Malware Bytes

Sorry for the headline, but we have to get creative to get anyone to read an article on a Friday like this one, even if it is an important story.

As we enter the holidays and parents begin to rest after another hectic year of shopping for their kids, Malwarebytes Labs wants to draw some attention to a part of most children’s lives that deeply affects their online security: The education system.

Although children in the US can’t take out loans or get credit cards on their own, they can end up as victims of identity theft, which can end up being a lifelong burden in the form of bad credit ratings and even criminal records.

An old study by Experian estimated that 25 percent of children will be victims of identity fraud or theft by the time they are 18 years old. In the current system it’s even possible that a newborn gets assigned a Social Security Number (SSN) which has already been used by a criminal.

The Social Security Administration (SSA) has already assigned more than half of all available SSNs and because there is no check before the number gets issued, a baby could end up getting one with a bad history.

But usually, it happens later on. According to Javelin’s 2022 Child Identity Fraud Study, approximately 1.7 million US children had their personal information exposed and potentially compromised due to data breaches in 2021.

Many of the leaked information about children comes, unsurprisingly, from the educational institutions that they visit.

Breaches in education don’t follow a pattern or affect only children. They range from leaky school apps to ransomware and from childcare to the teacher’s retirement system.

Even though the Taxpayer First Act of 2019 mandates that the IRS notify taxpayers, including parents and guardians, when there is suspected identity theft, it has been criticized for not complying with this obligation.

So, parents and guardians need to be vigilant themselves.

How to keep an eye on your children’s identities

There are a few things you can do.

• Contact the three major credit bureaus (Equifax, Experian, and TransUnion) to check if your child has a credit report. Generally, children under 18 should not have a credit report. If a report exists, it may indicate identity theft. If a credit report is found, inform the credit bureau it may be fraudulent. You may need to provide documents to credit bureaus to verify your child’s identity and your own.
• If your child is under 16, you can request a free credit freeze to prevent new accounts from being opened in their name. This freeze remains in place until you request it to be removed. The process for getting a freeze for a minor is different than getting one for an adult. The credit bureaus give specific instructions at these three sites: Experian, Equifax, and TransUnion.
• Limit who you share your child’s Social Security number with and only provide it when absolutely necessary. Don’t be afraid to ask why the information is needed and how it will be protected.
• If you suspect your child’s identity has been stolen, report it to the Federal Trade Commission (FTC) at IdentityTheft.gov. Also, contact your local law enforcement to get a police report and notify the fraud departments of companies where fraudulent accounts were opened in your child’s name.

Check your digital footprint

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

SCAN NOW

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

More and more, threat actors are leveraging the browser to deliver malware in ways that can evade detection from antivirus programs. Social engineering is a core part of these schemes and the tricks we see are sometimes very clever.

Case in point, there has been an increase in attacks that involve copying a malicious command into the clipboard, only to be later pasted and executed by the victims themselves. Who would have though that copy/paste could be so dangerous?

The new campaign we observed uses a a combination of malicious ads and decoy pages for software brands, followed by a fake Cloudflare notification that instructs users to manually run a few key combinations. Unbeknownst to them, they are actually executing PowerShell code that retrieves and installs malware.

The discovery

Our investigation into this campaign started from a suspicious ad for ‘notepad’ while performing a Google search. Such search queries have been a hot spot for criminals who want to lure victims that are looking to download programs onto their computer.

Based on previous evidence, criminals are tricking victims into visiting a lookalike site with the goal of downloading malware. In this case, the first part was true, but what unfolded next was new to us.

When we clicked the Download button, we were redirected to a new page that appeared to be Cloudflare asking us to “verify you are human by completing the action below“. This type of message is more and more common, as site owners try to prevent bots and other unwanted traffic.

But rather than having to solve a CAPTCHA, we saw another unexpected message: “Your browser does not support correct offline display of this document. Please follow the instructions below using the “Fix it” button“.

Powerful technique

This technique is actually not new in itself, and similar variants have been seen both via email spam and compromised websites before. It is sometimes referred to as ClearFake or ClickFix, and requires users to perform a manual action to execute a malicious PowerShell command.

Clicking on the ‘Fix It’ button copies that command into memory (the machine’s clipboard). Of course the user has no idea what it is, and may follow the instructions that ask to press the Windows and ‘R’ key to open the Run command dialog. CTRL+V pastes that command and Enter executes it.

Once the code runs, it will download a file from a remote domain (topsportracing[.]com) within the script. We tested that payload in a sandbox and observed immediate fingerprinting:

C:\Users\Admin\AppData\Local\Temp\10.exe
C:\Windows\SYSTEM32\systeminfo.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer"

The information is then sent back to a command and control server (peter-secrets-diana-yukon[.]trycloudflare[.]com) abusing Cloudflare tunnels:

The use of Cloudflare tunnels by criminals was previously reported by Proofpoint to deliver RATs. We weren’t able to observe a final payload but it is likely of a similar kind, perhaps an infostealer.

Campaign targets several brands

This was not an isolated campaign for Notepad, as we soon found additional sites with a similar lure. There was a Microsoft Teams landing page which used exactly the same trick, followed by others such as FileZilla, UltraViewer, CutePDF and Advanced IP Scanner.

Oddly, we saw a lure for a cruise booking site. We have no idea how that came to be, unless the criminals agree that everyone needs a vacation sometimes.

