23andMe has released new details about the credential stuffing attack that took place in October.

In October we reported that the data of as many as seven million 23andMe customers were for sale on criminal forums following a password attack against the genomics company.

Now, a filing with the US Securities and Exchange Commission (SEC) has provided some more insight into the data theft. The filed amendment supplements the original Form 8-K submitted by 23andMe.

The amendment says that an investigation showed that the attacker was able to directly access the accounts of roughly 0.1% of 23andMe’s users, which is about 14,000 of its 14 million customers. The attacker accessed the accounts using credential stuffing which is where someone tries existing username and password combinations to see if they can log in to a service. These combinations are usually stolen from another breach and then put up for sale on the dark web. Because people often reuse passwords across accounts, cybercriminals buy those combinations and then use them to login on other services and platforms.

With the breached accounts at their disposal, the attacker used 23andMe’s opt-in DNA Relatives (DNAR) feature—which matches users with their genetic relatives—to access information about millions of other users. According to a spokesperson the DNAR profiles of roughly 5.5 million customers could be accessed in this way, plus the Family Tree profile information of 1.4 million additional DNA Relative participants.

The 5.5 million DNAR Profiles contained sensitive details including self-reported information like display names and locations, as well as shared DNA percentages for DNA Relatives matches, family names, predicted relationships, and ancestry reports.

For a subset of these accounts, the stolen data might contain health-related information based upon the user’s genetics.

The 1.4 million Family Tree profiles contain display names and relationship labels, plus other information that a user may have added, including birth year and location.

23andMe is in the process of notifying users impacted by the incident. The company said it believes that the attacker activity is contained, and that it is working to have the publicly-posted information taken down.

When the breach was first announced, 23andMe urged its users to ensure they have strong passwords, to avoid reusing passwords from other sites, and to enable multi-factor authentication (MFA).

Our Mark Stockley noted at the time:

> “Respectfully, we would like to see 23andMe reach a different conclusion. Telling users to choose strong passwords and not to reuse them is great advice that just isn’t working. It’s good in theory but fails in practice. In a world where users have tens or even hundreds of logins to manage, password reuse and weak passwords that are easy to remember are inevitable.”

And it looks as if they listened to us. On the 23andMe blog the updated article about the breach now says:

> “We have taken steps to further protect customer data, including requiring all existing customers to reset their password and requiring two-step verification for all new and existing customers. The company will continue to invest in protecting our systems and data.”

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your and your family’s personal information by using Malwarebytes Identity Theft Protection.

 23andMe says, er, actually some genetic and health data might have been accessed in recent breach 

This week on the Lock and Code podcast, we speak with Allan Liska about why a ransomware group tattled on its own victim, and what to expect next year.

_This week on the Lock and Code podcast…_

Like the grade-school dweeb who reminds their teacher to assign tonight’s homework, or the power-tripping homeowner who threatens every neighbor with an HOA citation, the ransomware group ALPHV can now add itself to a shameful roster of pathetic, little tattle-tales.

In November, the ransomware gang ALPHV, which also goes by the name Black Cat, notified the US Securities and Exchange Commission about the Costa Mesa-based software company MeridianLink, alleging that the company had failed to notify the government about a data breach. Under newly announced rules by the US Securities and Exchange Commission (SEC), public companies will be expected to notify the government agency about “material cybersecurity incidents” within four days of determining whether such an incident could have impacted the company’s stock prices or any investment decisions from the public.

According to ALPHV, MeridianLink had violated that rule. But how did ALPHV know about this alleged breach?

Simple. They claimed to have done it.

“It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules,” wrote ALPHV in a complaint that the group claimed to have filed with the US government.

The victim, MeridianLink, refuted the claims. According to a MeridianLink spokesperson, while the company confirmed a cybersecurity incident, it denied the severity of the incident.

“Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption,” a MeridianLink spokesperson said at the time. “If we determine that any consumer personal information was involved in this incident, we will provide notifications as required by law.”

This week on the Lock and Code podcast with host David Ruiz, we speak to Recorded Future intelligence analyst Allan Liska about what ALPHV could hope to accomplish with its SEC complaint, whether similar threats have been made in the past under other regulatory regime, and what organizations everywhere should know about ransomware attacks going into the new year. One big takeaway, Liska said, is that attacks are getting bigger, bolder, and brasher.

