Scammers are sending out fake Netflix job offers to get control of Facebook accounts.

In what seems a phishing attack targeted at a certain audience, scammers are impersonating Netflix and reaching out to marketing staff.

The initial mail looks like what you might expect from a headhunter or a human resources (HR) recruitment specialist.

“I hope this note finds you well,” the email begins. “Your reputation as a visionary marketing leader has caught out attention, and I’d like to share an extraordinary opportunity with you at Netflix.”

Undoubtedly this email is crafted by AI and based on real-life examples. The role offered in the email as VP of Marketing would be a fitting role for the person that received this email, so it looks as if the scammers have done their research before reaching out.

Replying to the initial mail—which is not recommended, unless you like letting scammers know you exist and encouraging them to send you more phishes—got us one step closer to landing the exciting new job at Netflix.

We received an invitation to set up an interview with the ‘Netflix HR team’.  

Following the link under “Schedule Interview” gets us a block by Malwarebytes web protection.

Again, not something we would want our readers to do but in the interest of learning more about the scam, we bypass that block and proceed to the website.

We find that there are 20 openings, all more or less in the same fields of social media and marketing.

The website itself is a mix of content copied from the actual Netflix site and of the phishing campaign.

Back to scheduling our interview. We’re given an option to choose our interview slot:

Regardless of which of the two buttons you use on the screen, you’ll be asked to sign in to your existing “Career Profile” or create a new one.

At this stage, all red flags should go up. It doesn’t matter if you choose “Continue with Facebook” or whether you enter your email and click “Continue with Email” the next screen will ask you to sign in to your Facebook account.

The only difference is that the second option fills out your email in the login screen.

That doesn’t make a lot of sense—Facebook is not known to keep track of your calendar. It does keep track of a lot of things, but your meeting schedule isn’t one of them. Besides, if you look at the address bar, you’ll see I’m still at the fake Netflix site.

However, it’s very normal practice to offer the option of logging in with Facebook on third party sites, so it would be understandable for the jobseeker to click that link.

When you enter the credentials and click on “Log In”, it will take a while and then you’ll be notified that “The password you’ve entered is incorrect. Please try again!”

This login page is also the part that makes this attack a very sophisticated one. The phishers use a websocket method that allows them to intercept submissions live as they are entered. This allows them to try the credentials and if your password works, they can log into your real Facebook account within seconds. They could potentially ask for multi-factor authentication (MFA) confirmation if that’s necessary, too.

Imagine that the phisher can instantly see the credentials you submitted, tests them at the real Facebook login page, and subsequently sends you the appropriate response. (In my case “wrong password” since I had no intention of feeding them valid credentials.)

You’d have no idea that they were accessing your Facebook account and they’d have bought some time to log you out, spam your friends, or whatever else they wanted to do with your account.

We often see phishing campaigns like these that are explicitly designed to steal the credentials of marketing managers, social media staff, and especially those who have access to company Facebook Pages or business accounts.

Compromising a business account can allow attackers to run malicious ads using the company’s payment methods, demand a ransom for return of control over the account, or use the company’s reputation to spread more scams.

**What to do**

If you suspect your credentials may have been compromised, immediately change your passwords, enable multi-factor authentication, and notify your IT/security team if you have one.

You can stay safe from these attacks by:

*   Be super cautious at engaging in job offers that you have not applied for.
*   Carefully check the URLs, both in the email and on the website, before you click them (did you notice the missing “i” in the domain name?)
*   Check if the address in the browser bar matches what you expect to see, along with the content of the website.
*   Learn how to spot and recognize phishing attempts. Phishing mails are getting harder to identify now that cybercriminals are using Artificial Intelligence (AI).
*   Keep your browser, your Operating System, and other software up to date.
*   Use an up-to-date real-time anti-malware solution with web protection.

Since the phishing campaign was hosted behind Cloudflare’s services, we have notified Netflix and Cloudflare about this campaign.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Netflix scammers target jobseekers to trick them into handing over their Facebook logins 

The US court filing system, which houses court records and sealed filings, was reportedly hacked by Russians seeking sensitive documents.

Russia is after secret files in the US court system, according to reports this week—and its hackers appear to have reached at least some of them.

Last week, news broke of a successful cyberattack against the decades-old US court filing system. Called Case Management/Electronic Case Files (CM/ECF), courts use the system to file and maintain documentation for legal cases around the country, which in turn can be accessed through a public portal called PACER. The attack happened as early ago as the first week of July, and possibly before that.

