IT NEWS

KeePass vulnerability allows attackers to access the master password

KeePass is a free open source password manager, which helps you to manage your passwords and stores them in encrypted form. In fact, KeePass encrypts the whole database, i.e. not only your passwords, but also your user names, URLs, notes, etc.

That encrypted database can only be opened with the master password. You absolutely do not want an attacker to get hold of your master password, since that is basically the key to your kingdom—aka “all your passwords are belong to us.”

However, a researcher has worked out a way to recover a master password, and has posted KeePass 2.X Master Password Dumper on GitHub.

The description of the vulnerability (CVE-2023-32784) says:

“In KeePass 2.x before 2.54, it is possible to recover the cleartext master password from a memory dump, even when a workspace is locked or no longer running. The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system. The first character cannot be recovered. In 2.54, there is different API usage and/or random string insertion for mitigation.”

The issue was reported to the developer of KeePass on May 1, 2023 and relies on the way that Windows processes the input of a text box. 

Since the developer has fixed the issue, this would normally be the place where we tell you to update KeePass. Unfortunately, a release for the new update (2.54) is not expected for a few months, since the developer is still working on a few other security related features.

However, there is no reason for most KeePass users to immediately panic and switch to a different password manager, because it would be very difficult for an attacker to get their hands on a memory dump of your system without you noticing. That being said, the gravity of the situation is different for people who are afraid their system might be confiscated and submitted to forensic analysis.

Protection

There are a few things you can do if you’re worried about this vulnerability.

  • KeePass can be used with a YubiKey. A YubiKey is a USB stick which, when inserted into a USB slot of your computer, enters the password for you at the press of its button. This keeps the password out of the text box, so it doesn’t end up in the system memory.
  • Scan your system for malware. It is feasible that malware could be used to remotely fetch a memory dump from an infected system.
  • Turn on device encryption to keep unauthorized users from accessing your system.

For those with the more serious threat model of system confiscation that we mentioned earlier, the researcher that found the issue posted the advice to follow these steps:

  • Change your master password
  • Delete hibernation file
  • Delete pagefile/swapfile
  • Overwrite deleted data on the HDD to prevent carving (e.g. Cipher with /w on Windows)
  • Restart your computer

Or just overwrite your hard disk drive (HDD) and do a fresh install of your operating system (OS).
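For readers with that confiscation threat model, the Windows-specific steps of the researcher’s checklist can be scripted. The PowerShell below is an added example written for this article; it is not code from the Malwarebytes post, from the researcher’s repository or from the KeePass project. It assumes KeePass is installed in its default folder (the path in the script), that C: is the system drive, and that you have already changed the master password inside KeePass. It removes the hibernation file by turning hibernation off, and instead of deleting the page file by hand it sets the standard ClearPageFileAtShutdown registry value so Windows zeroes the page file at shutdown. Run it from an elevated PowerShell.

```powershell
# Added example (not from the article, the researcher or the KeePass project):
# clean-up helper for the "system confiscation" threat model described above.
# Assumptions: default KeePass install path, C: is the system drive,
# master password already changed in KeePass, elevated PowerShell session.

#Requires -RunAsAdministrator

$KeePassExe   = 'C:\Program Files\KeePass Password Safe 2\KeePass.exe'  # assumed default path
$FixedVersion = [version]'2.54'                                           # first version with the mitigation

# 1. Report whether the installed KeePass is still affected (CVE-2023-32784).
if (Test-Path $KeePassExe) {
    $installed = [version](Get-Item $KeePassExe).VersionInfo.FileVersion
    if ($installed -lt $FixedVersion) {
        Write-Warning "KeePass $installed is older than $FixedVersion; the fix is not installed yet."
    } else {
        Write-Host "KeePass $installed includes the mitigation."
    }
} else {
    Write-Warning "KeePass.exe not found at $KeePassExe; skipping the version check."
}

# 2. Delete the hibernation file: turning hibernation off removes hiberfil.sys.
powercfg /hibernate off
if (Test-Path 'C:\hiberfil.sys') {
    Write-Warning 'hiberfil.sys is still present; check for open handles and retry.'
} else {
    Write-Host 'hiberfil.sys removed.'
}

# 3. Page file: have Windows zero pagefile.sys at every shutdown (applies from the next shutdown).
$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
Set-ItemProperty -Path $mm -Name ClearPageFileAtShutdown -Value 1 -Type DWord
Write-Host 'ClearPageFileAtShutdown enabled.'

# 4. Overwrite free space so deleted copies of the files above cannot be carved.
#    cipher /w only touches unallocated space and can take a long time on large drives.
cipher /w:C:\

# 5. Restart so the page file is cleared and KeePass starts in a clean session.
Restart-Computer -Confirm
```

The script only covers the on-disk copies listed in the checklist; any copy of the password still sitting in RAM is dealt with by the restart in the last step, and none of this replaces updating to KeePass 2.54 once it is released.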

That looks a bit over the top for most users, and most will not need to do it. However we do advise all KeePass users to keep an eye out and to update to KeePass 2.54 or higher once it is available.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

PharMerica breach impacts almost 6 million people

US pharmacy giant PharMerica has notified over 5.8 million people about a security incident in which it says personal information and medical information may have been obtained by cybercriminals. The Data Breach Notification lists the total number of persons affected as 5,815,591.

An investigation was started after PharMerica noticed suspicious activity on its network. The investigation showed that an unauthorized party accessed PharMerica computer systems on March 12-13, 2023, and that this party may have had access to certain personal information. The incident was noticed on March 14, and a week later PharMerica identified that the personal information accessed included names, dates of birth, Social Security numbers, medication lists and health insurance information.

Ransomware group Money Message has claimed responsibility for the attack. The gang claims that they encrypted almost the entire PharMerica infrastructure, and has published parts of the stolen data to their leak site.

screenshot of Money Message leak site showing PharMerica

Image courtesy of BleepingComputer

Money Message is a new ransomware which targets both Windows and Linux systems. As we mentioned in our May ransomware review, Taiwanese PC parts maker MSI also fell victim to Money Message.

On its website PharMerica says:

“At this point, PharMerica is not aware of any fraud or identity theft to any individual as a result of this incident, but is nonetheless notifying potentially affected individuals to provide them with more information and resources. The notice will include information on steps individuals can take to protect themselves against potential fraud or identity theft. PharMerica has arranged for complimentary identity protection and credit monitoring services for potentially affected individuals.”

An extra point of concern is that a relatively large proportion of the people affected by the breach have passed away, which makes it unlikely that relatives will regularly monitor their credit reports, making any cybercrime related to the stolen data even more difficult to detect and stop.

What to do if you’ve been caught in a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Leaked Babuk ransomware builder code lives on as RA Group

The bones of long-gone ransomware group Babuk continue to rattle in the breeze, in the form of reused code. Researchers from Cisco Talos have named this new team the “RA Group”, a ransomware collective which may have only been up and running since last month.

Babuk famously threatened to leak law enforcement data, relented, and then had its ransomware builder tool leaked during the weirdest retirement ever. While some of these antics may sound faintly comical, the ransomware was no joke. Babuk popped up in all sorts of attacks, like being deployed via Microsoft Exchange exploits. Babuk code has also been reused prior to this latest group, for example as the basis for Rook ransomware at the end of 2021.

The leaked builder has proven to be very useful for those in the ransomware realm, and people wanting to get in on the act. Its versatility and relative ease of use ensures that—sadly—we’ll likely be seeing Babuk lurking at the edges of ransomware development for a long time to come.

Our latest Babuk beneficiary, the RA Group, already has four known compromises in the US and South Korea. According to Talos, like many other forms of ransomware, the attacks are based around double extortion tactics. This is where the target isn’t just stuck with encrypted, inaccessible files, they’re also threatened with the stolen data being leaked should the ransom not be paid.

In this case, RA Group is sticking with the tried and tested leak portal technique. Watching confidential information be spilled across the internet for download is certainly one way to encourage a business to pay up, and an effective tactic. Talos reports that the main leak site is undergoing various cosmetic tweaks and alterations, confirming the impression that this is all very new indeed.

If you’re unfortunate enough to end up on the leak portal, your details are organised like so:

  • Organisation name
  • A list of stolen data / file size
  • Organisation URL

Customised ransom notes are used for compromised entities, with three days given to pay up or risk the data being made public. When the three-day mark is reached, “sample files” are made public. After 7 days, everything goes public.

A list of the stolen data is also provided in the ransom note, which isn’t something you see all the time. There’s no better way to show you mean business than explaining exactly what you’ve done to supplier, tax, and financial information across every compromised desktop. Talos notes that the impacted organisation is also mentioned inside the code of the executable.

Should your data eventually end up for sale, the below message may provide lots of sleepless nights:

If you want to buy this data, please contact us by qtox

qTox is an instant messaging tool billed as being secure and private, particularly with regard to avoiding having your government listening in on what you might be saying. Ransomware groups using instant messaging to communicate with victims is fairly common, and they often make use of secure tools to do so.


3 reasons to use a VPN

There are many good reasons to use a Virtual Private Network (VPN), even if you are just casually scrolling. Privacy is a right that is yours to value and defend, and if you want to increase your online privacy then a VPN is one of the possible solutions. 

A VPN works like this: When you’re connected to the internet, all of your activity is logged and associated with your Internet Protocol (IP) address. Using a VPN creates an encrypted tunnel from your device to the VPN server, which is like creating a digital middleman between your device and the internet that blocks others from seeing what you’re doing. When you connect to a VPN, instead of your activity being associated with your IP address, now it’s the VPN server’s IP address that is associated with your data. Yours remains private.

Here are three reasons why you might want to use a VPN.

1. To stay private, at all times

Someone who is worried about being spied on — perhaps by their Internet Service Provider (ISP) or by someone that is on the same network, such as an employer or spouse — may choose to use a VPN. All these snoops will see when you are using a VPN is the fact that you are communicating with the VPN server. They are unable to see the content of the communications and where the traffic goes from there. Even if hackers are on the same WiFi network, that encrypted tunnel makes it impossible for them to capture any of your data.

2. To change your location

There are some basic reasons why someone would like to change their location. Some services have location-based restrictions and these services usually rely on your IP address to figure out where you are. So, if you want to evade such a restriction, you can pretend to be in a location where these restrictions don’t apply. Or the other way round if you want to restrict content: For example, if you don’t want your children to visit Pornhub you can set your location to Utah, because visitors from this state are blocked over an age verification law.

choosing a different location in Malwarebytes Privacy VPN

Switching your location is easy in Malwarebytes Privacy VPN

3. To protect when you need it the most

Some users only use a VPN when they feel they need its protection the most. For example, they might turn on the VPN when they are connected to a public WiFi, accessing their bank accounts, sending work-related or other sensitive information, or because they plan on visiting high-risk websites.

Malwarebytes Privacy VPN

Malwarebytes Privacy VPN helps protect your online privacy, shield your location, keep your data private even on public WiFi, and delivers speeds way faster than traditional VPNs. And it’s important to know that Malwarebytes does not log anything the user does. What you do is your business, not ours.

Update now! Ruckus vulnerability added to CISA’s list of actively exploited bugs

Along with six older vulnerabilities, the Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability in multiple Ruckus wireless products to the Known Exploited Vulnerabilities Catalog. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate these vulnerabilities by June 2, 2023.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The Ruckus vulnerability is listed under CVE-2023-25717, which indicates that Ruckus Wireless Access Point software contains a vulnerability in its web services component. If the component is enabled on the access point, an attacker can perform cross-site request forgery (CSRF) or remote code execution (RCE). This vulnerability reportedly impacts Ruckus ZoneDirector, SmartZone, and Solo APs with Ruckus Wireless Admin panels version 10.4 and older.

The Ruckus security bulletin about the vulnerability, issued on February 8, 2023 and edited on May 11, 2023, displays a long list of affected devices. Several of these devices have reached end-of-life (EoL) which means they may not get patched against this vulnerability. Users of supported devices can find download links and install instructions by following the links behind their specific product.

One malware operator that has been found to exploit vulnerable Ruckus devices is the relatively new botnet, AndoryuBot. Infected devices are used to propagate the botnet malware to other devices and are used in DDoS attacks. To avoid detection and to bypass firewalls, the botnet uses the SOCKS proxying protocol. SOCKS is an Internet protocol that exchanges network packets between a client and server through a proxy server. This protocol is often used because it allows traffic to bypass Internet filtering to access content which would otherwise be blocked, but it can also be used to circumvent blocklists and firewall rules.

Protection

To protect your devices against the AndoryuBot botnet which seems to thrive on this vulnerability, you should install the available patches and replace the legacy devices that have reached EoL.

Other measures to protect your devices from falling prey to botnets are:

  • Use strong passwords and multi-factor authentication where possible.
  • Do not make your admin panels accessible from the internet if you can avoid it. If you can’t completely disable remote access, use very strict access policies.
  • Segregate your network so critical components are separated from vulnerable assets.
  • Apply active protection software and monitor network traffic.

The Malwarebytes web protection module blocks the download of the botnet malware:

Malwarebytes blocks 163.123.142.146



Windows 11 is showing its first signs of Rust

Some important changes are heading to Windows which should make the operating system quite a bit more secure than it is now. At the end of April, Microsoft’s VP of OS Security and Enterprise referenced upcoming changes to Windows involving the programming language Rust.

Rust matches the performance of languages like C and C++ while being easier to debug and maintain, and—most importantly—memory safe. It is highly desired by some programmers—you can see the VP’s excitement in the below talk from Blue Hat IL 2023:

At the time, he cautioned that “rewriting Windows in Rust isn’t going to happen anytime soon”. However, he also mentioned that Rust would be making an appearance in the operating system’s Kernel “in the next several weeks or months”.

That moment has now arrived for folks on the Windows 11 Insider program:

Why is this such good news? Well, the kernel is the core component of a computer operating system and is crucial to how it functions. It’s one of the first things to fire up when a computer is switched on, and then it sits in memory permanently, mediating between the computer’s applications and hardware.

If an attacker successfully compromises a kernel, they can expect to have full control over the device it’s running on, which is of course very bad indeed. These issues aren’t just Windows specific—you can end up with a kernel disaster on a Mac, or over in Linux land, too.

A big part of kernel exploitation is focused on memory management. Traditionally, the most popular coding languages for kernels have been C and C++, which provide excellent performance and lots of flexibility, and a lot of rope to hang yourself with when it comes to security. When people with bad intentions stroll into town, one of the key places they prod around is in the realm of memory. Bugs and errors in this area can lead to exploitation, and making the memory unstable can cause malfunctions or allow for malicious code.

A huge part of this is the dreaded buffer overflow attack, which has been around since the 1970s. This is when data written to a buffer spills out and overwrites nearby memory. When the system’s memory is tampered with in this way it can lead to all manner of exploitation.

Despite endless attempts to get programmers to write more secure code, improvements to the underlying languages, and mitigations like Windows Address Space Layout Randomization (ASLR), buffer overflows continue to be a huge problem. The only way to root them out completely is to switch away from C and C++ to a memory safe language like Rust that can manage memory automatically.

This approach has already proven to be more reliable than hoping programmers will do the right thing: The adoption of memory safe languages in Android, which predates Windows by several years, has led to a significant decline in memory safety vulnerabilities on that platform.

According to Google, in situations where Rust has been used on low-level Android components instead of C++, there have been “zero memory safety vulnerabilities discovered.”

The work of switching out C++ for Rust in Windows 11 has already begun. As per The Register, the Microsoft Windows graphics device interface (GDI) is currently being ported to Rust to the tune of 36,000 lines of Rust code, and there’s a system call (SysCall) in the Windows kernel right now which is implemented in Rust.

While the “wouldn’t it be nice” dream of replacing all pieces of C and C++ in Windows with safer, better alternatives is likely impossible, big and important strides in memory safety are finally being made. What we have here is yet another good reason to finally make the leap from Windows 10 to 11.



A week in security (May 8-14)

Last week on Malwarebytes Labs:

Stay safe!



Why we should be more open about ransomware attacks

The UK’s National Cyber Security Centre (NCSC) has published an article that reflects on why it’s so concerning when cyberattacks go unreported, saying:

…we are increasingly concerned about what happens behind the scenes of the attacks we don’t hear about, particularly the ransomware ones.

One of the main reasons is that with visibility, it is easier to get a good picture of what is going on, what methods the criminals are using, and maybe even who they are. Another argument is that paying the ransom and keeping quiet about the fact that you have been attacked has a few negative consequences:

  • Paying the ransom funds the criminal ecosystem.
  • Not doing a thorough, third-party investigation could leave the access method used by the criminals wide open for the next attack.
  • If the news of the cyberattack gets into the public domain later it can be much more damaging than communicating about it straight away.
  • Good backups often restore encrypted systems faster and more effectively than paying a ransom for a decryptor provided by the criminals. Decryptors can be slow, and they have been known to fail (even though the criminals will tell you they work seamlessly).

Depending on the country an organization is based in, whether they handle data under GDPR regulations, whether they are a government contractor, what sector they are active in, or for other reasons, some organizations have a legal obligation to notify one or more authorities about a cyberattack.

This has led to some misconceptions in the past. For example, for some time researchers were under the impression that SamSam ransomware, one of the earliest “big game” ransomware gangs, specifically targeted healthcare providers. Later it turned out that most of its victims were in the private sector, but because a lot of the healthcare victims were obliged by law to report the attacks and none of the private sector victims were, the reported incidents painted a skewed picture of what was actually happening.

There are some obvious reasons why organizations would want to keep attacks under wraps. One of them is the fear of the fines involved in a data breach. Some ransomware gangs actually use these fines as an argument to persuade victims to pay a ransom. The NCSC provided an example of a ransomware message that stated:

The ransom demand is £50 million. If you pay, you’ll avoid a regulator fine of £600 million which is 0.5% of your annual profit.

The NCSC goes on to say that a data leak isn’t the only reason for a fine, and you won’t always be fined if data is leaked. From what we have seen, trying to cover a data leak up and then getting exposed later on will drive the penalty to the max.

The stats in our monthly ransomware reports are based on known ransomware attacks, published by ransomware gangs on their Dark Web sites and Telegram channels. This means we only have visibility on successful attacks where the victim refused to pay. Estimates by experts like Allan Liska are that this is just the tip of the iceberg. We might be seeing only 10% of what is really going on. While there are no reasons to believe that this could change the proportions, in some cases it might.

  • If there are still ransomware gangs without a leak site, we would lack visibility. (At the moment we do not believe any of the major players operate without a leak site or a Telegram channel to leak stolen data.)
  • Ransomware gangs may not publicise attacks that fail to steal valuable data—news of failures would likely put off affiliates and have a negative impact on their income.

Basically, the NCSC is asking victims to do the right thing and allow us to learn from successful attacks, which can help others to avoid falling victim to the same methods. We do understand that some organizations feel they have no other choice but to pay. But even then, investigate the incident and share your findings so others may learn.


Sponsored Twitter post uses fake BBC News site to boost slippery oil trading app

A sponsored post on Twitter promises to offer the benefits of obtaining citizenship, but really just wants to lure you into some form of Forex trading AI scheme. This tangled web also includes faked BBC web pages and suspicious-looking website reviews to round the whole thing off. Shall we take a look?

Sponsored posts are adverts in the form of a Tweet. They’re paid for by the advertiser, and can end up in a variety of locations on your Twitter timeline. As the sponsored post FAQ mentions, you won’t necessarily find them on the profile page of the advertiser. This is something scammers may take advantage of, as rogue ads become a bit of a needle in a haystack to find.

This particular sponsored Tweet has been impacted by Twitter’s community notes feature, where users can add collaborative corrections to mis- or disinformation and scams. The tweet is also from a Twitter Blue subscriber, which can grant additional visibility as a subscriber perk.

A sponsored tweet claiming to illustrate the benefits of being British.

The Tweet reads as follows:

“Check out what benefits you can get if you are British”

The Community Notes added to this tweet state:

The link, via many redirects, goes to a fake BBC news page promoting an ‘automated trading platform’ scam.

Clicking the link while using a VPN or the Tor Browser, which places you outside the UK, results in an “advertorial” for an article promoting a UK-based immigration advice firm. It is listed on the UK’s Law Society website as a recognised legal practice so that, at least, is on the level.

Clicking the link while appearing to be located in the UK gives an entirely different result, in the form of the previously mentioned fake BBC news article. This kind of scam page has been popular with fraudsters for years. Nothing beats the appearance of credibility like aping a major news organisation!

The focus of the fake site is a get rich quick scheme, via the medium of big oil profits and a supposedly withheld TV show. From the article:

“Dragons’ Den” makes Brits rich with oil! The episode may not be broadcast – the broadcaster is furious!

The popular program Dragons’ Den—the UK equivalent of the US show “Shark Tank”, a talent show-style competition for inventors and business people in the UK—is the initial hook.

A fake BBC website using the show Dragon's Den to promote an oil AI app

From the site text:

(BBC) – The Dragons Den Series 17 is over and viewers can once again look forward to very interesting products and ideas. However, one episode of the show may not be broadcast. This episode is about a system with which Brits people can easily earn £7393.39 from home – and that PER DAY. Yes, you read that right – per day.

BBC has the video footage of this programme and we will explain exactly what this is about and why the station was banned from broadcasting this episode.

BBC met Steven Bartlett, one of the investors on “Dragons’ Den”, and he was quite enthusiastic about this system. “It’s an absolute disgrace that politics is intervening again and wants to keep the system secret. Nevertheless, I hope it goes viral on the internet and as many Brits as possible will use it for financial prosperity,” Steven Bartlett said in an interview with our editorial team.

How are you supposed to make this kind of money? Via something called “Oil Trader AI”, which allows you to generate vast wealth from “coronavirus induced” oil price fluctuations. The site then walks you through the steps of how it all works, and the supposed answer is “You have to deposit $314 into another website and the AI takes care of the rest”.

At the bottom of the page is a form to fill in and secure one of the “few” places available to make use of the AI tool.

A sign up form asking for name, email, and phone number

Once you’ve entered your email and phone number, you’re redirected to a second website. The site shows you as being logged in, and whatever email address you used is now displayed as a username.

Below your own details is a screen purporting to show your balance.

A page claiming to show your trading balance from a trading website, which includes a deposit button.

On the right is the “Deposit Funds” button referenced on the fake BBC page. If you click it, the site displays the following message:

Dear client,

In order to deposit funds to your trading account, your account manager will contact you via the phone in the following minutes, please be available to take the call. If you encounter any issues feel free to contact our support department.

A page on the trading site walking through the steps of making a deposit.

We never received a call, so we don’t know whether the call walks the victim through making a deposit on the site, or something else entirely.

Reviews for the site are peculiar, however. On the Trustpilot review site there are 69 reviews, 40 of them positive, and they only began appearing on April 7. That is a lot of attention for a trading site whose domain was only created in February of this year and which has little visibility in search engine results. A sudden cluster of reviews on a brand new site is often a sign that something is amiss with those reviews.

Here’s a particularly odd review, considering the site is just a few months old:

A review which claims to have been using the service in question for "several years now".

“I have been with them for several years now and have never experienced any issues. They are a reliable and trustworthy broker”.

This person claims to have used them for years. It’s possible this individual followed them from a previous site. However, it seems unlikely that the trading portal would make no mention of its earlier site or its internet presence generally. Plus, we also have the below almost identical review from another user:

A review similar to the first which says "I have been using (the site) for several years now".

I have been using [the site] for several years now, and I have never had any issues with withdrawals or deposits. They are highly reliable and trustworthy, which is critical when it comes to choosing a forex broker.

One other user who gave a five star rating claims “I have been trading with them for a year”.

In fact, there isn’t a single positive rating from anyone with more than one review. Each account has made one review of this one specific site, and then never returned. Meanwhile, there are several one star reviews from people with a varied posting history. As you might expect, they advise you to avoid the site completely.

Seeing all of this, the fake BBC page, and the bogus sponsored Twitter post which started the whole thing does not make me confident about wanting to invest. Maybe I could leave a review?

How to avoid dubious trading offers

Sponsored ads may not be what they seem. Twitter is experiencing several issues currently, due to the new checkmark system and bogus ads running wild. Fake death claims leading to scam sites are a particular problem at the moment. Always read the replies, and the Community Notes if present.

Avoid fake BBC sites. A tried and tested tool of scammers everywhere, this is especially the case where offers and get rich quick schemes are being served up. The real BBC News site lives at bbc.co.uk/news; check the address bar before trusting any “BBC” article that arrives via an ad.

Be careful with your data. A get rich quick page asking for personal details should be treated with caution. If you must sign up for something, use a tool to mask your email address or phone number.

Review those reviews. Check the age of the site using a Whois tool, look for links to it in search engines, and count the reviews. Too many over a short period of time is suspicious, especially if all of the reviewing accounts are new or have posted exactly one review each, and doubly so if a review claims years of service from a domain registered a few months ago.
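The checks in that last tip can be turned into a simple script. The example below is added here and is not part of the original article or any Malwarebytes tool; the review records and the domain creation date are constructed for illustration (in practice the date would come from a Whois lookup and the reviews from the review site), and the thresholds are assumptions you would tune. It flags the three patterns described above: positive reviews coming almost entirely from one-review accounts, a burst of reviews in a short window on a young domain, and “several years” longevity claims that are older than the domain itself.

```python
"""Red-flag heuristics for reviews of a freshly registered site.

Added example, not code from the original article. All data below is
constructed; DOMAIN_CREATED stands in for a Whois creation date.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Review:
    posted: date          # date the review was published
    rating: int           # 1-5 stars
    reviewer_total: int   # total reviews this account has ever posted
    text: str


# Constructed sample data, not real reviews. Modelled on the pattern in the
# article: domain created in February, reviews start in early April, every
# positive review comes from an account with exactly one review.
DOMAIN_CREATED = date(2023, 2, 14)      # assumed Whois creation date
ASSESSMENT_DATE = date(2023, 5, 12)     # assumed "today" for the age check

SAMPLE_REVIEWS = [
    Review(date(2023, 4, 7), 5, 1, "I have been with them for several years now and never had an issue."),
    Review(date(2023, 4, 8), 5, 1, "I have been using the site for several years now, withdrawals are fine."),
    Review(date(2023, 4, 9), 5, 1, "I have been trading with them for a year. Great broker."),
    Review(date(2023, 4, 10), 5, 1, "Fast deposits, friendly account manager."),
    Review(date(2023, 4, 12), 1, 14, "Deposited and never heard back. Avoid."),
    Review(date(2023, 4, 20), 1, 3, "Cold-called repeatedly after signing up."),
]

# Phrases that imply at least a year of dealings with the site.
LONGEVITY_CLAIMS = ("several years", "for years", "many years", "for a year")
MIN_CLAIMED_DAYS = 365


def positive_from_single_review_accounts(reviews):
    """Share of 4-5 star reviews written by accounts with exactly one review."""
    positives = [r for r in reviews if r.rating >= 4]
    if not positives:
        return 0.0
    return sum(1 for r in positives if r.reviewer_total == 1) / len(positives)


def longevity_claims_older_than_domain(reviews, domain_created):
    """Reviews claiming a relationship longer than the domain has existed."""
    flagged = []
    for r in reviews:
        text = r.text.lower()
        if any(claim in text for claim in LONGEVITY_CLAIMS):
            # Site age at the moment the review was posted, in days.
            if (r.posted - domain_created).days < MIN_CLAIMED_DAYS:
                flagged.append(r)
    return flagged


def review_burst(reviews, window_days=14):
    """Largest number of reviews posted inside any window of `window_days`."""
    dates = sorted(r.posted for r in reviews)
    best = 0
    for i, start in enumerate(dates):
        end = start + timedelta(days=window_days)
        best = max(best, sum(1 for d in dates[i:] if d <= end))
    return best


def assess(reviews, domain_created, today):
    """Return human-readable red flags; an empty list means nothing stood out."""
    flags = []
    age_days = (today - domain_created).days

    share = positive_from_single_review_accounts(reviews)
    if share >= 0.8:  # assumed threshold
        flags.append(f"{share:.0%} of positive reviews come from one-review accounts")

    stale = longevity_claims_older_than_domain(reviews, domain_created)
    if stale:
        flags.append(f"{len(stale)} review(s) claim a longer relationship than the domain's {age_days}-day age allows")

    burst = review_burst(reviews)
    if burst >= 4 and age_days < 180:  # assumed thresholds
        flags.append(f"{burst} reviews inside a 14-day window on a domain under six months old")
    return flags


if __name__ == "__main__":
    for flag in assess(SAMPLE_REVIEWS, DOMAIN_CREATED, ASSESSMENT_DATE):
        print("RED FLAG:", flag)
```

Run against the constructed sample, all three checks fire. None of them proves fraud on its own; genuine sites can launch with a marketing push. Together with a sponsored ad, a cloned news site and a deposit-first funnel, though, they are the pattern the article describes.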


Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

YouTube is testing ad blocker detection

YouTube is dipping a toe into the muddy waters of ad-blocker blocking, with ad-blocker-using Redditors complaining about a popup that warns “Ad blockers are not allowed on YouTube” when they visit the site.

An adblock warning popup on YouTube
(Image source: Reddit user Sazk100)

The popup message explains that “Ads allow YouTube to stay free for billions of users worldwide,” and invites users who want to be ad-free to take out a YouTube Premium subscription.

Despite the “Ad blockers are not allowed on YouTube” claim, only a select group of individuals currently see this messaging. A YouTube spokesperson confirmed this is currently just a test, though there’s no information on how many people are seeing it or which regions it’s being seen in:

“We’re running a small experiment globally that urges viewers with ad blockers enabled to allow ads on YouTube or try YouTube premium”.

They also note that ad detection isn’t a new thing, and publishers often ask site visitors to disable ad-blocking tools. Everyone reading this very blog has almost certainly experienced a “Please turn off your ad blocker to view this site” notification on a website at some time.

The big problem is that these messages tend to be unpopular, and can turn visitors away from a site. If the content you want to see or read is available elsewhere, why go to the hassle of altering your settings?

In recent years, many sites have adopted a more cautious popup method in an effort to not aggravate visitors. A typical example might say “Support our content, funded by adverts which are used to pay the writers”. Underneath you’ll be given the option to turn off the blocker, or visit the site without doing so this time around. Whether repeat visitors actually do turn off the blocker on the next visit is something only the site owners could know.

In terms of how this is going down with YouTube users, it’s not great. Here’s a typical reaction from the Reddit post where this test was first revealed:

Seriously, watching a recorded stream as we speak and I’ve been timing it. I got an ad, then four minutes later, another pair of ads, six minutes after that, another pair of unskippable ads. Ridiculous.

Ouch. 

A big issue for YouTube users is the frequency of adverts, but also their length. Users are tired of rapid-fire short ads which demand a constant stream of clicks to skip. They’re also not fans of the long-format adverts, which can run to 30 minutes, an hour, or in one extreme case four whole hours!

If you stray into the wacky world of content for children, other types of ad are a problem too. The 20-minute-plus adverts which are essentially glorified toy commercials dressed up as cartoons are a pain to keep skipping on a television.

As you’d expect, people have already found ways to bypass the YouTube ad-block detection test, using tools such as uBlock Origin.

While “These videos can only exist with the support of ads” may be a good point, there are very good reasons why so many people now block ads by default in the first place. Those reasons would include scam ads, and malvertising—the delivery of malware via ad content.

Ad networks have been given chances time and time again to clean up the rogues, fix the malware drive-by antics, and shut down the malvertisers. Despite this, the problem refuses to go away and so some of us would like to stay protected until it is.

The sites using those ad networks are ultimately collateral damage. If YouTube takes a hard line on this, it runs the risk of the biggest YouTubers moving elsewhere. Direct funding, Patreons and other methods of revenue generation are out there and they don’t run the risk of alienating fans with advert-related demands.

Blocking ads is a personal choice, and it’s hard to argue in favour of trusting ad networks when bad ads land in front of millions of people on a regular basis. As I said earlier: this isn’t an “us” problem, it’s a “them” problem. People don’t block ads for the sake of it; they do it because they find them to be annoying, intrusive, or potentially dangerous. This is the consequence of years of bad ad practices, and it’s up to the networks behind them to put in some heavy lifting.


Malwarebytes protects against annoying ads and scams while blocking trackers that spy on you.

TRY NOW