Cybersecurity researchers have alerted to a new malvertising campaign that's targeting individuals and businesses advertising via Google Ads by attempting to phish for their credentials via fraudulent ads on Google.
"The scheme consists of stealing as many advertiser accounts as possible by impersonating Google Ads and redirecting victims to fake login pages," Jérôme Segura, senior director of

Google Ads Users Targeted in Malvertising Scam Stealing Credentials and 2FA Codes

An ongoing malvertising campaign steals Google advertiser accounts via fraudulent ads for Google Ads itself.

**Table of contents**

*   Overview
*   Criminals impersonate Google Ads
*   Lures hosted on Google Sites
*   Phishing for Google account credentials
*   Victimology
*   Who is behind these campaigns?
*   Fuel for other malware and scam campaigns
*   Indicators of Compromise

**Overview**

Online criminals are targeting individuals and businesses that advertise via Google Ads by phishing them for their credentials — ironically — via fraudulent Google ads.

The scheme consists of stealing as many advertiser accounts as possible by impersonating Google Ads and redirecting victims to fake login pages. We believe their goal is to resell those accounts on blackhat forums, while also keeping some to themselves to perpetuate these campaigns.

This is the most egregious malvertising operation we have ever tracked, getting to the core of Google’s business and likely affecting thousands of their customers worldwide. We have been reporting new incidents around the clock and yet keep identifying new ones, even at the time of publication.

The following diagram illustrates at a high level the mechanism by which advertisers are getting fleeced:

_Figure 1: Process flow for this Google Ads heist campaign_

_Back to top_

**Criminals impersonate Google Ads**

Advertisers are constantly trying to outbid each other to reach potential customers by buying ad space on the world’s number one search engine. This earned Google a whopping $175 billion in search-based ad revenues in 2023. Suffice to say, the budgets spent in advertising can be considerable and of interest to crooks for a number of reasons.

We first started noticing suspicious activity related to Google accounts somewhat accidentally, and after a deeper look we were able to trace it back to malicious ads for… Google Ads itself! Very quickly we were overwhelmed by the onslaught of fraudulent “Sponsored” results, specifically designed to impersonate Google Ads, as can be seen in _Figure 2_:

_Figure 2: A malicious ad masquerading as Google Ads_

While it is hard to believe such a thing could actually happen, the proof is there when you click on the 3-dot menu that shows more information about the advertiser. We have partially masked the victim’s name, but clearly it is not Google; they are just one of the many accounts that have already been compromised and abused to trick more users:

_Figure 3: The advertiser behind this ad is not affiliated with Google at all_

People who will see those ads are individuals or businesses that want to advertise on Google Search or already do. Indeed, we saw numerous ads specifically for each scenario, sign up or sign in, as seen in _Figure 4_:

_Figure 4: Two ads for signing up and sign in to Google Ads respectively_

The fake ads for Google Ads come from a variety of individuals and businesses, in various locations. Some of those hacked accounts already had hundreds of other legitimate ads running, and one of them was for a popular Taiwanese electronics company.

_Figure 5: Victim accounts spending their own budgets on fake Google Ads_

To get an idea of the geographic scope of these campaigns, we performed the same Google search simultaneously from several different geolocations (using proxies). First, here’s the malicious ad from a U.S. IP address belonging to a business registered in Paraguay:

_Figure 6: U.S.-based search showing fake Google ad_

Now, here’s that same ad that appears on Google Search in several other countries:

_Figure 7: The same ad found in different countries_

_Back to top_

**Lures hosted on Google Sites**

Once victims click on those fraudulent ads, they are redirected to a page that looks like Google Ads’ home page, but oddly enough, it us hosted on Google Sites. These pages act as a sort of gateway to external websites specifically designed to steal the usernames and passwords from the coveted advertisers’ Google accounts.

_Figure 8: A malicious Google Sites page impersonating Google Ads_

There’s a good reason to use Google Sites, not only because it’s a free and a disposable commodity but also because it allows for complete impersonation. Indeed, you cannot show a URL in an ad unless your landing page (final URL) matches the same domain name. While that is a rule meant to protect abuse and impersonation, it is one that is very easy to get around.

