### Impact

Calling `fetch(url)` and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. 

### Patches

Patched in v6.6.1

### Workarounds

Make sure to always consume the incoming body.


**fetch(url) leads to a memory leak in undici**

Moderate severity GitHub Reviewed Published Feb 16, 2024 in nodejs/undici • Updated Feb 16, 2024

GHSA-9f24-jqhm-jfcw: fetch(url) leads to a memory leak in undici

Red Hat Security Advisory 2024-0843-03 - Red Hat OpenShift Serverless version 1.31.1 is now available. Issues addressed include denial of service and traversal vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0843.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Critical: Release of OpenShift Serverless 1.31.1Advisory ID:        RHSA-2024:0843-03Product:            Red Hat OpenShift ServerlessAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0843Issue date:         2024-02-15Revision:           03CVE Names:          CVE-2023-6481====================================================================Summary: Red Hat OpenShift Serverless version 1.31.1 is now available.Red Hat Product Security has rated this update as having a security impact ofCritical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.Description:Version 1.31.1 of the OpenShift Serverless Operator is supported on Red HatOpenShift Container Platform versions 4.11, 4.12, 4.13 and 4.14This release includes security, bug fixes, and enhancements.Security Fix(es):* go-git: Maliciously crafted Git server replies can cause DoS on go-git clients (CVE-2023-49568)* go-git: Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients (CVE-2023-49569)* golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests (CVE-2023-39326)* ssh: Prefix truncation attack on Binary Packet Protocol (BPP) (CVE-2023-48795)* logback: A serialization vulnerability in logback receiver (CVE-2023-6481)For more details about the security issues, including the impact, a CVSS score, acknowledgements, and other related information, refer to the CVE pages listed in the References section.Solution:https://access.redhat.com/documentation/en-us/red_hat_openshift_serverless/1.31CVEs:CVE-2023-6481References:https://access.redhat.com/security/updates/classification/#criticalhttps://access.redhat.com/documentation/en-us/red_hat_openshift_serverless/1.31https://bugzilla.redhat.com/show_bug.cgi?id=2252956https://bugzilla.redhat.com/show_bug.cgi?id=2253330https://bugzilla.redhat.com/show_bug.cgi?id=2254210https://bugzilla.redhat.com/show_bug.cgi?id=2258143https://bugzilla.redhat.com/show_bug.cgi?id=2258165

Red Hat Security Advisory 2024-0843-03

By Waqas
The latest report from Swedish telecom security firm Enea sheds light on security vulnerabilities within the widely used messaging platform, WhatsApp.
This is a post from HackRead.com Read the original post: Israeli NSO Group Suspected of “MMS Fingerprint” Attack on WhatsApp

NSO Group, an Israeli spyware firm, is suspected of exploiting a novel “MMS Fingerprint” attack to target unsuspected users on WhatsApp, exposing their device information without needing user interaction.

Swedish telecom security firm Enea reports that the Israeli NSO Group, targeted journalists, human rights activists, lawyers, and government officials with a novel MMS Fingerprint attack by exploiting a **vulnerability in WhatsApp**.

The report that the company shared with Hackread.com on Thursday 15, 2023, WhatsApp discovered a vulnerability in its system in May 2019, allowing attackers to install Pegasus spyware on users’ devices. The flaw was then exploited to target government officials and activists globally. WhatsApp sued **NSO Group** for this exploitation, but appeals failed in the US appeal court and Supreme Court.

The attack, reportedly used by NSO Group, was discovered in a contract between the Israeli agency’s reseller and the telecom regulator of Ghana, which can be viewed in lawsuit documents **here** (PDF).

Enea launched an investigation to find out how an MMS fingerprint attack occurs. They discovered that it could reveal the target device and OS version without user interaction by sending an MMS.

The MMS UserAgent, a string that identifies the OS and device (such as a Samsung phone running Android), can be used by malicious actors to exploit vulnerabilities, tailor malicious payloads, or craft phishing campaigns.

**Surveillance companies** often request device information, but UserAgent may be more useful than IMEI. It’s important to note that MMS UserAgent is different from browser UserAgent, which has privacy concerns and changes.

The problem, according to Enea’s **report**, was not in the Android, Blackberry, or iOS devices but in the complex, multi-stage MMS flow process. The MMS flow examination suggested this was launched possibly through another method involving binary SMS.

For your information, MMS standards designers worked on a way to notify recipient devices of an MMS waiting for them without requiring them to be connected to the data channel. MM1\_notification.REQ uses SMS, a binary SMS (WSP Push), to notify the recipient MMS device’s user agent that an MMS message is waiting for retrieval.

