More malvertising: Google Ads used to con users looking for software ๐Ÿ’ป

Oct 23 2023

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that terrorises cybercriminals like Bobby Charlton terrorised defenders โšฝ๐Ÿฅ…๐Ÿ† #RIPLegend

Todayโ€™s hottest cybersecurity news stories:

  • ๐ŸŽญ More malvertising: Google Ads used to con users looking for software ๐Ÿ’ป

  • ๐Ÿšจ Woop, Woop, thatโ€™s the sound of the Europol! Ragnar Locker arrested ๐Ÿ‘ฎ

  • ๐Ÿ“ฑ Oktaโ€™s support system gets hacked! Customer data exposed to scams ๐Ÿ‘จโ€๐Ÿ’ป

Introducing Con Draper of MAL Men ๐Ÿ™ˆ

๐Ÿ“ข Breaking News: Malvertising Campaign Exploiting Google Ads Unveiled! ๐Ÿฆ ๐Ÿ”’๐Ÿ•ต๏ธโ€โ™‚๏ธ

Morning, cyber squad! ๐Ÿ‘‹ We've got some crucial details to share about a sneaky malvertising campaign that's been spotted in the wild. ๐Ÿ†๐Ÿšซ๐Ÿฆ 

๐Ÿ” What's the Scoop?

Our friends at Malwarebytes have uncovered some crafty cyber trickery! This campaign uses Google Ads to lure folks searching for popular software to fake landing pages and then sneakily delivers nasty payloads. ๐Ÿ˜ฑ๐Ÿ’ป

๐Ÿ†” Unique Fingerprinting & Time-Sensitive Payloads

This campaign is truly unique! It identifies users and delivers time-sensitive attacks. If you're looking for software like Notepad++ or PDF converters, watch out! Fake ads may pop up on your Google search results page. These ads cleverly filter out bots and unwanted IP addresses. ๐Ÿ˜ฎ๐Ÿ”’

๐Ÿ’ผ The Bait & Switch

If the attackers find you interesting, they'll redirect you to a copycat website advertising the software. Meanwhile, they're silently checking if you're using a virtual machine. Those who fail the check are sent to the real Notepad++ site, while potential targets get a unique ID for tracking and making downloads unique. ๐Ÿ˜จ๐Ÿ•ต๏ธโ€โ™€๏ธ

๐ŸŒ Cybersecurity Alert

The final-stage malware is an HTA payload connecting to a remote domain, "mybigeye[.]icu," on a custom port. It serves follow-on malware. Jรฉrรดme Segura, director of threat intelligence, says, "Threat actors are crafty and can bypass ad verification checks to target specific victims." ๐Ÿ˜ˆ๐Ÿ’ป

๐Ÿ”„ Similar Campaign on the Radar

This revelation overlaps with another campaign targeting KeePass password manager users. Malicious ads direct victims to a domain using Punycode (keepass[.]info vs. ฤทeepass[.]info), a special encoding for tricky business. Victims may get redirected to the bad stuff. ๐Ÿ˜ ๐Ÿ”‘

๐Ÿ”€ Cloaking the Way

People landing on the decoy site could be tricked into downloading a nasty installer, leading to FakeBat (aka EugenLoader). The combination of Punycode and rogue Google Ads is a new twist in the world of malvertising. It's all about luring you into installing malware. ๐Ÿ˜ก๐Ÿฆ 

๐Ÿ›ก๏ธ Stay Informed & Vigilant

Malwarebytes warns that these attacks keep evolving, with different threat actors using visual tricks and fake browser updates to spread Cobalt Strike, loaders, stealers, and remote access trojans. They aim to fool you with compromised websites and customised lures. ๐Ÿ˜ต๐Ÿ’ผ

So, folks, stay sharp and be cautious while browsing the web. These cyber threats are getting more sophisticated, and it's essential to protect your digital self. ๐Ÿ”’๐Ÿ’ป๐ŸŒ

That's all for now. Stay safe and keep those devices secure! ๐Ÿ‘จโ€๐Ÿ’ป๐Ÿš€

Cybersecurity is more important than ever, and your Mac or PC are no exception. Over time, your Mac or PC can accumulate junk files, malware, and other threats that can slow it down and make it vulnerable to attack.

That's where MacPaw comes in. MacPaw offers a suite of easy-to-use apps that can help you clean, optimize, and secure your Mac. With MacPaw, you can:

  • Remove junk files and malware to free up space and improve performance

  • Protect your privacy by erasing sensitive data

  • Optimize your startup settings to speed up boot times

  • Manage your extensions and apps to keep your Mac or PC running smoothly

Since 2008 MacPaw is trusted by over 30 million users worldwide, and it's the perfect solution for keeping your Mac or PC safe and secure.