_Figure 9: The rule that stipulates display URLs and final URLs must have matching domains_

Looking back at the ad and the Google Sites page, we see that this malicious ad does not strictly violate the rule since _sites**.google.com**_ uses the same root domains ads _ads**.google.com**_. In other words, it is allowed to show this URL in the ad, therefore making it indistinguishable from the same ad put out by Google LLC..

_Figure 10: The malicious ad does not violate Google’s rule on the use of the display URL_

_Back to top_

**Phishing for Google account credentials**

After the victims click on the “Start now” button found on the Google Sites page, they are redirected to a different site which contains a phishing kit. JavaScript code fingerprints users while they go through each step to ensure all important data is being surreptitiously collected.

_Figure 12: The actual phishing page that follows_

Finally, all the data is combined with the username and password and sent to the remote server via a POST request. We see that criminals even receive the victim’s geolocation, down to the city and internet service provider.

_Figure 12: POST web request with victim’s details_

_Back to top_

**Victimology**

There are multiple online reports of people who saw the fake Google Ads and shared their experiences:

*   Help with removing a dangerous scam in Google Ads (_Google Ads Help forum_)
*   Google Ads Phishing Scam (_Reddit_)
*   It’s just me or Google just sponsored a link to a phising site for Google ads? (_Reddit_)
*   Be aware of fake google page, clicked by accident (_Reddit_)
*   Warning! First sponsorized google answer for “Google ads” is a phishing attempt ! (_BlueSky_)

We were able to get in touch with a couple of victims who not only saw the ads but were actually scammed and lost money. Thanks to their testimony and our own research, we have a better idea of the criminals’ modus operandi:

*   Victim enters their Google account information into phishing page
*   Phishing kit collects unique identifier, cookies, credentials
*   Victim may receive an email indicating a login from an unusual location (Brazil)
*   If the victim fails to stop this attempt, a new administrator is added to the Google Ads account via a different Gmail address
*   Threat actor goes on a spending spree, locks out victim if they can

_Back to top_

**Who is behind these campaigns?**

We identified two main groups of criminals running this scheme but the more prolific by far is one made of Portuguese speakers likely operating out of Brazil. Victims have also shared that they had received a notification from Google indicating suspicious logins from Brazil. Unfortunately, those notifications often came too late or where dismissed as legitimate, and the criminals already had time to do some damage.

We should also note a third campaign that is very different from the other two, and where the threat actors’ main goal is to distribute malware. The Google Ads phishing scheme may have been a temporary run which was not their main focus.

**Brazilian team**

In the span of a few days, we reported over 50 fraudulent ads to the Google Ad team all coming from this Brazilian group. We quickly realized that no matter how many reported incidents and takedowns, the threat actors managed to keep at least one malicious ad 24/7.

_Figure 13_ shows the network traffic resulting from a click on the ad. You will see multiple hops before finally arriving to the phishing portal. The second URL shows the crooks are using a paid service to detect fake traffic.

Figure 13: Network traffic from the ‘Brazilian campaign’

Within the JavaScript code part of the phishing kit, there are comments in Portuguese. _Figure 14_ shows a portion of the code that does browser fingerprinting, which is a way of identifying users. Browser language, system CPU, memory, screen-width, and time zone are some of the data points collected and then hashed.

Figure 14: Identifying users via various settings

**Asian team**

The second group is using advertiser accounts from Hong Kong and appears to be Asia-based, perhaps from China. Interestingly, they also use the same kind of delivery chain by leveraging Google sites. However, their phishing kit is entirely different from their Brazilian counterparts.

Figure 15: Web traffic for the ‘Chinese campaign’

_Figure 16_ below shows a code extract with comments in Chinese, as well as a function called _xianshi_, which could be in reference to a Chinese general of the late Qing dynasty or even a superhero from more modern gaming and literature.

Figure 16: Code with comments in Chinese

**Third campaign (possibly Eastern European)**

We observed another campaign which has a very different modus operandi. Google Sites is not involved at all, and instead they rely on a fake CAPTCHA lure and heavy obfuscation of the phishing page.

Interestingly, the malicious ad we found was for Google Authenticator, despite the obvious ads-goo\[.\]click domain name. However, for about day or so, the redirect from that domain lead directly to a phishing portal hosted at _ads-overview\[.\]com_.