The subsequent MM1\_retrieve.REQ is an HTTP GET to the URL address, including user device information, suspected to be leaked and potentially lifted the MMS fingerprint.

Researchers obtained sample SIM cards from a randomly selected Western European operator and successfully sent MM1\_notification.REQs (binary SMSs), setting the content location to a URL controlled by their web server.

The target device automatically accessed the URL, exposing its UserAgent and x-wap-profile fields. A Wireshark decode of the MMS notification and GET revealed how an attacker would execute an “MMS Fingerprint” attack, demonstrating it was possible in real life.

Enea’s report outlines the stages in an MMS flow and provides insight into the initial attack notification sent to the target. (Screenshot: ENEA)

The attack highlights the **ongoing threat to the mobile ecosystem**. Binary SMS attacks have been steadily reported over the last 20 years, highlighting the need for mobile operators to evaluate their protection against such threats.

For detailed insights into the report, we reached out to **Javvad Malik**, lead security awareness advocate at **KnowBe4** who warned that, Unlike previous methods, this attack doesn’t require user interaction, posing a significant concern for users’ security. The targeting of journalists, activists, and officials highlights the misuse of technology for surveillance and oppression. Platforms like WhatsApp must prioritize security as the foundation of their services.

> _“The saga of the NSO Group and its controversial exploits offers another chapter with the revelation of the “MMS Fingerprint” attack. At the heart of this revelation is a stark reminder of the ever-evolving cybersecurity threats, demonstrating not just the sophistication of threat actors, but their relentless pursuit to leverage vulnerabilities._
> 
> _The tactical evolution from requiring user interaction to achieve compromise—such as the unfortunate click on a malicious link—to now being able to extract valuable information through seemingly benign MMSs, underlines a significant shift. It’s concerning, to say the least, that users can be targeted without any user interaction._
> 
> _The targeting of journalists, activists, and officials is particularly egregious, highlighting a dark side of technological advancements where tools designed to connect and empower can also be twisted into instruments of surveillance and oppression. For organisations like WhatsApp and entities involved in digital communication, the imperative is clear: Security cannot merely be a feature; it must be the very foundation upon which platforms are built and maintained._
> 
> _In the broader context, incidents like the “MMS Fingerprint” attack are reminders that security cannot remain static and needs to continually evolve and build more resilient and secure systems.”_
> 
> Javvad Malik – KnowBe4

To prevent the attack, disabling MMS auto-retrieval on mobile devices can help, but some devices may not allow modification. On the network side, filtering Binary SMS/MM1\_notification messages can be effective. If a malicious binary SMS message is received, it is essential to prevent messages from connecting to attacker-controlled IP addresses.

1.  **Israeli spyware hacked phones of journalists globally**
2.  **iShutdown Tool Detects Pegasus Spyware on iOS Devices**
3.  **Fake WhatsApp clone aim at crypto on Android and Windows**
4.  **WhatsApp OTP Scam Allows Scammers to Hijack Your Account**
5.  **iPhones of State Dept officials hacked by NSO Pegasus spyware**

Israeli NSO Group Suspected of “MMS Fingerprint” Attack on WhatsApp

One of Microsoft's Patch Tuesday fixes has flipped from "Likely to be Exploited" to “Exploitation Detected”.

As it turns out, there was another actively exploited vulnerability included in Microsoft’s patch Tuesday updates for February.

When Microsoft said in its update guide for CVE-2024-21410 that the vulnerability was likely to be exploited by attackers, they weren’t kidding. Soon after they changed the status to “Exploitation Detected”.

Today, I was alerted to the fact after spotting a warning by the German Federal Office for Information Security (BSI) about the same vulnerability, Something the BSI does not do lightly.

The Exchange vulnerability is listed in the Common Vulnerabilities and Exposures (CVE) database as CVE-2024-21410, an elevation of privilege vulnerability with a CVSS score of 9.8 out of 10.

Microsoft’s description of the vulnerability is a bit more revealing:

> “An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim’s behalf.”

In a Windows network, NTLM (New Technology LAN Manager) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. An attacker being able to impersonate a legitimate user could prove to be catastrophic.

Microsoft Exchange Servers, and mail servers in general, are central communication nodes in every organization and as such they are attractive targets for cybercriminals. Being able to perform a pass-the-hash attack would provide an attacker with a paved way into the heart of the network.

As part of the update, Microsoft has enabled Extended Protection for Authentication (EPA) by default with the Exchange Server 2019 Cumulative Update 14 (CU14). Without the protection enabled, an attacker can target Exchange Server to relay leaked NTLM credentials from other targets (for example Outlook).