Now, investigators say that Russia is at least partly responsible for the hack, which they described in the New York Times as a multi-year effort to compromise the system.

What would Russian hackers be looking for? Many court documents are accessible via PACER for a small fee (or via other sites such as CourtListener for free). But CM/ECF also hosts many sensitive, sealed documents that are not available to the general public. These would be a treasure trove to those with criminal and/or nation-state connections.

Indeed, the targeted documents were those with overseas ties, according to the NYT report, which said that the attack has targeted at least eight district courts. Chief judges there were asked to move sensitive cases out of CM/ECF. At least one judge, for the Eastern District of New York, issued an order forbidding sealed documents to be directly uploaded there.

Experts have already warned that court files are the crown jewels for cyber attackers.

“Experience has shown that the Judiciary is a high-value target for malicious actors and cyber criminals seeking to misappropriate confidential information and disrupt the judicial process in the United States,” said Michael Y. Scudder Jr., chair of the Committee on IT of the Judicial Conference on Courts, testifying to Congress in June this year.

He mentioned that in 2024 alone, the judiciary’s security team blocked 200 million harmful events from reaching local court networks, adding that attacks were becoming more sophisticated over time.

This isn’t the first time that attackers have made it through the filing system’s defenses. In 2021, CM/ECF suffered a major cybersecurity breach, as reported by the Judiciary at the time, later revealed to have involved three hostile foreign actors, per Politico.

The Judiciary is also in the process of modernizing the filing system, Scudder said. That would mean replacing CM/ECF, which was first introduced in the mid-nineties. PACER is also up for replacement.

However, a replacement has been on the cards since at least 2022, when the Judiciary discussed its refresh plans.

The US government runs on technology systems, having moved away from paper. But those systems are often in dire need of modernization. In July, the US Government Accountability Office released an update to a 2019 audit of government IT systems. Of the ten critical legacy systems most in need of modernization back then, only three have been addressed as of this February. Some of the oldest legacy systems, operated by the Department of Defense and the Treasury, date back to before Neil Armstrong first walked on the moon.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Russians hacked US courts, say investigators 

In the August 2025 patch Tuesday round Microsoft fixed a total of 111 Microsoft vulnerabilities, some of which are very important.

In the August 2025 patch Tuesday round Microsoft fixed a total of 111 Microsoft vulnerabilities. A few of them are very important for people to apply.

Even if you’re not a tech expert, keeping your Windows system up to date is one of the simplest and most effective ways to protect yourself from online threats. Microsoft releases important updates on the second Tuesday of every month, called “Patch Tuesday.” These updates fix security problems and keep your Windows system up to date.

Here is a step-by-step guide for updating your Windows 11 (it might be slightly different for older versions) computer this August 2025:

1\. Open **Settings**

*   Click the Start button (the Windows logo at the bottom left of your screen).
*   Click on Settings (it looks like a little gear).

2\. Go to **Windows Update**

*   In the Settings window, look for Windows Update (usually at the bottom of the menu on the left).
*   Click on Windows Update.

3\. **Check for Updates**

*   You’ll see a button that says **Check for updates**. Click it.
*   Windows will now look for the August 2025 Patch Tuesday updates.

If you have selected automatic updates earlier you may see this:  

And this:

*   Which means all you have to do is restart your system and you’re done updating.
*   If not, continue with the below.

4\. **Download and Install**

*   If updates are found, they will start downloading right away. When that’s done, you’ll see a button that says **Install** or **Restart now**.
*   Click **Install** if needed and follow any prompts. Your computer will usually need a restart to finish the update. If it does, click **Restart now**.

5\. Double-check everything Is updated

*   After restarting, go back to Windows Update and check again. If it says **You’re up to date**, you’re all set!

Of the 111 fixed flaws, a few stand out. Let’s have a look at why this round is important.

CVE-2025-50165: Untrusted pointer dereference in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network.

This vulnerability can be exploited without user interaction and for example be exploited by sending a target a specially .jpeg file in an Office document or other documents and files. Successful exploitation allows arbitrary remote code execution (RCE) which basically means your machine is at their control.

CVE-2025-53766: Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code over a network.

A buffer overflow occurs when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region.

GDI+ (Graphics Device Interface Plus) is a component of the Windows operating system that provides a way for applications to display graphics and formatted text on screens and printers.

