IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

SMS scammers use toll fees as a lure

In April 2024, the FBI warned about a new type of smishing scam.

Smishing is the term we use for phishing attacks sent via text message. This particular smishing scam tries to trick users into clicking a link by telling them they owe a “small amount” in toll fees.

The scammers send a text claiming that the recipient owes money for unpaid tolls.

We've noticed an outstanding toll amount
Redacted example of toll smishing text

“PA Turnpike Toll Services: We’ve noticed an outstanding toll amount of $12.51 on your record. To avoid a late fee of $50.00 visit [URL to fake site] to settle your balance.”

It looks as if the targets are chosen randomly, but if you’ve been on a recent summer trip or will be visiting your relatives during the holiday season the chances are higher that you will believe this type of text. Nobody is going to fool you into paying (extra) for your daily commute, right?

Because of the relatively low amount, people may decide to settle the payment before the amount rises.

One of the URLs we tracked for this campaign was myturnpiketollservices[.]com which was active from early April until late May. Some others have only been active for a few days.

On the fake website, which is a really convincing copy of the original, visitors are asked to fill out their details like phone numbers, email addresses, full name, address, and their credit card details. Scammers will happily abuse any information that you enter for other malicious activities like identity theft and financial fraud.

Tolls by Mail website mimicked by a scammer
Tollsinfosny[.]com mimicking the legitimate Tollsbymailny.com

These attacks are not just increasing in number in the US; smishing scammers are now also targeting people in Australia, Canada, and Japan.

How to avoid falling for a smishing scam

  • Check the phone number that the text message comes from. Some of the scams above were easy to dismiss because they came from telephone numbers outside the US.
  • Look for the actual site that handles the alleged toll fees and compare the domain name. Sometimes there is only a small difference, so inspect it carefully.
  • If you decided to pay, an alarm should go off if you don’t receive confirmation. Official toll agencies will send confirmation after collecting payments. If you don’t receive confirmation, it’s time to investigate and maybe freeze your credit card.
  • Never interact with the scammer in any way. Every reaction provides them with information, even if it’s only that the phone number is in use.
  • If you think the toll fee is feasible because you have indeed travelled in that area, check on the official toll service’s website or call their customer service number.
  • The FBI asks that if you receive a suspicious message, contact the FBI Internet Crime Complaint Center at ic3.gov. Be sure to include the phone number from where the text originated, and the website listed within the text.
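The domain comparison suggested above can be automated. The following Python is an added example, not code from the original post: it pulls domains out of an SMS body, refangs `[.]`, and classifies each as official, lookalike or unknown. The allowlist of official toll domains is constructed for the example and must be confirmed against each agency's own published site.

```python
import re
from urllib.parse import urlsplit

# Allowlist of genuine toll-agency domains. Constructed for this example; confirm
# each entry against the agency's own published site before relying on it.
OFFICIAL_TOLL_DOMAINS = {"tollsbymailny.com", "sunpass.com", "paturnpike.com"}

# Brand words that scammers reuse in lookalike names (e.g. tollsinfosny, sunspasstollsservices).
BRAND_WORDS = ("toll", "turnpike", "ezpass", "sunpass", "fastrak")

# Matches bare or schemed URLs such as "tollsbymailny.com" or "https://x.com/pay".
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-letter swaps like sunspass vs sunpass."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); enough for the .com names in this example."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def extract_domains(text):
    """Return registrable domains found in an SMS body, refanging [.] first."""
    text = text.replace("[.]", ".")
    found = []
    for m in URL_RE.finditer(text):
        raw = m.group(0)
        if not raw.lower().startswith("http"):
            raw = "http://" + raw
        host = urlsplit(raw).hostname
        if host:
            found.append(registrable_domain(host))
    return found


def assess_toll_sms(text, official=OFFICIAL_TOLL_DOMAINS):
    """Map each domain in the message to 'official', 'lookalike' or 'unknown'."""
    verdicts = {}
    official_labels = {o.split(".")[0] for o in official}
    for dom in extract_domains(text):
        label = dom.split(".")[0]
        if dom in official:
            verdicts[dom] = "official"
        elif any(w in label for w in BRAND_WORDS) or any(
            edit_distance(label, o) <= 2 for o in official_labels
        ):
            verdicts[dom] = "lookalike"
        else:
            verdicts[dom] = "unknown"
    return verdicts


if __name__ == "__main__":
    # Constructed sample modelled on the PA Turnpike lure quoted above.
    sample = ("PA Turnpike Toll Services: We've noticed an outstanding toll amount of $12.51 "
              "on your record. To avoid a late fee of $50.00 visit "
              "https://myturnpiketollservices[.]com/pay to settle your balance.")
    print(assess_toll_sms(sample))
```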

Involved domains



We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

TDECU data breach affects half a million people

The Texas Dow Employees Credit Union (TDECU) has filed a data breach notification, reporting that the data of 500,474 people has been accessed in an external system breach.

TDECU is the largest Houston-area credit union, and the fourth largest in the state of Texas. The credit union was founded by employees of Dow Chemical Company in December 1954 and membership was initially limited to Dow and Ethyl-Dow employees. Since then it has gone through several mergers and acquisitions.

According to the data breach notification, the breach occurred on May 29, 2023, but wasn’t discovered until July 30, 2024.

TDECU has sent personal notifications to those individuals it suspects might have been affected. In this notification and on its website, TDECU explained that the incident was related to the MOVEit vulnerability that impacted many other organizations last year. Due to the attacks that used this vulnerability, over 20 million individuals were impacted, says TDECU. The vulnerability also allowed the attackers to view or take certain TDECU data.

“There was no compromise of TDECU’s broader network security.”

After learning of the vulnerability, TDECU launched an investigation and found that certain files containing personal information of TDECU members were potentially stolen from MOVEit by cybercriminals between May 29 and 31, 2023.

Affected individuals are being offered complimentary access to identity monitoring for 12 months.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

Move over malware: Why one teen is more worried about AI (re-air) (Lock and Code S05E18)

This week on the Lock and Code podcast…

Every age group uses the internet a little bit differently, and it turns out for at least one Gen Z teen in the Bay Area, the classic approach to cybersecurity—defending against viruses, ransomware, worms, and more—is the least of her concerns. Of far more importance is Artificial Intelligence (AI).

Today, the Lock and Code podcast with host David Ruiz revisits a prior episode from 2023 about what teenagers fear the most about going online. The conversation is a strong reminder that what America’s youngest generations experience online is far from the same experience that Millennials, Gen X’ers, and Baby Boomers had with their own introduction to the internet.

Even stronger proof of this is found in recent research that Malwarebytes debuted this summer about how people in committed relationships share their locations, passwords, and devices with one another. As detailed in the larger report, “What’s mine is yours: How couples share an all-access pass to their digital lives,” Gen Z respondents were the most likely to say that they got a feeling of safety when sharing their locations with significant others.

But a wrinkle appeared in that behavior, according to the same research: Gen Z was also the most likely to say that they only shared their locations because their partners forced them to do so.

In our full conversation from last year, we speak with Nitya Sharma about how her “favorite app” to use with friends is “Find My” on iPhone, what the dangers of AI “sneak attacks” are, and why she simply cannot be bothered about malware.

“I know that there’s a threat of sharing information with bad people and then abusing it, but I just don’t know what you would do with it. Show up to my house and try to kill me?” 

Tune in today to listen to the full conversation.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

PSA: These ‘Microsoft Support’ ploys may just fool you

Many people turn to their favorite search engine when they are facing an issue with their computer. One common search query is to look for the telephone number or contact form for Microsoft, Apple or one of many other brands.

Scammers have long been interested in pretending to be Microsoft technical support. Years ago, inbound unsolicited calls were one of the most common techniques to bring in new victims. In more recent times, fake alerts that take over the browser claiming your computer is infected with viruses have been the dominant vector.

Today, we take a look at two subtle and extremely deceptive campaigns that leverage Google ads and Microsoft’s own infrastructure to create perfect scam scenarios that fooled us for a minute.

Trick #1: Fake Helpdesk page via Microsoft Learn

We found this ad while looking for Microsoft support live agents. The top (sponsored) result looks like it was bought by Microsoft itself with its official logo and URL.

Users who click on the ad are redirected to a legitimate Microsoft website (learn.microsoft.com) showing Microsoft’s “official” phone number. This page has the look and feel of a genuine knowledge base article especially since it appears to be posted by “Microsoft Support”:


Clicking the 3 dots beside the ad reveals that it actually doesn’t belong to Microsoft at all, but instead was paid for by an advertiser from Vietnam. This does not mean this is the actual scammer, simply that this account may have been compromised and is being used to create malicious ads.


As for the Microsoft page, it was created by a scammer via a fake Microsoft Support profile using Microsoft Learn collections.

Microsoft Learn Collections is a feature available to anyone with a Microsoft Learn profile. Collections allow you to create curated lists of Microsoft Learn content to share with your followers. A collection can include documentation articles, training modules, learning paths, videos, code samples, and more.

Here’s the profile for “Microsoft Support” that actually belongs to the scammer, using the profile id JamesKing-8561:


Trick #2: Microsoft Search query hijack

The second (unrelated) ad campaign we saw uses a different tactic but also starts with a Google ad. When victims click on it, it launches a search query page via microsoft.com/en-us/search/explore.

This clever trick works by passing the following parameters to the URL:

Call+%2B1+%28844%29+327-5425++Microsoft+Support+%28USA%29

When the page finishes loading, it will display what looks like a contact number from Microsoft. In a way, this is a form of advertisement that totally abuses what the Microsoft search feature was intended for:
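A proxy-log reviewer can flag this abuse by decoding the query text that the trusted search page echoes back to the visitor. The Python below is an added example, not code from the original post; it assumes the hijacked text arrives in the query string (the parameter name `q` is an assumption, as is the `/search/` path marker) and uses a reserved 555 number in a constructed sample log.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Site-search paths on trusted hosts that render the visitor's query text back onto the page.
# Constructed for this example from the microsoft.com/en-us/search/explore path described above.
ECHOING_SEARCH_PATHS = {"microsoft.com": "/search/"}

# North American phone number, with optional +1, parentheses and separators.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# Words that turn an echoed number into a support lure.
LURE_RE = re.compile(r"\b(call|support|helpline|help ?desk|toll[- ]free)\b", re.I)


def decoded_texts(url):
    """Return the host, path and every decoded piece of text a hijack could hide in."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    texts = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    texts.append(unquote_plus(parts.path))      # some variants put the text in the path
    texts.append(unquote_plus(parts.fragment))  # or after the '#'
    return host, parts.path, texts


def query_hijack_finding(url):
    """Return a finding dict when a trusted search page is made to echo a phone lure, else None."""
    host, path, texts = decoded_texts(url)
    marker = ECHOING_SEARCH_PATHS.get(host)
    if marker is None or marker not in path:
        return None
    for text in texts:
        phone = PHONE_RE.search(text)
        if phone and LURE_RE.search(text):
            return {"host": host, "phone": phone.group(0), "echoed_text": text}
    return None


def scan_proxy_log(lines):
    """Run the check over 'timestamp client url' lines and return one finding per hit."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        finding = query_hijack_finding(fields[2])
        if finding:
            finding["client"] = fields[1]
            findings.append(finding)
    return findings


# Constructed sample log; the 555-01xx number is a reserved fictional exchange.
SAMPLE_LOG = [
    "2024-08-21T10:02:11Z 10.0.0.15 https://www.microsoft.com/en-us/search/explore?q=Call+%2B1+%28555%29+010-0199++Microsoft+Support+%28USA%29",
    "2024-08-21T10:02:40Z 10.0.0.15 https://www.microsoft.com/en-us/search/explore?q=windows+11+update",
    "2024-08-21T10:03:05Z 10.0.0.22 https://support.microsoft.com/en-us/contactus",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f)
```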


Fraudsters sitting in a far away call center pretending to be Microsoft technicians will trick victims into letting them onto their computers using remote access programs. The damage these scammers can do ranges from stealing a few hundred dollars as part of a “repair”, to emptying entire savings accounts.

Needless to say, you do not want to call these crooks, let alone grant them access to your computer.

Getting real support

Scammers are well aware that many people, especially the elderly, aren’t in a position to take their computers to a brick and mortar shop. Looking for help online from the convenience of their home is often the only option.

Here are some tips:

  • Never call a phone number that you see in an ad (search ad, or display ad).
  • To visit an official website, refrain from clicking on sponsored links. Instead, scroll further down and look for the organic search result.
  • The tip above does not take into account SEO poisoning, where scammers game search engines’ results. If you can, type the website directly into the address bar.
  • The tip above does not take into account ‘typosquatting’, which is when you make a mistake in the spelling of the website and are redirected to a malicious site instead. This is something you should be aware of as well.
  • Perhaps there is help available locally, which you may get by asking a friend or acquaintance.

Finally, keep your computer up-to-date and secure with protection against malware and malicious websites. Malwarebytes’ offering includes the free Browser Guard extension, which secures your online browsing experience.

In the meantime, the real Microsoft website can be accessed at support.microsoft.com and it looks like this (in the U.S.):


A week in security (August 19 – August 25)

Last week on Malwarebytes Labs:

Last week on ThreatDown:

Stay safe!


Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Fake funeral “live stream” scams target grieving users on Facebook

Some scammers have the morals of an alley cat. But some sink even lower.

Over the last few months, Malwarebytes Labs has discovered scammers active on Facebook that prey on bereaved people by using stolen images and phony funeral live stream links to steal money and/or credit card details.

These scammers are becoming more active and new cybercriminals are picking up the method as well, which is something we see very often. When some scheme works, more lowlifes join in.

Currently, we are aware of two different approaches. One uses fake live stream links of the funeral. It asks people to follow a link where they can watch the funeral service and to share the link among their friends and family. The other asks for donations on behalf of the family of the deceased.

We followed the flow of one such scam, but you should be aware that there are several variations.

Usually, this type of scam starts with a comment on Facebook below the notification of a funeral home.

Facebook comment promoting funeral service live
Comment made to look like an update

“UPDATE POST:

If you can afford you can donate.

Please share family and friends

Watch [name] Loveing Memory & Funeral ServiceLive Stream Online

WATCH LIVE [link]”

The domain the comment links to is not unique. Malwarebytes Premium blocks at least 4 other domains involved in the same type of scam. And there were more which have been taken offline by the time you read this.

If you follow the link, you’ll end up on a landing page similar to this one.

Live stream landing page with three buttons leading to the same phishing site
All three buttons lead to the same phishing site

All the buttons on this site pointed to a domain which we block for phishing.

Malwarebytes blocks pbg4jptrk.com

Adding the domain to the exclusion list allowed me to follow through, and I ended up on a site that wanted me to sign up for my “favorite movies” so that I could allegedly get full access. Remember, I came here following links to the live stream of a funeral—not because I wanted to watch my “favorite movies.”

Watch your favorite movies
Sign up site to watch your favorite movies

After feeding the scam site a bogus email address, I was allowed to move on.

Membership activation site asking for credit card details
Membership activation. Credit card details needed.

Here I am invited to activate my membership by providing my credit card details. Why do they need my credit card details for a free service?

This is the reason the site provides:

“WHY YOUR CREDIT CARD?

We have streaming licenses for our content for certain countries only. That’s why we need to verify your geographic location using a valid credit card. Your membership entitling you to all our content is only 2.00€, unless you decide to switch to premium mode at the end of the 3-day trial membership, or do not cancel your membership within the trial period.”

But the real reason can also be found if you look closely. Did you spot that tiny pre-checked line at the bottom of the left-hand pane?

I enlarged it, so you can read what the small print says.

The small print

“I consent and accept the conditions of the membership and would like a secondary membership. 2X recurring payments every 14 days, current rate (64 €). Cancel anytime.”

In March of 2024, the BBC warned that these cybercriminals sometimes respond to a posted memorial message within minutes, using a fake profile and including the photograph and personal details of the dead person in their post.

The cybercriminals are good at making these Facebook posts look real. They often copy and paste real photographs of the deceased person taken from a funeral director’s site or a genuine tribute site. But they are fake and could turn out very costly for those that fall for them.

Protect yourself and others

Several funeral homes have started adding a note that “this funeral is not being live streamed” to their online notices to reduce the chance of people falling victim to these scams.

The National Association of Funeral Directors says:

“You shouldn’t have to pay to view a funeral live stream and official links will be provided via the funeral director to the bereaved family.”

Be aware of strange friend requests. They may be from scammers looking for a way to comment on your post.

When you see a comment with these links, please report them to Facebook immediately. They will be removed as soon as possible so others may be spared of falling victim.

Never provide your credit card details unless you are 100% sure who you are dealing with. And even then, filling out this type of information online always comes with a risk.

Associated domains

Fake streaming sites:

Qtvlivestreamhd[.]com

Hqonlivestream[.]xyz

Visitpageaus[.]com

Auseventstream[.]com

Phishing sites:

pbg4jptrk[.]com

paperpadpen[.]com

Hundreds of online stores hacked in new campaign

Whenever you shop online and enter your payment details, you could be at risk of being a victim of fraud. Digital skimmers are snippets of code that have been injected into online stores and they can steal your credit card number, expiration date and CVV/CVC as you type it in.

We recently detected a new malware campaign targeting a number of online stores running Magento, a popular e-commerce platform. Due to the compromises looking similar, we believe the threat actors likely used the same vulnerability to plant their malicious code.

Within a few days, we identified over a dozen attacker-controlled websites set up to receive the stolen data. After adding those malicious sites to our security products, we were able to block over 1.1K unique theft attempts against Malwarebytes users who happened to shop at one of a few hundred compromised stores.

Technical details

Each online store is injected with one seemingly harmless line of code, a simple script tag loading content from a remote website. Interestingly, across different hacked websites we noticed the same naming pattern:

{domain}.{shop|online}/img/

Below is an example of such an injection for the online store of a popular European beer manufacturer:


Here’s another example for a Canadian university, also compromised in a similar way. In the image, we can see the content of the remotely loaded JavaScript:


This loader contains a simple function that will retrieve information from the site it is being called from. For example, the website’s domain name is being passed as a parameter (‘s’) into another URL meant to retrieve the actual full skimmer code, which consists of a huge blob of obfuscated JavaScript:


During checkout, the payment flow is seamlessly altered such that a fake “Payment Method” frame is inserted within the store’s page. What’s interesting to note is that this particular store externalized their payment process to a company called Quickpay. However, the skimmer code takes precedence by being shown first to victims.

As you enter your credit card number, expiration date and CVC into the page, that data is transmitted in real time and stored in a criminal’s database.
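To audit a store page for the one-line injection described above, the following Python example (added here; neither the campaign's code nor Malwarebytes' tooling) lists every script tag, resolves each source against the store's own host, and flags sources that match the `{domain}.{shop|online}/img/` loader pattern or come from a host outside an allowlist. The sample checkout page and the allowlist entries are constructed; `datawiz.shop` is taken from the campaign's indicator list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Loader naming pattern seen across the hacked stores: https://<domain>.(shop|online)/img/...
LOADER_SRC_RE = re.compile(r"^https?://[^/?#]+\.(?:shop|online)/img/", re.I)

# Third-party hosts the store legitimately loads scripts from. Constructed allowlist;
# a real audit would take this from the store's own asset inventory.
TRUSTED_SCRIPT_HOSTS = {"cdn.store-assets.example", "checkout.psp.example"}


class ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def classify_script(src, page_host, trusted=TRUSTED_SCRIPT_HOSTS):
    """Return (absolute_url, verdict) for one script source."""
    absolute = urljoin(f"https://{page_host}/", src)  # handles relative and //scheme-less srcs
    host = (urlsplit(absolute).hostname or "").lower()
    if LOADER_SRC_RE.match(absolute):
        return absolute, "skimmer-loader-pattern"
    if host == page_host:
        return absolute, "first-party"
    if host in trusted:
        return absolute, "trusted-third-party"
    return absolute, "unknown-third-party"


def audit_scripts(html, page_host, trusted=TRUSTED_SCRIPT_HOSTS):
    """Audit a checkout page's HTML and return one (url, verdict) pair per script tag."""
    collector = ScriptCollector()
    collector.feed(html)
    return [classify_script(src, page_host.lower(), trusted) for src in collector.srcs]


def suspicious_scripts(html, page_host, trusted=TRUSTED_SCRIPT_HOSTS):
    """Only the findings worth a human look."""
    return [(url, v) for url, v in audit_scripts(html, page_host, trusted)
            if v in ("skimmer-loader-pattern", "unknown-third-party")]


# Constructed checkout page: one first-party bundle, the payment provider's widget, and a
# one-line injection using a domain from the campaign's indicator list.
SAMPLE_HTML = """<html><head>
<script src="/static/js/checkout.bundle.js"></script>
<script src="//checkout.psp.example/widget.js"></script>
<script src="https://datawiz.shop/img/"></script>
</head><body>...</body></html>"""

if __name__ == "__main__":
    for url, verdict in audit_scripts(SAMPLE_HTML, "store.example"):
        print(f"{verdict:24} {url}")
```

Inline scripts without a `src` are not inspected here; the campaign's injection is an external loader, which is what the pattern targets.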


Mitigations

Digital skimmers are often impossible to recognize due to how they blend into a website. Unless you are inspecting network traffic or debugging the checkout page with Developer Tools, you simply can’t be sure that a store has not been compromised.

The critical moment happens when you need to enter your credit card number. This is when malicious code has the chance to grab that information directly from your browser.

In just a few days, our telemetry recorded 1,121 unique blocks from Malwarebytes users who had visited a compromised store. The chart below shows those blocks per malicious skimmer domain:


Both Malwarebytes antivirus and its browser extension (Browser Guard) can detect and block the malicious infrastructure used by the criminals in this campaign. If you were to visit a compromised store, you would see a warning such as those below. Access to the store won’t be blocked, and while you could in theory shop safely (the skimmer code did not get a chance to load), we’d still advise refraining from making any purchases.


We contacted the stores featured in this blog post, and they have already taken action to either remove the malicious code or temporarily suspend their website. We did not reach out individually to each of the other compromised stores but we reported the malicious infrastructure to Cloudflare who already took action in flagging it as phishing.


Most credit card companies can quickly reissue a new card after it’s been stolen. However, we have seen that skimmers often collect not just your financial data but also your email, home address and phone number, information typically required when buying anything online.

If you suspect that you recently made a purchase that resulted in your credit card company alerting you, check out our Identity Protection included in Malwarebytes Premium Security.


Indicators of Compromise

Malicious domains used by the skimmer:


Google patches actively exploited zero-day in Chrome. Update now!

Google has released an update for its Chrome browser which includes a patch for a vulnerability that Google says is already being exploited, known as a zero-day vulnerability.

Google has fixed that zero-day with the release of versions 128.0.6613.84/.85 for Windows/macOS and 128.0.6613.84 for Linux that will be rolled out to all users over the coming weeks.

The easiest way to update Chrome is to allow it to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.

To manually get the update, click Settings > About Chrome. If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is restart the browser in order for the update to complete, and for you to be safe from those vulnerabilities.

Google is up to date at version 128.0.6613.85
After the update, the version should be 128.0.6613.84/85, or later

Besides the zero-day, this update contains 37 other security fixes, as well as Google Lens for desktop. This means you’ll be able to search anything you see on the web without leaving your current tab.

Google Lens will be available on every open tab. Here’s how to use it:

  1. Open the Chrome menu (three stacked dots).
  2. Select Search with Google Lens.
  3. Select anything on the page by clicking and dragging anywhere on the page.
  4. Refine the answers by typing in the search box in the side panel.

Keep in mind though that Google will receive a screenshot of every Google Lens search you do.

Technical details on the zero-day vulnerability

A zero-day is a vulnerability in software or hardware that is typically unknown to the vendor and for which no patch or other fix is available. The zero-day vulnerability which is being fixed here is referred to as CVE-2024-7971: a type confusion in V8 in Google Chrome which allowed a remote attacker to exploit heap corruption via a crafted HTML page.

JavaScript uses dynamic typing which means the type of a variable is determined and updated at runtime, as opposed to being set at compile-time in a statically typed language.

V8 is the JavaScript engine that Chrome uses and has been a significant source of security problems.

Heap corruption occurs when a program modifies the contents of a memory location outside of the memory allocated to the program. The outcome can be relatively benign and cause a memory leak, or it may be fatal and cause a memory fault, usually in the program that causes the corruption.

So, an attacker will have to convince a target to open a specially crafted HTML file, which usually means visiting a website. This will cause the unpatched browser to accept an unexpected value for a variable that will cause an overflow of the reserved memory location. The attacker is able to abuse that overflow for their own malicious purposes.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

My child had her data stolen—here’s how to protect your kids from identity theft 

Recently, I received a letter in the mail from a company about a data breach. 

The letter said that the company had been a victim of a cyberattack back in March in which files were scrambled (what we know as ransomware). The attacker had also accessed sensitive files and customer health data. 

Sadly, this is a pretty normal occurrence these days. However, this time it wasn’t my own data that was stolen. It was my 9-year-old’s health data, stemming from a breach at the medical company that provides her wheelchair. 

She didn’t fill in her details to a phishing site. She didn’t download malware. She doesn’t even have an email account. Yet her data had already been stolen. 

The data included her name, date of birth, Social Security Number, medical documentation, insurance information, and more. 

And this isn’t the first time. She’d actually already had her data stolen three times before her 10th birthday. 

There isn’t anything we could have done differently in this situation. If you don’t use a service anymore, you can ask the organization to delete your personal information. However, in the case of medical companies—who have access to your most sensitive data—you can’t easily change providers, and they often need to store your data for longer for compliance reasons.

However, there are things you can do to prevent identity theft happening in general, some even after your kids’ data has been taken in a breach like this. 

How to protect your kids from identity theft 

  • Freeze your child’s credit report: You need to do this at all three major credit bureaus (Equifax, Experian, and TransUnion), and it’s free to do. Freezing restricts access to your child’s credit report, and means fraudsters cannot use your child’s identity to get credit.
  • Use fake data wherever you can: In some places, like medical facilities, you do need to use your child’s real data. But whenever you’re signing up for something less official, try using dummy data. 
  • Review privacy settings on apps your kids use: Keep things as private as you can. For example, don’t use their photo for profile pictures, remove statuses that let others know when they’re online, set as much as possible to “private,” and give the least amount of personally identifiable information (e.g. home address, phone number, etc.) that you can.
  • Squat on their digital assets: Buy their domain name, create emails for them, and sign up for key platforms. Then lock all these accounts down with strong, unique passwords and two-factor authentication, and set them to private or inactive. 
  • Keep your devices updated and use security software: Infostealers are a type of malware that steal data from your device. This data can then be sold on the dark web to identity thieves. 
  • Talk to your kids about digital safety: Make sure they know how to set strong passwords, what dangers to look out for online, and how to stay safe.  
  • Set up identity monitoring: This alerts you if you or your family’s information is being traded online, and helps you recover afterwards. 

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Fraudulent Slack ad shows malvertiser’s patience and skills

In the past year alone, we have reported almost five hundred unique malvertising incidents related to Google search ads. While it can be difficult to attribute each incident to a specific threat actor, we usually notice similarities between campaigns.

Some malvertisers go to great lengths to bypass security controls, while others know they will get caught and are willing to burn their accounts and infrastructure. Having said that, we have generally observed stealthier attacks and the one we are covering in this blog is one of them.

Targeting the popular communication tool Slack, a threat actor is relying on several online tools to narrow down their victims’ list and most importantly evade detection.

Context is everything

For several days we noticed a suspicious ad for Slack that appeared when you googled the search term for it. The ad actually looks quite legitimate and is listed above the organic search result for the official site. Despite its appearance, we knew it was likely malicious, even though clicking on it at the time would only result in being redirected to slack.com.


Almost every Google ad contains additional information about its advertiser and why it was displayed to you. This is accessible by clicking on the 3 dots beside the ad URL and it brings you to the Google Ads Transparency Center.


What we notice is that this advertiser is promoting products that look targeted at the Asian market, and then there is this Slack ad that appears out of nowhere.


We’ve mentioned before how contextualized detection could be a good way to identify an advertiser account that has been compromised. We don’t know whether Google’s algorithms are trained on this or not, but it has certainly helped us many times in the past to find new malicious ad campaigns.

Slow cooking

For days, clicking on this Slack ad would only redirect to a pricing page on Slack’s official website. Ads aren’t always weaponized right away; in fact, it is common practice for threat actors to let their ad ‘cook’ so that it isn’t detected immediately.


Eventually, we saw a change in behavior. Rather than redirecting to slack.com, the ad now first redirected to a click tracker. This is one of the weaknesses in the Google ad ecosystem, as such services can be abused to filter clicks and essentially send traffic to a domain of anyone’s choosing. Tracking templates, as they are known, are a built-in feature that has become synonymous with fraud for us.

Playing games of hide and seek

Now the ad’s final URL had become slack-windows-download[.]com, an interesting choice for a domain name created less than a week ago. While it is obvious that this page was automatically generated, perhaps using AI, there is nothing malicious on it. For whatever reason, the server-side checks determined that we should only be seeing this decoy page at the time:


After tweaking various settings, we finally saw the malicious page, meant to impersonate Slack and offer a download link to unsuspecting victims. It is the same domain as the one above, but the content is completely different. That type of behavior is known as cloaking, where different users are shown different content:


Below is a network traffic capture showing what was required to get to this page. There are a few things worth noting:

  • The Google ad URL redirects to a click fraud detection tool, followed by a click tracker. There is no way for Google to know where users are going at this point.
  • The click trackers themselves are blind to what happens next, thanks to a singular link/tracking link followed by one more cloaking domain.

This deep layering makes it incredibly difficult to evaluate an ad without resorting to specific tooling and knowledge of the threat actors’ TTPs.
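To make that layering concrete, here is an added Python example (not code from the original post or from Malwarebytes) that walks a captured redirect chain hop by hop, labels each hostname by its role, extracts the destinations that trackers carry in their query strings, and reports why the ad cannot be judged from the URL it displays. The hops are constructed for this example from the indicators listed at the end of the post; the click-tracker hostname tracker.example.invalid, the URL paths and the query parameter names are placeholders, since the post does not publish them.

```python
"""Walk a captured ad redirect chain and flag the layering described above.

Constructed example: only the hostnames published as IoCs in the post are real;
tracker.example.invalid, the URL paths and the query parameter names are placeholders.
"""
from urllib.parse import urlparse, parse_qs, quote


def tracked(destination: str) -> str:
    """Wrap a destination in a placeholder click-tracker URL, the way a tracking
    template carries the real target as a query parameter (constructed format)."""
    return "https://tracker.example.invalid/r?u=" + quote(destination, safe="")


LINK_REDIRECT = "https://slacklink.sng.link/abc"           # IoC: link redirect
TRACKER_URL = tracked(LINK_REDIRECT)                        # placeholder click tracker
CLOAKING_URL = "https://haiersi.com/?k=c0ffee"              # IoC: cloaking host
LANDING_URL = "https://slack-windows-download.com/"         # IoC: decoy/malicious site

# Captured chain as (requested URL, HTTP status, Location header or None).
CAPTURED_HOPS = [
    ("https://www.google.com/aclk?sa=L&ai=EXAMPLE&adurl=" + quote(TRACKER_URL, safe=""),
     302, TRACKER_URL),
    (TRACKER_URL, 302, LINK_REDIRECT),
    (LINK_REDIRECT, 302, CLOAKING_URL),
    (CLOAKING_URL, 302, LANDING_URL),
    (LANDING_URL, 200, None),
]

# The display URL the ad showed to the user.
ADVERTISED_HOST = "slack.com"

# Role of each hostname in the chain; hosts not listed here are reported as unknown.
ROLE_BY_HOST = {
    "www.google.com": "search_ad",
    "tracker.example.invalid": "click_tracker",            # placeholder
    "slacklink.sng.link": "link_redirect",                 # IoC
    "haiersi.com": "cloaking",                             # IoC
    "slack-windows-download.com": "decoy_or_landing",      # IoC
    "slack-download-for-windows.com": "decoy_or_landing",  # IoC
}


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def walk_chain(hops):
    """Return [(host, role)] per hop, checking that each Location header was
    actually the next request so a gap in the capture is not silently skipped."""
    chain = []
    for i, (url, _status, location) in enumerate(hops):
        host = host_of(url)
        chain.append((host, ROLE_BY_HOST.get(host, "unknown")))
        if location is not None and (i + 1 >= len(hops) or hops[i + 1][0] != location):
            raise ValueError(f"capture gap after hop {i}: {location!r} was not requested next")
    return chain


def embedded_destinations(url: str):
    """Query parameters whose decoded value is itself a URL. Tracking templates
    and click trackers pass the real destination this way."""
    found = []
    for key, values in parse_qs(urlparse(url).query).items():
        for value in values:
            if value.startswith(("http://", "https://")):
                found.append((key, value))
    return found


def assess(hops, advertised_host: str) -> dict:
    """Summarise why the ad cannot be judged from its displayed URL alone."""
    chain = walk_chain(hops)
    roles = {role for _, role in chain}
    final_host = chain[-1][0]
    findings = []
    if final_host != advertised_host:
        findings.append(f"lands on {final_host}, not the advertised {advertised_host}")
    if "click_tracker" in roles:
        findings.append("routes through a click tracker: the platform sees nothing past this hop")
    if "cloaking" in roles:
        findings.append("passes a known cloaking host: content may differ per visitor")
    if len(hops) > 3:
        findings.append(f"{len(hops) - 1} redirects before the landing page")
    return {"chain": chain, "final_host": final_host, "findings": findings}


if __name__ == "__main__":
    result = assess(CAPTURED_HOPS, ADVERTISED_HOST)
    for host, role in result["chain"]:
        print(f"{role:18} {host}")
    for finding in result["findings"]:
        print("!", finding)
```

The chain check in walk_chain matters in practice: when a hop is missing from a capture (for example because a cloaking host answered with a 200 and a JavaScript redirect instead of a Location header), the analysis should stop and say so rather than quietly label a truncated chain as clean.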

Malware payload

The download button triggers a file download from another domain that may hint at a parallel campaign targeting Zoom. A key is passed to the server so that the malware binary is only served to users who went through the delivery chain.

Dynamic analysis in a sandbox shows a remote connection to 45.141.87[.]218, a server previously used by SecTopRAT, a remote access Trojan with stealer capabilities. This payload was previously dropped in other malvertising chains, one of them impersonating NordVPN.


Conclusion

Malwarebytes was already blocking that command and control server, and we’ve improved our detection coverage by adding the supporting and delivery infrastructure used in this campaign. In addition, we’ve reported the malicious ad to Google, and Cloudflare has now flagged the decoy domains that were abusing its services as phishing.

We expect malvertisers to continue to exploit free and paid platforms to help them avoid detection, but we also should be aware that they may be more patient and wait for the right moment to unleash a new campaign.

Indicators of Compromise

Link redirect

slacklink[.]sng[.]link

Cloaking

haiersi[.]com

Decoy sites

slack-windows-download[.]com
slack-download-for-windows[.]com

Payload download

zoom2024[.]online

Payload SHA256

59e5e07ffa53ad721bc6b4c2ef435e08ae5b1286cda51415303978da474032d2
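The indicators above are defanged for publication; to use them in a SOC they have to be refanged and matched on label boundaries (so that a subdomain hits but a look-alike such as notslack-windows-download.com does not). The following added Python example (not code from the original post or from Malwarebytes) does that for the domains, the C2 address mentioned in the analysis and the payload hash, and runs the matcher over a handful of constructed proxy, DNS and EDR log lines. The indicator values are the ones listed on this page; every log line and its format is made up for the example.

```python
"""Match the indicators published above against constructed proxy, DNS and EDR log lines.

The indicator values are the ones listed in the post; every log line below is made up
for this example and its format is not that of any particular product.
"""
import re
from urllib.parse import urlparse

# Indicators copied from the post in their defanged form.
IOC_DOMAINS = [
    "slacklink[.]sng[.]link",
    "haiersi[.]com",
    "slack-windows-download[.]com",
    "slack-download-for-windows[.]com",
    "zoom2024[.]online",
]
IOC_IPS = ["45.141.87[.]218"]
IOC_SHA256 = ["59e5e07ffa53ad721bc6b4c2ef435e08ae5b1286cda51415303978da474032d2"]

# Constructed log lines (not from the post): two proxy lines, two resolver lines, two EDR events.
SAMPLE_LOGS = [
    "1717000000.123 45 10.0.0.12 TCP_MISS/302 512 GET https://slacklink.sng.link/abc - HIER_DIRECT/203.0.113.10 text/html",
    "1717000001.456 30 10.0.0.12 TCP_MISS/200 8192 GET https://slack.com/pricing - HIER_DIRECT/203.0.113.20 text/html",
    "2024-06-01T12:00:02Z dns client=10.0.0.12 query=slack-windows-download.com type=A",
    "2024-06-01T12:00:03Z dns client=10.0.0.13 query=www.slack.com type=A",
    "2024-06-01T12:00:09Z edr host=WS-0042 event=filewrite path=C:\\Users\\u\\Downloads\\Slack.exe "
    "sha256=59E5E07FFA53AD721BC6B4C2EF435E08AE5B1286CDA51415303978DA474032D2",
    "2024-06-01T12:00:10Z edr host=WS-0042 event=netconn dst=45.141.87.218:443 proc=Slack.exe",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
QUERY_RE = re.compile(r"\bquery=([A-Za-z0-9.-]+)")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def refang(ioc: str) -> str:
    """Undo the [.] / hxxp defanging used when publishing indicators."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


def host_matches(host: str, domains) -> bool:
    """True when host is an indicator domain or a subdomain of one.
    A plain substring test would also hit look-alikes, so compare on label boundaries."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def match_line(line: str, domains, ips, hashes):
    """Return [(indicator_type, value)] for every indicator seen on one log line."""
    hits = []
    for url in URL_RE.findall(line):
        host = urlparse(url).hostname or ""
        if host_matches(host, domains):
            hits.append(("domain", host.lower()))
    for host in QUERY_RE.findall(line):
        if host_matches(host, domains):
            hits.append(("domain", host.lower()))
    for ip in IPV4_RE.findall(line):
        if ip in ips:
            hits.append(("ip", ip))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in hashes:
            hits.append(("sha256", digest.lower()))
    return hits


def scan(lines):
    """Run the matcher over all lines; returns (line_number, hits) for lines with a hit."""
    domains = [refang(d) for d in IOC_DOMAINS]
    ips = {refang(ip) for ip in IOC_IPS}
    hashes = {h.lower() for h in IOC_SHA256}
    results = []
    for number, line in enumerate(lines):
        hits = match_line(line, domains, ips, hashes)
        if hits:
            results.append((number, hits))
    return results


if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOGS):
        print(number, hits)
```

Hash comparison is done case-insensitively because EDR products differ in how they print digests, and the decoy domains are included alongside the delivery infrastructure so that a DNS lookup of slack-windows-download.com surfaces even when the visitor only ever saw the harmless page.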