Ragnar Locker up and throw away the key ๐Ÿ”๐Ÿ‘€๐Ÿ˜‚

๐ŸŒ Major Win Against Ragnar Locker Ransomware and Cybercrime Worldwide! ๐Ÿ›ก๏ธ๐Ÿ”๐ŸŒ

Big news! Europol has just made a significant move to combat cybercrime. They've taken down the infrastructure linked to the notorious Ragnar Locker ransomware and nabbed a key player in France. ๐Ÿš€

๐Ÿ‘ฎโ€โ™‚๏ธ Coordinated Effort

Between October 16th and 20th, authorities in Czechia, Spain, and Latvia swung into action. The mastermind, suspected to be a Ragnar group developer, faced the Paris Judicial Court. Five other accomplices were questioned in Spain and Latvia, while servers and a data leak portal were confiscated in the Netherlands, Germany, and Sweden. ๐Ÿ‘ฅ๐ŸŒ๐Ÿ•ต๏ธโ€โ™‚๏ธ

๐ŸŒ Global Collaboration

This effort involved authorities from around the world, including Czechia, France, Germany, Italy, Japan, Latvia, the Netherlands, Spain, Sweden, Ukraine, and the U.S. Two suspects from the ransomware crew were arrested in Ukraine in 2021, with another member caught in Canada a year later. ๐ŸŒ๐ŸŒ๐Ÿค

๐Ÿ”’ Ragnar Locker's Notorious Past

Ragnar Locker, a cyber troublemaker since December 2019, targeted critical infrastructure worldwide. Eurojust revealed the group's knack for double extortionโ€”demanding hefty payments for decryption tools and to keep sensitive data secret. Their attacks have hit 168 international companies since 2020. ๐Ÿ˜ˆ๐Ÿ’ป๐Ÿ’ฐ

๐Ÿ›ก๏ธ More Cyber Action

In Ukraine, the Cyber Police raided suspected members in Kyiv, seizing laptops, phones, and electronic media. Meanwhile, the Ukrainian Cyber Alliance (UCA) thwarted the Trigona ransomware group, shutting down their leak site and exfiltrating their data. โš™๏ธ๐Ÿ’ป๐Ÿ‡บ๐Ÿ‡ฆ

๐Ÿ” Ever-Evolving Threats

As we celebrate these victories, remember that cyber threats are always evolving. Hive, for example, has rebranded as Hunters International. Stay vigilant! ๐Ÿฆ ๐Ÿฆพ๐Ÿ•ต๏ธโ€โ™€๏ธ

๐Ÿ’ผ Crackdown on Cyber-Enabled Financial Crimes

India's Central Bureau of Investigation launched Operation Chakra-II, seizing phones, laptops, servers, SIM cards, and more across 11 states. This operation aimed to dismantle infrastructure used for tech support scams and cryptocurrency fraud. ๐Ÿ‡ฎ๐Ÿ‡ณ๐Ÿ’ธ๐Ÿ“ฑ

๐ŸŒ Extradition and Dark Web Bust

Sandu Diaconu, extradited from the U.K. to the U.S., faces charges related to running E-Root Marketplace. This website offered access to compromised computer credentials for ransomware attacks and more. ๐ŸŒ๐Ÿ’ผ๐Ÿ’ป

๐Ÿ”’ Ending with Accountability

In another case, Marquis Hooper, a former U.S. Navy IT manager, was sentenced to over five years in prison for obtaining and selling 9,000 U.S. citizens' personal info on the dark web for bitcoin. Justice prevails! โš–๏ธ๐Ÿ’ป๐Ÿ’ฐ

Stay safe, stay vigilant, and keep those devices secure! ๐Ÿ›ก๏ธ๐Ÿ’ป๐Ÿค

๐ŸŽฃ Catch of the Day!! ๐ŸŒŠ๐ŸŸ๐Ÿฆž

๐Ÿƒย The Motley Fool: โ€œFool me once, shame on โ€” shame on you. Fool me โ€” you can't get fooled again.โ€ Good olโ€™ George Dubya ๐Ÿ˜‚ Let us tell whoโ€™s not fooling around though; thatโ€™s the Crรผe ๐Ÿ‘€ at Motley Fool. Youโ€™d be a fool (alright, enough already! ๐Ÿ™ˆ) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! ๐Ÿ› Kidding aside, if you check out their website theyโ€™ve actually got a ton of great content with a wide variety of different investment ideas to suit most budgets ๐Ÿค‘ย (LINK)