Overlap with other campaigns

As mentioned previously, this type of social engineering attack is getting more and more popular. Researchers are tracking several different families under different names such as the original SocGholish.

Interestingly, the same domain (topsportracing[.]com) we saw in the malicious PowerShell command for Notepad++ was also used recently in another campaign known as #KongTuke:

As these schemes are being increasingly used by criminals, it is important to be aware of the processes involved. The Windows key and the letter ‘R’ pressed together open the Run dialog box. This is not something that most users will ever need to do, so always think carefully whenever you are instructed to perform this.

Malwarebytes customers are protected against this attack via our web protection engine for both the malicious sites and PowerShell command.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Indicators of Compromise

Malicious domains

notepad-plus-plus.bonuscos[.]com
microsoft.team-chaats[.]com
cute-pdf[.]com
ultra-viewer[.]com
globalnetprotect[.]com
sunsetsailcruises[.]com
jam-softwere[.]com
advanceipscaner[.]com
filezila-project[.]com
vape-wholesale-usa[.]com

Servers used before Cloudflare proxy

185.106.94[.]190
89.31.143[.]90
94.156.177[.]6
141.8.192[.]93

Malware download URLs

hxxp[://]topsportracing[.]com/wpnot21
hxxp[://]topsportracing[.]com/wp-s2
hxxp[://]topsportracing[.]com/wp-s3
hxxp[://]topsportracing[.]com/wp-25
hxxp[://]chessive[.]com/10[.]exe
hxxp[://]212[.]34[.]130[.]110/1[.]e

Malware C2

peter-secrets-diana-yukon[.]trycloudflare[.]com

The US government launched a national security investigation into the popular, Chinese-owned router maker TP-Link, with a potential eye on banning the company’s devices in the United States.

The investigation comes amid heightened tension between the US and the Chinese government, and after a public letter from members of the US House of Representatives this summer that alleged that TP-Link was engaged in predatory pricing practices, driven by ulterior motives, and possibly sponsored by China. US officials noted how TP-Link undercut the competition on price to become the market leader for Small Office/Home Office (SOHO) network appliances.

In doing this, TP-Link managed to grow their market share to 60% of the US retail market for WiFi systems and SOHO routers—from 10% in 2019. And the company reportedly has almost 80% of the US retail market for WiFi 7 mesh systems.

A WiFi 7 Mesh system is the latest advancement in wireless networking, combining the features of WiFi 7 technology with the benefits of mesh networking, which uses multiple nodes that work together to provide uniform WiFi coverage throughout the home, eliminating dead zones.

Because of TP-Link’s original founding in China, claims have been made of a so-called “Huawei playbook,” referring to allegations that Huawei Technologies Co. spies for the Chinese government and that it became a dominant player in the global networking equipment sector on the back of improper state subsidies. Huawei and China both deny these allegations, though.

Nonetheless, the US imposed restrictions that make it harder for Huawei to sell equipment in the US and buy parts from American suppliers.

Perhaps because of this type of scrutiny, TP-Link has made many efforts to distance itself from its Chinese ownership. TP-Link Systems is an entity based in Irvine, California, and no longer affiliated with the Chinese TP-Link Technologies.

Part of the attention paid to TP-Link this year could also be because a Chinese-backed Advanced Persistent Threat (APT) called Volt Typhoon has been using SOHO routers as gateways to get inside sensitive infrastructure. The cybercriminals used the routers to hide the actual origin of malicious attempts to reach inside the utilities and other targets.

But that argument doesn’t make sense since many of those routers were malware-infected NetGear and Cisco SOHO devices that no longer receive updates because they have reached their End-of-Life.

TP-Link said the market share percentages were overstated, but it did recently sign deals with internet service providers (ISPs) who then supply the routers to their customers. In such deals ISPs often rebrand the routers which makes it hard for customers to know which brand and type of router they have.

Representative John Moolenaar, the co-chairman of the US House Select Committee on Strategic Competition between the United States and the Chinese Communist Party—which sent the letter prompting the TP-Link probe—stayed fast in his concerns:

“Chinese companies that, because of the technology they provide or the supply chains they impact, pose an unacceptable risk to our country’s security.”

Unfortunately, vulnerabilities in routers are very common and hardly ever patched by consumers, because they either don’t know how, or they may not even know that the patches are necessary because they don’t know which router model they have or that patches are available.

This makes it very hard to tell whether a vulnerability was an oversight or an intentional backdoor. This will make it hard for the investigators to find the “loaded gun” they are looking for.

We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

Pallet liquidation scams target people looking to purchase pallets of supposedly discounted merchandise, often from major retailers like Amazon.

Groups that engage in pallet liquidation sales are rampant on social media and it’s hard to discern the scammers from the legitimate ones (to be honest, I’ve always thought they were all scams, until someone told me there are legitimate ones), let alone the grey area in between.

The scams are based on the fact that many products are returned and can not be sold again for various reasons. But companies also offer overstock and out-of-season apparel for sale. Most of these companies have the first buyers sign non-disclosure agreements (NDAs) so when you scroll through different legitimate liquidation websites and marketplaces the origin of the pallet is almost never stated.

Depending on the reason of sale and the origin, the pallets may include a large quantity of one product or a mix of products, such as overstock or discontinued items, customer returns, or refurbished goods.

Given that the pallet liquidation market is a billion-dollar industry, it inevitably attracts scammers seeking to grab a piece of the action without putting in the work or risk.

