New research shows the number of deepfake videos is skyrocketing—and the world's biggest search engines are funneling clicks to dozens of sites dedicated to the nonconsensual fakes.

Google’s and Microsoft’s search engines have a problem with deepfake porn videos. Since deepfakes emerged half a decade ago, the technology has consistently been used to abuse and harass women—using machine learning to morph someone’s head into pornography without their permission. Now the number of nonconsensual deepfake porn videos is growing at an exponential rate, fueled by the advancement of AI technologies and an expanding deepfake ecosystem.

A new analysis of nonconsensual deepfake porn videos, conducted by an independent researcher and shared with WIRED, shows how pervasive the videos have become. At least 244,625 videos have been uploaded to the top 35 websites set up either exclusively or partially to host deepfake porn videos in the past seven years, according to the researcher, who requested anonymity to avoid being targeted online.

Over the first nine months of this year, 113,000 videos were uploaded to the websites—a 54 percent increase on the 73,000 videos uploaded in all of 2022. By the end of this year, the analysis forecasts, more videos will have been produced in 2023 than the total number of every other year combined.

These startling figures are just a snapshot of how colossal the issues with nonconsensual deepfakes has become—the full scale of the problem is much larger and encompasses other types of manipulated imagery. A whole industry of deepfake abuse, which predominantly targets women and is produced without people’s consent or knowledge, has emerged in recent years. Face-swapping apps that work on still images and apps where clothes can be “stripped off a person” in a photo with just a few clicks are also highly prominent. There are likely millions of images being created with these apps.

“This is something that targets everyday people, everyday high school students, everyday adults—it's become a daily occurrence,” says Sophie Maddocks, who conducts research on digital rights and cyber-sexual violence at the University of Pennsylvania. “It would make a lot of difference if we were able to make these technologies harder to access. It shouldn't take two seconds to potentially incite a sex crime.”

The new research highlights 35 different websites, which exist to exclusively host deepfake pornography videos or incorporate the videos alongside other adult material. (It does not encompass videos posted on social media, those shared privately, or manipulated photos.) WIRED is not naming or directly linking to the websites, so as not to further increase their visibility. The researcher scraped the websites to analyze the number and duration of deepfake videos, and they looked at how people find the websites using the analytics service SimilarWeb.

Many of the websites make it clear they host or spread deepfake porn videos—often featuring the word _deepfakes_ or derivatives of it in their name. The top two websites contain 44,000 videos each, while five others host more than 10,000 deepfake videos. Most of them have several thousand videos, while some only list a few hundred. Some videos the researcher analyzed have been watched millions of times.

The research also identified an additional 300 general pornography websites that incorporate nonconsensual deepfake pornography in some way. The researcher says “leak” websites and websites that exist to repost people’s social media pictures are also incorporating deepfake images. One website dealing in photographs claims it has “undressed” people in 350,000 photos.

Measuring the full scale of deepfake videos and images online is incredibly difficult. Tracking where the content is shared on social media is challenging, while abusive content is also shared in private messaging groups or closed channels, often by people known to the victims. In September, more than 20 girls aged 11 to 17 came forward in the Spanish town of Almendralejo after AI tools were used to generate naked photos of them without their knowledge.

“There has been significant growth in the availability of AI tools for creating deepfake nonconsensual pornographic imagery, and an increase in demand for this type of content on pornography platforms and illicit online networks,” says Asher Flynn, an associate professor at Monash University, Australia, who focuses on AI and technology-facilitated abuse. This is only likely to increase with new generative AI tools.

The gateway to many of the websites and tools to create deepfake videos or images is through search. Millions of people are directed to the websites analyzed by the researcher, with 50 to 80 percent of people finding their way to the websites via search. Finding deepfake videos through search is trivial and does not require a person to have any special knowledge about what to search for.

The issue is global. Using a VPN, the researcher tested Google searches in Canada, Germany, Japan, the US, Brazil, South Africa, and Australia. In all the tests, deepfake websites were prominently displayed in search results. Celebrities, streamers, and content creators are often targeted in the videos. Maddocks says the spread of deepfakes has become “endemic” and is what many researchers first feared when the first deepfake videos rose to prominence in December 2017.

Since the tools needed to create deepfake videos emerged, they’ve become easier to use, and the quality of the videos being produced has improved. The wave of image-generation tools also offers the potential for higher-quality abusive images and, eventually, video to be created. And five years after the first deepfakes started to appear, the first laws are just emerging that criminalize the sharing of faked images.