๐Ÿšตย Wander: Find your happy place. Cue Happy Gilmore flashback ๐ŸŒ๏ธโ›ณ๐ŸŒˆ๐Ÿ•Š๏ธ Mmmm Happy Placeโ€ฆ ๐Ÿ˜‡ So, weโ€™ve noticed a lot of you guys are interested in travel. As are we! We stumbled upon this cool company that offers a range of breath-taking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the Land of the free and the home of the brave is news of rioting, looting and school shootings, itโ€™s easy to forget how beautiful some parts of it are. The awe-inspiring locations along with the innovative architecture of the hotels sets Wander apart from your run of the mill American getaway ๐Ÿž๏ธ๐Ÿ˜ย (LINK)


๐ŸŒŠย Digital Ocean: If you build it they will come. Nope, weโ€™re not talking about a baseball field for ghosts โšพ๐Ÿ‘ป๐Ÿฟ (Great movie, to be fair ๐Ÿ™ˆ). This is the Digital Ocean whoโ€™ve got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website youโ€™ll find yourself catching the buzz even if you canโ€™t code (guilty ๐Ÿ˜‘). But if you can and youโ€™re looking for somewhere to test things out or launch something new or simply enhance what youโ€™ve got, weโ€™d recommend checking out their services foโ€™ sho ๐Ÿ˜‰ And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! ๐ŸŒฟย (LINK)

Oktarred and feathered ๐Ÿ˜ณ

๐Ÿ” Okta Discloses Security Incident โ€“ Stay Informed! ๐Ÿ”’

We have an important security update for you! Identity services provider Okta recently revealed an incident where unknown threat actors used stolen credentials to access its support case management system. ๐Ÿ˜จ๐Ÿ’ป

๐Ÿšจ The Key Details

According to David Bradbury, Okta's chief security officer, the threat actors were able to view files uploaded by certain Okta customers as part of recent support cases. However, it's crucial to note that this support case management system is separate from the main Okta service, which remains fully operational and untouched by this incident. ๐Ÿ‘จโ€๐Ÿ’ผ๐Ÿ’ผ๐ŸŒ

๐Ÿค Customer Notification

Okta is taking this seriously. They've directly notified the customers who have been affected by this incident. If you're one of them, be sure to follow their guidance and recommendations. ๐Ÿ”’๐Ÿ“ข

๐Ÿ› ๏ธ The Support System

Okta also mentioned that the customer support system is used to upload HTTP Archive (HAR) files for troubleshooting purposes. These HAR files can contain sensitive data like cookies and session tokens, which could be exploited by malicious actors to impersonate valid users. Stay cautious! ๐Ÿ˜Ÿ๐Ÿช๐Ÿ”

๐Ÿš€ Preventative Measures

To protect users, Okta worked with affected customers to revoke the session tokens and prevent potential misuse. This proactive approach is vital for safeguarding data and identities. ๐Ÿ›ก๏ธ๐Ÿ”’

๐Ÿ“ Incident Details

Okta did not specify the scale, exact timeline, or when they detected the unauthorised access. As of March 2023, they serve over 17,000 customers and manage around 50 billion users. ๐Ÿ˜ฎ๐Ÿ—“๏ธ๐ŸŒ

๐ŸŽฏ Targeted Companies

BeyondTrust and Cloudflare confirmed they were targeted in this support system attack. Cloudflare described it as a sophisticated attack where a threat actor hijacked a session token from a support ticket created by one of their employees. Thankfully, no customer information or systems were compromised. ๐ŸŒ๐Ÿ•ต๏ธโ€โ™‚๏ธ๐Ÿ”“

๐Ÿ•ฐ๏ธ Ongoing Investigation

While BeyondTrust detected and resolved the attack promptly with their own identity tools, the situation remains under investigation. Okta has become a high-value target due to its widespread use by major companies. ๐Ÿ‘€๐Ÿข๐Ÿ“š

โ˜๏ธ Silver Lining

Okta mentioned that the breach only impacted around 1% of their 18,400 customers. They are actively working to secure their services and protect your data. ๐Ÿ”’๐ŸŒŸ

Your online security is paramount! Stay informed, stay safe, and keep an eye on any updates from Okta. ๐Ÿ’ป๐Ÿ”๐ŸŒ

Until next time, folks!

๐Ÿ—ž๏ธ Extra, Extra! Read all about it!

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • The GeekAI: A daily 3 min newsletter on what matters in AI, with all the new AI things coming to market its good to stay ahead of the curve.

  • Libby Copa:ย The Rebel Newsletter helps writers strengthen their writing and creative practice, navigate the publishing world, and turn their art into an act of rebellion.

  • Techspresso:ย Receive a daily summary of the most important AI and Tech news, selected from 50+ media outlets (The Verge, Wired, Tech Crunch etc)

Let us know what you think!

So long and thanks for reading all the phish!

Recent articles