IT NEWS

“Brad Pitt,” a still body, ketchup, and a knife, or the best trick ever played on a romance scammer, with Becky Holmes: Lock and Code S04E06

Becky Holmes knows how to throw a romance scammer off script—simply bring up cannibalism. 

In January, Holmes shared on Twitter that an account with the name “Thomas Smith” had started up a random chat with her that sounded an awful lot like the beginning stages of a romance scam. But rather than instantly ignoring and blocking the advances—as Holmes recommends everyone do in these types of situations—she first had a little fun.

“I was hoping that you’d let me eat a small part of you when we meet,” Holmes said. “No major organs or anything obviously. I’m not weird lol.” 

By just a few messages later, “Thomas Smith” had run off, refusing to respond to Holmes’ follow-up requests about what body part she fancied, along with her preferred seasoning (paprika). 

Romance scams are a serious topic. In 2022, the US Federal Trade Commission reported that, in the five years prior, victims of romance scams had reported losing a collective $1.3 billion. In just 2021, that number was $547 million, and the average amount of money reported stolen per person was $2,400. Worse, romance scammers often target vulnerable people, including seniors, widows, and the recently divorced, and they show no remorse when developing long-lasting online relationships, all built on lies, so that they can emotionally manipulate their victims into handing over hundreds or thousands of dollars.

But what would you do if you knew a romance scammer had contacted you and you, like our guest on today’s Lock and Code podcast with host David Ruiz, had simply had enough? If you were Becky Holmes, you’d push back. 

For a couple of years now, Holmes has teased, mocked, strung along, and shut down online romance scammers, much of her work in public view as she shares some of her more exciting stories on Twitter. There’s the romance scammer who she scared by not only accepting an invitation to meet, but ratcheting up the pressure by pretending to pack her bags, buy a ticket to Stockholm, and research venues for a perhaps too-soon wedding. There’s the scammer she scared off by asking to eat part of his body. And, there’s the story of the fake Brad Pitt:

“My favorite story is Brad Pitt and the dead tumble dryer repairman. And I honestly have to say, I don’t think I’m ever going to top that. Every time … I put a new tweet up, I think, oh, if only it was Brad Pitt and the dead body. I’m just never gonna get better.”

Tune in today to hear about Holmes’ best stories, her first ever effort to push back, her insight into why she does what she does, and what you can do to spot a romance scam—and how to safely respond to one. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Looking to accelerate your business? Our 2023 State of Malware report will equip you with the cybersecurity strategies you need to protect against the five most dangerous cyberthreats facing businesses this year.

Download and read the report here at www.malwarebytes.com/som

And for a live discussion on the most important takeaways from the 2023 State of Malware, join our Threat Down webinar on March 15.

Register here

Breast cancer photos published by ransomware gang

The Russia-linked ALPHV ransomware group, also known as BlackCat, has posted sensitive clinical photos of breast cancer patients—calling them “nude photos”—to extort money from the Lehigh Valley Health Network (LVHN).

This has triggered a chorus of accusations from the cybersecurity community, with some labeling the group as “barbarians” and others saying the group is “exploiting and sexualizing breast cancer”.

The leak page for data stolen from the Lehigh Valley Health Network. Apart from the clinical photos, ALPHV also leaked sensitive, personally identifiable information on passports and questionnaires.

“This unconscionable criminal act takes advantage of patients receiving cancer treatment, and LVHN condemns this despicable behavior,” LVHN spokesman Brian Downs said, Lehigh Valley News reported.

LVHN had previously said it fell victim to a BlackCat ransomware attack on February 20. The Network initially detected an intrusion within its IT systems on February 6 and said that initial analysis showed the attack was on a network supporting one physician practice located in Lackawanna County.

The ransom amount has never been made public, but we know that the Network decided not to pay ALPHV anyway. Lehigh’s website has remained offline since the attack.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Write an incident response plan. The period after a ransomware attack can be chaotic. Make a plan that outlines how you’ll isolate an outbreak, communicate with stakeholders, and restore your systems.

Have a question or want to learn more about our cyberprotection? Get a free business trial below.

GET STARTED

WhatsApp refuses to weaken encryption, would rather leave UK

WhatsApp will not comply with the UK’s Online Safety Bill if it passes into law as is. In fact, WhatsApp would rather cease serving UK users, who make up 2% of its global market, than weaken its end-to-end encryption (E2EE).

Will Cathcart, head of WhatsApp at parent company Meta, made these claims in a briefing with the UK press on Thursday, March 9. He reportedly met with legislators to discuss the Bill, which Cathcart described as the most concerning online regulation in the Western world.

“The reality is, our users all around the world want security,” said Cathcart, The Guardian reported.

“Ninety-eight per cent of our users are outside the UK. They do not want us to lower the security of the product, and just as a straightforward matter, it would be an odd choice for us to choose to lower the security of the product in a way that would affect those 98% of users.”

The Bill includes a provision requiring companies to use “accredited technology” to scan messages for anti-terrorism and child protection purposes. It doesn’t say how such scans could be done, yet companies are liable for the content shared on their platforms.

At the moment, organizations cannot scan end-to-end encrypted messages. So, the only way they can comply with the Bill is to make private messages scannable. This means breaking E2EE.

Breaking E2EE in order to scan for terrorism and child sexual abuse images also breaks encryption for the crooks, as it will likely introduce backdoors that create vulnerabilities for attackers and hostile states to exploit. It also paves the way for state-mandated surveillance on a mass scale, with privacy and security risks affecting entire societies.

“If a country like the UK pushed for that [breaking encryption] on the internet, that would shape what other countries all around the world ask for on different topics on different issues,” Cathcart said, reports Politico.

Client-side scanning (CSS), a technology that can intercept and filter messages before they are sent, was seen as an alternative to weakening end-to-end encryption. Still, a study argued it neither guarantees “efficacious crime prevention nor prevents surveillance”. Akin to wiretapping, CSS can give governments access to private content. Its potential for abuse will not go unnoticed.

WhatsApp refusing to comply would subject it to fines of up to 4% of Meta’s annual turnover. However, this wouldn’t happen if WhatsApp pulls out of the UK market—a step that Signal, another popular private messaging app, has already threatened to take.

Wired reports that WhatsApp has reported more CSAM to the National Center for Missing and Exploited Children (NCMEC) than all other tech giants combined. Internet Watch Foundation’s head of policy and public affairs, Michael Tunks disagreed: “There’s a problem with child abuse in end-to-end encrypted environments.”

“The bill does not seek to undermine end-to-end encryption in any way,” he said. “The online safety bill is very clear that scanning is specifically about CSAM and also terrorism. The government has been pretty clear they are not seeking to repurpose this for anything else.”

The Online Safety Bill will be returning to Parliament this summer.


Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

A week in security (March 6 – 12)

TikTok “a loaded gun” says NSA

America’s TikTok-addicted youth is playing with a “loaded gun” according to General Paul Nakasone, Director of the National Security Agency (NSA). Speaking at a US Senate hearing on Wednesday, the general said “one third of Americans get their news from TikTok”, adding “one sixth of American youth say they’re constantly on TikTok. That’s a loaded gun.”

TikTok is an immensely popular social media platform that allows users to create, share, and discover short video clips. It has enjoyed explosive growth since it first appeared in 2017, and now claims to have 1 billion users, an estimated 100 million of them in the US.

Unique among major social media apps, TikTok is owned by a Chinese company, ByteDance. Due to its ties with China and the ruling Chinese Communist Party (CCP), the platform has been under a national security review by the government’s Committee on Foreign Investment in the US, or CFIUS, and will soon be banned on federal devices.

A loud chorus of concern has surrounded the app for some time now. 

One of the earliest signs of trouble occurred in 2020 when retail giant Amazon sent a memo to employees telling them to delete TikTok from their phones. In the same year, the app escaped a total ban in the US after rumors that it was sharing the data of US citizens with the Chinese government.

Things picked up again in 2022, when Federal Communications Commission (FCC) Commissioner Brendan Carr called for TikTok to be banned in America, months after deeming it an “unacceptable security risk” and calling for Apple and Google to remove the app from their respective stores.

TikTok has also been scrutinized by the European Union (EU) and Canadian privacy protection authorities. On Wednesday, the White House backed legislation introduced by a dozen senators that would give President Biden’s administration new powers to identify and stop any technology from China or other adversaries from entering the US if it is deemed a national security risk. The bill would give the Commerce Department the ability to ban TikTok and other foreign-based technologies.

At the same hearing attended by General Nakasone, FBI Director Christopher Wray spelled out the agency’s three concerns:

  • The algorithm. The FBI is concerned that the CCP’s control of the TikTok algorithm, which decides which posts are shown to which users, could be used to conduct hard-to-detect influence operations against Americans.
  • Access to data. The Director explained that TikTok’s vast database of information about individuals in the US could be used to conduct traditional espionage operations.
  • Control of the software. TikTok is installed on millions of devices, where it has access to location data, cameras, microphones, and other sensors.

Fundamentally though, his concern with TikTok is a concern about who controls those three things: “it’s the ownership of the CCP that fundamentally cuts across all those concerns,” he told the hearing.

Wray used dividing Americans on the subject of Taiwan’s independence as an example of how TikTok’s reach could be used.

When asked about a situation in which China wanted to invade Taiwan, Wray agreed that the platform could be used to show Americans videos arguing why Taiwan belongs to China and why the US should not intervene. He added that it could be difficult to see “the outward signs of it happening, if it was happening.”

Just last week, the White House issued an order requiring all federal agencies to remove TikTok from government devices within 30 days, citing security risks the app poses to sensitive government data. Now, another step has been taken towards a complete ban. If it weren’t for the popularity of the app, it is questionable whether these decisions would take so long. Even though the app is more popular among younger people (under 35 years old), a majority of its users are old enough to vote.


Have a burning question or want to learn more about our cyberprotection? Get a free business trial below.

GET STARTED

Malware targeting SonicWall devices could survive firmware updates

Researchers at Mandiant have identified a malware campaign targeting SonicWall SMA 100 Series appliances, thought to be of Chinese origin. The malware was likely deployed in 2021, and was able to persist on the appliances tenaciously, even surviving firmware upgrades. The malware was able to steal user credentials and provide shell access.

The SMA 100 Series is an access control system that lets remote users log in to company resources. It offers a combined single-sign-on (SSO) web portal to authenticate users, so intercepting user credentials would give an attacker that is after sensitive information a huge advantage.

The Mandiant researchers reportedly worked with the SonicWall Product Security and Incident Response Team (PSIRT) to examine an infected device.

The analysis of the files found on the device showed that harvesting the (hashed) user credentials of all logged-in users was the primary purpose of the malware. A number of scripts and a TinyShell variant provided the attacker with readily available, high-privileged access. The original TinyShell is a Python command shell used to control and execute commands through HTTP requests to a web shell. A web shell is a malicious script used by an attacker with the intent to escalate and maintain persistent access on an already compromised web application. In other words, it acts as a backdoor on affected systems.

The researchers noted that the attackers put significant effort into the stability and persistence of their tooling and showed a detailed understanding of the appliance.

The malware checked for the presence of a firmware upgrade every ten seconds. When one was found, it unzipped the package, copied the malware into the upgrade, and put the zip back in its original place, now including the malware, so that after the upgrade it could continue to harvest credentials.

Mitigation

SonicWall is urging SMA 100 customers to upgrade to version 10.2.1.7 or higher, which includes hardening enhancements. In a blog post from March 1, 2023, SonicWall describes the patch and states that:

SonicWall has taken the approach of incorporating security enhancements in their products, such as the SMA 100 series, which helps identify potentially compromised devices by performing several checks at the operating system level and baselining normal operating system state. In addition, SonicWall sends anonymous encrypted data to backend servers, including device health data, to detect and confirm security events and release new software to correct the issue.

As part of this upgrade, SMA100 customers on versions 10.2.1.7 or higher will receive notifications in their Management Console about pending CRITICAL security updates.

The upgrades, and the instructions on how to upgrade to 10.x firmware versions from various older versions of the SMA 100 Series can be found in the SonicWall knowledge base article Upgrade Path For SMA100 Series.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Update Android now! Two critical vulnerabilities patched

The March security updates for Android include fixes for two critical remote code execution (RCE) vulnerabilities impacting Android systems running versions 11, 12, 12L, and 13. Users should update as soon as they can.

The March 2023 Android Security Bulletin contains the details of the security vulnerabilities affecting Android devices. Security patch levels of 2023-03-05 or later address all of these issues.

That means, if your Android phone is at patch level 2023-03-05 or later then the issues discussed below have been fixed. The updates have been made available for Android 11, 12, and 13.

Android partners are notified of all issues at least a month before publication. However, this doesn’t always mean that the patches are available for devices from all vendors.

You can find your Android’s version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for updates.

For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

Vulnerabilities

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs that deal with RCE vulnerabilities which were patched in these updates are:

CVE-2023-20951 and CVE-2023-20954: both are critical RCE vulnerabilities in the System component. The most severe vulnerability could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2022-33213 and CVE-2022-33256 are vulnerabilities in Qualcomm closed-source components that could allow for remote code execution. CVE-2022-33213 is a memory corruption vulnerability in a modem due to buffer overflow while processing a PPP packet. And CVE-2022-33256 is a memory corruption vulnerability due to the improper validation of an array index in a Multi-mode call processor.

Google only sparingly gives out details about vulnerabilities, so everyone gets a chance to patch before cybercriminals can start abusing the vulnerabilities in attacks. But there are some pointers in the descriptions of the vulnerabilities.

Memory corruption vulnerabilities occur when the contents of a memory location are modified in a way the program never intended, typically because of a programming error. Such errors can enable attackers to execute arbitrary code.

A buffer overflow is a type of software vulnerability that exists when a write to an area of memory within a software application goes past that area’s boundary and spills into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap.

PPP is commonly used as a data link layer protocol between two routers directly without any host or any other networking in between.

One other vulnerability that grabbed my attention was CVE-2021-33655, a flaw in which sending malicious data to the kernel via the FBIOPUT_VSCREENINFO ioctl command makes the kernel write memory out of bounds. It jumped out not just because it was reported in 2021, but also because the security bulletin discloses that it is an elevation of privilege (EoP) vulnerability in the Kernel that could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

A little digging revealed that a user with access to a framebuffer console driver could cause an out-of-bounds memory write via the FBIOPUT_VSCREENINFO ioctl. An ioctl is a system call for device-specific input/output operations and other operations that cannot be expressed by regular system calls. The fix for this vulnerability was to prevent switching to screen resolutions that are smaller than the font size, and to prevent enabling a font that is bigger than the current screen resolution. This seems trivial, but it goes to show how many details go into safe coding.



DeepStreamer: Illegal movie streaming platforms hide lucrative ad fraud operation

This investigation was a joint effort between Malwarebytes Threat Intelligence’s Jérôme Segura, DeepSee’s Rocky Moss and Antonio Torres.

Key findings

  • Over a dozen unique domains were found selling ad inventory through Google Ad Manager, even though the pages were embedded invisibly under the content of illegal movie & porn streaming sites

  • Streaming sites in the DeepStreamer fraud ring generated an estimated 210,550,928 visits in January 2023, as measured by Similar Web

  • There was not a single seller in common between each of the sites used for laundering (the “money sites”), but most offered their inventory for sale through Google Ad Manager

  • Using extremely conservative estimates, which factor in a 50% ad-block rate & 70% ad-unit fill rate, we project advertiser spend on this scheme between $120k – $1.2 million in January 2023 alone

  • Working with a leading ad buying platform, we were able to confirm there were hundreds of millions of bid requests generated for these domains between January and February 2023

Introduction

Online video streaming sites have always been some of the most visited destinations on the web. Legitimate ones will typically require a subscription fee or rely on advertising as part of their business model. Unfortunately, at any given point in time, there are thousands of sites that allow users to illegally stream pirated content, and they often manage to devise strategies that allow them to monetize their illegally sourced content with programmatic advertising.

Researchers at DeepSee and Malwarebytes have identified an invalid traffic scheme that has gone undetected for over one year via a number of illegal video streaming platforms. DeepStreamer used different techniques to evade detection and forge traffic by surreptitiously loading “money sites” (ad-monetized sites used to monetize/launder the human traffic to pirate sites) filled with Google ads completely hidden from view, while internet users were watching movies.

Not only are these streaming sites breaking the law by using copyrighted material, they are also defrauding advertisers to the tune of $1.2 million per month, based on conservative estimates.

A deceptive business model

DeepSee researchers contacted Malwarebytes about a scheme they had observed recently via a video streaming website called moviesjoy[.]to. DeepSee’s crawlers had observed the site mikerin[.]com loading ads deep under the content of moviesjoy, but it wasn’t exactly clear how this was happening.

Interestingly, the site claims to offer free HD movies and TV series with “absolutely zero ads on our site. Once you hit the play button, you can start streaming right away, without any interruptions in the middle.”

On the internet if something is “free”, it usually means you are the product in some shape or form. Hosting and streaming costs money that needs to be recouped so the service can stay online.

What we identified was not entirely surprising but was quite clever. The platform does indeed rely on ads but rather than having them visible on the site, they are embedding and hiding them.

While the site owner could display ads to their visitors, there is no way legitimate advertisers (meaning those that would pay more) would accept traffic coming from a site offering pirated movies.


The trick consists of loading ads from seemingly regular websites and not showing them to anyone. Those “legitimate” websites are embedded and hidden into the page as iframes while users are watching movies.

There are 4 Google ads that load per page and the pages reload periodically. Advertisers are buying ad space for mainstream content but on websites that are inserted as invisible iframes into illegal video streaming platforms.


Anti-debugging tricks

Rather than using more simple techniques such as popunders, DeepStreamer relies on intermediary domains that create hidden iframe containers within the existing page.

The code that they use is highly obfuscated and detects the presence of debuggers. Capturing network traffic externally will only show some static elements, and not the dynamically created iframes.

Here is the overall traffic view, from the streaming site (moviesjoy) to the money site (mikerin):


There are several anti-debugging tricks being used, the first one actually from the online video streaming site itself:


The domain hosted at adtrue[.]top (or adtrue[.]info) plays an important role in loading the money domains by performing a HEAD /dynamic/ads/ HTTP request, and yet it shows an enigmatic 404 code response.

We were able to replay the attack by putting a breakpoint on adtrue[.]info using an external web debugger (Fiddler) and observed that it started loading the domain immediately responsible for rendering the money site.


It appears though that all these intermediary domains are connected and watching for each other.


Hidden iframe containers

Let’s look at the difference between static and dynamically rendered content. Viewed statically, mikerin[.]ml, which is related to mikerin[.]com (the money site with ads), only appears to load jquery.js:


This has nothing to do with the popular jQuery JavaScript library, but instead is heavily obfuscated and debugger-proof code that contains the clues on how DeepStreamer is loading their iframe:


However, we can take a shortcut and see what the Document Object Model (DOM) looks like by saving the current webpage as a complete .html file using the browser UI.

While the HTML saved from mikerin[.]ml showed very little information, the DOM provides a lot more useful information since it shows objects that have been rendered by the browser.


There is a new element called “containerIframeBlog____” that is referring to the money sites which are ordinary looking blogs with Google ads. The iframe’s properties make it so that nothing is visible to the user.

One way to confirm those iframes without triggering the anti-debugger code is by launching Chrome’s Task Manager:


Evasion techniques

What we refer to as the money sites are WordPress sites with a number of blog articles and Google ads. At first glance, everything looks legitimate but that is simply a decoy to fool everyone.


What we noticed are articles that are completely clean, while others contain ad fraud code. Of course, you will only get to the latter if your referer is one of the movie streaming sites.


There is one problem though. If visitors truly came from a pirate site, then ad networks would not allow their customers’ ads through.

This is where referral forging comes into play. We can see that DeepStreamer is spoofing the referer and choosing from one of their own (Google, Bing or Facebook):


Another issue is that the invisible iframes will not reflect user activity, and yet it is important to pretend humans are scrolling and clicking on the articles. The next piece of code from the ad fraud script does just that:


If the money site was not hidden as an iframe, this is what it would look like while performing ad fraud:


Perhaps as a measure to avoid creating too many ad requests, these embedded pages do not often refresh ad units within the context of a single page-view. Instead, they generate a visit to a new spoofed page every 2-3 minutes, as demonstrated in this code snippet (looking at the interval object in particular for details on timing):


This is also confirmed by our packet captures from manually generated visits to these pirate sites; a new page is loaded every 2-3 minutes.

(Un)intended 3rd Party Measurement Evasion

One interesting side effect of embedding the money domains the way DeepStreamer does: estimates from SimilarWeb are completely thrown off! Take for example the SimilarWeb results for 2 money sites that generated hundreds of millions of ad opportunities in the same measurement period (Nov ‘22 to Jan ‘23):


SimilarWeb has no idea they exist and are generating these kinds of ad traffic volumes. This suggests that SimilarWeb measures traffic for domains that are navigated to in the browser address bar, and does not account for hidden or embedded pages. This could be both a blessing and a curse.

On the plus side: many ad exchanges check for 3rd party traffic metrics from tools like SimilarWeb before making a publisher’s inventory available, and organizations doing that basic check will protect themselves from exposure to sites like this. Put another way: a quality specialist would see that there’s no traffic to mikerin[.]com, or guiadosabor[.]com, and the sites would not be approved for the platform subsequently. 

  • This begs the question: how were these publishers able to sell their inventory through Google’s ad exchange? What checks and balances were in place to ensure that the traffic volumes to those sites were believable?

One negative outcome of this measurement scenario is that researchers who rely on SimilarWeb insights cannot know about the “money” sites’ connections to pirate domains; the connection from source to “money” site is lost given the absence of SimilarWeb “related sites” data.

DeepSee’s crawl data revealed ground-truth connections between the pirate & “money” sites, but it could not account for the volume of traffic directed at the “money” sites. Luckily, since these sites load every time someone visits the pirate sites, it’s possible to estimate the visit counts to the “money” domains by understanding traffic volumes to the pirate sites which embed them.

Monetization

The Roster of Embedded Sites

By working with the team at Malwarebytes, DeepSee was better able to profile the activity of a monetized site involved in this scheme, and set about the task of mapping the active ones to their pirate/source domains. What we found are 14 active content domains, loaded by 250+ unique pirate sites, which cumulatively generated hundreds of millions of visits in January:


In order to arrive at the estimated visit statistics, we used data from Similarweb. Not every pirate domain was found in their dataset due to recent registration, or low traffic volumes.

Now that we had identified a sample of ad-monetized domains, we needed to make sure these ad units were actually firing off impression trackers, meaning the advertiser would be charged for presenting their ads on the page. 

In order to confirm this, DeepSee analyzed data its crawlers had gathered when visiting the pirate sites in question, and compared the number of Google ad requests generated to the number of corresponding Google impression trackers fired. 

This dataset, composed of 6,748 crawls performed between January 1st and February 27th 2023 showed the following:

  • Of the 35,269 Google ad requests measured, DeepSee measured 25,387 corresponding impression trackers, making for a fill rate of ~72%

  • The “money” sites loaded a median of 4 ad units per page load; confirmed by manual inspection performed by Malwarebytes

  • In DeepSee’s limited manual tests, generated by visiting the pirate sites & running packet capture software, there was a measured fill rate of ~80%

  • Perhaps more troubling, ~98% of the sessions that DeepSee crawlers generated were from known data centers, performed without any attempt to cloak the IP.

(For more information on how to do this kind of auditing yourself, check out this explainer from MonetizeMore.)

With these data points in hand, we could now construct an estimate of how much advertisers might be spending on this inventory. For complete insights into the dataset we used to create these estimates, alongside the complete list of Source:Money domain mappings, check out our companion document.

  • After matching the pirate source domains to SimilarWeb data, and summing the visit counts, we counted 221,823,394 cumulative visits generated.

  • Using the visit data, and the time-on-site metrics from SimilarWeb, we arrived at a weighted average time-on-site of ~7.75 minutes per visit

  • Each visit loads 4 ads on arrival, and the page reloads on average every 2.5 minutes, loading another 4 ads each time. Combined with the ~7.75 minute average time-on-site, this makes for an average of 16.40 ad exposures per visit for each user

  • Multiplying average exposures per user by the number of visits yielded a total of 3,636,840,849 estimated ad exposures in January, but we had to add a few modifiers to this figure:

    • According to data compiled by Statista, ~50% of desktop web users block ads, and that number is ~30% for mobile browser users. We chose to use the more conservative 50% figure, and removed half of the projected impressions from the pool, leaving 1,818,420,425 estimated ad exposures in January

    • As we previously mentioned, DeepSee crawlers measured a fill rate of ~72% for Google ad units on the money sites during our visits. Factoring in a slightly more conservative 70% fill rate left us with 1,272,894,297 estimated ad exposures in January

Given our final figure of 1,272,894,297 estimated ad exposures in January, the advertiser spend was estimated to be between $127k and $1.27 million, depending on the average price of these advertisements, which was never disclosed to us. We broke our estimates down across several probable price points for this media:
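The fill-rate measurement and the exposure-to-spend estimate above are easy to get wrong when reproduced by hand, so here is the same chain of arithmetic as runnable Python. This is an added example, not DeepSee’s or Malwarebytes’ code: the request counts, visit totals, time-on-site, reload interval, ad-block share and fill rate are the figures quoted in this article; the CPM price points at the end are assumptions, since the real prices were never disclosed. Using the rounded 7.75-minute time-on-site gives totals within about 0.1% of the article’s own figures (the article’s 3,636,840,849 gross exposures imply a slightly more precise average).

```python
"""Re-create the DeepStreamer ad-spend estimate from the figures in the article.

Added example: this is not DeepSee's or Malwarebytes' code. The counts, rates
and times are the ones quoted above; the CPM price points at the end are
assumptions, since the actual prices paid were never disclosed.
"""
from typing import Dict, List


def fill_rate(ad_requests: int, impression_trackers: int) -> float:
    """Share of ad requests that fired a billable impression tracker."""
    if ad_requests <= 0:
        raise ValueError("ad_requests must be positive")
    return impression_trackers / ad_requests


def exposures_per_visit(time_on_site_min: float, reload_interval_min: float,
                        ads_per_load: int) -> float:
    """Ads loaded on arrival, plus another batch for every reload interval."""
    reloads = time_on_site_min / reload_interval_min
    return ads_per_load * (1 + reloads)


def estimate_exposures(visits: int, per_visit: float,
                       adblock_share: float, fill: float) -> Dict[str, float]:
    """Gross exposures, then discount for ad blocking and unfilled ad units."""
    gross = visits * per_visit
    after_adblock = gross * (1 - adblock_share)
    after_fill = after_adblock * fill
    return {"gross": gross, "after_adblock": after_adblock,
            "after_fill": after_fill}


def spend_table(exposures: float, cpms: List[float]) -> Dict[float, float]:
    """Advertiser spend at each CPM (cost per thousand impressions) price point."""
    return {cpm: exposures / 1000.0 * cpm for cpm in cpms}


def run_estimate() -> Dict[str, float]:
    """Wire the article's inputs together and return every intermediate figure."""
    measured_fill = fill_rate(35_269, 25_387)      # ~72% from DeepSee's crawls
    per_visit = exposures_per_visit(7.75, 2.5, 4)  # ~16.4 ads per visit
    est = estimate_exposures(
        visits=221_823_394,   # SimilarWeb visits summed over the pirate sources
        per_visit=per_visit,
        adblock_share=0.50,   # conservative desktop ad-blocking share (Statista)
        fill=0.70,            # rounded down from the measured ~72%
    )
    est["measured_fill"] = measured_fill
    est["per_visit"] = per_visit
    return est


if __name__ == "__main__":
    result = run_estimate()
    for key, value in result.items():
        print(f"{key:>14}: {value:,.2f}")
    # Assumed price points, not taken from the article: $0.10 to $1.00 CPM
    prices = [0.10, 0.25, 0.50, 1.00]
    for cpm, spend in spend_table(result["after_fill"], prices).items():
        print(f"CPM ${cpm:.2f}: ${spend:,.0f}")
```

The two modifiers are multiplicative, so their order does not matter, but each one is a point of sensitivity: swapping the 50% ad-block share for the ~30% mobile figure, or the 70% fill rate for the 72% actually measured, moves the final spend by tens of thousands of dollars at the low CPM and hundreds of thousands at the high one.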


At this point, it was clear that advertisers were really buying this space, so we started asking around for evidence that could point us to who was selling the space.

The Non-Google DSP Perspective

The data in this section was provided to DeepSee by a leading DSP (demand-side advertising platform) with global reach, who agreed to participate under condition of anonymity (we’ll call them DSP “A”). They provided reporting, from their perspective, on the count of bid requests generated by the money domains dating back to August of 2020. Most helpfully, they also provided the supply path related to each opportunity, which tells us the exchange and seller name related to the opportunity.

As a disclaimer, there are a few limitations of this dataset:

  • This is just the perspective of one DSP, and we can’t claim to know that these sellers created a similarly large share of opportunities presented to all other DSPs. We suspect they do, but without input from Google in particular, it can’t be confirmed.

  • These sites seemed to monetize extremely poorly outside of Google; fewer than 1% of requests resulted in an ad being delivered via the DSP we polled.

    • That low fill rate was echoed by another non-Google exchange we polled, who told us that only 0.1% of opportunities they created resulted in ads being loaded

    • On the other hand, we observed that Google filled these ad units upwards of 70% of the time, implying spend was mainly coming from users of Google’s DSP

With those caveats in mind, the table below shows the top sellers offering space on these money domains, and the ad exchange the opportunity came through.

Google Was the Top Exchange Offering These Opportunities; There Was Not 1 Particular Seller in Common

Top Seller Per Domain, Ordered by Magnitude of Ad Opportunities Presented to DSP “A” Since August 2020


Summary

In this investigation, we uncovered a network of streaming websites and bogus domains created for the purpose of illicitly gaining revenue from advertisements by a threat actor we called DeepStreamer.

We were impressed by the technical complexity of the code and underlying infrastructure. The perpetrators took many steps to prevent reverse engineering, and traffic-tracking metrics did not accurately represent the scale of the abuse at play.

We have notified Google and other industry partners and some actions have already taken place. Malwarebytes users are not participating in this invalid traffic scheme defrauding advertisers as we already block the fraudulent domains used.

About Malwarebytes

Malwarebytes believes that when people and organizations are free from threats, they are free to thrive. Founded in 2008, Malwarebytes CEO Marcin Kleczynski had one mission: to rid the world of malware. Today, Malwarebytes’ award-winning endpoint protection, privacy and threat prevention solutions and its world-class team of threat researchers protect millions of individuals and thousands of businesses across the globe. 

The effectiveness and ease-of-use of Malwarebytes solutions are consistently recognized by independent third parties including MITRE Engenuity, MRG Effitas, AVLAB, AV-TEST (consumer and business), Gartner Peer Insights, G2 Crowd and CNET.

The company is headquartered in California with offices in Europe and Asia. For more information and career opportunities, visit https://www.malwarebytes.com.

About DeepSee

DeepSee uses highly sophisticated crawlers, combined with rigorous network analysis, in order to capture the behaviors websites present when visited by actual humans, and contextualize those behaviors within the graph of the internet.

DeepSee uses this data to arm advertising professionals with ground-truth signals about content appropriateness, ad-density, on-page technologies, backlink makeup, and more.

This dataset enables the sell-side to effectively & automatically moderate the quality of the inventory they offer, and empowers the buy-side to quickly generate robust blocking / targeting lists.

Indicators of Compromise

Domains launching invisible iframes:

adorablefurnishing[.]ml
awscloudfront[.]ml
bigcache[.]ml
brcache201[.]ml
brient[.]ml
cache33[.]ml
cdncache[.]ml
compactembed[.]ml
dbcache[.]fun
dcache[.]ml
embed123[.]ml
fcache[.]ml
filecache[.]ml
financeirocartao[.]ml
fishuflatinned[.]ml
fullcdn[.]ga
harateness[.]ml
honessity[.]ml
hypercdn[.]ml
hypercdn3[.]ml
investwell[.]ml
jestick[.]ml
journeywithvision[.]ga
jscache[.]live
kbyte[.]ml
livrosdereceita[.]ml
maxcache[.]ml
mbyte[.]gq
mcdn[.]ga
megacdn[.]ml
megacdn[.]top
megasearch[.]gq
melhoresdomomento[.]ml
mikerin[.]ml
myplayer[.]ml
newsworldcity[.]ml
poptube[.]fun
primesinfo[.]ml
satishmoheyt[.]ml
supercache[.]top
tapcache[.]ml
tcache[.]ml
tecnowebclub[.]ga
toptube[.]fun
uwatchtube[.]ml
video[.]your-notice[.]fun
videocdn[.]fun
videosdahora[.]fun
whatsappvideos[.]ml
wispields[.]ml
wpcache[.]ml
youbesttube[.]gq
yourtube[.]fun
ytcache[.]fun
pharmabeaver[.]ml
pharmabeaver[.]com
virvida[.]com
guiadosabor[.]com
techyclub[.]in
journeywithvision[.]com
newsworldcity[.]com
mikerin[.]com
primesinfo[.]com
investwell[.]site
streamix[.]tv
guerytech[.]online
brandingjoy[.]in
aitechgear[.]in
adorablefurnishing[.]com
satishmoheyt[.]in

Money domains:

brandingjoy[.]in
aitechgear[.]in
guiadosabor[.]com
mikerin[.]com
adorablefurnishing[.]com
journeywithvision[.]com
satishmoheyt[.]in
primesinfo[.]com
techyclub[.]in
streamix[.]tv
newsworldcity[.]com
pharmabeaver[.]com
guerytech[.]online
virvida[.]com
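The indicators above are defanged with `[.]`, and one of them (video[.]your-notice[.]fun) is a subdomain rather than a registrable domain, so a naive substring match against proxy or DNS logs will both miss real hits (www.mikerin[.]com) and produce false ones (a domain that merely ends in "mikerin.com"). The following is an added example, not Malwarebytes’ or DeepSee’s code, showing how to refang the list and match observed hostnames on label boundaries. DEFANGED_IOCS is a subset of the domains listed in this section; LOG_LINES are constructed sample proxy-log entries.

```python
"""Refang the article's defanged IOCs and match hostnames from log lines.

Added example, not Malwarebytes' or DeepSee's code. DEFANGED_IOCS is a subset
of the Indicators of Compromise listed above; LOG_LINES are constructed.
"""
import re
from typing import List, Optional, Set, Tuple

DEFANGED_IOCS = """
awscloudfront[.]ml
cdncache[.]ml
video[.]your-notice[.]fun
mikerin[.]com
guiadosabor[.]com
pharmabeaver[.]ml
"""

# Constructed proxy log lines: timestamp, client IP, method, URL, status.
LOG_LINES = [
    "2023-02-14T10:01:02Z 10.0.0.5 GET https://cdncache.ml/embed/player.js 200",
    "2023-02-14T10:01:03Z 10.0.0.5 GET https://www.mikerin.com/index.html 200",
    "2023-02-14T10:01:04Z 10.0.0.7 GET https://example.com/ 200",
    "2023-02-14T10:01:05Z 10.0.0.7 GET https://video.your-notice.fun/iframe 200",
    "2023-02-14T10:01:06Z 10.0.0.9 GET https://notmikerin.com/ 200",
    "2023-02-14T10:01:07Z 10.0.0.9 GET https://your-notice.fun/ 200",
]

URL_HOST = re.compile(r"^(?:https?://)?([^/:\s]+)")


def refang(indicator: str) -> str:
    """Turn 'a[.]b' back into 'a.b', lower-cased and without a trailing dot."""
    return indicator.strip().lower().replace("[.]", ".").rstrip(".")


def load_iocs(text: str) -> Set[str]:
    """Parse one defanged indicator per line, skipping blank lines."""
    return {refang(line) for line in text.splitlines() if line.strip()}


def matches_ioc(hostname: str, iocs: Set[str]) -> Optional[str]:
    """Return the IOC that hostname equals, or is a subdomain of, else None.

    Matching walks label by label (www.mikerin.com -> mikerin.com), so a
    sibling like notmikerin.com is not a hit, and an IOC that is itself a
    subdomain (video.your-notice.fun) does not flag its parent domain.
    """
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    for i in range(len(labels) - 1):  # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def host_from_url(url: str) -> Optional[str]:
    """Extract the hostname from a URL (scheme optional)."""
    m = URL_HOST.match(url)
    return m.group(1) if m else None


def scan_log(lines: List[str], iocs: Set[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, hostname, matched_ioc) for every hit."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line; skip rather than crash the sweep
        host = host_from_url(parts[3])
        ioc = matches_ioc(host, iocs) if host else None
        if ioc:
            hits.append((parts[0], parts[1], host, ioc))
    return hits


if __name__ == "__main__":
    for hit in scan_log(LOG_LINES, load_iocs(DEFANGED_IOCS)):
        print("%s %s requested %s (matches IOC %s)" % hit)
```

Clients that hit these domains are almost certainly visitors to one of the pirate streaming sites rather than people who typed the address, so a hit is best treated as a lead back to the source site (via the referrer, where the proxy logs one) rather than as evidence of user intent.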

Malicious JavaScript (iframe):

Have a question or want to learn more about our cyberprotection? Get a free business trial below.

GET STARTED

Ransomware review: March 2023

This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their Dark Web leak sites. This information represents victims who were successfully attacked but opted not to pay a ransom.

It seems like LockBit wasn’t content with having us merely crown them as one of the five most serious cyberthreats facing businesses in 2023. In February, the most widely used ransomware-as-a-service (RaaS) posted a total of 126 victims on its leak site—a record high since we started tracking the leaks in February 2022.

Known ransomware attacks by gang, February 2023

Known ransomware attacks by country, February 2023

Known ransomware attacks by industry sector, February 2023

Companies attacked along LockBit’s warpath last month include financial software firm ION Group and Pierce Transit, a public transit operator in Washington state. LockBit claimed that ION Group had paid the ransom and demanded $2 million from Pierce Transit.

Speaking of ransom demands, it seems like that’s another area where LockBit broke records last month.

In early February LockBit tried to get $80 million out of the UK’s Royal Mail—the largest demand since asking Continental for $50 million in 2022. Royal Mail rejected the demand, calling it ‘absurd’, and LockBit consequently published the files it stole from the company—but not without also leaking a chat history showing the negotiations between the two parties, which featured the unusual sight of a Royal Mail negotiator giving the feared ransomware gang the runaround.

LockBit and Royal Mail negotiations

Confirmed attacks by Vice Society, the ransomware gang infamous for wreaking havoc on the education sector, reached their three-month low last month. The apparently Russian-based group tallied just two victims on its leak site in February, but—true to their modus operandi—both of them were educational institutions: Guildford County School, a specialist music academy in London, and Mount Saint Mary College, a liberal arts college in New York. Needless to say, we’re not banking on this persistent education sector threat going away anytime soon.

After LockBit, ALPHV (aka BlackCat) and Royal again topped the list of most known victims last month. But as it turns out, these two groups have more in common than just their high placements: both are considered big dangers to healthcare organizations. The US Department of Health and Human Services (HHS) even released a detailed report on Royal and ALPHV in mid-January 2023 outlining the dual threat to the US health sector. Last month, however, Royal and ALPHV apparently only attacked one healthcare organization between them: ALPHV’s attack on the Pennsylvania-based Lehigh Valley Health Network. Their combined 48 leaked victims last month were spread across a range of industries, mainly manufacturing, logistics, and services. It just goes to show that a ransomware strain being used against one sector in one month doesn’t mean it won’t be used against a different industry the next.

Ever since we first reported on it in November 2022, witnessing the emergence of the Play ransomware gang over the months has been one of those “Aw, they grow up so fast (and evil)” type of situations. After its surge in December, activity fell by about 76 percent in January, but it made something of a comeback last month with 11 known victims, including the City of Oakland, where an attack shut down many of the city’s services. In fact, the situation was so bad in Oakland that the Interim City Administrator declared a state of emergency shortly afterwards.

New ransomware groups

Medusa

Not since we introduced Royal ransomware in November 2022 have we seen a new gang burst onto the scene with as much activity as Medusa did in February. The group published 20 victims on its leak site, making it the third most active ransomware last month. Among its victims are Tonga Communications Corporation (TCC), a state-owned telecommunications company, and oil and gas regulator company PetroChina Indonesia.

The Medusa leak site

V is Vendetta

V is Vendetta is a newcomer that published three victims in February on a site that follows the not-so-new practice of branding itself with imagery ripped from a particular mid-2000s dystopian action film. The site is noteworthy not only for its awful “teenager’s bedroom” design but also for using a subdomain of the Cuba ransomware dark web site.

The V is Vendetta leak site

DPRK’s ransomware antics

In early February, CISA released an alert highlighting the continuous state-sponsored ransomware activities by the Democratic People’s Republic of Korea (DPRK) against organizations in the US healthcare sector and other vital infrastructure sectors.

The agencies have reason to believe cryptocurrency ransom payments from such operations support DPRK’s “national-level priorities and objectives.” The report states:

The authoring agencies assess that an unspecified amount of revenue from these cryptocurrency operations supports DPRK national-level priorities and objectives, including cyber operations targeting the United States and South Korea governments—specific targets include Department of Defense Information Networks and Defense Industrial Base member networks,

In the last few years, two new ransomware strains from DPRK have surfaced: Maui and H0lyGh0st.

US Marshal Service ransomware attack

It seems ransomware attackers are going after the big fish again.

At least, it’s been a while since a federal agency like the US Marshals Service (USMS) was hit with ransomware. In late February 2023 a threat actor managed to infiltrate the agency and get hold of sensitive information about staff and fugitives.

It’s far from rare to see a ransomware attack on governments, to be sure. State, Local, Tribal, and Territorial (SLTT) governments were hammered by ransomware throughout 2022. Attacks on the federal government, however, remain few and far between.

If there’s one thing this attack taught us, it’s that no organization is safe from ransomware—but that’s not all. It’s also the most eye-catching attack on the fabric of the US since the Colonial Pipeline attack by the DarkSide ransomware gang. There is no word about who is responsible for the attack or whether or not there has been a ransom demand.

If this is the work of a regular ransomware gang rather than a political statement, it’s a surprise that they’re this bold (or frankly, stupid, for thinking the federal government would ever pay them). Attacking a federal government paints a huge target on their backs.

We know there have been times where affiliates of ransomware gangs go rogue and attack an organization that’s off-limits according to the gangs’ rules—but until more information is released, many details about the USMS breach remain speculative.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Write an incident response plan. The period after a ransomware attack can be chaotic. Make a plan that outlines how you’ll isolate an outbreak, communicate with stakeholders, and restore your systems.

Our Ransomware Emergency Kit contains the information you need to defend against ransomware-as-a-service (RaaS) gangs.


Warning issued over Royal ransomware

As part of its StopRansomware effort, the Cybersecurity and Infrastructure Security Agency (CISA) has published a Cybersecurity Advisory (CSA) about Royal ransomware.

Royal ransomware is a Ransomware-as-a-Service (RaaS) that first made an appearance in January 2022. In September of that year, it began calling itself Royal ransomware, and then in November it really made a name for itself by boldly taking the lead in our monthly statistics.

After November, it handed back top place to LockBit, but has remained one of the top five most prevalent ransomware strains.

According to the CSA, the group behind Royal:

  • Have made ransom demands ranging from approximately $1 million to $11 million USD in Bitcoin.
  • Are known to disable anti-virus software on the affected systems.
  • Have targeted numerous critical infrastructure sectors including manufacturing, communications, healthcare, and education.
  • Steal data from infiltrated networks which they threaten to publicize on their leak site to increase the leverage on the victim.

Royal ransomware leak site

The Initial Access Brokers that cater to Royal are reported to gain initial access and source traffic by harvesting virtual private network (VPN) credentials from stealer logs. Other methods that are used to gain initial access to victim networks are:

  • Phishing, using emails containing malicious PDF documents, and malvertising
  • Remote Desktop Protocol (RDP), using compromised login credentials or brute-forcing them
  • Exploiting public-facing applications. This could be through websites or other applications with internet-accessible open sockets, by exploiting known vulnerabilities or common security misconfigurations.

For those interested, the CSA contains a wealth of Indicators of Compromise (IOCs) and techniques used by Royal to gain persistence and for lateral movement.