“There are no protections anymore,” Liska said. “For a while, some ransomware actors were like, ‘No, we won’t go after hospitals, or we won’t do this, or we won’t do that.’ Those protections all seem to have flown out the window, and they’ll go after anything and anyone that will make them money. It doesn’t matter how small they are or how big they are.”

Liska continued:

> “We’ve seen ransomware actors go after food banks. You’re not going to get a ransom from a food bank. Don’t do that.”

Tune in today to listen to the full conversation.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Why a ransomware gang tattled on its victim, with Allan Liska: Lock and Code S04E24 

Apple has released an emergency security update for two zero-day vulnerabilities which may have already been exploited.

Apple has released emergency security updates for iOS 17.1.2 and iPadOS 17.1.2 to patch for two zero-day vulnerabilities that may have been actively exploited.

Apple said both vulnerabilities were in the WebKit component, which is the engine that powers Safari browser on Macs as well as all browsers on iPhones and iPads. It is also the web browser engine used by Mail, App Store, and many other apps on macOS, iOS, and Linux.

The updates are available for the following:

*   iPhone XS and later
*   iPad Pro 12.9-inch 2nd generation and later
*   iPad Pro 10.5-inch
*   iPad Pro 11-inch 1st generation and later
*   iPad Air 3rd generation and later
*   iPad 6th generation and later
*   iPad mini 5th generation and later.
*   macOS Sonoma 14.1.2
*   Safari 17.1.2.

The updates may already have reached you if you automatically update, but it doesn’t hurt to check if your device is at the latest update level.

If a Safari update is available for your device, you can get it by updating your iPhone or iPad or updating your Mac.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Update your iPhones! Apple fixes two zero-days in iOS 

US senators issued subpoenas for the CEO’s of five social media giants to testify about their "failure to protect children online".

US senators have urgently invited the CEOs of five of the major social media giants to testify about their failure to protect children online. The Senate Judiciary Committee said it will hear from Meta CEO Mark Zuckerberg, X (formerly Twitter) CEO Linda Yaccarino, TikTok CEO Shou Zi Chew, Snap CEO Evan Spiegel, and Discord CEO Jason Citron.

In a press release, the US senate committee on the judiciary announced that the Committee’s previously announced hearing on online child sexual exploitation has been rescheduled for January 31, 2024 and will feature testimony from the CEOs. An earlier hearing on Tuesday, February 14, 2023, included only consumer advocates as witnesses, and no industry representatives.

The CEOs of X, Discord, and Snap will testify after subpoenas were issued by the Committee, following repeated refusals by the three leaders to testify. The CEOs of Meta and TikTok voluntarily agreed to testify at the hearing.

Senators Durbin and Graham commented:

> “Several companies initially refused to accept a subpoena. The US Marshals Service even attempted to serve the subpoena at Discord’s office. Both actions are remarkable departures from typical practice.”

The hearing comes as part of a bipartisan effort to protect children online. To that end, several online safety bills across multiple states have gone into effect. For example, Utah signed a bill in March that will require minors to obtain parental consent to sign up to social platforms, while both Louisiana and Mississippi now require age verification to view content considered harmful to children, like porn. On the other hand, a federal judge has blocked a Texas law requiring age verification and a health warning for viewing pornographic websites, a day before the law was set to take effect.

In May, we talked to Alec Muffet about the possible downsides of some of these bills.

During the “Protecting our children online” hearing in February, witnesses and senators mentioned requirements like parental controls, default settings, and audits as tools that could be used to promote online safety for teenagers.  They focused on the importance of holding platforms liable for failure to enforce their own terms, and discussed imposing a duty of care on online platforms.

So now seems to be the time that the CEOs of the major platforms will be forced to explain what they have done in the past and how they plan to do better in the future. You would expect they would like to bring their ideas and input voluntarily to the table, but nonetheless it took subpoenas to get them all there.

**Children and online safety**

The internet is both a good and bad place. A good approach is to spend little to no time on sites that do not give your child a positive and learning experience. And when it comes to internet safety for kids and teens, the best approach is for parents and carers to be involved in their child’s digital life.

If you don’t want to rely on the introduction of legislation and how the social media platforms will undoubtedly struggle to become compliant, we can recommend reading our blog titled “Internet safety tips for kids and teens: A comprehensive guide for the modern parent.”

I do expect some of the platforms to drag their feet, because it seems they always do. Meta is already facing a lawsuit, filed in a California federal court, which argues that Meta unlawfully misled the public about the harms its products, like Facebook and Instagram, could impose on children and teens.