The reason why we suggest the threat actors may be Eastern Europeans here is because of the type of redirects and obfuscation. There is also a distant feel of ‘software download via Google ads’ we have reported on previously (see _Threat actor impersonates Google via fake ad for Authenticator_).

Figure 17: A malicious ad for Google Authenticator and fake CAPTCHA

A PHP script (_cloch.php_) then determines if the visitor is genuine or not (likely doing a server-side IP check). VPNs, bot and detection tools will get a “white” page showing some bogus instructions on how to run a Google Ads campaign. Victims are instead redirected to _ads-overview\[.\]com_ which is a phishing portal for Google accounts.

Figure 18: Cloaking in action with a ‘white’ page or the phishing page

When we checked back on this campaign a few days later, we saw that the ad URL now redirected to a fake Google Authenticator site, likely to download malware. The redirection mechanism is shown in _Figure_ 20:

Figure 19: Web traffic for fake Google Authenticator site

_Back to top_

**Fuel for other malware and scam campaigns**

Stolen Google Ads accounts are a valuable commodity among thieves. As we have detailed it many times on this blog, there are constant malvertising campaigns leveraging compromised advertiser accounts to buy ads that push scams or deliver malware.

*   Printer problems? Beware the bogus help
*   Malicious ad distributes SocGholish malware to Kaiser Permanente employees
*   Hello again, FakeBat: popular loader returns after months-long hiatus
*   Large scale Google Ads campaign targets utility software

If you think about it for a second, crooks are using someone else’s budget to further continue spreading malfeasance. Whether those dollars are spent towards legitimate ads or malicious ones, Google still earns revenues from those ad campaigns. The losers are the hacked advertisers and innocent victims that are getting phished.

As result, taking action on compromised ad accounts plays a key part in driving down malvertising attacks. Google has yet to show that it takes definitive steps to freeze such accounts until their security is restored, despite their own policy on the subject (_Figure 20_). For example, we recently saw a case where the same advertiser that had already been reported 30 times, was still active.

_Figure 20: Google’s policy regarding violations_

As the scourge of fraudulent ads continues, we urge users to pay particular attention to sponsored results. Ironically, it’s quite possible that individuals and businesses that run ad campaigns are not using an ad-blocker (to see their ads and those from their competitors), making them even more susceptible to fall for these phishing schemes.

**We don’t just report on threats—we block them**

_Cybersecurity risks should never spread beyond a headline. Keep threats off by downloading Malwarebytes Browser Guard today._