If you are running Exchange Server 2019 CU13 or earlier and you have previously run the script that enables NTLM credentials Relay Protections then you are protected from this vulnerability. However, Microsoft strongly suggests installing the latest cumulative update.

Last year, Microsoft introduced Extended Protection support as an optional feature for Exchange Server 2016 CU23.

If you are unsure whether your organization has configured Extended Protection, you can use the latest version of the Exchange Server Health Checker script. The script will provide you with an overview of the Extended Protection status of your server.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Microsoft Exchange vulnerability actively exploited 

Directory Traversal vulnerability in React Native Document Picker before v.9.1.1 and fixed in v.9.1.1 allows a local attacker to execute arbitrary code via a crafted script to the Android library component.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-25466

**React Native Document Picker Directory Traversal vulnerability**

Moderate severity GitHub Reviewed Published Feb 16, 2024 to the GitHub Advisory Database • Updated Feb 16, 2024

**Package**

npm react-native-document-picker (npm)

**Affected versions**

< 9.1.1

**Description**

Published to the GitHub Advisory Database

Feb 16, 2024

Last updated

Feb 16, 2024

GHSA-pmgm-h3cc-m4hj: React Native Document Picker Directory Traversal vulnerability

A new report cited 28 “verified” accounts on X that appear to be tied to sanctioned groups or individuals.

A watchdog group's investigation found that terrorist group Hezbollah and other US-sanctioned entities have accounts with paid check marks on X, the Elon Musk–owned social network that still resides at the Twitter.com domain.

The Tech Transparency Project (TTP), a nonprofit that is critical of Big Tech companies, said in a report on Wednesday that "X, the platform formerly known as Twitter, is providing premium, paid services to accounts for two leaders of a US-designated terrorist group and several other organizations sanctioned by the US government."

After buying Twitter for $44 billion, Musk started charging users for check marks that were previously intended to verify that an account was notable and authentic. "Along with the check marks, which are intended to confer legitimacy, X promises various perks for premium accounts, including the ability to post longer text and videos and greater visibility for some posts," the Tech Transparency Project report noted.

The Tech Transparency Project suggests that X may be violating US sanctions. "The accounts identified by TTP include two that apparently belong to the top leaders of Lebanon-based Hezbollah and others belonging to Iranian and Russian state-run media," the report said. "The fact that X requires users to pay a monthly or annual fee for premium service suggests that X is engaging in financial transactions with these accounts, a potential violation of US sanctions."

Some of the accounts were verified before Musk bought Twitter, but verification was a free service at the time. Musk's decision to charge for check marks means that X is "providing a premium, paid service to sanctioned entities," which may raise "new legal issues," the Tech Transparency Project said.

Report Details 28 Check-Marked Accounts

Musk's X charges $1,000 a month for a Verified Organizations subscription and last month added a basic tier for $200 a month. For individuals, the X Premium tiers that come with check marks cost $8 or $16 a month.

It's possible for US companies to receive a license from the government to engage in certain transactions with sanctioned entities, but it doesn't seem likely that X has such a license. X's rules explicitly prohibit users from purchasing X Premium "if you are a person with whom X is not permitted to have dealings under US and any other applicable economic sanctions and trade compliance law."

In all, the Tech Transparency Project said it found 28 "verified" accounts tied to sanctioned individuals or entities. These include individuals and groups listed by the US Treasury Department’s Office of Foreign Assets Control (OFAC) as Specially Designated Nationals.

"Of the 28 X accounts identified by TTP, 18 show they got verified after April 1, 2023, when X began requiring accounts to subscribe to paid plans to get a check mark. The other 10 were legacy verified accounts, which are required to pay for a subscription to retain their check marks," the group wrote, adding that it "found advertising in the replies to posts in 19 of the 28 accounts."

X issued the following statement on Wednesday: "X has a robust and secure approach in place for our monetization features, adhering to legal obligations, along with independent screening by our payments providers. Several of the accounts listed in the Tech Transparency Report are not directly named on sanction lists, while some others may have visible account check marks without receiving any services that would be subject to sanctions. Our teams have reviewed the report and will take action if necessary. We're always committed to ensuring that we maintain a safe, secure and compliant platform."

X Removes Some Check Marks

An account with the handle @SH\_NasrallahEng appears to be tied to Hezbollah leader Hassan Nasrallah, the TTP report said. The account had a check mark when we first checked it earlier Wednesday, but it has since been removed.

"The account, which has 93,600 followers, posts English-language Hezbollah messages and memes disparaging Israel and the US. It was created in October 2021 and verified in November 2023, the same month that Nasrallah threatened further escalation of Israel's war with Hamas," the report said.