In the UK, Bytedance’s TikTok is looking at a $28.91m fine related to how children are safeguarded on the app.

And Meta, ByteDance, Alphabet, and Snap, are facing another lawsuit alleging their social platforms have adverse mental health effects on children and for running platforms that are addictive to kids.

While it is clear that something needs to be done to protect our children, agreeing on the way in which we can achieve this is hard. Especially if we can’t rely on all the social media platforms to volunteer their cooperation.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Social media giants to testify over failing to protect kids 

A list of topics we covered in the week of November 27 to December 3 of 2023

December 1, 2023 - Domain fronting is a technique to hide the true origin of HTTPS requests by hiding the real domain name encrypted inside a legitimate TLS request.

November 30, 2023 - A fake antivirus alert may suddenly hijack your screen while browsing. This latest malvertising campaign hit top publishers.

November 29, 2023 - Google's released an update to Chrome which includes seven security fixes. Make sure you're using the latest version!

November 28, 2023 - A vulnerability in the ownCloud file sharing app could lead to the exposure of sensitive credentials like admin passwords.

November 23, 2023 - Google has set a date for the introduction of Manifest V3 which will hurt the capabilities of many ad blockers.

 A week in security (November 27 &#8211; December 3) 

Domain fronting is a technique to hide the true origin of HTTPS requests by hiding the real domain name encrypted inside a legitimate TLS request.

Domain fronting is a technique of using different domain names on the same HTTPS connection. Put simply, domain fronting hides your traffic when connecting to a specific website. It routes traffic through a larger platform, masking the true destination in the process.

The technique became popular in the early 2010s in the mobile app development ecosystem, where developers would configure their apps to connect to a “front” domain that would then forward the connections to the developer’s backend. This way, the developer could expand their backend to deal with growing traffic and new features without constantly having to release app updates.

But as is true or many good things, it also comes with a flipside. Domain fronting allows malicious actors to use legitimate or high-reputation domains which will typically be on the allow-lists of defenders. The legitimate domains often belong to Content Delivery Networks (CDNs), but in recent years a number of large CDNs have blocked the method. The list includes Amazon (banned in 2018), Google (2018),  Microsoft (2022), and Cloudflare (2015).

A CDN is basically a large network of proxy servers and data centers and it can be used to host multiple domains. They are also known as content distribution networks. It’s what companies like Netflix use to deliver the requested content from a server near you.

For a “normal” connection to a website, a Domian Name System (DNS) finds the IP address for the requested domain name. As I explained in the blog DNS hijacks: what to look for, DNS is the phonebook of the internet to the effect that the input is a name and the output is a number. The number that belongs to what or who you want to reach.

With two domains hosted on the same CDN, HTTPS can be used to make it seem as though the user is connecting via a website that is unrestricted. HTTPS protocols are encrypted, so it can be used to discreetly connect to a different target domain. So an attacker can hide an HTTPS request to a restricted site inside a TLS connection to an allowed site.

In domain fronting, the process is the same but it will make an HTTPS request that appears to be from a different domain. It does so by mimicking the secondary domain’s DNS and TLS requests which makes it seem as though the user has connected from another domain. This method is popular as a means to evade online censorship and bypass restrictions.

The technique was adopted by online services like Tor, Telegram, and Signal to bypass internet censorship attempts in oppressive countries. When both Amazon and Google blocked domain fronting on their platforms, some suspected the Russian government was behind it because at the time, the Russian government blocked 1.8 million AWS and Google Cloud IP addresses in an attempt to frustrate access to Telegram’s instant messenger.

Because of the ability to hide backend infrastructure, domain fronting has also gained popularity within malware operations. They can use domain fronting to set up a command and control (C2) channel on a seemingly legitimate domain to bypass defensive techniques. The owners of good reputation sites cannot prevent their hostnames being abused for this activity.

The best defense against domain fronting in an enterprise organization is a cloud-based SWG (Secure Web Gateway) service with unlimited TLS interception capacity. A secure web gateway (SWG) is a network security technology that sits between users and the internet to filter traffic and enforce acceptable use and security policies. With an SWG or other tools with similar functionality, you can detect mismatches between the TLS Server Name Indication (SNI) and the HTTPS host header, and get a warning about domain fronting.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Explained: Domain fronting 

ChatGPT 4.0 can write basic working ransomware in minutes.

