our business services, and security partners who provide us with information to protect against abuse. We also receive information from advertising partners to provide advertising and research services on their behalf.

You may be wondering where the reference to AI comes into play here. Me too! I’ve given talks on EULAs and privacy policies regarding some of the most excessive privacy policies around. I waded through every section tied to the privacy policy page, and I couldn’t find the relevant section. It eventually had to be pointed out to me that what look like hyperlinks leading off-site are actually links to pop open additional information on the terms used.

With this in mind, going back to the above extract, we need to click on “Publicly accessible sources” to see the following:

For example, we may collect information that’s publicly available online or from other public sources to help train Google’s AI models and build products and features, like Google Translate, Bard and Cloud AI capabilities. Or, if your business’ information appears on a website, we may index and display it on Google services.

Public sources

Given the controversy over AI use generally, it might not seem like the best idea to have this information be easily missed on a page where it should perhaps be a lot more prominent.

What does this mean in plain terms? In pre-AI times, if you posted something online, whether a blog, a photograph, a piece of music or something else, there’s a good chance it would end up scraped by a search engine. This is how search engines work, and this is how you find the content you’re looking for when entering search terms. 

But what Google is saying here is that from now on, all of the above will still happen. It’s just that the new addition means your text, photos, and music could end up helping to train its products and “AI models”.

As Gizmodo notes, previously it only referenced the popular Translate tool. Now Bard and Cloud AI are thrown into the mix. Bard is Google’s AI chat service, and if you were wondering: it does indeed make use of images. It ran into teething problems shortly after release, sharing false information in its own announcement. It’s no wonder that Google would try and make as much data as possible up for grabs with regard to feeding the ever-hungry AI tools with more information.

With so many AI tools doing things like falsely claiming that people have written articles or just running into copyright trouble generally, we have no real way to know if this will actually improve anything. You may have had some objections to search engines making bank from content you post online, but there is some positive return there in the form of your content being placed in front of people. Now we have AI spam posing a threat to said engines, while your content is potentially being monetised twice over with new AI policies coming into force.

Although the initial outlook for AI-generated content and scraping looks grim, it’s arguable if the current spam laden system is much better. The problem is we may just be trading one set of poor results and faulty tools for another.


Malicious ad for USPS fishes for banking credentials

We often think of malvertising as being malicious ads that push malware or scams, and quite rightly so these are probably the most common payloads. However, malvertising is also a great vehicle for phishing attacks which we usually see more often via spam emails.

Threat actors continue to abuse and impersonate brands, posing as verified advertisers whose only purpose is to smuggle rogue ads via popular search engines. In this blog post, we review a recent phishing attack that was targeting both mobile and desktop users looking to track their packages via the United States Postal Service website.

A Google search returned an ad that looked completely trustworthy. Yet it redirects victims to a malicious site that first collects their address and credit card details, and then requires them to log into their bank account for verification.

This elaborate phishing scheme is a reminder that malvertising via search results remains an issue that affects both consumers and businesses who place their trust behind well-known brands.

Malicious ad looks 100% legitimate

This malvertising campaign was first spotted by Jesse Baumgartner, Marketing Director at Overt Operator. In his LinkedIn post, he shares several screenshots of his experience while attempting to track a package and instead ending up on a scam website.

We were able to immediately find this same campaign by performing a simple Google search for “usp tracking”. Incredibly, the ad snippet contains the official website and logo of the United States Postal Service and yet, the “advertiser” whose verified legal name is Анастасія Іващенко (Ukraine), has nothing to do with it.

A malicious ad on mobile device for USPS tracker

This fake advertiser had two different ad campaigns, one that appears to target mobile users and the other desktop users:

Google Ads Transparency page for malicious advertiser

Address verification and update just a trick to get banking credentials

One may wonder how threat actors are able to use the official URL in the ad and redirect victims to their own different website. The URLs shown in the ad are pure visual artifacts that have nothing to do with what you actually click on. When you click on the ad, the first URL returned is Google’s own which contains various metrics related to the ad, followed by the advertiser’s own URL. Users never get to see this, and that is what makes malvertising via brand impersonation so dangerous.

Web traffic when clicking on the ad

Victims that click on the ad land on a website that asks them to enter their tracking number(s), just as they would expect. However, upon submitting that information they receive an error stating “Your package could not be delivered due to incomplete information in delivery address.”

It is not unusual to receive this kind of notification either. Users are then asked to enter their full address again but also need to pay a small fee of 35 cents by submitting their credit card information. This is the first clue that there is something amiss here.

Phishing steps

Victims are entering their credit card number into a phishing website. The small fee is completely irrelevant as there is much more damage that can be done by reselling this stolen data on criminal markets.

Malicious credit card form

The final step consists of asking users to enter their credentials for their financial institution. The phishing page is dynamic and will generate a template based on the card number previously entered. For example, here we have a VISA card and the associated bank is JP Morgan:

Visa phishing page

For a different card such as MasterCard, here’s the associated phishing page:

MasterCard phishing page

Falling for malvertising remains too easy

In the security field, we often speak about and recommend user education and training. When it comes to malvertising, awareness is important but training can only go so far. The example from this blog post shows why: malicious ads often look entirely legitimate and we can’t expect users to run queries on domain names and infrastructure to discern any malfeasance.

Brand impersonation is a huge problem and the solution to combat it starts with search engines applying stricter controls. When it comes to software downloads, one solution that comes to mind is reserving a placeholder for the official download page and never allowing an ad to take this spot. Microsoft’s Bing has done that quite well for the most part and such a policy would have a drastic impact on the safety of millions of users.

Security vendors like Malwarebytes will continue to protect their users thanks to browser protection tools available for businesses and consumers. The malvertising kill chain can be disrupted from the initial ad all the way to the payload (malware, phishing or scam). Only a full protection suite with real-time protection can target those critical distribution points.

We have reported this incident to Google, and Cloudflare has already flagged the domains as phishing.

Cloudflare has interstitial'd this account

Indicators of Compromise (IOCs)

logictrackngs[.]com
super-trackings[.]com
web-trackings[.]com
tracks4me[.]biz
forgetrackng[.]com
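The section above on how the displayed URL differs from the real click destination, and the indicator list just given, both come down to the same check a defender can automate: follow the redirect chain behind an ad click, compare the landing host with the host the ad displayed, and test the landing host against known indicators. The Python below is an added example (not Malwarebytes' detection code). It refangs the published indicators as they appear on this page, and uses a constructed, offline stand-in for the redirect hops the post describes, with `ads.example` standing in for the ad network's click-tracking URL; no real network requests are made. The `registrable()` helper is a deliberately naive last-two-labels approximation that is enough for the .com and .biz indicators here.

```python
from urllib.parse import urlsplit

# Indicators as published in the post (defanged); refang() makes them matchable.
PUBLISHED_IOCS = [
    "logictrackngs[.]com", "super-trackings[.]com", "web-trackings[.]com",
    "tracks4me[.]biz", "forgetrackng[.]com",
]


def refang(indicator):
    """Undo the common [.] and hxxp defanging used in published indicators."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


IOC_HOSTS = {refang(i) for i in PUBLISHED_IOCS}


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def registrable(host):
    """Naive eTLD+1 (last two labels). A production check should use a public-suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def matches_ioc(host):
    """True if host equals, or is a subdomain of, any published indicator."""
    host = host.lower()
    return any(host == ioc or host.endswith("." + ioc) for ioc in IOC_HOSTS)


def follow_chain(start_url, fetch, max_hops=10):
    """Follow Location headers. fetch(url) -> (status, location_or_None) is injected
    so the logic can be exercised offline and unit-tested."""
    chain = [start_url]
    url = start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain
        url = location
        chain.append(url)
    raise RuntimeError("too many redirects")


def assess_ad(display_url, click_url, fetch):
    """Compare the URL an ad shows with where the click actually lands."""
    chain = follow_chain(click_url, fetch)
    landing = host_of(chain[-1])
    return {
        "chain": chain,
        "landing_host": landing,
        "display_matches_landing": registrable(landing) == registrable(host_of(display_url)),
        "landing_in_iocs": matches_ioc(landing),
    }


# Constructed stand-in for the hops described in the post: the click first hits the
# ad network's own tracking URL (ads.example is a placeholder), then the advertiser's site.
CONSTRUCTED_RESPONSES = {
    "https://ads.example/aclk?id=123": (302, "https://logictrackngs.com/track"),
    "https://logictrackngs.com/track": (200, None),
}


def fake_fetch(url):
    return CONSTRUCTED_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    verdict = assess_ad("https://www.usps.com/", "https://ads.example/aclk?id=123", fake_fetch)
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

In practice the same `assess_ad()` logic can be fed by a real HTTP client that does not follow redirects itself, or by the URLs recorded in a web proxy log; the display/landing mismatch is the generic signal, and the indicator match is the campaign-specific one.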