In social media groups that specialize in pallet liquidation, you’ll find advertisements that promise valuable merchandise at significantly discounted prices, such as electronics, tools, or other high-demand items.

Facebook pallet liquidation ad

You’ll also see sponsored ads on social media about pallet sales (note: these are almost always fake).

The risk of not receiving what you have paid for is an obvious one, but some of these scammers will go the extra mile and set up fake websites where they will try and harvest payment details.

How to steer clear of pallet liquidation scams

If you’re really looking to try your luck at this, there are a few tips that can help you get your money’s worth.

The first thing to keep in mind is the higher up you are in the chain, the better your chances of making a profit are. It usually also means buying large quantities (I’m talking about truckloads) and larger investments. And most sellers do not have a return policy. I realize the large shipments are not for everyone, so here are some things to remember:

Red flags:

Unbelievable prices. The people you’re buying from are not stupid. If they are offering goods for unbelievable prices, don’t take their word for it.

Payment methods. Sellers who insist on payment methods that do not offer buyer protection are likely scammers.

Only payment options without buyer protection

Lack of manifest. Sellers that are unwilling to disclose any information about the content of a pallet shouldn’t be trusted. There is definitely a higher risk of damaged items.

Time pressure. Slogans like “Act now!” or “Only 3 left” are often used to create a false sense of urgency, hoping victims will purchase without applying the research below.

Research the seller:

Find contact information and check the validity. Legitimate liquidation sites provide clear and easily accessible contact details, including physical address, phone number, and email address. Be wary of sites that lack this information or provide vague or unreliable contact details.

Verify the physical address of the liquidation site through online maps or directories. A legitimate company is more likely to have a verifiable physical presence. After all, you can hardly receive these pallets in a PO box.

For a website you can use online tools to find the domain age and registration. Legitimate domains have a longer history so they are easier to research. New domains should be regarded as suspicious, since scammers have the habit of moving on to the next domain leaving bad reviews behind.

Check if the website is listed on the Better Business Bureau (BBB) website and review their rating and any associated complaints. It also allows you to check how long they’ve been in business.

Do an online search for the name of the company and combine it with terms like “scam” or “complaint” to help you find problems others may have run into in dealing with this company.

Don’t trust sponsored ads. We have heard of scammers that can afford to pay millions to advertise on Meta, Google, and other platforms and still make a handsome profit.

Use web protection like Malwarebytes Browser Guard. It flags malicious websites and credit card skimmers that steal your information.

Too late?

If you suspect that your payment card details have been stolen, these are the recommended actions:

• Regularly check account and card statements and notify your bank about any suspicious activity.
• Where possible, set up fraud alerts with your bank or payment card provider.
• Change the password and enable multi-factor authentication if you haven’t already.
• Freeze your credit so nobody can open any new accounts in your name.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

This is no secret, online criminals are leveraging artificial intelligence (AI) and large language models (LLMs) in their malicious schemes. While AI tends to be abused to trick people (i.e. deepfakes) in order to gain something, sometimes, it is meant to defeat computer security programs.

With AI, this process has just become easier and we are seeing more and more cases of fake content produced for deception purposes. In the criminal underground, web pages or sites that are meant to be decoys are sometimes called “white pages,” as opposed to the “black pages” (malicious landing pages).

In this blog post, we take a look at a couple of examples where threat actors are buying Google Search ads and using AI to create white pages. The content is unique and sometimes funny if you are a real human, but unfortunately a computer analyzing the code would likely give it a green check.

Fake-faced executives

The first example is a phishing campaign targeting Securitas OneID. The threat actors are very cautious about avoiding detection by running ads that most of the time redirect to a completely bogus page unrelated to what one would expect, namely a phishing portal.

It did cross our minds they could very well be trolling security researchers, but if that was truly the case, why not simply go for Rick Astley’s Never Gonna Give You Up?

The entire site was created with AI, including the team’s faces. While in the past, criminals would go for stock photos or maybe steal a Facebook profile, now it’s easier and faster to make up your own, and it’s even copyright-free!

When Google tries to validate the ad, they will see this cloaked page with pretty unique content and there is absolutely nothing malicious with it.

Parsec and the universe

Our second example is another Google ad for Parsec this time, a popular remote desktop program used by gamers.

It so happens that a parsec is also an astronomical measurement unit and the threat actors (or should we say AI) went wild with it, creating a white page heavily influenced by Star Wars:

The artwork, including posters, is actually quite nice, even for a non-fan.

Once again, this cloaked content is a complete diversion which will take detection engines for a ride.

AI vs AI: humans to the rescue

These are just some of the many examples of AI being misused. In the early days of deepfakes, one may remember companies already training AI to detect AI.

There will naturally be content produced by AI for legitimate reasons. After all, nothing prohibits anyone from creating a website entirely with AI, simply because it’s a fun thing to do.

In the end, AI can be seen as a tool which on its own is neutral but can be placed in the wrong hands. Because it is so versatile and cheap, criminals have embraced it eagerly.

Ironically, it is quite straightforward for a real human to identify much of the cloaked content as just fake fluff. Sometimes, things just don’t add up and are simply comical. Do jokes trigger the same reaction in an AI engine as they would to a human? It doesn’t seem like it… yet.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Another day, another exposed S3 bucket.

This time, 5 million US credit cards and personal details were leaked online. The Leakd.com security team discovered that 5 terabytes of sensitive screenshots were exposed in a freely accessible Amazon S3 bucket.