_Back to top_

**Indicators of Compromise**

Fake Google Sites pages

sites\[.\]google\[.\]com/view/ads-goo-vgsgoldx  
sites\[.\]google\[.\]com/view/ads-word-cmdw  
sites\[.\]google\[.\]com/view/ads-word-makt  
sites\[.\]google\[.\]com/view/ads-word-whishw  
sites\[.\]google\[.\]com/view/ads-word-wwesw  
sites\[.\]google\[.\]com/view/ads-word-xvgt  
sites\[.\]google\[.\]com/view/ads3dfod6hbadvhj678  
sites\[.\]google\[.\]com/view/adwoord  
sites\[.\]google\[.\]com/view/aluado01  
sites\[.\]google\[.\]com/view/ap-rei-pandas  
sites\[.\]google\[.\]com/view/appsd-adsd  
sites\[.\]google\[.\]com/view/asd-app-goo  
sites\[.\]google\[.\]com/view/connectsing/addss  
sites\[.\]google\[.\]com/view/connectsingyn/ads  
sites\[.\]google\[.\]com/view/entteraccess  
sites\[.\]google\[.\]com/view/exercitododeusvivo  
sites\[.\]google\[.\]com/view/fjads  
sites\[.\]google\[.\]com/view/goitkm/google-ads  
sites\[.\]google\[.\]com/view/hdgstt  
sites\[.\]google\[.\]com/view/helpp2k  
sites\[.\]google\[.\]com/view/hereon/1sku4yf  
sites\[.\]google\[.\]com/view/hgvfvd  
sites\[.\]google\[.\]com/view/joaope-defeijao  
sites\[.\]google\[.\]com/view/jthsjd  
sites\[.\]google\[.\]com/view/logincosturms/ads  
sites\[.\]google\[.\]com/view/logins-words-officails  
sites\[.\]google\[.\]com/view/logins-words-officsdp  
sites\[.\]google\[.\]com/view/marchatrasdemarcha  
sites\[.\]google\[.\]com/view/newmanage/page  
sites\[.\]google\[.\]com/view/one-vegas  
sites\[.\]google\[.\]com/view/one-vegasw  
sites\[.\]google\[.\]com/view/onvg-ads-word  
sites\[.\]google\[.\]com/view/oversmart/new  
sites\[.\]google\[.\]com/view/pandareidel  
sites\[.\]google\[.\]com/view/polajdasod6hbad  
sites\[.\]google\[.\]com/view/ppo-ads  
sites\[.\]google\[.\]com/view/quadrilhadohomemtanacasakaraio  
sites\[.\]google\[.\]com/view/ricobemnovinhos  
sites\[.\]google\[.\]com/view/s-ad-offica  
sites\[.\]google\[.\]com/view/s-wppa  
sites\[.\]google\[.\]com/view/sdawjj  
sites\[.\]google\[.\]com/view/semcao  
sites\[.\]google\[.\]com/view/sites-gb  
sites\[.\]google\[.\]com/view/soarnovo  
sites\[.\]google\[.\]com/view/so-ad-reisd  
sites\[.\]google\[.\]com/view/spiupiupp-go  
sites\[.\]google\[.\]com/view/start-smarts  
sites\[.\]google\[.\]com/view/start-smarts/homepage/  
sites\[.\]google\[.\]com/view/umcincosetequebratudo  
sites\[.\]google\[.\]com/view/vewsconnect  
sites\[.\]google\[.\]com/view/vinteequatroporquarenta  
sites\[.\]google\[.\]com/view/xvs-wods-ace  
sites\[.\]google\[.\]com/view/zeroumnaoezerodois  
sites\[.\]google\[.\]com/view/zeroumonlinecomosmp

Phishing domains

account-costumers\[.\]site  
account-worda-ads\[.\]benephica\[.\]com  
account-worda-ads\[.\]cacaobliss\[.\]pt  
account\[.\]universitas-studio\[.\]es  
accounts-ads\[.\]site  
accounts\[.\]google\[.\]lt1l\[.\]com  
accounts\[.\]goosggles\[.\]com  
accounts\[.\]lichseagame\[.\]com  
accousnt-ads\[.\]tmcampos\[.\]pt  
accousnt\[.\]benephica\[.\]pt  
accousnt\[.\]hyluxcase\[.\]me  
accousnt\[.\]whenin\[.\]pt  
ads-goo\[.\]click  
ads-goog\[.\]link  
ads-google\[.\]io-es\[.\]com  
ads-overview\[.\]com  
ads1.google.lt1l.com  
ads1\[.\]google\[.\]veef8f\[.\]com  
adsettings\[.\]site  
adsg00gle-v3\[.\]vercel\[.\]app  
adsgsetups\[.\]shop  
advertsing-acess\[.\]site  
advertsing-v3\[.\]site  
as\[.\]vn-login\[.\]shop  
benephica\[.\]pt  
cacaobliss\[.\]pt  
colegiopergaminho\[.\]pt  
docs-pr\[.\]top  
tmcampos\[.\]pt  
vietnamworks\[.\]vn-login\[.\]shop

_Back to top_

 The great Google Ads heist: criminals ransack advertiser accounts via fake Google ads 

As many as six security vulnerabilities have been disclosed in the popular Rsync file-synchronizing tool for Unix systems, some of which could be exploited to execute arbitrary code on a client.
"Attackers can take control of a malicious server and read/write arbitrary files of any connected client," the CERT Coordination Center (CERT/CC) said in an advisory. "Sensitive data, such as SSH keys,

Google Cloud Researchers Uncover Flaws in Rsync File Synchronization Tool

New research has pulled back the curtain on a "deficiency" in Google's "Sign in with Google" authentication flow that exploits a quirk in domain ownership to gain access to sensitive data.
"Google's OAuth login doesn't protect against someone purchasing a failed startup's domain and using it to re-create email accounts for former employees," Truffle Security co-founder and CEO Dylan Ayrey said

Google OAuth Vulnerability Exposes Millions via Failed Startup Domains

The security vulnerability tracked as CVE-2024-50603, which rates 10 out of 10 on the CVSS scale, enables unauthenticated remote code execution on affected systems, which cyberattackers are using to plant malware.