This morning I decided to write some ransomware, and I asked ChatGPT to help. Not because I wanted to turn to a life of crime, but because I wanted to see if anything had changed since March, when I last tried the same exact thing.

In short: ChatGPT has helped me, worryingly so. But more on that later.

Today is the first anniversary of the unveiling of OpenAI’s generative AI poster boy, ChatGPT. It’s also the first anniversary of the tsunami of bloviation that the chatbot’s unveiling created. For months following ChatGPT’s release, the cybersecurity press was drenched in speculation about how cybercrime was changed forever, even though it didn’t appear to have changed at all.

By March, I’d read more baseless assertions than I knew what to do with, so I decided to find out for myself if ChatGPT was any good at malware. I wanted to know if its safeguards would stop me from using it to write ransomware, and, if they didn’t, whether the ransomware it produced was any good.

Despite its insistence that “I cannot engage in activities that violate ethical or legal standards, including those related to cybercrime or ransomware,” the safeguards proved to be almost no barrier at all. I was able to fool it into helping me with little effort. However, the code it produced was terrible: It stopped randomly in a places that guaranteed it would never run, switched languages randomly, and quietly dropped older features while writing new ones.

I concluded that an unskilled programmer would be baffled, while a skilled one would have no use for it. The prospect of ChatGPT lowering the barrier to entry into this lucrative form of cybercrime just wasn’t worth worrying about.

As of this morning, I’ve changed my mind.

One of the novel things about ChatGPT is that you can iterate your way to a solution by having a back-and-forth discussion with it. In March I used this approach with ChatGPT 3.0 to build up a basic ransomware step-by-step. The approach was sound but the resulting code would have never worked. I decided to take the same approach again today, using the current version of ChatGPT, 4.0, to better understand what’s changed.

The TL;DR is that everything’s changed. The limitations that made GPT 3.0 a useless partner in cybercrime are gone. ChatGPT 4.0 will help you write ransomware and train you to debug it, without a hint of conscience.

This is a basic ransomware it wrote for me encrypting the contents of two directories and leaving ransom notes behind.

Ransomware written by ChatGPT 4.0 encrypts files in two directories and leaves a ransom note

This isn’t a fully featured ransomware but it has the basics. It encrypts files in whatever directory tree I choose, throws away the originals, hides the private key used for the encryption, stops running databases, and leaves ransom notes. The code used in the demonstration above was generated by ChatGPT in mere minutes, without objection, in response to basic one line descriptions of ransomware features, even though I’ve never written a single line of C code in my life.

For obvious reasons I won’t be providing a step-by-step recipe, but the process started by asking for a program that encrypts a single file.

ChatGPT 4.0 writes a C program to encrypt a single file

Then I modified it to encrypt a directory instead of a file. Subsequent functionality was layered on like this, with incremental modificaitons, to see if ChatGPT ever took a step that made it realise it was writing something malicious. It didn’t.

ChatGPT 4.0 modifies its program to encrypt a directory

ChatGPT seemed unable to determine that what we were doing was writing ransomware, so right at the end of the process I thought I would give it a massive clue and see if the penny finally dropped. The last thing I asked it to do was a signature move for ransomware and something no legitmiate program does. I instructed it to modify its code to “drop a text file in encrypted directories called ‘ransom note.txt’ which contains the words ‘all your files are belong to us’ and an ascii art skull.”

While there are still quesiton marks over its ability to draw skulls, there can be none about its willingness to drop ransom notes.

ChatGPT 4.0 writing code to drop ransom notes with ASCII art skuls

My attempts to turn the chatbot to the dark side eight months ago were thwarted by its inability to hold all the information it needed to, or to write long answers. I likened asking ChatGPT 3.0 to help with a complex problem to working with a teenager: It does half of what you ask and then gets bored and stares out the window.

I encountered no such problems today. The bored teenager is gone, replaced by a verbose and enthusiastic straight-A student. At the very beginning I asked it to write its answers in C, and it never wavered. If it ever provided partial answers it would explain it was doing so, and offer a subset of code that made sense, such as a complete function. If I didn’t want a partial answer I would tell it, and then ask it to write out the entire program, including all the modifications we’d discussed up to that point.

It is, frankly, astonishingly helpful and powerful, and the importance of this can’t be overstated.