An S3 bucket is like a virtual file folder in the cloud where you can store various types of data, such as text files, images, videos, and more. There is no limit to the amount of data you can store in an S3 bucket, and individual instances can be up to 5 TB in size.

In this case we don’t know who’s behind the leak, although it seems clear from the screenshots that it’s a phishing operation and the credit and debit card information was exactly the data they were after. Although they probably didn’t intend to share it with the whole world.

Unfortunately, not knowing who left the data exposed makes it harder to plug the hole, but the AWS Abuse team initiated an investigation based on the information provided by Leakd.

The leaked information contains 5 terabytes of screenshots where victims filled out their details on websites that offered “free iPhones” and heavily discounted holiday gifts.

Image courtesy of Leakd.com

Looking at how those screenshots are organized, there are two possible sources.

• Information stealers, many infostealers are capable of taking screenshots and naming them in a way that helps the attackers track and organize the stolen data.
• Phishing using websites that were especially set up for this task. This seems to most likely scenario, because of the content of the screenshots.

As Leakd.com describes it:

“The leaked screenshots often featured instances of users entering personal and financial details into seemingly innocent promotional forms.”

Image courtesy of Leakd.com What do I need to do?

Stolen payment card details are bad enough, as they can be used for financial fraud, identity theft, and cause privacy issues.

The timing just weeks before Christmas makes it even worse. It is hard enough to keep track of your own spending for some of us, let alone when a criminal decides to spend some of our money. And having to cancel your payment card because someone else might use it is most inconvenient right now.

But if you suspect that your payment card details have been stolen, these are the recommended actions:

• Regularly check account and card statements and notify your bank about any suspicious activity.
• Where possible, set up fraud alerts with your bank or payment card provider.
• Change the password and enable multi-factor authentication if you haven’t already.
• Freeze your credit so nobody can open any new accounts in your name.

If you don’t want to become a victim of these cybercriminals:

• Don’t get phished. Be aware of the signs and don’t respond to unsolicited emails and texts.
• Shy away from sites making too-good-to-be-true offers.
• Use web protection like Malwarebytes Browser Guard. It flags malicious websites and credit card skimmers that steal your information.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

An unfamiliar type of scam has surged against everyday people, with a year-over-year increase of some 400%, putting job seekers at risk of losing their time and money.

The emerging threat is delivered in “task scams” or “gamified job scams.” While these scams were virtually non-existent in 2020, the FTC reported 5,000 cases in 2023 and a whopping 20,000 cases in the first half of 2024.

In these scams, online criminals prey on people looking for remote jobs by offering them simple repetitive tasks such as liking videos, optimizing apps, boosting product interest, or rating product images. These tasks are usually organized in sets of 40 tasks that will take the victim to a “next level” once they are completed.

Sometimes the victim will get a so-called double task that earns a bigger commission. The trick is that the scammers will make the victim think they are earning money to raise trust in the system. The money can be fake and only displayed in the system, but some victims report actually receiving small sums.

But at some point, the scammers will tell the victims, they have to make a deposit to get the next set of tasks or get your earnings out of the app. So, victims are likely to make that deposit, or all their work will have been for naught.

Scammers use cryptocurrency like USDT (a digital stable-coin with a value tied to the value of the US dollar) to make their payments.

Task scams typically begin with unsolicited text messages or messages via platforms like WhatsApp, Telegram, or other messaging apps. These messages often come from unknown numbers or profiles that may appear professional to gain trust. Reportedly, these scams like to impersonate legitimate companies such as Deloitte, Amazon, McKinsey and Company, and Airbnb.

Scammers count on the urge that victims do not want to “cut their losses” and will try to pull victims in even deeper, sometimes inviting them into groups where newcomers can learn and hear success stories from (fake) experienced workers.

How to avoid task scams

Once you know the red flags, it is easier to shy away from task scams.

• Do not respond to unsolicited job offers via text messages or messaging apps.
• Never pay to get paid.
• Verify the legitimacy of the employer through official channels.
• Don’t trust anyone who offer to pay for something illegal such as rating or liking things online.

It’s also important to keep in mind that legitimate employers do not ask employees to pay for the opportunity to work. And as with most scams, if it sound to good to be true, it probably is.

If you run into a task scam, please report them to the FTC at ReportFraud.ftc.gov. 

This week on the Lock and Code podcast…

Privacy is many things for many people.

For the teenager suffering from a bad breakup, privacy is the ability to stop sharing her location and to block her ex on social media. For the political dissident advocating against an oppressive government, privacy is the protection that comes from secure, digital communications. And for the California resident who wants to know exactly how they’re being included in so many targeted ads, privacy is the legal right to ask a marketing firm how they collect their data.

In all these situations, privacy is being provided to a person, often by a company or that company’s employees.

The decisions to disallow location sharing and block social media users are made—and implemented—by people. The engineering that goes into building a secure, end-to-end encrypted messaging platform is done by people. Likewise, the response to someone’s legal request is completed by either a lawyer, a paralegal, or someone with a career in compliance.

In other words, privacy, for the people who spend their days with these companies, is work. It’s their expertise, their career, and their to-do list.

But what does that work actually entail?

Today, on the Lock and Code podcast with host David Ruiz, we speak with Transcend Field Chief Privacy Officer Ron de Jesus about the responsibilities of privacy professionals today and how experts balance the privacy of users with the goals of their companies.

De Jesus also explains how everyday people can meaningfully judge whether a company’s privacy “promises” have any merit by looking into what the companies provide, including a legible privacy policy and “just-in-time” notifications that ask for consent for any data collection as it happens.