Source: Everett Collection Historical via Alamy Stock Photo

Multiple threat actors are actively targeting a recently disclosed maximum-severity security bug in the Aviatrix Controller centralized management platform for cloud networking.

In a worst-case scenario, the vulnerability, identified as CVE-2024-50603 (CVSS 10) could allow an unauthenticated remote adversary to run arbitrary commands on an affected system and take full control of it. Attackers are currently exploiting the flaw to deploy XMRig cryptomining malware and the Sliver backdoor on vulnerable targets.

**CVE-2024-50603: A High-Impact Vulnerability**

The vulnerability presents an especially severe risk in Amazon Web Services (AWS) cloud environments, where Aviatrix Controller allows privilege escalation by default, researchers at Wiz Security warned in a blog on Jan. 10.

"Based on our data, around 3% of cloud enterprise environments have Aviatrix Controller deployed," the researchers noted. "In 65% of such environments, the virtual machine hosting Aviatrix Controller has a lateral movement path to administrative cloud control plane permissions."

Hundreds of large companies use Aviatrix's technology to manage cloud networking across AWS, Azure, Google Cloud Platform (GCP), and other multi-cloud environments. Common use cases include automating the deployment and management of cloud network infrastructure, and managing security, encryption, and connectivity policies. The company lists organizations such as Heineken, Raytheon, Yara, and IHG Hotels and Resorts among its customers.

Related:In Appreciation: Amit Yoran, Tenable CEO, Passes Away

CVE-2024-50603 stems from Aviatrix Controller not properly checking or validating the data that users send through its application programming interface (API). It is the latest bug to highlight the security risks tied to the growing use of APIs among organizations of all sizes. Other common API-related risks include those stemming from configuration errors, lack of visibility, and inadequate security testing.

The flaw is present in all supported versions of Aviatrix Controller before 7.2.4996 or 7.1.4191. Aviatrix has issued a patch for the bug and recommends that organizations apply it or upgrade to either versions 7.1.4191 or 7.2.4996 of the Controller.

"In certain circumstances the patch is not fully persistent across controller upgrades and must be re-applied, even if the controller status is displayed as 'patched,'" the company noted. One such circumstance is applying the patch on non-supported versions of the controller, Aviatrix said.

**Hackers Mount Opportunistic Cloud Attacks**

Security researcher Jakub Korepta of SecuRing, who discovered and reported the bug to Aviatrix, publicly disclosed details of the flaw on Jan. 7. Just one day later, a proof-of-concept exploit for the bug became available on GitHub, triggering near-immediate exploit activity.

Related:Managing Cloud Risks Gave Security Teams a Big Headache in 2024

"Since the proof-of-concept release, Wiz observed that most of the vulnerable instances were specifically targeted by attackers looking for unpatched Aviatrix deployments," says Alon Schindel, vice president of AI & Threat Research at Wiz. "The overall volume of exploitation attempts has been steady. However, we see customers patching their systems and preventing attackers from targeting them."

Schindel characterizes the exploit activity so far as largely opportunistic in nature, and emanating from scanners and automated tool sets combing the Internet for unpatched Aviatrix instances.

"Although some of the payloads and infrastructure used suggest higher sophistication in a few cases, most of the attempts appear to be broad sweeps rather than highly customized or targeted attacks on specific organizations," he says.

Available telemetry suggests that multiple threat actors, including organized criminal gangs, are leveraging the flaw in various ways. So far at least, there is no evidence pointing to any single group as dominating the exploitation activity, Schindel says. "Depending on the environment's setup, an attacker might exfiltrate sensitive data, access other parts of the cloud or on-prem infrastructure, or disrupt normal operations," he notes.

Related:DDoS Attacks Surge as Africa Expands Its Digital Footprint

**A Reminder of API-Based Cyber-Risks**

Ray Kelly, a fellow at Black Duck, says the Aviatrix Controller vulnerability is another reminder of both the growing risks associated with API endpoints and the challenges involved in addressing them. The vulnerability shows how a server can be compromised via a simple Web call to an API, and highlights the need for thorough testing of APIs. But such testing can be daunting, given the size, complexity, and interdependence of APIs and the fact that many APIs are developed and managed by external software and service providers.