An attacker could trigger this vulnerability by convincing a victim to download and open a document that contains a specially crafted metafile. Successful exploitation of this vulnerability could cause remote code execution or information disclosure on web services that are parsing documents that contain a specially crafted metafile, without involvement of the target. In the worst-case scenario, an attacker could trigger this vulnerability on web services by uploading documents containing a specially crafted metafile.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Microsoft patches some very important vulnerabilities in August&#8217;s patch Tuesday 

Two different groups were found to have abused a now patched vulneraability in popular archive software WinRAR. Who's next?

On July 30, 2025, WinRAR released a new version (7.13 Final) to patch a vulnerability which was used in two separate malware campaigns. WinRAR is a popular file archiving and data compression tool that allows users to compress files into smaller archives, like RAR and ZIP, and can also unpack various archive formats.

The vulnerability, tracked as CVE-2025-8088, is a path traversal flaw that affects the Windows version of WinRAR and allows the attackers to execute arbitrary code by crafting malicious archive files.

A path traversal vulnerability, also known as a directory traversal vulnerability, is a type of security flaw that allows attackers to access files and directories they should not be able to reach. They typically occur in web applications but can affect any software that handles file paths.

In one campaign, attributed to Russia-aligned group RomCom, the vulnerability was used to drop files in folders other than those stipulated by the user. This allowed cybercriminals to drop files in startup folders and other important areas of the Operating System (OS).

The RomCom attackers used the vulnerability from July 18 – 21 against financial, manufacturing, defense, and logistics companies in Europe and Canada. The malicious archives were sent out in phishing campaigns where the attackers posed as job applicants and sent their resumes as attachments.

Another group called Paper Werewolf used the same vulnerability to target Russian organizations. In early July, researchers discovered this activity in targeted phishing campaigns. The attackers posed as employees of a Russian research institute and attached a letter supposedly from one of the ministries.

At the time, the vulnerability was still a zero-day. Now that a patch is available and more details have emerged, other cybercriminals will almost certainly try to weaponize the same vulnerability, possibly by including malware in online downloads.

Therefore, users of WinRAR are under advice to install the latest version as soon as possible. To check the version of WinRAR you have installed, open WinRAR and navigate to **Help** > **About WinRAR**. This will display a window showing the version number and other details.

**Stay safe**

Some guidelines to stay safe from these types of malware campaigns:

*   Keep your software and devices up to date.
*   Use an up-to-date, real-time anti-malware solution, preferably with a web protection component.
*   Only download software from trusted places, such as the vendor’s website.
*   Don’t open unsolicited attachments. If an attachment arrives unexpectedly, verify its legitimacy through a different channel before opening it.
*   Be cautious around files from unknown or untrusted sources.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 WinRAR vulnerability exploited by two different groups 

Scam hunter Julie-Anne Kearns, who helps scam victims online, opened up about a tax scam she fell for herself.

The next time you shake your head at another online scam and vow that you’d never fall for it, remember that even the most tech-savvy people can sometimes slip up.

A case in point: Julie-Anne Kearns. This self-made scam-hunter told her story to the Guardian last week, revealing how she had been duped by people pretending to be from His Majesty’s Revenue and Customs (HMRC), which is the UK’s version of the US Internal Revenue Service (IRS).

Kearns had first pursued scam-hunting when spotting an attempt to scam her in 2022. After reporting on it on her TikTok account, she started hearing from plenty of people sharing their own experiences of online scams. Although she worked full time for the UK’s National Health Service, she began helping victims track down online criminals.

As her following grew, more online scammers tried to dupe her. Eventually, one succeeded.

It was a classic refund scam, with the criminals impersonating HMRC and sending Kearns a letter telling her she had a rebate. They asked for extra details to confirm her identity, and because the letter seemed consistent with others from the real HMRC, Kearns complied.

Kearns sent the scammers copies of her passport and driving license. The scammers promptly used those materials to claim Kearns’s rebate, and also sold the information on the dark web. The identity thieves started a business in Kearns’s name and took out loans. This tanked her credit rating and also left her battling a legal claim for non-payment of a £16,000 loan that she never took out.

“I worried about whether to share that I’d been scammed,” Kearns told the Guardian. She decided to tell all, because she hoped it might help others avoid the same fate.