“When companies provide these really easy-to-use controls around my personal information, that’s a really great trigger for me to say, hey, this company, really, is putting their money where their mouth is.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Last week on Malwarebytes Labs:

• Encrypted messaging service intercepted, 2.3 million messages read by law enforcement
• TikTok ban in US: Company seeks emergency injunction to prevent it
• Data brokers should stop trading health and location data, new bill proposes
• Update now! Apple releases new security patches for vulnerabilities in iPhones, Macs, and more
• 4.8 million healthcare records left freely accessible
• Malicious ad distributes SocGholish malware to Kaiser Permanente employees

Last week on ThreatDown:

• 2024 MITRE ATT&CK® Evaluation results: ThreatDown detected every step
• December patch Tuesday fixes one actively exploited zero-day vulnerability
• What is Cross-Site Request Forgery (CSRF)?

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

On December 15, we detected a malicious campaign targeting Kaiser Permanente employees via Google Search Ads. The fraudulent ad masquerades as the health care company’s HR portal used to check for benefits, download paystubs and other corporate related tasks.

We believe the threat actors’ intent was to phish KP employees for their login credentials, but something unexpected happened. Instead, victims who clicked on the ad were redirected to a compromised website that prompted them to update their browser.

This notification is part of a malware campaign known as SocGholish that tricks users into running a script supposedly meant to update their browser. Rather, it infects machines and if the victim is deemed important enough, a human operator will gain access in order to perform nefarious actions.

In this blog post, we review how this attack unfolds and why a compromised website derailed the attackers’ plan. We already reported the malicious ad to Google.

Malicious Kaiser Permanente ad

Several criminal gangs are currently abusing Google Ads to phish victims of various large companies. They prey on employees simply googling for their HR portal so that they can display a malicious ad to lure them in.

Case in point, when searching for Kaiser Permanente’s HR portal, we saw the following ad:

We were able to identify the advertiser who registered a fake account under the name ‘Heather Black’. This ad was only showed for U.S.-based searches, as can be seen in the Google Ads Transparency Center report:

Former company’s website hijacked for phishing

The displayed url shown in the ad (https://www.bellonasoftware[.]com) does not look associated with Kaiser Permanente. According to LinkedIn, Bellona Software was a company based in Romania. We can see what their website looked like in 2021, using the Internet Archive:

Sometimes more recently, this same website was taken over by criminals who transformed it into a phishing page for Kaiser Permanente:

Malicious redirect to SocGholish

It looks like there was more than one cook in the kitchen, as malicious code was also injected in the core JavaScript libraries for that website, confirmed in a scan by Sucuri’s SiteCheck:

When potential victims clicked on the ad, they landed on that compromised website, which in turn briefly displayed the phishing template only for as long as a mouse scroll or click. Then, a new screen appeared with what looks like a Google Chrome notification claiming the user’s browser is out of date:

This screen, also known as SocGholish, is a long running malware campaign that targets vulnerable websites indiscriminately. When a user executes the downloaded Update.js file, they are instead running a malicious script that will collect some of their computer’s information and relay it to a group of criminals. After this fingerprinting takes place, additional tooling such as Cobalt Strike may be downloaded, preparing the ground for a human on keyboard type of attack.

To the best of our knowledge, the phishing campaign has nothing to do with SocGholish, and we assume that the original threat actors did not anticipate for the website they took over to be compromised. As for the gang behind SocGholish, the victims would come from a Google search, something they usually check for via the referer.

Protecting against web threats

For victims, neither the phishing scheme nor the malware are a happy outcome. While initially targeted because of what they searched for, they fell into the hands of a different criminal syndicate.

Such is the reality of web threats. This is a dynamic and ever changing landscape with a number of malicious players trying to lure users in their own way.

Online ads, and in particular search ads, continue to be a threat. As we have showed many times on this blog, any brand is at risk of being impersonated. Unfortunately, this trend has continued unabated throughout 2024.

At the same time, ‘old’ malware campaigns like SocGholish pose a risk due to a never ending number of outdated websites ready to be compromised and act as a springboard for malware delivery.

When searching online, we urge to use extreme caution with any sponsored results and if possible add protection to your online browsing experience with tools like Malwarebytes Browser Guard.

We reported the malicious ad to Google and will update this blog if we hear anything back.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Indicators of Compromise

Phishing site

bellonasoftware[.]com

SocGholish infrastructure

premium[.]davidabostic[.]com
riders[.]50kfor50years[.]com

Your main business is healthcare, so your excuse when you get hacked is that you didn’t have the budget to secure your network. Am I right?

So, in order to prevent a ransomware gang from infiltrating your network, you could just give them what they want—all your data.

The seemingly preferred method to accomplish this is to leave the information unprotected and unencrypted in an exposed Amazon S3 bucket.

An S3 bucket is like a virtual file folder in the cloud where you can store various types of data, such as text files, images, videos, and more. There is no limit to the amount of data you can store in an S3 bucket, and individual instances can be up to 5 TB in size.

Security researcher Jeremiah Fowler is always looking for exposed cloud storage. And recently he found one that contained over 4.8 million documents with a total size of 2.2 TB.

He soon found out that it belonged to a Canadian company offering AI software solutions to support optometrists in delivering enhanced patient care, called Care1. Care1 Canada provides software tools that “take patient care to the next level.”