ChatGPT 4.0 agreeing to write out a complete program instead of snippets (ChatGPT’s answer is truncated)

**Safeguards removed**

Although I was able to work around ChatGPT’s insistence it wouldn’t write ransomware in March, I was often met with other restrictions that attempted to stop me doing unsafe things.

The latest version of ChatGPT seems to be far more relaxed. For example, in March it initially refused when I asked it to modify my ransomware code to delete the original copies of files it was encrypting. It was “a sensitive operation that could lead to data loss,” it claimed, telling me “I cannot provide code that implements this behaviour.” There was a workaround (there always is) but at least it tried.

This time I was met with no such objection. “Sure,” said ChatGPT 4.0.

ChatGPT 4.0 showed no reluctance to delete files it was encrypting

A similar thing happened when I asked it to save the private encryption key to a remote server. This is an important feature for ransomware because the private key is ultimately what vicitms pay for, so it can’t be left on the victim’s machine.

ChatGPT 3.0 refused to move the key to a remote server, saying it “goes against security best practices.” I couldn’t persuade it and ended up having to fool it with a bait-and-switch approach of writing something I didn’t want and then having it rewrite that into what I did want.

ChatGPT 4.0 on the other hand, was content to do no more than warn me it was “very risky.”

ChatGPT 4.0 had no objection to saving the private encryption key to a remote server

**Programming tutor**

Much to my surprise, after telling ChatGPT what features I wanted in my ransomware I was left with something that looked very much like a complete computer program. To be sure though, I had to actually run it and encrypt some files. And that’s where ChatGPT did something I wasn’t expecting.

C code is compiled, which means that once it’s been written it has to has to be run through a computer program called a compiler, which transforms it into an executable file. Compilation is a complex and often fragile process that can break easily, for any number of reasons. As a result, troubleshooting problems during the compilation phase can be extremely frustrating and time consuming.

Typically, it involves a lot of Googling and sifting through accounts of similar failures on sites like Stack Overflow. Problems can be caused by any number of things, including the code itself, dependencies like code libraries, and the choice of compiler. And numerous different errors can often trigger the same failure in compilation, so troubleshooting is as much an art as it is a science.

Sure enough, I hit a variety of hurdles during compilation.

However, instead of turning to Google, I turned to ChatGPT. Every time I ran into an error I told it what had happened, and based on the bare minimum of information it provided an explanation for what was going on, and advice on how to fix it. When its solutions didn’t work first time, it revised its approach and found a different answer.

ChatGPT 4.0 makes its first attempt at troubleshooting a compilation problem

ChatGPT 4.0 makes its second attempt at troubleshooting a compilation problem

ScreChatGPT 4.0 makes its third attempt at troubleshooting a compilation problemenshot

In every case, ChatGPT solved the problem, and in doing so it enabled me, a non-C programmer to write and troubleshoot basic but functional ransomware written in C, in almost no time.

To me, this ability to troublshoot compilation problems with minimal information is even more impressive than its ability to write code (and its ability to write code is jaw-droppingly impressive). Not only did it condense what could have been days of thankless work into an hour or two, it was coaching me as it did. I didn’t just finish with a working ransomware executable, I finished as a better programmer than I was when I started.

**Should we be worried?**

In a word, yes. Eight months ago I concluded that “I don’t think we’re going to see ChatGPT-written ransomware any time soon.” I said that for two reasons: Because there are easier ways to get ransomware than by asking ChatGPT to write it, and because its code had so many holes and problems that only a skilled programmer would be able to deal with it.

ChatGPT has improved so much in eight months that only one of those things is still true. ChatGPT 4.0 is so good at writing and troubleshooting code it could reasonably be used by a non-programmer. And because it didn’t raise a single objection to any of the things I asked it to do, even when I asked it to write code to drop ransom notes, it’s as useful to an evil non-programmer as it is to a benign one.

And that means that it can lower the bar for entry into cybercrime.

That said, we need to get things in perspective. For the time being, ransomware written by humans remains the preeminent cybersecurity threat faced by businesses. It is proven and mature, and there is much more to the ransomware threat than just the malware. Attacks rely on infrastructure, tools, techniques and procedures, and an entire ecosystem of criminal organisations and relationships.

For now, ChatGPT is probably less useful to that group than it is to an absolute beginner. To my mind, the immediate danger of ChatGPT is not so much that it will create better malware (although it may in time) but that it will lower the bar to entry in cybercrime, allowing more people with fewer skills to create original malware, or skilled people to do it more quickly.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Will ChatGPT write ransomware? Yes. 