The proliferation of these deepfake apps combined with a greater reliance on digital communications in the Covid-19 era and a "failure of laws and policies to keep pace" has created a “perfect storm,” Flynn says.

Experts say that alongside new laws, better education about the technologies is needed, as well as measures to stop the spread of tools created to cause harm. This includes action by firms that host the websites and also search engines, including Google and Microsoft’s Bing. Currently, Digital Millennium Copyright Act (DMCA) complaints are the primary legal mechanism that women have to get videos removed from websites.

Henry Ajder, a deepfake and generative AI expert who has monitored the spread of the technologies, says adding more “friction” to the process of people finding deepfake porn videos, apps to change people’s faces, and tools that specifically allow the creation of nonconsensual images can reduce the spread. “It's about trying to make it as hard as possible for someone to find,” he says. This could be search engines down-ranking results for harmful websites or internet service providers blocking sites, he says. “It's hard to feel really optimistic, given the volume and scale of these operations, and the need for platforms—which historically have not taken these issues seriously—to suddenly do so,” Ajder says.

“Like any search engine, Google indexes content that exists on the web, but we actively design our ranking systems to avoid shocking people with unexpected harmful or explicit content they don't want to see,” says Google spokesperson Ned Adriance, pointing to its page on when it removes search results. Google’s support pages say it is possible for people to request that “involuntary fake pornography” be removed. Its removal form requires people to manually submit URLs and the search terms that were used to find the content. “As this space evolves, we're actively working to add more safeguards to help protect people, based on systems we've built for other types of nonconsensual explicit imagery,” Adriance says.

Courtney Gregoire, chief digital safety officer at Microsoft, says it does not allow deepfakes, and they can be reported through its web forms. “The distribution of nonconsensual intimate imagery (NCII) is a gross violation of personal privacy and dignity with devastating effects for victims,” Gregoire says. “Microsoft prohibits NCII on our platforms and services, including the soliciting of NCII or advocating for the production or redistribution of intimate imagery without a victim’s consent.”

While the number of videos and pictures continues to skyrocket, the impact on victims can be long-lasting. “Gender-based online harassment is having an enormous chilling effect on free speech for women,” Maddocks says. As reported by WIRED, female Twitch streamers targeted by deepfakes have detailed feeling violated, being exposed to more harassment, and losing time, and some said the nonconsensual content found its way to family members.

Flynn, the Monash University professor, says her research has found “high rates” of mental health concerns—such as anxiety, depression, self-injury, and suicide—as a result of digital abuse. “The potential impacts on a person’s mental and physical health, as well as impacts on their employment, family, and social lives can be immense,” Flynn says, “regardless of whether the image is deepfaked or ‘real.’”

Deepfake Porn Is Out of Control

Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers.
The top three researchers of the 2023 Q3 Security Researcher Leaderboard are Wei, VictorV, and Anonymous!
Check out the full list of researchers recognized this quarter here.

Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers.

The top three researchers of the 2023 Q3 Security Researcher Leaderboard are **Wei, VictorV, and Anonymous!**

Check out the full list of researchers recognized this quarter here.

Congratulations to the top Azure researchers this quarter: **Wei, VictorV, Suresh Chelladurai!**

Congratulations to the top Office researchers this quarter: **Brad Schlintz, Harun Can, Disclosures!**

Congratulations to the top Windows researchers this quarter: **Jarvis\_1oop, k0shl, Anonymous!**

This 2023 Q3 leaderboard reflects point values for cases that are:

*   Submitted and assessed by the MSRC team between July 1, 2023, and September 30, 2023
*   Submitted and assessed by the MSRC team between April 1, 2023, and June 30, 2023 (last program period), but assessed after July 1, 2023

Past quarterly leaderboard announcements:

*   MSRC 2023 Q2 Security Researcher Leaderboard
*   MSRC 2023 Q1 Security Researcher Leaderboard
*   MSRC 2022 Q4 Security Researcher Leaderboard
*   MSRC 2022 Q3 Security Researcher Leaderboard
*   MSRC 2022 Q2 Security Researcher Leaderboard
*   MSRC 2022 Q1 Security Researcher Leaderboard
*   MSRC 2021 Q4 Security Researcher Leaderboard
*   MSRC 2021 Q3 Security Researcher Leaderboard

Keep up the awesome work and we look forward to seeing you next quarter!

_Madeline Eckert, MSRC_

Congratulations to the Top MSRC 2023 Q3 Security Researchers!