Elon Musk’s X Gave Check Marks to Terrorist Group Leaders, Report Says

There was about a 24-hour period where many news outlets reported on a reported DDoS attack that involved a botnet made up of thousands of internet-connected toothbrushes.

Thursday, February 15, 2024 14:00

I’ll be the first to admit that, like many people on the internet last week, I got caught up in the toothbrush distributed denial-of-service attack that wasn’t.  

I had a whole section on it written up in last week’s newsletter, and then I came across Graham Cluley’s blog post debunking the whole thing, and I had to delete it about an hour before the newsletter went live.  

There was about a 24-hour period where many news outlets reported on a reported DDoS attack that involved a botnet made up of thousands of internet-connected toothbrushes, it all started with one international newspaper report, and then was aggregated to death and spread quickly on social media.  

This attack was only a _hypothetical_ that a security researcher posed in an interview but was reported or translated as an attack that happened. 

To me, I think we can all learn from a few major takeaways from this entire saga — myself included.  

It’s easy to see why this was a ready-made story to go viral: It involved a silly device that probably doesn’t need to be connected to the internet anyway, it involved a large number that would grab headlines and it was a DDoS attack, which have suddenly come back in vogue over the past year. 

But, I’ll admit, the aggregated stories seemed a little fishy to me at first, because all the reports didn’t include any specifics about which company was targeted, how long the attack lasted, or the name of the device that was reportedly compromised. 

That last part should be a red flag going forward for any of us wanting to share a meme about something the next time a cybersecurity story goes viral — in my opinion, responsible disclosure of an attack or compromise should always include information about whatever vulnerability it was that was exploited. In this hypothetical scenario, I don’t think an adversary would have been able to compromise an internet-connected toothbrush without first exploiting some sort of vulnerability, which if it’s being reported on in public, should at least include information on patches or mitigations. 

I also think we all need to be asking the fundamental question: Why? In this case, I should have asked myself why an attacker would want to go through the trouble of compromising smart toothbrushes. And what would be the end goal of targeting a private company with a DDoS attack? Likely, it would be to demand a ransom in exchange for the attacker stopping the attack, but without knowing what sector the targeted company was in, it’s tough to guess how profitable that might even be. (For example, a health care agency may be looking to do anything to get back to operating asap, as lives could literally be at stake.) 

And once the attacker compromised a toothbrush, what information can they glean from the user besides their dental hygiene habits? Usually, they’d be looking to steal some sort of personal information, login credentials or financial data that they could then turn around and sell on the dark web. 

Needless to say, there were multiple red flags we all ignored when this story started to spread. And I’m not here to blame anyone in this case; it was all honest mistakes that, all things considered, ended up not being that serious. But the toothbrush botnet that wasn’t does serve as a reminder to all of us to be a bit more mindful before clicking share or posting a story on social media.  

**The one big thing **

Cisco Talos has identified a new backdoor authored and operated by the Turla APT group, a Russian cyber espionage threat group. This new backdoor we’re calling “TinyTurla-NG” (TTNG) is similar to Turla’s previously disclosed implant, TinyTurla, in coding style and functionality implementation. Talos assesses with high confidence that TinyTurla-NG, just like TinyTurla, is a small “last chance” backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems. 

**Why do I care? **

Turla has been widely known to target entities across the world using a huge set of offensive tools in geographies including the U.S., European Union, Ukraine and Asia. They’ve previously used malware families such as CAPIBAR and KAZUAR to target Ukrainian defense forces. After Crutch and TinyTurla, Turla has now expanded their arsenal to include the TinyTurla-NG and TurlaPower-NG malware families, while also widening its net of targets to NGOs. 

**So now what? **

Talos has released new ClamAV signatures and Snort rules to protect against TinyTurla and the actors’ actions. We don’t know what the initial access vector is, so it’s tough to give targeted advice on how to avoid this malware, but having any endpoint detection in place will block this “last chance” backdoor.  