A fake antivirus alert may suddenly hijack your screen while browsing. This latest malvertising campaign hit top publishers.

ScamClub is a threat actor who’s been involved in malvertising activities since 2018. Chances are you probably ran into one of their online scams on your mobile device.

Confiant, the firm that has tracked ScamClub for years, released a comprehensive report in September while also disrupting their activities. However, ScamClub has been back for several weeks, and more recently they were behind some very high profile malicious redirects.

The list of affected publishers includes the Associated Press, ESPN and CBS, where unsuspecting readers are automatically redirected to a fake security alert connected to a malicious McAfee affiliate.

ScamClub is resourceful and continues to have a deep impact on the ad ecosystem. While we could not identify precisely which entity served the ad, we have reported the website used to run the fake scanner to Cloudflare which immediately took action and flagged it as phishing.

**Forced redirects**

Mastodon user Blair Strater (@r000t@fosstodon.org) was simply browsing the Associated Press website on his phone when he was suddenly redirected to a fake security scan page:

Malicious redirect from APnews.com (credit Blair Strater)

This fake scanner is not run by McAfee, but the domain name _systemmeasures\[.\]life_ that we see in the address bar is the landing page that redirects to one of its affiliates. That affiliate was previously reported but continues unabated.

Web traffic between malicious page and McAfee site

Based on public data, several ad exchanges were abused to deliver this fake antivirus campaign via real-time bidding (RTB) in the past few weeks Most of the telemetry we saw from our Malwarebytes user base was related to smaller websites with ‘risky’ advertisers. However, a different campaign was targeting mobile users with malicious ads slipping by on top publishers (note: this data comes from VirusTotal):

**ESPN.COM (1.585B monthly visits)**

systemmeasures\[.\]life/avs/en/mob/**mcafee-2**.php?c=5uz3hbaiz7oz2&k=b47648817b492be8ba9c7dc97addefb6&country\_code=US&carrier=Verizon&country\_name=United%20States&region=New%20York&city=Bronx&isp=MCI%20Communications%20Services,%20Inc.%20d/b/a%20Verizon%20Business&lang=en&ref\_domain=**www.espn.com**&os=**iOS**&osv=17&browser=Chrome&browserv=119&brand=Apple&model=iPhone&marketing\_name=iPhone&tablet=2&rheight=0&rwidth=0&e=5

**APNEWS.COM (307.2M monthly visits)**

systemmeasures\[.\]life/avs/en/mob/**mcafee-2**.php?c=59z40b4g6z7oz2&k=506222e0611d62c3261b9ba847063faa&country\_code=US&carrier=-&country\_name=United%20States&region=Virginia&city=Alexandria&isp=Comcast%20Cable%20Communications,%20LLC&lang=en&ref\_domain=**apnews.com**&os=**Android**&osv=10.&browser=Chrome&browserv=119&brand=unknown&model=unknown&marketing\_name=K&tablet=2&rheight=0&rwidth=0&e=5

**CBSSPORTS.COM (265.1M monthly visits)**

systemmeasures\[.\]life/avs/en/mob/**mcafee-2**.php?c=5uz16jptz7oz2&k=d2761f12fed2ce8472ab704fd55d49e1&country\_code=US&carrier=-&country\_name=United%20States&region=Colorado&city=Greenwood%20Village&isp=Charter%20Communications%20Inc&lang=en&ref\_domain=**www.cbssports.com**&os=**Android**&osv=10.&browser=Chrome&browserv=119&brand=unknown&model=unknown&marketing\_name=K&tablet=2&rheight=0&rwidth=0&e=5

Most of the public reports (\[1\], \[2\], \[3\]) indicate this campaign was at its peak around **November 19**. To be clear, AP, ESPN, CBS and other sites were not hacked, but rather showed malicious ads. It appears that this high profile campaign stopped shortly after, as we haven’t seen new telemetry data coming from these publishers. However, the other campaign we are also monitoring that is affecting smaller sites is still ongoing (via _eu\[.\]vulnerabilityassessments.life_ and _us.vulnerabilityassessments\[.\]life_).