Kearns isn’t the only savvy person in the cybersecurity field to fall victim to scammers. Others who are clued into scams have also been taken in. Cybersecurity researcher Troy Hunt fell victim to a phishing attack in March, after someone pretending to be from his newsletter distribution provider Mailchimp sent a bogus notification about penalties to his account. In the attack, the scammer stole around 16,000 records belonging to his blog subscribers.

“I’m enormously frustrated with myself for having fallen for this, and I apologize to anyone on that list,” Hunt wrote at the time.

Jim Browning, a scam hunter who regularly goes after online criminals halfway around the world, also suffered from a phishing attack in 2021. Criminals pretending to be from YouTube used Google Chat to send an email from the Google domain, convincing him to delete his YouTube channel.

“It wasn’t exactly my finest hour, but it does go to prove that anyone can be scammed if the circumstances are exactly right,” he said after getting his channel reinstated.

These experiences illustrate why victim shaming is such a pointless exercise. If people with experience in scamming sometimes get scammed themselves, then it’s understandable that those with less expertise in online crime also get taken in.

Even those trying to protect themselves will run across situations where they let their guard down, whether it’s phishing, answering seemingly legitimate letters from the tax department, or falling for a romance scam because they’re lonely.

Shame is a powerful weapon. When someone is caught in a scam, fear of speaking out can make things worse. So, if there’s someone you know who has been caught in a scam, have some compassion, and a non-judgmental ear.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Scam hunter scammed by tax office impersonators 

Scammers are using the age old tactic of scaring victims into clicking by sending out fake product recall messages from Amazon.

Scammers are using the age old tactic of scaring victims into clicking by sending out fake product recall messages from Amazon.

The text message tells you that the item does not meet Amazon’s standards, and tries to install some urgency by claiming it is not safe to use. It also includes a link where it says you can find more information and claim a refund.

> “Amazon Safety Recall: We are contacting you because the product you purchased is being recalled. This recall is due to quality and safety issues. We urge you to stop using the product immediately and contact us to arrange a full refund. You can view your order details at the following link:
> 
> Safety Recall: Order Number:#-142-15261-31435 Your safety is our top priority, please visit our website for more details and instructions. We apologize for the inconvenience and disappointment this may cause you.
> 
> Thank you for shopping at Amazon.”

Of course the link doesn’t go anywhere near Amazon, it’s actually a shortened URL that sends you to amazonzbzc\[.\]co. This is a known phishing site that mimics Amazon, and is after your personal information or to steal your money.

The text messages are intentionally vague about the nature of the product or the exact issue they are being recalled for. This is done so a maximum number of people will think that this might concern them. If the scammers said that the TV you bought might explode, you wouldn’t click the link if you hadn’t purchased a TV recently.

The Federal Trade Commission even issued a warning about these scams back in July, illustrating how this type of scam tactic is growing.

**How to avoid Amazon phishing scams**

*   If you receive a text like this, don’t click on any links. Instead, check if it’s legit by logging in to the Amazon app or website, then going to **Message Centre** under **Your Account**. Legitimate messages from Amazon will appear there.
*   Report the scam to Amazon itself, whether you’ve fallen for it or not. US citizens can send unwanted texts to 7726(SPAM) or use the **Report Junk** option.
*   Set up two-step verification for your Amazon account. This puts an extra barrier between you and the scammers if they do manage to get hold of your login details.
*   Scammers sometimes use information they’ve found online to personalize their scam messages. Check what information is already out there about you using our free Digital Footprint Scanner and then remove or change as much of it as you can.
*   Install web protection that can warn you of phishing sites, card skimmers, and other nasties that could lead to your data being taken.
*   Lastly, if you’ve fallen for this or a similar scam, change your Amazon password and anywhere else you use that password. Also, make sure to monitor your card statements for any unfamiliar charges, and contact your bank immediately if you see anything suspicious.

**We don’t just report on scans—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

 That &#8220;Amazon Safety Recall&#8221; message may well be a scam 

This week on the Lock and Code podcast, we speak with EFF Activism Director Jason Kelley about online age verification and the "grey web."

_This week on the Lock and Code podcast…_

The internet is cracking apart. It’s exactly what some politicians want.

In June, a Texas law that requires age verification on certain websites withstood a legal challenge brought all the way to the US Supreme Court. It could be a blueprint for how the internet will change very soon.