The information Jeremiah found included eye exam results, which detailed patient PII, doctor’s comments, and images of the exam results. The database also contained lists of patients which included their home addresses, Personal Health Numbers (PHN), and details regarding their health.

In the Canadian healthcare system, a Personal Health Number (PHN) is a unique lifetime identifier that is used to share a patient’s health information among healthcare providers.

This type of healthcare information can be used in phishing attacks, identity theft, and can cause health privacy issues. Ransomware gangs know this is highly coveted, which is why ThreatDown numbers regularly show that 5 to 6% of ransomware attacks are targeting the healthcare industry.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Apple has released security patches for most of its operating systems, including iOS, Mac, iPadOS, Safari, and visionOS.

To check if you’re using the latest software version, go to Settings (or System Settings) > General > Software Update. It’s also worth turning on Automatic Updates if you haven’t already, which you can do on the same screen.

iPadOS update available

Updates are available for:

Safari 18.2 macOS Ventura and macOS SonomaiOS 18.2 and iPadOS 18.2 iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and lateriPadOS 17.7.3 iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generationmacOS Sequoia 15.2 macOS SequoiamacOS Sonoma 14.7.2 macOS SonomamacOS Ventura 13.7.2 macOS VenturawatchOS 11.2 Apple Watch Series 6 and latertvOS 18.2 Apple TV HD and Apple TV 4K (all models)visionOS 2.2 Apple Vision Pro Technical details

Noteworthy is a vulnerability in the open-source XML parser libexpat tracked as CVE-2024-45490. This vulnerability has been patched in several popular applications since it was discovered in August.

An important one is the vulnerability tracked as CVE-2024-54529 which is found in the Audio component of macOS and could allow an app to execute arbitrary code with kernel privileges. This means that if you install a malicious app that can exploit this vulnerability, it could take over your system.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Senators introduced a bill on Tuesday that would prohibit data brokers from selling or transferring location and health data.

Data brokers have drawn attention this year by leaking several large databases, with the worst being the National Public Data leak. The data breach made international headlines because it affected hundreds of millions of people, and it included Social Security Numbers.

All this when data brokers had already been faced with reforms in the shape of the American Privacy Rights Act (APRA). Hwoever, APRA is not expected to pass before Congress wraps up for the year, and some lawmakers feel the need for extra data regulations.

The newly introduced “Health and Location Data Protection Act of 2024” would provide the Federal Trade Commission (FTC) with $1 billion for enforcement and give the FTC, state attorneys general and victims of data broker abuses the right to sue brokers for violating the law.

Location data are considered extra sensitive because they can be abused by stalkers. Health information often includes highly personal and intimate details about an individual’s life, such as medical history, mental health status, substance abuse, family planning, and genetic testing results.

The bill also mentions a third category which includes other categories of data that address or reveal location or health data.

Data brokers come in different shapes and sizes. What they have in common is that they gather personally identifiable data from various sources. These sources can range from publicly available data to data sets stolen in cybercrimes. They then sell the gathered data for several purposes.

Background checks are required for specific jobs, as well as some insurance policies, loans, and other financial transactions, but some data brokers just deal in marketing and advertising related information.

One of the main dangers of all these data brokers is that they trade amongst themselves. Because of this they not only gather information about more and more people, but also get their hands on information that isn’t even relevant to their field of expertise.

To the victims of a data breach at one of these companies the origin of the stolen data is often a mystery. They have no direct contact with the companies and are usually unaware that they have information about them in the first place.

So, we can only hope that the senators get at least this bill passed prior to the end of the current Congress, or else it will all have to start over again in the next year.

We don’t just talk about your data, we help remove it from broker sites

Cybersecurity risks should never spread beyond a headline. Clean up your data using Malwarebytes Personal Data Remover (US only).

Test page heading

TikTok has requested an emergency injunction to stop or postpone the planned ban on the platform in the US.

Back in March, the House of Representatives passed a bill that would effectively ban TikTok from the US unless Chinese owner ByteDance agreed to give up its share of the immensely popular app.

TikTok claims this is censorship and collides with the principle of free speech. However, the company’s post on X got a lot of responses from people who feel TikTok itself banned them for no clear reason.

On Friday, December 6, a federal appeals court panel unanimously upheld the law that gave ByteDance, TikTok’s Chinese parent company, nine months to either get a new owner or be banned in the US. The deadline is looming; unless the courts stop it, it will go into effect January 19, 2025.

Free speech advocates agree with TikTok that a ban would violate First Amendment rights to free speech, mainly because it would set a precedent. The American Civil Liberties Union said to Reuters:

“Banning TikTok blatantly violates the First Amendment rights of millions of Americans who use this app to express themselves and communicate with people around the world.”

Ever since a former executive at TikTok’s parent company ByteDance claimed in court documents that the Chinese Communist Party (CCP) had access to TikTok data, despite the data being stored in the US, TikTok has been battling to convince politicians that it operates independently of ByteDance, which has deep ties to the CCP.

As early as in 2022, the FCC called TikTok an unacceptable security risk which should be removed from app stores, saying it had referred a complaint against TikTok and parent company ByteDance to the Department of Justice for collecting personal information from children without parental consent.

Since 2020, several governments and organizations have banned, or considered banning, TikTok from their staff’s devices. And during a US Senate hearing, General Paul Nakasone, Director of the National Security Agency (NSA) stated that “America’s TikTok-addicted youth is playing with a loaded gun.”