**Top security headlines of the week **

**Chinese state-sponsored actor Volt Typhoon may have silently sat on U.S. critical infrastructure networks for more than five years,** according to a new report from American intelligence agencies. According to the advisory, the infamous hacking group has been exploiting vulnerabilities in routers, firewalls and VPNs to target water, transportation, energy and communications systems across the country. Volt Typhoon has been able to control some victims’ surveillance camera systems, and the access could have allowed them to disrupt critical energy and water controls. The actor is known for using living-off-the-land binaries (LoLBins) to remain undetected once they gain an initial foothold. Authorities in Canada, Australia and New Zealand also contributed to last week’s advisory, citing their concern for similar activity in their countries. The FBI’s director recently said in testimony to U.S. Congress that authorities had dismantled a bot network of hundreds of compromised devices that was connected to VoltTyphoon. (Axios, The Guardian) 

**A new spyware network called TheTruthSpy may have compromised hundreds of Android devices using silent tracking apps that users download thinking they’re legitimate.** Security researchers uncovered the information of thousands of devices that have already been compromised, including their IMEI numbers and advertising IDs. TheTruthSpy appears to actively spy on large clusters of victims across Europe, India, Indonesia, the U.S. and U.K. The operators behind TheTruthSpy also did not address a security vulnerability in the software, identified as CVE-2022-0732, which left the victim data they stole potentially vulnerable to other bad actors. These types of stalkerware tools are often used by family members, spouses or peers of victims who want to track their physical locations and spy on messages and phone calls. The spyware is downloaded via an app, which doesn’t appear on the victim’s home screen and operates quietly in the background. (TechCrunch, maia blog) 

**Apple removed a fake LastPass app called “LassPass” after the popular password management service reported it.** The phony LassPass used a similar logo to that of the legitimate LastPass and was up on the App Store for an unknown amount of time. Apple also said it was removing the creator of the app from its Developer Program. This is a very rare case for the Apple App Store, as it has a strict review policy. LastPass released a warning to all users last week of the fake app’s existence, including a link to the legitimate LastPass app. LassPass only had one review on the store, and multiple reviews warning it was fake. However, it’s safe to assume that the app was likely set up as some sort of phishing scam meant to get users to enter their legitimate LastPass login information to be stolen by the fake app’s creator. (Ars Technica, Bleeping Computer) 

**Can’t get enough Talos? **

*   Beers with Talos Ep. #143: The Reddit security diaries 
*   The Need to Know: How are attackers using QR codes in phishing emails and lure documents? 
*   First Microsoft Patch Tuesday zero-day of 2024 disclosed as part of group of 75 vulnerabilities 

**Upcoming events where you can find Talos **

**S4x24** **(March 4 - 27)** 

Miami Beach, Florida 

_To protect themselves during Russian aggression, the Ukrainian military utilizes electronic warfare to blanket critical infrastructure to defeat radar and GPS-guided smart munitions. This has the unintended consequence of disrupting GPS synchrophasor clock measurements and creating service outages on an already beleaguered and damaged transmission electric grid. Joe Marshall from Talos’ Strategic Communications team will tell an incredible story of how a group of engineers and security professionals from a diverse coalition of organizations came together to solve this electronic warfare GPS problem in an unconventional technical way, and helped stabilize parts of the transmission grid of Ukraine._ 

**RSA** **(May 6 - 9)** 

_San Francisco, California_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1      
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515      
**Typical Filename:** IMG001.exe      
**Claimed Product:** N/A      
**Detection Name:** Win.Dropper.Coinminer::1201 

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa     
**MD5:** df11b3105df8d7c70e7b501e210e3cc3     
**Typical Filename:** DOC001.exe     
**Claimed Product:** N/A     
**Detection Name:** Win.Worm.Coinminer::1201 

**SHA 256:** 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf   
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551   
**Typical Filename:** rcx4d83.tmp   
**Claimed Product:** N/A     
**Detection Name:** Win.Dropper.Pykspa::tpd 

**SHA 256:** 77c2372364b6dd56bc787fda46e6f4240aaa0353ead1e3071224d454038a545e   
**MD5:** 040cd888e971f2872d6d5dafd52e6194   
**Typical Filename:** tmp000c3787   
**Claimed Product:** Ultra Virus Killer   
**Detection Name:** PUA.Win.Virus.Ultra::95.sbx.tg

Why the toothbrush DDoS story fooled us all

Malwarebytes researchers have discovered a prolific campaign of fraudulent energy ads shown to users via Google searches.

For many households, energy costs represent a significant part of their overall budget. And when customers want to discuss their bills or look for ways to save money, scammers are just a phone call away.

Enter the utility scam, where crooks pretend to be your utility company so they can threaten and extort as much money from you as they can.

This scam has been going on for years and usually starts with an unexpected phone call and, in some cases, a visit to your door. Obviously the phone call side of the scam is much more scalable and means the scam can be done from overseas.

However, criminals know that victims are more likely to be tricked if they were the ones who initiated the call. In a recent investigation, we discovered a prolific campaign of fraudulent ads shown to users via Google searches. To give an idea of scale, the number of ads we found exceeds what we have found in previous malvertising cases.