**Connection with ScamClub**

We were able to connect this campaign to the ScamClub infrastructure because of another domain (_trackmaster\[.\]cc_) that was previously mentioned as belonging to the threat actor. We can see the relationship between _systemmeasures\[.\]life_ (the landing page) and _trackmaster\[.\]cc_ (the intermediary domain) in the urlscanio submission below:

urlscanio scan showing the relationship between two domains

**Fingerprinting**

Like other malvertising threat actors, ScamClub dabbles in obfuscation and evasion techniques. However, as previously detailed by Confiant, they are using much more advanced tricks. Their JavaScript uses obfuscation with changing variable names, making identification harder.

Previously, the malicious JavaScripts were hosted on Google’s cloud but they have now moved to Azure’s CDN.

ScamClub’s malicious JavaScript

**Malvertising and mobile users**

On this blog, we have covered a number of malvertising campaigns targeting Desktop, both consumer and enterprise. This is in part because we hunt for Windows malware and the occasional Mac ones too.

ScamClub is a good example of targeting a big market segment, Mobile Web, where security software is often an afterthought, in particular on iOS, in part due to restrictions imposed by Apple. Clearly, malvertising is flourishing on Mobile and users are just as likely, if not more, to get tricked into downloading malware or get scammed.

Malwarebytes for Android protects users from this campaign:

**Indicators of Compromise**

**ScamClub URLs**

octob\[.\]azureedge\[.\]net/oc.js
lzi\[.\]azureedge\[.\]net/lz.js
tinlc\[.\]azureedge\[.\]net/pt.js
bm-rb\[.\]azureedge.net/rb.js
foluo\[.\]azureedge\[.\]net/fo.js
vpv-ger\[.\]azureedge\[.\]net/VpaidVideoAd1.js

**ScamClub JavaScript hashes**

c01716e23f633b206147efbe70fb37945e3857d6575fd088ea50106fb541cf1e  
899cbfbd676159201b2281d9e0e66f3ac200ac58b674375bde04083ff87650ad  
451b48c8f247f25cd09a1bf4a52fc195a74830d88bd2ffed7a5d4b7830e10621  
495304b489cecd33188ca2a7407d397996fd82ea99966e7c145f0dc67ab2dfb5  
a616fc2c1a075170d4decdb9d3c9ad15f2cfbcfda78dbe4c60d72132b9d006c9  
34f15ec739df72f5ac245db3fff11ea56407e95b94e24bbb820d7999032866d8  
a7a73d3bc716346808b2ee8070dfe5842bb01e10aee1fa9ba87fb975d71d0f4f  
de2f1745cdfbe58266b804961bdbd5be8f533843ed7fdf4b5fe6eb0060876b56  
1614786dd6ff4189975e8226ab7e68d258817b435c3c4e145951f5147699878e  
52cd9f2ff282354c77087b204d5cb32cee9066e8eea4e3c3b8f7cf4d3d3fa20f  
df03df284bfbbe006383f26c0c91394f4c4c8d915d04b868a00954f63e6163e0  
2f3867d33c448b941278671df9a2b8d3d6b29dec5d74b67654f5edfcc6771575  
243d9d70703644f3df148e7633f3ec461a9c43149ea58fd547e2e6fd0c47cce5

**Redirectors**

trackmaster\[.\]cc  
protectsystemtools\[.\]life  
securitypatch\[.\]life  
real-time-system-monitoring\[.\]life  
threatdetectorhub\[.\]life  
threatdetectorhub\[.\]online  
vulnerabilityassessments\[.\]life  
strike-it-lucky\[.\]space  
golden-opportunity\[.\]xyz  
stroke-of-luck\[.\]xyz  
blessed-with-luck\[.\]space  
system-scan-tool\[.\]space  
system-security-scan\[.\]buzz  
system-security-scan\[.\]net  
system-scan-tool\[.\]online  
trk6\[.\]kokamedia\[.\]com  
tracklinker\[.\]space  
trackmenow\[.\]life  
trackify\[.\]world  
trackinghub\[.\]info  
trkmyclk\[.\]xyz  
trk-server\[.\]xyz

34.74.68\[.\]195

**Scam landing pages**

systemmeasures\[.\]life
xyzcreators\[.\]xyz

 Associated Press, ESPN, CBS among top sites serving fake virus alerts 

Privacy organization nyob has filed a complaint against Meta about their "Pay or Okay" model it has introduced for European users.

Meta is required to get users’ consent in Europe in order to show them targeted ads. For this reason, Meta has to provide European users with a way to opt out of behavioral advertising or face fines totalling $100,000 a day.