The law, titled HB 1181 and passed in 2023, places new requirements on websites that portray or depict “sexual material harmful to minors.” With the law, the owners or operators of websites that contain images or videos or illustrations or descriptions that “more than one-third of which is sexual material harmful to minors” must now verify the age of their website’s visitors, at least in Texas. Similarly, this means that Texas residents visiting adult websites (or websites meeting the “one-third” definition) must now go through some form of online age verification to watch adult content.

The law has obvious appeal from some groups, which believe that, similar to how things like alcohol and tobacco are age-restricted in the US, so, too, should there be age restrictions on pornography online.

But many digital rights advocates believe that online age verification is different because the current methods used for online age verification could threaten privacy, security, and anonymity online.

As Electronic Frontier Foundation, or EFF, wrote in June:

“A person who submits identifying information online can never be sure if websites will keep that information or how that information might be used or disclosed. This leaves users highly vulnerable to data breaches and other security harms.”

Despite EFF’s warnings, this age-restricted reality has already arrived in the UK, where residents are being age-locked out of increasingly more online services because of the country’s passage of the Online Safety Act.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Jason Kelly, activism director at EFF and co-host of the organization’s podcast “How to fix the internet,” about the security and privacy risks of online age verification, why comparisons to age restrictions that are cleared with a physical ID are not accurate, and the creation of what Kelley calls “the grey web,” where more and more websites—even those that are not harmful to minors—get placed behind online age verification models that could collect data, attach it to your real-life identity, and mishandle it in the future.

> “This is probably the worst thing in my view that has ever happened to our rights online.”

Tune in today to listen to the full conversation.

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 “The worst thing” for online rights: An age-restricted grey web (Lock and Code S06E16) 

A carmaker has been found to be open to leaking vehicle data and customer information through their dealership portal.

A carmaker’s online dealership portal has been found leaking the private information and vehicle data of its customers. This also meant that anyone with access could remotely break into a car.

Researcher Eaton Zveare shared his discovery with TechCrunch. Although he said he has chosen not to disclose the vendor’s name, he revealed that it is a well-known automaker with several popular sub-brands and more than 1,000 dealerships across the United States.

Zveare says it wasn’t easy to find the flaw, but once he did, it allowed him to modify the code at the portal’s login page so he could bypass the login security checks. This permitted him to create a new national administrator account.

Not only did this allow him to access all the data of these dealerships, he also found a national consumer lookup tool that allowed any logged-in portal user to look-up the vehicle and driver data of that carmaker.

Real life tests learned that taking a vehicle’s unique identification number (VIN) from the windshield of a car allowed anyone with access to the portal to look up the name of the owner. It was also possible to pair any vehicle with a mobile account which could then be used to remotely control a car’s functions, such as unlocking the vehicle.

Since both a VIN or someone’s first and last name were enough to find and transfer ownership of an account to one under control of an attacker, they would—at least—be able to open the car and steal everything inside. The researcher did not test whether he was able to drive away in it.

Although he found no evidence of anyone else exploiting the flaw, the portals were a security nightmare waiting to happen. It even allowed administrator accounts, such as the one he was able to create, access to other dealer systems as if they were that user without needing their logins, and found personally identifiable customer data, some financial information, and telematics systems that allowed the real-time location tracking of rental or courtesy cars.

As we have said before, this is exactly the sort of thing the Federal Communications Commission (FCC) wants car manufacturers to make harder for stalkers, not easier.

Zveare will be presenting his findings at Defcon. He reported the bugs he found to the car maker, and says it took them a week to fix them.

**Tips to keep a stalker from tracking your car**

Not all cars offer these options, and the tips may not apply to your situation, but here are some general tips for people that are afraid they are the target of a stalker:

*   Use the navigation app on your phone (such as Google Maps, Waze, etc), rather than the one built into your car.
*   Do not store places you visit regularly in the car’s navigation.
*   Consider using a VPN when you connect to your car’s hotspot.
*   Find out which devices can access the car or its location data using any “remote access” apps for the car, and remove the devices that are not under your control.
*   Familiarize yourself with the car manufacturer’s privacy policy so you know where your data might be sent. To give you an idea, data might end up with advertisers, law enforcement, service providers, the car manufacturer and its dealers, tech giants like Apple, Google, and Amazon, connected service providers, and government agencies.
*   Keep the software updated to make sure your car is equipped with the latest protection against potential intrusions.
*   If a suspected stalker has been near your vehicle, inspect it thoroughly for trackers and other unfamiliar hardware.
*   Try not to travel alone and always park in a well-lit, busy area if you are concerned about your physical safety.
*   If you have a dashcam that uses cloud storage, check who has access to the images. They can be used to track your movements.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Online portal exposed car and personal data, allowed anyone to remotely unlock cars 

A list of topics we covered in the week of August 4 to August 10 of 2025

August 7, 2025 - We found a host of blogspot pages involved in a malware campaign to promote their own content by using a LikeJack Trojan.