Microsoft has announced that it plans to eliminate NT LAN Manager (NTLM) in Windows 11 in the future, as it pivots to alternative methods for authentication and bolster security.
"The focus is on strengthening the Kerberos authentication protocol, which has been the default since 2000, and reducing reliance on NT LAN Manager (NTLM)," the tech giant said. "New features for Windows 11 include

Authentication / Endpoint Security

Microsoft has announced that it plans to eliminate NT LAN Manager (NTLM) in Windows 11 in the future, as it pivots to alternative methods for authentication and bolster security.

"The focus is on strengthening the Kerberos authentication protocol, which has been the default since 2000, and reducing reliance on NT LAN Manager (NTLM)," the tech giant said. "New features for Windows 11 include Initial and Pass Through Authentication Using Kerberos (IAKerb) and a local Key Distribution Center (KDC) for Kerberos."

IAKerb enables clients to authenticate with Kerberos across a diverse range of network topologies. The second feature, a local Key Distribution Center (KDC) for Kerberos, extends Kerberos support to local accounts.

First introduced in the 1990s, NTLM is a suite of security protocols intended to provide authentication, integrity, and confidentiality to users. It is a single sign-on (SSO) tool that relies on a challenge-response protocol that proves to a server or domain controller that a user knows the password associated with an account.

It has since been supplanted by another authentication protocol called Kerberos since the release of Windows 2000, although NTLM continues to be used as a fallback mechanism.

"The main difference between NTLM and Kerberos is in how the two protocols manage authentication. NTLM relies on a three-way handshake between the client and server to authenticate a user," CrowdStrike notes. "Kerberos uses a two-part process that leverages a ticket granting service or key distribution center."

Another crucial distinction is that while NTLM relies on password hashing, Kerberos leverages encryption.

Besides NTLM's inherent security weaknesses, the technology has been rendered vulnerable to relay attacks, potentially allowing bad actors to intercept authentication attempts and gain unauthorized access to network resources.

Microsoft said it's also working on addressing hard-coded NTLM instances in its components in preparation for the shift to ultimately disable NTLM in Windows 11, adding it's making improvements that encourage the use of Kerberos instead of NTLM.

"All these changes will be enabled by default and will not require configuration for most scenarios," Matthew Palko, Microsoft's senior product management lead in Enterprise and Security, said. "NTLM will continue to be available as a fallback to maintain existing compatibility."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft to Phase Out NTLM in Favor of Kerberos for Stronger Authentication

MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.

Note (2022) : minizip source are avaiable on the contrib/zlib github page. There is also minizip-ng, a rewritten library with more feature (like zlib-ng, a reworked and faster zlib)

. You'll also find SmartVersion with source code.

Click to download Minizip (zip/unzip) package for zLib version 1.01h, with minor bugfixes, or, better, 1.1 (with zip64 support).

This package enables to extract files from a .zip archive file. It is compatible with PKZip 2.04g, WinZip, InfoZip, MimarSinan Codex Suite 2002 tools, and compatible sofware.  
It runs both under Linux and Windows, and probably other systems too. Encryption, multi-volume Zip files (span), and old compression methods used by old PKZip 1.x are not supported.  
See appnote-011203-iz.zip or appnote-iz-latest.zip for the specification of ZIP format (or appnote-981119-iz.zip for older versions). Pkware provides also probdesc.zip and an HTML page with the specification.

**What is Minizip (Zip/Unzip)?**

The Zlib library allows to deflate compressed files and to create gzip (.gz) files. Zlib is free software and small.

An archive in ZIP format can contain several files compressed with this method, while a .gz archive can containt only one file. It is a very popular format, that is why I have written a package for reading files compressed within a Zip archive.

**How to get the Minizip package**

You need the source code of Zlib (**zlib125.zip** or **zlib-1.2.5.tar.gz**. For previous version, get zlib114.zip, or by FTP zlib114.zip).  
Now, with version 1.23,1.24,1.25 and 1.14 of zLib, the Minizip library is inlucded in the contrib/minizip directory.

In **zlib125dll.zip** there is the Win32 Windows DLL of my Windows DLL named Zlibwapi.dll that contains both zLib and Minilib.  
For previous version, in zlib114dll.zip you will find Windows DLL (Win16 and Win32) and static library (Win32) of Zlib 1.14 WITH zip/unzip package.  
Please note I have added in buildzlib114dll.zip the version of zip.c/unzip.c (0.21).  
You must read zip.h and unzip.h, which contains the documentation of the zip and unzip functions.