"One effective approach to mitigating these risks is by establishing clear 'rules of governance' for third-party software," Kelly says. "This includes implementing thorough vetting processes for third-party providers, enforcing consistent security measures, and maintaining continuous monitoring of software performance and vulnerabilities."

Wiz's Schindel says the best recourse for organizations affected by the new Aviatrix bug is to apply the company's patch for it as soon as possible. Organizations that are unable to patch immediately should restrict network access to the Aviatrix Controller via an IP allowlist so only trusted sources can reach it, Schindel advises. They should also monitor logs and system behavior closely for suspicious activity or known exploit indicators, set up alerts for abnormal behavior associated with Aviatrix, and reduce unnecessary lateral movement paths between their cloud identities.

Jessica MacGregor, spokeswoman for Aviatrix says the company issued an emergency patch for the vulnerability back in November 2024 given its potential severity. The security patch applied to all supported releases and also for versions of Aviatrix Controller for which support had ended two years ago. The company also reached out privately to customers via multiple targeted campaigns to make sure affected organizations applied the patch, MacGregor says.

While a significant portion of affected customers have applied the patch and recommended hardening measures, some organizations have not. And it is these customers that are experiencing the current attacks, she notes. "While we strongly recommend that customers remain current in their software, customers on Controller version 6.7+ who have applied the Security Patch can be protected even if they have not upgraded to the latest versions with the permanent fixes," she says.

 MacGregor says Aviatrix wants anyone unable to upgrade or patch their systems to reach out so the company can work with them to harden their configuration based on best practices. "We will also work closely with customers that believe they been exploited to restore their Aviatrix software to a clean state."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Cloud Attackers Exploit Max-Critical Aviatrix RCE Flaw

Threat actors are targeting people searching for pirated or cracked software with fake downloaders that include infostealing malware such as Lumma and Vidar.

Source: Bits and Splits via Shutterstock

Attackers are targeting people interested in pirated and cracked software downloads by abusing YouTube and Google search results.

Researchers from Trend Micro uncovered the activity on the video-sharing platform, on which threat actors are posing as "guides" offering legitimate software installation tutorials to lure viewers into reading the video descriptions or comments, where they then include links to fake software downloads that lead to malware, they revealed in a recent blog post.

On Google, attackers are seeding search results for pirated and cracked software with links to what appear to be legitimate downloaders, but which in reality also include infostealing malware, the researchers said.

Moreover, the actors "often use reputable file hosting services like Mediafire and Mega.nz to conceal the origin of their malware, and make detection and removal more difficult," Trend Micro researchers Ryan Maglaque, Jay Nebre, and Allixon Kristoffer Francisco wrote in the post.

**Evasive & Anti-Detection Built Into the Campaign**

The campaign appears to be similar to one that surfaced about a year ago spreading Lumma Stealer — a malware-as-a-service (MaaS) commonly used to steal sensitive information like passwords and cryptocurrency-wallet data — via weaponized YouTube channels. At the time, the campaign was thought to be ongoing.

Related:Fake CrowdStrike 'Job Interviews' Become Latest Hacker Tactic

Though the Trend Micro did not mention if the campaigns are related, if they are, the recent activity appears to up the ante in terms of the variety of malware being spread and advanced evasion tactics, as well as the addition of malicious Google search results.

The malicious downloads spread by attackers often are password-protected and encoded, which complicates analysis in security environments such as sandboxes and allows malware to evade early detection, the researchers noted.

After infection, the malware lurking in the downloaders collects sensitive data from Web browsers to steal credentials, demonstrating "the serious risks of exposing your personal information by unknowingly downloading fraudulent software," the researchers wrote.

In addition to Lumma, other infostealing malware observed being distributed via fake software downloads on links posted on YouTube include PrivateLoader, MarsStealer, Amadey, Penguish, and Vidar, according to the researchers.

Overall, the campaign exploits the trust that people have in platforms such as YouTube and file-sharing services, the researchers wrote; it especially can affect people looking for pirated software who think they are downloading legitimate installers for popular programs, they said.