August 7, 2025 - Scammers are targeting Facebook users in this latest phishing campaign.

August 7, 2025 - TeaOnHer turns out to be at least as leaky as its female counterpart, Tea Dating Advice app.

August 7, 2025 - Hackers tricked workers over the phone at Google, Adidas, and more to grant access to Salesforce data.

August 7, 2025 - A jury has ruled that Meta accessed sensitive information from women's reproductive health tracking app Flo without consent.

 A week in security (August 4 &#8211; August 10) 

We found a host of blogspot pages involved in a malware campaign to promote their own content by using a LikeJack Trojan.

As the use of age verification to access adult websites increases in various countries around the world, shady websites with adult content have started a timely malware-fueled campaign to promote links to their own websites.

During our daily rounds on Facebook, looking for the latest scams, we noticed something odd about some posts pointing to adult websites. We found that several of the sites promoted in this way were hosted on blogspot\[.\]com, and that these sites linked to other similar sites.

Here’s one example:

Most of these sites promise the visitor explicit pictures of celebrities, most of which will undoubtedly turn out to be generated by Artificial Intelligence (AI).

This in itself is not uncommon. However, what did stand out was that a few of the Facebook posts had a lot of Likes. Most people don’t like that type of content on Facebook since everyone can see who the Likes are from.

A high number of Likes for a post is great for the accounts posting these links, because when a Facebook profile or post gets more Likes it is more likely to show up in people’s feeds, which is basically more advertising for the same money.

So, how do the posts get these Likes?

It turns out the criminals use a Trojan to promote their posts and profiles. When clicking through links displayed on the adult sites some—selected–visitors will download a Scalable Vector Graphics (SVG) image file. So while surfing from one of these sites to the next one, sometimes, not always, it triggers a download.

Now, the cybercriminals are banking on the fact that SVG is not a filetype that will set off an alarm for most people, given that most people see it as an image file. But SVG files are not always simply image files.They are written in XML, and this allows them to contain HTML and Javascript code, which means that the cybercriminals can use them to get up to no good.

Here is the one provided by the adult sites:

Despite the heavy obfuscation of the second part of the script, for anyone able to read the code it is pretty clear this file is up to no good. In fact, it actually downloads another malicious javascript file, but it was hard to figure out which one.

Because the code in the SVG file uses a technique called “hybrid JSFuck” (how fitting) to hide its intentions we immediately assumed that it was malicious. From the easier to read parts of the script we can deduct that the script downloads and executes a malicious script from the domain crhammerstein\[.\]de, which was blocked by Malwarebytes.

JSFuck is a form of obfuscation that encodes JavaScript using only six characters: “\[ \] ( ) ! +”. There are several online deobfuscators available for pure JSFuck obfuscation, but the criminals used a hybrid method by adding the String.fromCharCode elements which is not that easy to unravel.

Opening the SVG file opens an empty Edge tab titled Process Monitor. This happens because SVG files on Windows are opened by Edge, even if the user has another browser set as their default.

In the end we managed to figure out that the downloaded script was another javascript, detected as Trojan.JS.Likejack. This Trojan, also written in Javascript silently clicks a ‘Like’ button for a Facebook page without the user’s knowledge or consent, in this case the adult posts we found above. The user will have to be logged in on Facebook for this to work, but we know many people keep Facebook open for easy access.

Once we knew how this campaign worked, we found a huge amount of blogspot\[.\]com pages involved in this campaign:

**Conclusion**

Now that governments are imposing age verification upon adult sites that play by the rules, they are driving those interested in that type of content into the arms of those that don’t care about the rules, even to the extent that they are willing to deploy Trojans to get visitors to their sites.

An alternative is that those trying to access content use a VPN to visit the sites from locations that don’t impose these restrictions. Given those options we would obviously recommend using a VPN.

To be protected against this type of campaigns, it’s worth considering using real-time malware protection. Malwarebytes blocks the domains associated with this campaign.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Source

Malwarebytes