Meanwhile TikTok also received orders to close its offices in Canada following a national security review. The app has already completely been banned in India, Kyrgyzstan, Uzbekistan, Nepal, and Somalia.

According to TikTok, a ban on the platform would cause small businesses to lose over $1 billion in revenue within just one month, while creators would suffer $300 million in lost earnings.

TikTok’s petition has requested that the Court of Appeals make a decision on the injunction by December 16, 2024.

We will keep you posted.

We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

European law enforcement agencies have taken down yet another encrypted messaging service mainly used by criminals.

The Matrix encrypted messaging service was an invite-only service which was also marketed under the names Mactrix, Totalsec, X-quantum, or Q-safe. Dutch and French authorities started an investigation when the service was found on the phone of a criminal convicted for the murder of Dutch journalist Peter R. de Vries in 2021.

The investigators soon found Matrix was technically more complex than previous platforms such as Sky ECC and EncroChat, which were earlier subjects of law enforcement eavesdropping.

Eventually the authorities were able to intercept the messaging service’s traffic and monitor the activity for three months. The authorities intercepted and deciphered over 2.3 million messages in 33 languages during the investigation.

The intercepted messages mostly dealt with serious organized crimes such as international drug trafficking, arms trafficking, and money laundering. Now, visitors to the the messaging service are alerted to the takedown through a splash page telling them the platform has been disabled by international law enforcement:

“It’s not the first time and will not be the last time we are able to read the messages in real time. We gained access to data related to this service and our investigation does not end here.”

These services don’t come cheap. We don’t know the exact pricing of Matrix, but similar services cost several thousands of dollars per year. Which explains why law enforcement seized four cars, 970 phones, and a house, along with over half a million in crypto and over $150,000 in cash.

With the takedown of Matrix, the encrypted communication landscape for criminals has lost yet another significant player.

Europol stated:

“Criminals, in response to the disruptions of their messaging services, have been turning to a variety of less-established or custom-built communication tools that offer varying degrees of security and anonymity.”

This offers both a challenge and opportunities for law enforcement, since the smaller fish are less tasty, but easier to catch if you’ll pardon me that analogy.

The Matrix messaging service is in no way related to the legitimate Matrix messaging protocol. We don’t want US citizens looking for an encrypted messaging service to shy away from apps built on the Matrix protocol just because it has the same name.

Although I appreciated the hint of the splash page to the media franchise The Matrix.

We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

Last week on Malwarebytes Labs:

• Europol takes down criminal data hub Manson Market in busy month for law enforcement
• Americans urged to use encrypted messaging after large, ongoing cyberattack
• Crypto’s rising value likely to bring new wave of scams
• AI chatbot provider exposes 346,000 customer files, including ID documents, resumes, and medical records
• Repeat offenders drive bulk of tech support scams via Google Ads
• No company too small for Phobos ransomware gang, indictment reveals
• These cars want to know about your sex life (re-air) (Lock and Code S05E25)

Last week on ThreatDown:

• What is Cross-Site Scripting (XSS)?

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

A coordinated action between several European law enforcement agencies shut down an online marketplace called Manson Market that sold stolen data to any interested cybercriminal.

What made this market attractive for cybercriminals was that they could buy data sorted by region and account balance with advanced filtering options. This allowed the criminals to carry out targeted fraud with greater efficiency.

The law enforcement investigation started in 2022 when investigators were able to track very specific information used by scammers to the specialized marketplace. The scammers participated in fraudulent phone calls in which they impersonated bank employees to extract sensitive information, such as addresses and security answers, from their victims.

A network of fake online shops set up to phish for payment information provided one of the sources of stolen data.

Coordinated by Europol, the police in Germany, Finland, the Netherlands, and Norway seized the infrastructure of over 50 servers. With this, more than 200 terabytes of digital evidence have been collected.

Two main suspects were arrested in Germany and Austria on European arrest warrants and are currently awaiting their trials.

The operators of the Manson Market also ran Telegram channels, with one of the channels sharing credit card details, such as the number, expiration date, and the CVC code, for free every day.  

The seized website currently warns visitors that:

“All transactions, communications, and user information associated with this site are now in the custody of law enforcement.

If you have engaged in any illegal activity, you are under investigation.

Criminals are neither anonymous nor safe!

Justice is coming…”

And we can’t deny that European law enforcement had a fruitful week in the fight against online crime.

Earlier this week the German police shut down the servers and arrested one of the administrators of the country’s largest German-speaking online marketplaces for illegal goods and services, including stolen data, drugs, and forged documents.

Europol also published how French and Dutch authorities shut down an encrypted messaging service called MATRIX, which was used by criminals to commit serious crimes, including international drug trafficking, arms trafficking, and money laundering.

The Manson Market case shows once more how important it is to be vigilant with your online purchases. Make sure you are protected, be weary of search results for goods that are in high demand, and keep your personal information safe.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

A years-long infiltration into the systems of eight telecom giants, including AT&T and Verizon, allowed a state sponsored actor to steal vast amounts of data on where, when and who individuals have been communicating with.

Speaking to Reuters, a senior US official said the attack telecommunications infrastructure was broad and that the hacking was still ongoing.

The state-sponsored actor behind the attack is an Advanced Persistent Threat (APT) group known as Salt Typhoon, believed to be tied to the People’s Republic of China (PRC).