Behavioral advertising are ads tailored to someone’s browsing habits and other online behavior. A profile of the user is built up over time, as they work their way around the web. Tracking users in this was was ruled as a break of GDPR regulations, so Meta had to find a way out.

Meta’s solution was to charge users for an ad-free experience. The choice for European users was keep using Facebook for free or pay to enjoy the platform without personalized ads. In order to enjoy your fundamental rights under EU law, Meta is essentially now proposing that users pay up to $275 per year.

However, organizations concerned about our privacy say that by doing this, Meta has changed the user’s choices from “yes or no” to “pay or okay.”

To put this into perspective, Meta’s annual revenue in 2022 was $120.18 Billion. If every user that visits Facebook daily (2.037 billion) forked out $275 per year, that would bring in roughly $560 Billion.

The price is higher for mobile users and will rise further in 2024 for additional accounts. And note that for each linked account (Instagram) you pay an additional € 8 per month.

From Meta’s point of view it is doing the world a service by providing personalized ads.

> “Every business starts with an idea, and being able to share that idea through personalized ads is a game changer for small businesses.”

But privacy group nyob (none of your business) says that keeping your personal data private is a fundamental right.

> “Fundamental rights cannot be for sale. Are we going to pay for the right to vote or the right to free speech next? This would mean that only the rich can enjoy these rights, at a time when many people are struggling to make ends meet. Introducing this idea in the area of your right to data protection is a major shift. We would fight this up and down the courts.”

And they meant it. On November 28, 2023, nyob filed a complaint against Meta with the Austrian data protection authority. The group considers Meta’s action yet another attempt to circumvent EU privacy laws.

> “Not only is the cost unacceptable, but industry numbers suggest that only 3 percent of people want to be tracked – while more than 99 percent decide against a payment when faced with a privacy fee.”

This strongly suggests that the EU law, which demands that consent should be “freely given” is not met in this case.

Max Schrems, the chairman of noyb said:

> “When 3 percent of people actually want to swim, but 99.9 percent end up in the water, every child knows that it wasn’t a “free” choice. It’s neither smart nor legal – it’s just pitiful how Meta continues to ignore EU law.”

Meta said in response, that it had obtained a ruling of the Court of Justice of the European Union (CJEU) that accepted the subscription model as a valid form of consent for an ads funded service. It also said its pricing was in line with those of ad-free services such as YouTube Premium and Spotify Premium.

However, it conveniently seems to “forget” that ad-free services are not the same as those that gather data about you and sell them to the highest bidder to create personalized ads.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Meta sued over forcing users to pay to stop tracking 

Google's released an update to Chrome which includes seven security fixes. Make sure you're using the latest version!

Google has released an update to Chrome which includes seven security fixes including one for a vulnerability which is known to have already been exploited.

If you’re a Chrome user on Windows, Mac, or Linux, you should update as soon as possible.

The easiest way to update Chrome is to set it to update automatically, but you have to make sure to close your browser for the update to finish. You can also end up on an older, vulnerable version if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities in this batch. My preferred method is to have Chrome open the page _chrome://settings/help_ which you can also find by clicking **Settings > About Chrome** (on Windows) or **Google Chrome > About Google Chrome** (on Mac).

If there is an update available, Chrome will start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

_Google Chrome is up to date_

After the update, the version should be listed as 119.0.6045.199 for Mac and Linux, and 119.0.6045.199/.200 for Windows, or later.

**The technical details**

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE assigned to the actively expoited zero-day is:

CVE-2023-6345: Integer overflow in Skia. Google notes it is aware that an exploit for CVE-2023-6345 exists in the wild. This vulnerability could lead to a range of risks, from crashes to the execution of arbitrary code.

Google never gives out a lot of information about vulnerabilities, for obvious reasons. Access to bug details and links may be kept restricted until a majority of users are updated with a fix, so that interested criminals remain none the wiser.

The fact that the vulnerability is listed with a severity rating of High, indicates that the scope of the flaw is limited to the browser, but this could mean successful exploitation could provide the attacker with information about visited websites and so on.

Skia is an open source 2D graphic library for drawing Text, Geometries, and Images. Skia works across a variety of hardware and software platforms. It serves as the graphics engine for Google Chrome and ChromeOS, Android, Flutter, and many other products.

That’s why users of other Chromium based browsers and software that uses Skia should keep their eyes open for similar updates.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Source

Malwarebytes