This blog post has two purposes: the first one is to draw awareness to this problem by showing how it works. Secondly, we’ve collected and shared as many ads and fake sites as we could in the hope that action will be taken, with hopefully some cost for the scammers.

**Fraudulent utility scam ads**

The scam begins when a user searches for keywords related to their energy bill. The ads are shown to mobile devices only, which makes sense given how often people use their phones. Also, the ads are geolocated, so that they are relevant to the user’s location.

We found 28 advertisers with over 300 ads, most of them registered by individuals from Pakistan. We have also seen legitimate but hacked advertiser accounts belonging to US entities that were abused. We didn’t investigate further into the whereabouts and identities of the scammers, but we should note that Pakistan is a possible location.

In most cases, tapping on the ad will not open a new website, but instead will prompt you to dial a phone number. This is exactly what the crooks want as many people will have no idea that an ad approved by Google could possibly be fraudulent.

The utility scam often works by threatening and scaring victims into making poor decisions. An unpaid bill, or an offer that is too good to be true and must be accepted immediately are some of their tactics. Once you’ve made that phone call, you’re already in their hands and very close to losing a significant amount of money.

The scammers may even redirect you to their website to “prove” that they are legitimate. Those sites are often credible enough for a victim to feel like they are doing the right thing, but that couldn’t be further from the truth.

**Large scamming infrastructure**

The crooks have registered dozens of different domains names and built templates that appear related to energy or utility savings. The sites are quite simple and consist of one main page with some customer-centric text and one or multiple phone numbers.

We can usually deduce they are fraudulent by looking up their registration date as well as connecting them with search ads.

However, that might not be enough to have them suspended without going through the whole process of calling the scammers, recording the interaction and showing that evidence. This type of investigation requires time and resources to be done properly. Perhaps one of the many scambaiters out there will look into it in the future.

In the meantime, we have tracked and reported as many domains as we could to the relevant registrars in the hope that some may take action and suspend them.

**Keep your identity and money safe from scammers**

This scam is widespread, and so our advice right now is to avoid clicking on any ad from search as the malicious ads largely outnumber the legitimate ones. You can tell it’s an ad as it will be labelled “Sponsored” or “Ad”.

Here are some additional tips:

*   **Watch out for a sense of urgency**. Scammers will often threaten to cut your power immediately. This and similar scare tactics are meant to pressure you into making hasty decisions. Take the time to look things up or speak to a friend before you do anything.
*   **Never disclose personal details** over the phone without being absolutely certain you are talking to the right person. If in doubt, hang up the phone and look for the official phone number from your energy company, perhaps from a past bill. Do not trust any phone number that appears on an online ad.
*   **Beware requests for money transfers or prepaid cards**. These are a huge sign you are dealing with criminals. Again, take your time to think it over even if just for a few hours. Scammers tend to be so impatient they will make all sorts of claims to act right now, which should be a dead giveaway.
*   **Contact your bank immediately** if you think you’ve been scammed and wired money,. Change all your passwords and add a notice with your utility company that someone may attempt to impersonate you.
*   **Report the scam** to the proper authorities, which may be the FTC.

**Malwarebytes protection**

Malwarebytes is working with its partners to go after these scammers. We also provide protection if you are using our iOS app via the ad blocking feature which will disable search ads and other ads that may be targeting you.