Related:Russia Carves Out Commercial Surveillance Success Globally

**Shades of a GitHub Campaign**

The thinking behind the campaign also is similar to one recently found abusing GitHub, in which attackers exploited the trust that developers have in the platform to hide the Remcos RAT in GitHub repository comments.

Though the attack vector is different, comments play a big role in spreading malware, the researchers explained. In one attack they observed, a video post purports to be advertising a free "Adobe Lightroom Crack" and includes a comment with a link to the software downloader.

Upon accessing the link, a separate post on YouTube opens, revealing the download link for the fake installer, which leads to a download of the malicious file that includes infostealing malware from the Mediafire file hosting site.

Another attack discovered by Trend Micro planted a shortened link to a malicious fake installer file from OpenSea, the NFT marketplace, as the third result in a search for an Autodesk download.

"The entry contains a shortened link that redirects to the actual link," the researchers wrote. "One assumption is that they use shortened links to prevent scraping sites from accessing the download link."

The link prompts the user for the actual download link and the zip file's password, presumably because "password-protecting the files can help prevent sandbox analysis of the initial file upon arrival, which can be a quick win for an adversary," they noted.

Related:Banshee 2.0 Malware Steals Apple's Encryption to Hide on Macs

**Protect Your Organization From Malware**

As shown by the threat activity, attackers continue to use social engineering tactics to target victims and apply a variety of methods to avoid security defenses, including: using large installer files, password-protected zip files, connections to legitimate websites, and creating copies of files and renaming them to appear benign, the researchers noted.

To defend against these attacks, organizations should "stay updated on current threats and to remain vigilant regarding detection and alert systems," the researchers wrote. "Visibility is important because solely relying on detection can result in many malicious activities going unnoticed."

Employee training, as security experts often note, also goes a long way in ensuring employees don't fall for socially engineered attacks or try to download pirated software.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Cyberattackers Hide Infostealers in YouTube Comments, Google Search Results

This week on the Lock and Code podcast, we speak with Mallory Knodel about whether AI assistants are compatible with encrypted messaging apps.

_This week on the Lock and Code podcast…_

The era of artificial intelligence everything is here, and with it, come everyday surprises into exactly where the next AI tools might pop up.

There are major corporations pushing customer support functions onto AI chatbots, Big Tech platforms offering AI image generation for social media posts, and even Google has defaulted to include AI-powered overviews into everyday searches.

The next gold rush, it seems, is in AI, and for a group of technical and legal researchers at New York University and Cornell University, that could be a major problem.

But to understand their concerns, there’s some explanation needed first, and it starts with Apple’s own plans for AI.

Last October, Apple unveiled a service it is calling Apple Intelligence (“AI,” get it?), which provides the latest iPhones, iPads, and Mac computers with AI-powered writing tools, image generators, proof-reading, and more.

One notable feature in Apple Intelligence is Apple’s “notification summaries.” With Apple Intelligence, users can receive summarized versions of a day’s worth of notifications from their apps. That could be useful for an onslaught of breaking news notifications, or for an old college group thread that won’t shut up.

The summaries themselves are hit-or-miss with users—one iPhone customer learned of his own breakup from an Apple Intelligence summary that said: “No longer in a relationship; wants belongings from the apartment.”

What’s more interesting about the summaries, though, is how they interact with Apple’s messaging and text app, Messages.

Messages is what is called an “end-to-end encrypted” messaging app. That means that only a message’s sender and its recipient can read the message itself. Even Apple, which moves the message along from one iPhone to another, cannot read the message.

But if Apple cannot read the messages sent on its own Messages app, then how is Apple Intelligence able to summarize them for users?

That’s one of the questions that Mallory Knodel and her team at New York University and Cornell University tried to answer with a new paper on the compatibility between AI tools and end-to-end encrypted messaging apps.

Make no mistake, this research isn’t into whether AI is “breaking” encryption by doing impressive computations at never-before-observed speeds. Instead, it’s about whether or not the promise of end-to-end encryption—of confidentiality—can be upheld when the messages sent through that promise can be analyzed by separate AI tools.

