IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

Man certifies his own (fake) death after hacking into registry system using stolen identity

A 39-year-old man has been sentenced to 81 months in jail after hacking government systems to fake his own death in order to dodge paying child support.

Yes, you read that right. The press release by the US Attorney’s Office, Eastern District of Kentucky, paints a detailed picture of what went down.

In January of 2023, Jesse Kipf used several stolen identities to create a case for his own death, one of which was a doctor living in another state. He used the stolen username and password of this doctor to log in to the Hawaii Death Registry System and certify his own death, using the digital signature of the doctor.

Kipf admitted that one of the reasons he did this was to avoid having to pay child support. Reportedly, Kipf got a divorce in 2008 in California and owed more than $116,000 in child support obligations to his daughter and her mother, according to court documents.

This was not the only time that Kipf infiltrated other states’ death registry systems, private business networks, and governmental and corporate networks, each time using stolen credentials.

The access he gained to the systems and networks was subsequently sold on dark web forums.

The case was investigated by the FBI in Louisville. FBI Special Agent Michael E. Stansbury said:

“Working in collaboration with our law enforcement partners, this defendant who hacked a variety of computer systems and maliciously stole the identity of others for his own personal gain, will now pay the price.”

In an arrangement with prosecutors, Mr. Kipf pleaded guilty in April to one count of computer fraud and one count of aggravated identity theft. Under the deal, other charges against him were dropped.

Under federal law, Kipf must serve 85 percent of his prison sentence. Upon his release from prison, he will be under the supervision of the US Probation Office for three years. The damage to governmental and corporate computer systems and his failure to pay his child support obligations amounted to a total of $195,758.65.


We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

National Public Data leaked passwords online

Earlier this month, a huge trove of data from scraping service National Public Data was posted online. The dump made international headlines because it included data on hundreds of millions of people, and included Social Security Numbers.

As if that wasn’t bad enough, KrebsOnSecurity is now reporting that another company belonging to National Public Data was found hosting a file online that included the usernames and passwords for the back-end of its website, including those of the site’s administrator.

The website of this company, Records Check, is hosted at recordscheck.net and is very similar to nationalpublicdata.com, with identical login pages. The publicly accessible file, which has now been taken offline, showed that all RecordsCheck users were given the same 6-character password with instructions to change it, which many failed to do.

National Public Data’s founder, Salvatore “Sal” Verini told Krebs that the exposed file has been removed from the company’s website, and that the entire site will cease operations “in the next week or so.”

But that’s a bit too little too late. As bad as we feel about companies like these scraping our data, it’s even worse to see how carelessly they handle our personal information.

Different

Back to the original NPD data dump: we now know a lot more about this database.

Allegedly, the 277 GB set of data contained Social Security numbers and other sensitive data of about 2.9 billion people. That seems a stretch, so we looked into that.

The estimates from our researchers say that it contains 272 million unique social security numbers. That could mean that the majority of US citizens could be affected, although numerous people confirmed to BleepingComputer that it also included information about deceased relatives.

There are a few aspects in this case that make it very different from other data breaches.

For one, the data was “scraped,” meaning it was pulled from various sources and combined in a large database. So that means the data was already “out there.” Combining data sets often leads to duplicate records, for example, the same person but living at a different address will be listed twice.

However, combining the data in such a large database does allow those with access to amass a huge amount of data about each person.
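The two points above (duplicate rows inflate the headline count, while grouping by person concentrates everything known about them) are easy to see on a small sample. The script below is an added example, not part of the original article or of any researcher’s tooling: it normalizes differently formatted SSNs, discards rows that are not a plausible nine-digit SSN, and reports how many distinct people a pile of scraped rows actually covers and how many addresses end up attached to a single person. The records are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of scraped rows (not real data): the same person can
# appear under several addresses, and the SSN may be formatted differently.
RECORDS = [
    {"name": "Jane Q. Public", "ssn": "123-45-6789", "address": "1 Main St, Springfield"},
    {"name": "Jane Public",    "ssn": "123456789",   "address": "9 Oak Ave, Shelbyville"},
    {"name": "John Doe",       "ssn": "987-65-4321", "address": "5 Elm St, Springfield"},
    {"name": "John Doe",       "ssn": "987-65-4321", "address": "5 Elm St, Springfield"},
    {"name": "Broken Row",     "ssn": "12-3456",     "address": "unknown"},
    {"name": "Missing SSN",    "ssn": "",            "address": "unknown"},
]

NINE_DIGITS = re.compile(r"^\d{9}$")


def normalize_ssn(raw):
    """Strip separators and return the 9-digit string, or None if the value
    is not a plausible SSN (too short, too long, empty)."""
    digits = re.sub(r"\D", "", raw or "")
    return digits if NINE_DIGITS.match(digits) else None


def summarize(records):
    """Group rows by normalized SSN and return counts that separate
    'rows in the dump' from 'distinct people in the dump'."""
    by_ssn = defaultdict(list)
    invalid = 0
    for row in records:
        key = normalize_ssn(row.get("ssn"))
        if key is None:
            invalid += 1
            continue
        by_ssn[key].append(row)

    rows = len(records)
    unique = len(by_ssn)
    # Distinct addresses seen per person: how much a merged data set
    # accumulates about one individual.
    addresses_per_person = {
        ssn: len({r["address"] for r in rows_for_ssn})
        for ssn, rows_for_ssn in by_ssn.items()
    }
    return {
        "rows": rows,
        "invalid_rows": invalid,
        "unique_ssns": unique,
        "duplicate_rows": rows - invalid - unique,
        "max_addresses_for_one_ssn": max(addresses_per_person.values(), default=0),
    }


if __name__ == "__main__":
    for k, v in summarize(RECORDS).items():
        print(f"{k}: {v}")
```

On the constructed sample, six rows collapse to two distinct people once the SSN is normalized, and one of those people already has two addresses attached. The same grouping step is what lets a researcher turn a row count into an estimate of affected individuals, and it is also why an aggregated dump is more sensitive than any one of the sources it was scraped from.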

Second, because of the scraping, there is no direct link between the breached entity and the people whose data is in the leaked database. Normally, businesses will inform their affected customers about what happened, offer credit monitoring services, and let them know what exactly was stolen.

Depending on the outcome of a complaint filed in the US District Court for the Southern District of Florida, some of this might still happen, but it’s unlikely to be anywhere near what a company that cared about its customers might be willing to do.

National Public Data has set up a website (only accessible with a US IP address, so from outside the US you may need to use a VPN) about the breach. According to that website:

“The information that was suspected of being breached contained name, email address, phone number, social security number, and mailing address(es).”

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

Toyota confirms customer and employee data stolen, says breach at third party to blame

Last week, a cybercriminal using the handle ZeroSevenGroup dumped 240GB of data on the infamous stolen data site BreachForums, which they said came from a hack on the US branch of car manufacturer Toyota.

ZeroSevenGroup claims the dump includes customer and employee data.

Figure: Data offered in BreachForums post

ZeroSevenGroup posted the data with the following message:

“We have hacked a branch in United State to one of the biggest automotive manufacturer in the world (TOYOTA).
We are really glad to share the files with you here for free.
Contents: Everything like Contacts, Finance, Customers, Schemes, Employees, Photos, DBs, Network infrastructure, Emails, and a lot of perfect data.
We also offer you AD-Recon for all the target network with passwords
We’re not kidding, we have been on the network for a long time..”

Toyota told BleepingComputer that a breach at a third party had led to the data theft. After they looked at the files, BleepingComputer concluded that they had been stolen or at least created on December 25, 2022.

The car vendor has already notified impacted individuals, but it did not provide technical details about the incident. According to Toyota:

“We are aware of the situation. The issue is limited in scope and is not a system wide issue. We have engaged with those who are impacted and will provide assistance if needed.”

Toyota and Toyota Financial Services have suffered several breaches in the past, so it’s hard to tell where and when the information was obtained more precisely.

Check your digital footprint

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

Why you need to know about ransomware

Last month, a strange thing happened in cybersecurity: a type of cyberthreat typically reserved for large businesses and critical services appeared on the computers of everyday people.

Starting on July 20, hundreds of individuals across the globe began reporting problems with ransomware. Ransomware is an existential threat to businesses everywhere, but for years, it has been understood as primarily that—a business threat.

By focusing their attacks on multimillion-dollar organizations and essential government and health services, ransomware gangs hope to force a payment from their victims who cannot risk shutting down. For some victims, like hospitals, such an impact to their services could be a matter of life and death.

But for the ransomware campaign in July, which involved a variant called Magniber, cybercriminals focused not at all on businesses, but on people. After victims had their computers infected, they received a ransom note and a demand for $1,000 in exchange for having their devices and files cleaned. If victims waited for more than three days to pay up, the demand shot up to $5,000.

The campaign lands during a devastating period of ransomware attacks against businesses, in which the frequency of attacks has steadily climbed up and up, annually, for several years. This increase in attacks is recorded and analyzed in the latest 2024 ThreatDown State of Ransomware report by Malwarebytes, which can be viewed below.

With a global increase in ransomware attacks against businesses, and with no decryption key in sight for victims of Magniber, it’s clearer than ever that ransomware is a must-know cybersecurity risk for people at home.

Why you need to know about ransomware

The most important services in your life are also the most attractive targets for ransomware gangs around the world, which is why your banks, grocery stores, hospitals, schools, government resources, and more could, without any fault of your own, suddenly grind to a halt. Because of ransomware attacks in the past, surgeries have been delayed, classes have been cancelled, and, more recently, a credit union’s customers had their direct deposit payments thrown into disarray.

In ransomware attacks, the pressure is the point.

For years, cybercriminals have focused their ransomware attacks against the types of organizations that are essential for everyday life, including hospitals, schools, critical infrastructure, and entire city governments. Once these organizations are infected with ransomware, their systems and devices become useless, as a ransomware attack will grab all files stored within reach and “encrypt” them—making them inaccessible to their own users without a related “decryption key.”

It is at this critical moment when the clock starts ticking for ransomware victims.

Organizations without reliable backups, unable to work or provide vital services, are pressured into a dreadful decision: Do they pay the cybercriminals a ransom to receive the decryption key (and trust that it works), or do they try to start from scratch, rebuild their technology operations, and refuse to fund the efforts of cybercriminals?

For businesses around the world, it’s a question that is being asked more frequently, Malwarebytes found.

Between July 2023 and July 2024, ransomware attacks against organizations increased by 33% across the world, year-over-year, according to the 2024 ThreatDown State of Ransomware report. The US and the United Kingdom suffered the greatest uptick in attacks during the same time period, of 63% and 67% respectively.

But it wasn’t just the frequency that increased. It was also the ransom payments.

While the attacks that deployed Magniber against everyday people requested just thousands of dollars, ransomware attacks against businesses and organizations can include demands of millions upon millions of dollars.

In fact, in 2023, the total sum of all ransomware payments made—meaning actual money transferred to cybercriminals by their victims—surpassed $1 billion. The average ransom payment during the same time period was $620,000, and the cost of recovering from a ransomware attack was an astonishing $4.7 million.

In its investigation, Malwarebytes also revealed that ransomware attacks against organizations were becoming faster, happening more frequently at night (so as to avoid detection), and relied increasingly on an attack method in which cybercriminals would use a breached computer’s own software to help carry out the attack.

But most intriguing to everyday users is the discovery that the US is unique in suffering attacks on healthcare facilities and schools and colleges. While the US accounts for a shocking 48% of all ransomware attacks worldwide, it accounts for 60% of all education attacks and 71% of all healthcare attacks.

Your role in this threat landscape is complex. While there is not much you can do to protect hospitals, schools, banks, and city governments, there also is not much you should do. These are separate entities that are responsible for their own cybersecurity and the public cannot be expected to manage the operations of every service they need.

That said, there are steps you can take to protect yourself from ransomware attacks.

How home users can prevent ransomware

There are some rules that can help you avoid falling victim to this type of ransomware:

  • Make sure your system and software, including your browser, are on the latest version. Criminals will exploit known vulnerabilities that vendors have already patched but that have not yet been updated everywhere.
  • Run a trusted anti-malware solution.
  • Never download illegal software, cracks, and key generators.
  • Use a malicious content blocker to stop your browser from visiting bad sites.
  • Don’t open unexpected email attachments.
  • Don’t click on links before checking where they will take you.

If you do accidentally get caught by ransomware, we recommend you don’t pay. There’s no guarantee you’ll get your files back, and you’ll be helping to line the pockets of criminals.

You can also read the full 2024 ThreatDown State of Ransomware report below.

“We will hold them accountable”: General Motors sued for selling customer driving data to third parties

Texas Attorney General Ken Paxton has sued General Motors (GM) for the unlawful collection and sale of over 1.5 million Texans’ private driving data to insurance companies without their knowledge or consent.

In June, the Attorney General (AG) announced he had opened an investigation into several car manufacturers over allegations that the companies had improperly collected mass amounts of data about drivers directly from the vehicles and then sold the information to third parties.

Following that investigation, the AG explained in a press release, he decided to sue General Motors:

“Our investigation revealed that General Motors has engaged in egregious business practices that violated Texans’ privacy and broke the law. We will hold them accountable.”

The court filing provides some more detail. It reasons that when consumers buy a vehicle, they want a mode of transportation to get them from one point to another, but with GM (and its subsidiary OnStar) they unwittingly opt-in to an all-seeing surveillance system.

GM collected scores of data points from consumers about their driving habits and monetized that data by selling it on to other commercial parties. The AG accuses GM of installing technology that allegedly improves the safety, functionality, and operability of its vehicles, but at the same time this technology gathers driving data about the vehicle’s usage.

The driving data collected and sold by GM included trip details like speed, seatbelt status, and driven distance. On top of that, GM gathered data through other products like its mobile apps.

GM had agreements with various companies which allowed them to use the driving data to calculate a driving score based on risk analysis. After buying a license from GM, an insurer could access the driving scores of over 16 million customers. Based on those scores the insurer could and did increase monthly premiums, drop coverage, or deny coverage.

GM claimed to have consent, but according to the AG it “engaged in a series of misleading and deceptive acts” to obtain that consent.

Among other things, the onboarding process was treated as a mandatory prerequisite to take ownership of the car. But it was nothing short of a deceptive flow to ensure customers would agree to sign up for GM’s products and get enrolled in the driving data collection scheme. Customers were presented electronically with some fifty pages of disclosures about its OnStar products, which consisted of product descriptions and a confusing series of applicable user terms and privacy notices.

At no point did GM disclose that it would sell any of their data, much less their driving data, nor did it disclose that it had contracts in place to make driving scores available to other companies or permit companies to re-sell driving scores to insurance companies.

Last year on the Malwarebytes Lock and Code podcast, David Ruiz spoke to a team of researchers at Mozilla who had reviewed the privacy and data collection policies of various product categories over several years. They classified cars as the worst product category they had ever reviewed for privacy.

A modern car hasn’t solely been a transportation vehicle for a long time. With multiple digital systems, they are increasingly plugged into web applications and digital processes—both of which are vulnerable to security flaws.

But at least those flaws are not intentional; some of the privacy issues apparently are. So it’s good to see a raised awareness among consumers about these issues, and investigations conducted.

As we noted, an ongoing US Senate investigation indicated that connected car makers violate consumer privacy by sharing and selling drivers’ data, including their location, on a vast scale, and that the same car makers often obtain consumer consent through deception.

Based on this investigation, senators have urged the Federal Trade Commission (FTC) to investigate automakers’ disclosure of millions of Americans’ driving data to data brokers, and to share new-found details about the practice.

As always, we will keep an eye on the developments in this field.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Hacked GPS tracker reveals location data of customers

Stalkerware researcher maia arson crimew strikes again. Big time.

We know maia as a researcher that loves to go after stalkerware peddlers, which Malwarebytes—as one of the founding members of the Coalition Against Stalkerware—loves to see.

This time the target company, Tracki, sells GPS trackers and doesn’t hesitate to explicitly market them as devices for spying on a spouse or other family member. Tracki devices are sold by some major telecommunication companies, either under the Tracki brand or under their own label.

Tracki’s mother company Trackimo—hey we’re not the ones that made that name up—co-owns a subsidiary called watchinU that offers a Nickelodeon-branded smart watch for kids, the NickWatch, which is currently only available in the UK and Israel.

The investigation into Tracki, besides uncovering a tangled web of companies, dubious websites, and false identities, also led to a data breach that maia says could possibly affect almost 12 million users.

Researching the technology behind the tracker and the web portal for customers that want to see all their trackers on a map, maia found various hardcoded usernames and passwords used to load data from a number of administration and support tools.

One of the tools, the Trackimo Troubleshooter, was designed for remote debugging of all Tracki and Trackimo devices, by showing the technical support agents practically all the data from any given device by just entering a device identification number.

This “simple internal support tool” required no other authentication than logging in using a password that was shared between Tracki and Trackimo employees. All you need is a device ID, which follows a standardized format, so it looks like it would be possible with a bit of scripting to grab the relevant data from every device.

Tracki support receives multiple subpoenas per week from local and federal law enforcement worldwide. Many are for stalking or harassment but also occasionally for other charges, including domestic violence, attempted murder, and murder. In all these cases, the victim was being tracked by using a Tracki device. maia says Trackimo is not only aware of these use cases, but actively assisted customers to set up nonconsensual tracking of individuals via its helpdesk.

Worryingly, agencies and military programs in the US and other governments around the world use Tracki devices, typically for asset, personnel, and vehicle tracking.

Our takeaway from this research is that by deciding to use stalkerware, of almost any kind, you are not the only one who might be able to follow the target. We have shown time and time again that these companies do not invest as much in keeping their records secure as you would expect or hope.

If you’re curious about the companies and people behind them, please read maia’s blog. It contains a lot of juicy details.


Millennials’ sense of privacy uniquely tested in romantic relationships

Millennials are in a bind.

According to a new analysis of research released earlier this year by Malwarebytes, Millennials are significantly more likely than every other generation to feel that there is no need to share their online account logins with boyfriends, girlfriends, spouses, or significant others, and that keeping such information private shows trust between partners.

And yet, Millennials still grant their romantic partners the same level of access as Gen Z partners do to their devices, locations, online banking accounts, ride-sharing services, vacation rental platforms, and more, causing a crisis of consent amongst a small number of Millennial partners who agreed: Their sharing is done only under duress.

The new findings—which come from a follow-on investigation into the data compiled in the Malwarebytes report “What’s mine is yours: How couples share an all-access pass to their digital lives”—reveal a unique problem for Millennials who grew up before the internet took hold of public life. Saddled with fading privacy norms, Millennials are not entirely convinced that healthy relationships should involve such high digital demands.

A stronger sense of privacy

For Millennials, privacy is seemingly sacred.

Ranking higher than any other age group, 67% of Millennials in committed relationships agreed that they “don’t feel the need to share my device logins or passwords with significant others.” The rates of agreement for the same sentiment were significantly lower amongst Gen Z respondents (57%), Gen X respondents (52%), and Baby Boomer respondents (49%).

Relatedly, Millennials also believed that privacy between romantic partners was crucial to a healthy relationship.

When asked about a similar statement, 73% of Millennials agreed that “keeping your personal login information (account or computer passwords, device PINs, etc.) private in a romantic partnership shows trust between partners.” Again, the rates of agreement amongst other age groups were lower, with just 56% of Gen X respondents and 57% of Baby Boomers feeling the same way. Gen Z respondents also reported a lower rate, at 68%.

Alone, these two findings don’t reveal that Millennials are particularly unique, but it is where Millennials split off—from either Gen Z respondents or older Gen X respondents and Baby Boomers—that their online beliefs come into focus.

For example, Millennials, Gen X respondents, and Baby Boomers all reported similar rates of refusing to share their locations with their romantic partners through apps like Apple’s Find My, or through third-party apps like Google Maps. When asked if they currently share their locations these ways with their significant others, 16% of Millennials said “No, and I never would.” They were joined nearly hand-in-hand with Gen X respondents (17%) and Baby Boomer respondents (18%).

But in looking at Gen Z, a separate vision of location privacy emerges—just 10% of Gen Z respondents said they do not, and never would, share their locations with their significant others through the use of apps. Gen Z respondents, for their part, were the most likely to agree that “sharing locations with my significant other makes me feel safer” (85%).

Unsatisfied with account sharing and unconvinced about location sharing, Millennials should report lower rates of those exact activities with their own romantic partners.

The strange thing is they don’t.

Similar sharing

Millennials in committed relationships share just as much access to many of their devices and online accounts as Gen Z respondents do—from their computers to their tablets to their messaging apps and their online photo albums.

When asked if their romantic partners have access to specific types of personal accounts, Millennials and Gen Z reported similar rates of sharing for:

  • Computer PIN/password (73% of Millennials and 69% of Gen Z)
  • Location sharing apps such as Find My/Find My Device (71% of Millennials and 73% of Gen Z)
  • Messaging apps such as WhatsApp, Messenger, Viber, WeChat, etc. (55% of Millennials and 52% of Gen Z)
  • Food/grocery delivery apps such as Uber Eats, DoorDash, Instacart, etc. (63% of Millennials and 60% of Gen Z)
  • Ride-hailing apps such as Uber, Lyft, etc. (57% of Millennials and 58% of Gen Z)
  • Vacation rental apps such as Airbnb, Vrbo, etc. (58% of Millennials and 55% of Gen Z)

In fact, though variations between the two generations did appear for certain behaviors, including sharing access to email accounts, social media, and phone passcodes, the difference in reporting was never large enough to be statistically significant. When it comes to sharing actual account and location access, Millennials are far more similar to Gen Z than to Gen X and Baby Boomer respondents.

But the sharing doesn’t come without wrinkles.

Millennials were more likely than any other generation to say they shared account access with their romantic partners only because their partners insisted.

For respondents who granted at least some account and app access to their boyfriends, girlfriends, spouses, or partners, 16% of Millennials agreed:

“My partner insists on sharing account access even though I don’t want to.”

That rate was significantly higher than Gen Z (9%), Gen X (4%), and Baby Boomers (1%).

Millennials were also the most likely to agree that, if they had granted some account access to their romantic partners, it was because of threats they received.

At significantly higher rates than Gen X respondents (2%) and Baby Boomers (2%), and at slightly higher rates than Gen Z respondents (9%), 14% of Millennials agreed: “My partner has threatened me over sharing account access (for example, said they would break up with me, harm me physically or emotionally, not talk to me/shut me out, etc.).”

Different dilemma

Millennials in committed relationships are at a crossroads.

As the last generation to be raised without smartphones, their sense of privacy—particularly around location—stands in stark contrast to Gen Z. They are less likely to see the value in sharing online account access with their romantic partners, and more likely to say that, when they do share such access, it is only because their partner insists.

Where the pressure is coming from, exactly, is unclear. It may be from having relationships with Gen Z partners (the reported average age gap between heterosexual couples in America of 2.3 years allows for intergenerational couples in their late 20s for Millennials and Gen Z). It may also be from other Millennials who are becoming influenced by modern dating norms.

Whatever the cause, there is guidance for setting and adhering to the type of online sharing that works for each couple. To learn more about consensual location sharing, avoiding online harassment, and what risks lie ahead for couples that overshare, visit the Modern Love in the Digital Age hub below.

A week in security (August 12 – August 18)

Last week on Malwarebytes Labs:

Last week on ThreatDown:

Stay safe!

Dozens of Google products targeted by scammers via malicious search ads

In a previous blog, we saw criminals distribute malware via malicious ads for Google Authenticator. This time, brazen malvertisers went as far as impersonating Google’s entire product line and redirecting victims to a fake Google home page.

Clearly not afraid of poking the bear, they even used and abused yet another Google product, Looker Studio, to lock up the browser of Windows and Mac users alike.

We describe how they were able to achieve this, relying almost exclusively on stolen or free accounts and leveraging Google’s APIs to create rotating malicious URLs for the browser lock.

All malicious activities described in this blog have been reported to Google. Malwarebytes customers were proactively protected against this attack via the Malwarebytes Browser Guard extension.

Malvertising {keyword:google}

The following image is a collage of malicious ads that all came from Google searches, each consisting of two keywords: google {product}. They all tie back to the same advertiser, which we believe may be unaware that their account was compromised. In fact, we previously saw that same advertiser in two other unrelated incidents at the end of June 2024 for Brave (malware download) and Tonkeeper (phishing).

Figure 1: Google search ads for respective Google products

While brand impersonation is commonly done via tracking templates, in this instance the fraudsters relied on keyword insertion to do the work for them. This is particularly useful when targeting a single company and its entire portfolio. Notice how all the ads follow the same pattern with a display URL showing lookerstudio.google.com (a Google product also later abused in this scheme).

Shortly after we reported this initial wave of ads, we saw the same scammers (the final URL after clicking on the ad also goes to lookerstudio.google.com) register a new advertiser account. In this case, despite their identity not having been verified yet, their ad still showed up for a standard “google maps” search. This time, the ad’s display URL mirrors the product (maps.google.com):

Figure 2: A malicious ad for Google Maps from a yet-to-be-verified advertiser account

Fake Google Search page via Looker Studio

Looker Studio was originally intended as a tool to convert data into dashboards, but the scammers are misusing it to display a dynamically generated image instead. The image is stretched across the screen to give the illusion that you are at the Google home page, ready to make a new search.

Figure 3: A fake Google home page, displayed via Looker Studio rendering an image

Opening Developer Tools in Chrome, we can see that the “Google search page” is indeed just one large image:

Figure 4: The actual image for the so-called Google home page

What’s interesting is how this image is used as a lure that requires some user interaction to trigger an action. Leveraging the Looker Studio API, the scammers embed a hidden hyperlink that is opened in a new tab when a victim clicks on the image:

Figure 5: Looking at the network request, we find a hidden URL

Tech support scam

The embedded linkUrl cddssddds434334[.]z13[.]web[.]core[.]windows[.]net redirects to a fake Microsoft or Apple alert page that attempts to hijack the browser by going into full-screen mode and playing a recording. These fake alerts are the most common way innocent people fall victim to tech support scams. In such a situation, many people will assume there is something wrong with their computer and will follow the instructions they are given on screen.

Calling the phone number for assistance will kickstart a conversation with a call center often located overseas. Fake Microsoft or Apple representatives will persuade victims to buy gift cards or log into their bank account to pay for the ‘repairs’.

Figure 6: Tech support browser lock page for Windows users

Figure 7: Tech support browser lock page for Mac users

The scam URL is part of web[.]core[.]windows[.]net which belongs to Microsoft Azure and is commonly abused by scammers. In this particular instance, the Looker Studio API provides a new malicious URL (rotated at regular intervals) to make any blocking via conventional means futile.
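Because the browser-lock host rotates, exact-URL blocking fails; the chain itself (a Looker Studio embed opening a new tab to an Azure static-website host) is the stable signal. The following detection logic is an added example, not Malwarebytes or Google code; it runs over constructed proxy-log rows that reuse the report ID and host from the IoCs below, plus a made-up rotated host.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Azure Storage static websites are served from <account>.z<NN>.web.core.windows.net.
# The scam rotated the <account> label, so we match the host *pattern*, not one host.
AZURE_STATIC_SITE = re.compile(r"^[a-z0-9]{3,24}\.z\d{1,2}\.web\.core\.windows\.net$")
# Looker Studio embedded reports live under /embed/reporting/<uuid>/ (see the IoCs).
LOOKER_EMBED = re.compile(r"^/embed/reporting/[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}/?$")


def is_looker_embed(url: str) -> bool:
    p = urlparse(url)
    return p.hostname == "lookerstudio.google.com" and bool(LOOKER_EMBED.match(p.path))


def is_azure_static_site(url: str) -> bool:
    return bool(AZURE_STATIC_SITE.match(urlparse(url).hostname or ""))


def detect_browser_lock_chain(events):
    """events: iterable of (timestamp, referrer, url) tuples from a proxy/browser log.
    Fires when a Looker Studio embed opens a tab to an Azure static-site host and
    counts how many distinct (rotated) hosts each report has pointed at so far."""
    alerts, hosts_by_report = [], defaultdict(set)
    for ts, referrer, url in events:
        if is_looker_embed(referrer) and is_azure_static_site(url):
            report = urlparse(referrer).path
            host = urlparse(url).hostname
            hosts_by_report[report].add(host)
            alerts.append({"ts": ts, "report": report, "host": host,
                           "rotations_seen": len(hosts_by_report[report])})
    return alerts


# Constructed sample log: the first embed/host pair comes from the IoCs on this page,
# the second host is a made-up rotated value, and the last two rows are benign traffic.
REPORT = "https://lookerstudio.google.com/embed/reporting/fa7aca93-cabd-47bf-bae3-cb5e299c8884/"
SAMPLE_EVENTS = [
    ("10:00", REPORT, "https://cddssddds434334.z13.web.core.windows.net/"),
    ("10:30", REPORT, "https://qq9n3kjd8a2.z13.web.core.windows.net/"),  # rotated host
    ("10:31", REPORT, "https://support.google.com/looker-studio"),        # benign link
    ("10:32", "https://example.com/", "https://mysite.z22.web.core.windows.net/"),
]

if __name__ == "__main__":
    for alert in detect_browser_lock_chain(SAMPLE_EVENTS):
        print(alert)
```

The second alert reports two rotations for the same report, which is the signal a blocklist keyed on the exact hostname would miss.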

Conclusion

As we saw in this blog, malicious ads can be combined with a number of tricks to evade detection from Google and defenders in general. Dynamic keyword insertion can be abused to target a larger audience related to the same topic, which in this case was Google’s products.

Finally, it’s worth noting that in this particular scheme, all web resources used from start to finish are provided by cloud providers, often free of charge. That means more flexibility for the criminals and makes blocking more difficult.

As we were investigating this campaign, we checked that Malwarebytes customers were protected. Despite the malicious URLs being hosted on Microsoft Azure and rotating regularly, Malwarebytes Browser Guard was already blocking this attack thanks to its heuristics engine.


Indicators of Compromise

Google advertiser accounts

08141293921851408385
Dhruv
06037672575822200833

Looker Studio URLs

lookerstudio[.]google[.]com/embed/reporting/fa7aca93-cabd-47bf-bae3-cb5e299c8884/
lookerstudio[.]google[.]com/embed/reporting/42b6f86d-2a06-4b38-9f94-808a75572bb8/
lookerstudio[.]google[.]com/embed/reporting/fbd88a24-af73-4c76-94dc-5c55345e291d/

Microsoft patches bug that could have allowed an attacker to revert your computer back to an older, vulnerable version

Microsoft has released a patch for a bug enabling a “downgrade attack” that was recently revealed by researchers at the Black Hat and Def Con security conferences.

What does that mean in layman’s terms?

You: Let me check whether my system is fully updated

Windows: Sure, all’s well

Attacker: *Chuckles and deploys an attack against a vulnerability for which you could have been patched long ago*

With a downgrade attack, the victim may have done all they can to keep their computer and software up to date, but an attacker can force it to revert to an older, vulnerable version and then use a known bug to infect their device.

With this particular attack, the researcher built a tool called “Windows Downdate” that takes over Windows Update to turn a completely patched Windows system into one that is exploitable by thousands of vulnerabilities from the past.

Microsoft has now patched the two vulnerabilities in Windows (CVE-2024-38202 and CVE-2024-21302) that the researcher used to create Windows Downdate. To manually check whether you have received this update:

  • Click Settings in the Start menu
  • Click Windows Update
  • Select Update History

You should see this entry for Windows 11:

KB5041585 successfully installed

If you don’t see this, you can start the update by clicking the Check for updates button from the Windows Update menu, or download the relevant update from the Microsoft Update Catalog.

For Windows 10 systems the method is the same, but the KB number is KB5041580 and the update catalog can be found by following this link.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.