**Indicators of Compromise**

**Google advertiser accounts**

**Advertiser name**

**Advertiser ID**

**Number of ads**

Telesoft

N/A

1

Digitron

04170244641179828225

4

Syed muhammad Adnan

08157637715521699841

15

Progressix

02149758434478653441

2

Umair Jameel

11899369518209695745

1

Laiba Mazhar

14248337572488019969

1

Syed Shahmeer Hussain

12265272419404480513

6

Snow Tech

N/A

1

Muhammad Pirzada

12480474916866490369

145

Eco Designs (Private) Limited

17013467067027816449

5

Right Path Solutions

11370048952557633537

21

Rehman Munawar

06906645958470139905

1

ANDREW PAUL GUZMAN

09045338907926855681

17

Economical Deals

09045708721790910465

4

Qasim Ahmed

15768816743289454593

20

Summaira

14596269127925497857

3

Citrex Solutions (Private) Limited

16648988995463675905

19

Get Energy Promo

08074609881656590337

6

Brightboost LLC

07744256527850012673

5

AA DIGITAL LABS (SMC-PRIVATE) LIMITED

10871392529253662721

1

Malik Muhammad Shahroz Ibrahim

N/A

1

HongKong AdTiger Media Co., Limited

14567350391567024129

1

Mah Noor

07681945004880691201

12

Usama Ashfaq

06711852389684477953

2

Ali Raza

04534984293432164353

15

Muhammad Usman Tariq

17723433991509377025

5

SHABNUM FATIMA SHAH

02536959185141104641

4

QASMIC L.L.C-FZ

11321807192694194177

1

**Phone numbers**

888\[-\]960\[-\]3984  
888\[-\]315\[-\]9188  
888\[-\]715\[-\]1808  
888\[-\]873\[-\]0295  
888\[-\]317\[-\]0580  
888\[-\]316\[-\]0466  
888\[-\]983\[-\]0288  
888\[-\]439\[-\]0639  
888\[-\]312\[-\]2983  
844\[-\]967\[-\]9649  
855\[-\]200\[-\]3417  
888\[-\]842\[-\]0793  
888\[-\]207\[-\]3713  
833\[-\]435\[-\]0029  
888\[-\]494\[-\]4956

888\[-\]928\[-\]6404  
888\[-\]374\[-\]1693  
888\[-\]834\[-\]1050  
888\[-\]497\[-\]3560  
888\[-\]960\[-\]2303  
888\[-\]430\[-\]0128  
800\[-\]353\[-\]5613  
888\[-\]407\[-\]1004  
855\[-\]216\[-\]2411  
844\[-\]679\[-\]7635  
888\[-\]483\[-\]2851  
888\[-\]657\[-\]2401  
888\[-\]580\[-\]0106  
888\[-\]326\[-\]7299  
888\[-\]870\[-\]2661

888\[-\]203\[-\]1692  
855\[-\]428\[-\]7345  
888\[-\]641\[-\]0108  
888\[-\]960\[-\]0688  
888\[-\]347\[-\]7462  
888\[-\]448\[-\]0550  
888\[-\]834\[-\]0998  
888\[-\]470\[-\]8496  
888\[-\]554\[-\]0461  
855\[-\]980\[-\]1080  
888\[-\]539\[-\]0722  
866\[-\]685\[-\]0355  
888\[-\]715\[-\]1806  
888\[-\]960\[-\]2550  
888\[-\]641\[-\]0096  
888\[-\]996\[-\]5133

**Scammer domains**

360billingservices\[.\]com  
aadigital\[.\]online  
citrexsolutions\[.\]co  
digitelcare\[.\]com  
eco-designs\[.\]store  
economical-deals\[.\]co  
electricenergybundle\[.\]com  
electricenergyservice\[.\]com  
electricpowerdeal\[.\]com  
energpaybill\[.\]com  

energybilling\[.\]net  
energybillservice\[.\]online  
energycredits\[.\]online  
energyhelpcenter\[.\]com  
energypayment\[.\]shop  
energypoweroffer\[.\]com  
globalenergysolutionz\[.\]com  
homeutilityservices\[.\]com  
makeabillpayment\[.\]com  
paysenergy\[.\]online

powerelectricoffers\[.\]com  
qasmic\[.\]com  
rebornsolutions\[.\]co  
telecombilling\[.\]us  
telecomcredits\[.\]us  
thepowerpayllc\[.\]org  
uenergyproviders\[.\]store  
utilitybillsolution\[.\]site  
utilitybillspayments\[.\]org  
utilitydiscounts\[.\]store  
utilityservices\[.\]us

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Massive utility scam campaign spreads via online ads 

By Owais Sultan
February 15, 2024 – Nexo, the leading institution for digital assets, announced a partnership with Sift, the Leader…
This is a post from HackRead.com Read the original post: Nexo Teams Up with Sift for Enhanced Digital Security and User Experience

**February 15, 2024** – Nexo, the leading institution for digital assets, announced a partnership with Sift, the Leader in Digital Trust & Safety. By working with Sift, Nexo will be able to revolutionize its approach to fraud prevention, enhancing digital security measures and ensuring a safer, smoother, quicker, and more reliable experience for the company’s over 6 million users.

Nexo will utilize Sift’s industry-leading Payment Protection and Account Defense products, leveraging their advanced artificial intelligence, machine learning (ML) technology, and real-time intelligence to provide robust protection against a wide array of account and payment fraud challenges.

Payment Protection will enhance Nexo’s platform with state-of-the-art payment fraud prevention, resulting in faster transaction approvals, and improved protection of customer funds. In parallel, Sift’s Account Defense will secure user accounts by preventing account takeovers, thus accelerating Nexo’s operational efficiency, and reducing losses associated with compromised accounts.

Nexo also gains access to Sift’s Global Data Network, its consortium of customers, including dozens of the world’s top crypto exchanges. The insights gleaned from the Global Data Network will allow Nexo to prevent fraud more accurately and quickly, and reduce friction for legitimate users.