March 2003: you can get version 0.21 with support of custom I/O functions to read and write zip files, and raw I/O (in order to duplicate files from one zip archive to another without uncompressing nor compressing). There is also a modified version of unzip with uncrypting, written by Terry Thorsen).  
You can also get version 0.22e with crypting/uncrypting (do a #define NOCRYPT if you don't need it) and adding a file to an existing Zip archive.

15 March 2010: You can now download version 1.01h, with minor bugfixes, or, better, 1.1 with zip64 support.  
Justin Fletcher wrote a very simple implementation of a memory access method for the ioapi code (ioapi\_mem\_c.zip). Ivan A. Krestinin wrote a small example of how delete a file from zip archive. This example is not fully tested (memory leaks are possible if the source archive is corrupt), but it might help you.

**Unzipping files**

The source code is made of only two files: unzip.h and unzip.c (plus ioapi.c and a few other include files). It uses the Zlib library.

miniunz.c is a very simple, but real unzip program. It can display files contained in a Zip archive or extract them.

**Zipping files**

The source code is made of only two files: zip.h and zip.c (plus ioapi.c and a few other include files). It uses the Zlib library.

minizip.c is a very simple, but real zip program.

**A C++ Wrapper**

Daniel Godson made a C++ wrapper to the zip/unzip library. Another can be found at Troels page.

**A full MFC sample**

In the CodeGuru developers site, there is an excellent example, 'Implementing a "Send as ZIP-File" command in Scribble' written by Stefan Kuhr. Unfortunately, this example is not built with the good, standard zLib DLL (see the DLL page). Download mapizip\_demo\_gooddll.zip for a fixed project which uses the good DLL.

**Extension to Minizip**

Troels K. worked hard on the Minizip library. He has made several add-on, including a proposal for unzAttach/unzDetach.

**Other examples**

Jukka Pihl wrote mod\_ziplook Apache module. It enables to view zip archive files directly in Apache without extracting them to the filesystem. It also uses HTTP compression (supported by W3C, like Microsoft IIS, Apache mod\_deflate and examples in python and jython. Bashuman Deb wrote a FTP paging Support for miniunz.

**Miscellaneous**

The Gilles vollant software forum contain a section about Minizip.

Please also email me for feedback.

**Future of ZIP file format**

It seems that the ZIP file format will changes. The web sites PCWorld (and this new article), IDG, SlashDot contain information about ZIP's future. PkWare site contains a new specification, InfoZip has also a ZIP specification. WinZip specifies also new encryption. The PKWare specification mentions a new BZip2 compression method (there is a "zlib-like" library for BZip2 compression).

_Latest revision : 2010-03-15_

CVE-2023-45853: Minizip: Zip and UnZip additionnal library

Microsoft Edge (Chromium-based) Spoofing Vulnerability

CVE-2023-36559

The goal of the program is to uncover critical or important vulnerabilities within the AI-powered Bing program.

Microsoft has announced its AI bug-bounty program to encourage researchers worldwide to discover vulnerabilities within the Bing generative AI chatbot and AI integrations. Bounty rewards will range from $2,000 to $15,000 for qualified submissions.

Eligible participants must be at least 14 years old, with permission from a legal guardian if they are a minor, and an individual researcher. Should a participant be a public sector employee, the bounty award must go to the public sector organization and be signed by an attorney or executive responsible for its ethics policies. 

The scope of the bounty program extends to AI-powered Bing on bing.com, AI-powered Bing integration in Microsoft Edge, AI-powered Bing integration in the Microsoft Start app, and AI-powered Bing integration in the Skype Mobile app. Any vulnerabilities found in these integrations are qualified for submission and are eligible to win a reward.

Microsoft stated that the goal of the program is to uncover vulnerabilities that have a significant impact on the security of its customers within the AI-powered "Bing experience." When submitting a vulnerability, researchers must ensure that it has not been previously reported, is of critical or important severity as per the Microsoft Vulnerability Severity Classification for AI Systems, and is reproducible on the latest version of the product with clear steps as to how to reproduce the vulnerability. 

Further directions as to how to get started and enter a submission; specific information on different types of vulnerabilities and the winnings they have the potential to earn; research rules of engagement; and terms and conditions, are listed on Microsoft’s website.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Microsoft Debuts AI Bug-Bounty Program, Offers $15K

Apple, Google, and Microsoft are promoting passkeys as a solution for accounts recovery, but enterprises are slow-walking their adoption.

The growing support for passkeys means consumers and small businesses finally have an easy-to-use technology for passwordless access to websites and cloud applications, but enterprises will likely not see a usable form of the technology for some time yet.