And while the question may sound abstract, it’s far from being so. Already, AI bots can enter digital Zoom meetings to take notes. What happens if Zoom permits those same AI chatbots to enter meetings that users have chosen to be end-to-end encrypted? Is the chatbot another party to that conversation, and if so, what is the impact?

Today, on the Lock and Code podcast with host David Ruiz, we speak with lead author and encryption expert Mallory Knodel on whether AI assistants can be compatible with end-to-end encrypted messaging apps, what motivations could sway current privacy champions into chasing AI development instead, and why these two technologies cannot co-exist in certain implementations.

> “An encrypted messaging app, at its essence is encryption, and you can’t trade that away—the privacy or the confidentiality guarantees—for something else like AI if it’s fundamentally incompatible with those features.”

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 The new rules for AI and encrypted messaging, with Mallory Knodel (Lock and Code S06E01) 

Smishing messages that come with instructions to bypass iMessage's protection against links are on the rise

A smishing (SMS phishing) campaign is targeting iMessage users, attempting to socially engineer them into bypassing Apple’s built in phishing protection.

For months, iMessage users have been posting examples online of how phishers are trying to get around this protection. And, now, the campign is gaining traction, according to our friends at BleepingComputer.

It works like this: Under normal circumstances, iMessage will disable all links in messages from unknown senders to protect the user against clicking them by accident. However, if a user replies to a message or adds the sender to their contact list, the links are enabled, allowing the person to click on the link.

The text of the messages comes in all the variations that phishers love to use:

*   Undeliverable packages from USPS, EVRI, Royal Mail, DHL, Fedex, etc.
*   Unpaid road toll.
*   Owed shipping fees.
*   Other outstanding payments that you are unaware of.

But they all end in a similar way to this:

> “(Please reply Y, then exit the SMS, re-open the SMS activation link, or copy the link to open in Safari)”

Replying with Y (or actually anything) will enable the links and turn off iMessage’s built-in phishing protection. Clicking the link will then lead the recipient to whatever malicious website the phisher had in mind. Even if the user just replies with “Y” and then decides not to follow the link—because it looks slightly off—the phishers will know that they have found a likely target for more attacks.

It’s also important to know that there are similar instructions for the Chrome browser:

> “Reply with 1, exit the SMS message, and reopen the SMS activation link, or copy the link to Google Chrome to open it.)”

**How to avoid smishing scams**

*   Never reply to suspicious messages, even if it’s only a “Y” or “1.” It will tell the phishers they have a live number and they will bombard you with more attempts.
*   Never add a number you don’t know to your Contacts as that will disable the iMessage protection as well.
*   Don’t assume any message is the real deal. If you’re being asked to do something, contact the company directly via a known method you trust. If it turns out to be a fake, you should be able to report it to them, there and then.
*   If you live somewhere with a Do Not Call list or spam reporting service, make full use of it. Report bogus messages and numbers.
*   Your mobile device may already have some form of “safe” message ID enabled without you knowing. It’s tricky to give specific advice here because of the sheer difference of options available on models of phone, but the Options / Safety / Security / Privacy menus are a good place to start.
*   Check the link before you click it or copy it in your browser. Is it exactly what you would expect it to be? Scammers often use typosquatting techniques (for example evri\[.\]top instead of the legitimate evri\[.\]com, or they fabricate a link that uses the subdomain to make it look legitimate (for example usps.com-track.infoam\[.\]xyz). If it doesn’t look real then don’t click on it.
*   If a message sounds too good (or bad) to be true, it probably is.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 iMessage text gets recipient to disable phishing protection so they can be phished 

A list of topics we covered in the week of January 6 to January 12 of 2025

January 13, 2025 - Smishing messages that come with instructions to bypass iMessage's protection against links are on the rise

January 10, 2025 - BayMark Health Services, Inc. notified an unknown number of patients that attackers stole their personal and health information.

January 9, 2025 - At least 36 Google Chrome extensions for AI and VPN tools have begun delivering info-stealing malware in a widespread attack.

January 9, 2025 - Data broker Gravy Analytics that collects location data and sells it to the US government has been breached.

January 9, 2025 - This article was researched and written by Stefan Dasic, manager, research and response for ThreatDown, powered by Malwarebytes Malwarebytes recently uncovered...

Tag

#google