Sophisticated state-sponsored campaigns from China are constantly targeting network appliances and devices. Among the culprits are four major APT groups: Volt Typhoon, Salt Typhoon, Flax Typhoon, and Velvet Ant. Volt Typhoon made headlines earlier this year when the FBI removed their malware from hundreds of routers across the US.

The infrastructure that the US government relies to communicate on is made up of the same private sector systems that everybody else uses. By abusing their components that make up part of the infrastructure, the Chinese are said to have been able to eavesdrop on political and industrial leaders in multiple countries.

Speaking to Reuters, the official said they believed a “large number” of American’s metadata was taken. When asked if that might include every Americans’ phone records, they said:

“We do not believe it’s every cell phone in the country, but we believe it’s potentially a large number of individuals that the Chinese government was focused on.”

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have been investigating the incident since late spring, but admitted that there are still many unanswered questions, including the extent of the breach itself.

They have been working with the telecom companies to remove the intruders, but the companies have not been able to fully remove the hackers from their systems.

Anne Neuberger, the US deputy national security adviser for cyber and emerging technologies stated the “Chinese access was broad in terms of potential access to communications of everyday Americans” but she said the hackers only targeted prominent individuals.

According to NBC news, two officials — a senior FBI official who asked not to be named and Jeff Greene, executive assistant director for cybersecurity at CISA– both recommended using encrypted messaging apps to Americans who want to minimize the chances of China’s intercepting their communications.

If you plan to follow that advice, but are new to encrypted messaging, make sure to use an app that offers E2EE (End-to-end encryption). What that means is only the person sending it and the person receiving it can read it.

To achieve this, a message gets encrypted on your device before it is sent out. During transit the message remains encrypted the entire time it is moving across the internet.  Only when the message reaches the recipient’s device can it be decrypted and read.

You don’t need an expensive app to achieve this. Several popular messaging apps and services support end-to-end encryption, such as WhatsApp, Signal, iMessage, Wire, and Telegram.

The FBI official added:

“People looking to further protect their mobile device communications would benefit from considering using a cellphone that automatically receives timely operating system updates, responsibly managed encryption and phishing resistant multi-factor authentication for email, social media, and collaboration tool accounts.”

We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

With the value of cryptocurrencies going to the roof, you can expect several attempts to get defrauded if you even show the slightest interest in the topic or not.

Since most cybercriminals lack creativity and are notoriously lazy, we expect to see only slight variations of old tricks. So, we figured if we showed you some old examples, you would know what to expect and hopefully that will assist you in avoiding them. And avoiding them is in everyone’s best interest—the Federal Bureau of Investigation (FBI) reported estimated losses to cryptocurrency related fraud exceeding $5.6 billion in 2023.

Here’s what to look out for:

Pig butchering scams. We have discussed the workings of pig butchering scams several times. Somebody contacts you out of the blue, sometimes pretending to be a friend you haven’t heard of in ages, sometimes a celebrity, and sometimes someone appearing to have the wrong contact details.

Once the conversation starts, the scammer will slowly move to the subject of interesting “investments” with the goal of cleaning out your accounts. The investments, mind you, are always part of the larger scam. By siphoning your money out of your accounts, and by sometimes even fabricating false “returns” on your investments, the cybercriminals are slowly building trust from you, only to yank away all your money at a later date.

Elon Musk livestreams. Scammers have used deepfake videos of Elon Musk and other wealthy celebrities to deceive investors. These scams make it appear as if this celebrity is discussing specific cryptocurrency opportunities and promising doubled returns on cryptocurrency deposits if victims send in their crypto. Remember, if a celebrity or public figure is suddenly making large promises on specific, individual cryptocurrencies, be cautious about their claims.

Fake crypto trading platforms. If you want to invest in cryptocurrency or want to get out now that the price is right for you, be careful where you conduct the trades. Unfortunately, we have seen a number of devastating exit scams and other deceptive operations where people’s life savings disappeared into thin air.

Advance fee scams. These are closely related to the fake crypto trading platform. In advance fee scams a “trader” asks for an upfront payment, promising a future service or huge return on investment. This is sometimes followed by additional requests to complete the promised transaction, which, as it turns out eventually, will never happen.

Fake bonus scams. Similar to pyramid schemes, there are sites where users would supposedly earn more based on the number of referrals and investment amounts made by their referrals. The victims did indeed see the number of tokens grow steadily. But when they tried to withdraw their funds, they got nothing.

Compromised account scams. Cybercriminals will send a warning to the target and claim that their account has been compromised. If the user responds, the scammers will try to obtain additional information such as the owner’s seed phrase, an important piece of information which thieves can use to empty the account.

Typosquatting. Similar to other typosquatting scams, imposters have registered domain names that are similar to or can easily be confused with legitimate cryptocurrency trading platforms. Should you enter your login credentials on such a fake site, the scammers will harvest them and log in on the actual site to take over your account.

How to protect your investments

A good resource for learning about crypto related scams is the Crypto Scam Tracker website of the California Department of Financial Protection and Innovation (DFPI) where you can find examples of the latest scams that are doing the rounds. Here is how you can stay safe from crypto scams (and other types of common scams found online):

• Use a password manager, it will refuse to fill out your details when it’s on the wrong website.
• Use multi-factor authentication (MFA) to make it harder for criminals to take over your account.
• Don’t respond to messages out of the blue, especially from people you don’t know.
• Don’t click on links in unsolicited emails or messages.
• Carefully research the platforms you plan to do business with.

And always act on the age-old adage: “If it’s too good to be true, it probably is.”

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.