This initiative places Nexo at the forefront of identifying and preventing complex fraud patterns, enhancing the accuracy and speed of its response, and fostering trust and confidence in the blockchain space.

“The synergistic alliance between Sift and Nexo demonstrates our unwavering commitment to a user-centric ethos, harmonized with strong security and anti-fraud protocols. By harnessing Sift’s cutting-edge technology and comprehensive platform for managing digital risk, Nexo is equipped to adeptly prevent fraud while creating a streamlined experience for our users,” said Savina Boncheva, Head of Compliance at Nexo.

“The crypto community is a magnet for organized fraud actors seeking financial gain,” said Armen Najarian, Chief Marketing Officer at Sift. “By joining Sift’s global data consortium and leveraging our AI-based risk decisioning platform, crypto exchanges like Nexo can greatly reduce fraud _and_ create better experiences for legitimate users. We’re pleased to welcome Nexo to the Sift customer community and look forward to a successful and long-term partnership.”

Nexo is dedicated to continuously improving its security measures, and raising the bar for the entire industry. The partnership with Sift represents a significant step forward in Nexo’s journey towards a safer, more secure digital environment for its users.

**About Nexo**

Nexo is the world’s leading digital assets institution. The company’s mission is to maximize the value and utility of digital assets by offering a comprehensive suite of products that include advanced trading solutions for retail and institutional clients, aggregation of liquidity from leading venues, and flexible, asset-backed credit lines.

In 2022, the enterprise launched its investment arm Nexo Ventures, which now boasts over 60 portfolio companies. Nexo has processed $130+ billion for 6,000,000+ satisfied users across more than 200 jurisdictions.

**Media Contact for Nexo**

*   The Nexo PR Team
*   \[email protected\]

****About Sift****

Sift is the leader in Digital Trust & Safety, empowering digital disruptors to Fortune 500 companies to unlock new revenue without risk. Sift dynamically prevents fraud and abuse through industry-leading technology and expertise, an unrivalled global data network of one trillion (1T) events per year, and a commitment to long-term customer partnerships. Global brands such as DoorDash, Yelp, and Poshmark rely on Sift to gain a competitive advantage in their markets. Visit us at **sift.com**.

****Media Contact for Sift****

*   Victor White,
*   Senior Director, Corporate Communications
*   \[email protected\]

1.  **Powerloom to Hold First Ever Node Mint on Polygon Network**
2.  **Overworld secures $10M for cross-platform ARPG development**
3.  **Aembit Teams Up with CrowdStrike for Secure Workload Access**
4.  **READYgg Onboards 15M Web2 Players into Web3 with Aptos Labs**
5.  **Deloitte Partners with Memcyco for Digital Impersonation Protection**

Nexo Teams Up with Sift for Enhanced Digital Security and User Experience

A Helm contributor discovered a path traversal vulnerability when Helm saves a chart including at download time.

### Impact

When either the Helm client or SDK is used to save a chart whose name within the `Chart.yaml` file includes a relative path change, the chart would be saved outside its expected directory based on the changes in the relative path. The validation and linting did not detect the path changes in the name.

### Patches

This issue has been resolved in Helm v3.14.1.

### Workarounds

Check all charts used by Helm for path changes in their name as found in the `Chart.yaml` file. This includes dependencies.

### Credits

Disclosed by Dominykas Blyžė at Nearform Ltd.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-25620

**Helm dependency management path traversal**

Moderate severity GitHub Reviewed Published Feb 14, 2024 in helm/helm • Updated Feb 15, 2024

**Package**

gomod helm.sh/helm/v3 (Go)

**Affected versions**

<= 3.14.0

A Helm contributor discovered a path traversal vulnerability when Helm saves a chart including at download time.

**Impact**

When either the Helm client or SDK is used to save a chart whose name within the Chart.yaml file includes a relative path change, the chart would be saved outside its expected directory based on the changes in the relative path. The validation and linting did not detect the path changes in the name.

**Patches**

This issue has been resolved in Helm v3.14.1.

**Workarounds**

Check all charts used by Helm for path changes in their name as found in the Chart.yaml file. This includes dependencies.

**Credits**

Disclosed by Dominykas Blyžė at Nearform Ltd.

**References**

*   GHSA-v53g-5gjp-272r
*   https://nvd.nist.gov/vuln/detail/CVE-2024-25620
*   helm/helm@0d0f91d
*   https://github.com/helm/helm/releases/tag/v3.14.1

Published to the GitHub Advisory Database

Feb 15, 2024

Last updated

Feb 15, 2024

Tag

#git