The passwordless authentication approach, based on the FIDO Alliance's WebAuthn standard, allows developers to leverage the user device's authentication technology — such as FaceID and fingerprint sensors — to log into cloud services and Web applications. While WebAuthn resulted in many implementations, which added significant complexity for consumers, passkeys are supported by major Internet firms — including Apple, Google, and Microsoft — which dramatically simplifies their use for consumers.

Yet that usability, which could extend to cloud-native small businesses, does not allow for the control and attestation necessary for passkeys in large corporations, says Jasson Casey, CEO of Beyond Identity. Instead, passkeys will likely develop into a optional factor in their current public key infrastructure (PKI) or credential-based system.

"I honestly think it's going to be a love child of passkeys and PKI that ultimately businesses need," Casey says. "The really cool thing about passkeys is the idea that there's a well-defined interface between a browser or user agent and an actual authenticator that manages credentials and keys."

Major companies have pushed passkeys as a more secure way to sign into online accounts. In June, Google began allowing companies to switch their Workspace users over to passkeys rather than using passwords. On Oct. 10, the company began giving users the ability to make passkeys the default option across their personal accounts, prompting them to make the switch when they sign in.

Apple and Microsoft have both added support for passkeys in their hardware and software, with iOS, Mac OS, and Windows 11 all supporting the technology.

For companies, passkeys could eliminate some of the cost of improving managing identity and improving authentication, says Steve Won, chief product officer at 1Password, an identity and password management firm.

"I'm really optimistic that enterprise adoption will be totally tenable within the next decade," Won says. "I've talked to so many businesses that are like, holy crap, \[passkeys are\] basically usable certificates or ... usable Yubikeys. Certificates are such a nightmare to be able to handle, and on the Yubikey side, nobody wants to be in the business of managing hardware."

**The End of Phishing?**

Done right, passkeys could eliminate phishing attacks aimed at harvesting credentials because there are no passwords to steal. The specification, which aims for interoperability among the largest identify providers, allow a user's device to attest to their identity, using private and public keys to then log the user into a service.

A major sticking point was the issue of recovering the keys when a device is lost, says Beyond Identity's Casey.

"A passkey is actually anchored in an enclave on my device, so if I throw that device in the ocean because — I don't even need a reason — and I go buy a new device, how do I log back in? That was viewed as a major stumbling block for the B2C \[business-to-consumer\] community," he says.

Apple, Google, and Microsoft fix this problem by tying the keys to their services. A user who logs back into one of the services can then recover by being issued a new set of keys.

Despite the promise of phishing resistance and doing away with shared secrets, businesses are still hesitant to commit to passkeys, says Andras Cser, vice president and principal analyst at Forrester Research.

"We still see zero to minimal adoption in the market," he says. "Service providers — \[such as\] retailers, healthcare orgs, \[and financial services\] companies — are concerned about device attestation and presence of the person authenticating."

**Companies Need More Than Passkeys**

The problems faced by enterprises are different. For companies, passkeys hold the promise of providing a standardized PKI as a way of interacting with online resources, as long as four requirements are met, says Casey. The system has to guarantee that keys cannot move; it solves the recovery problem for lost devices; it works across all sorts of devices, browsers, and online services; and it provides companies with centralized policy management for devices.

"An effective passkey system is going to have a distributed, automated PKI system under the hood that is providing similar security guarantees but without requiring you to actively manage the service ... regardless of whether the device is managed or BYOD devices," Casey says. "Classical PKI systems don't do any of that for you, not without a huge administrative burden."

While some small businesses may mandate the use of passkey, companies will more likely offer the technology as an authentication option for their customers.

**Another Zero-Trust Possibility**

If passkey providers and identity and access management (IAM) companies solve the enterprise-use problems of passkeys, they could take off in business. While consumers need easy-to-use services, companies can mandate that their employees use a specific technology, even if that technology has a learning curve or adds some steps to daily workflows, says Ian Hassard, senior director of product management at Okta, a single sign-on provider.

"If you look at customer identity being focused around balancing security and friction, because if you have too much friction, people don't buy your products," he says. "But in workforce identity, if you're managing your workforce, you have a bit more of a captive audience in the sense of, you can apply more friction to ensure a higher level of assurance and security."

Okta, for example, focuses on the management of identities, access privileges, and ensuring the user's device has the proper security controls in place and does not show signs of compromise, says Hassard. These are all foundational for a zero-trust approach to security.

"You want that assurance that the device is not compromised," he says. "Because obviously a lot of this technology is great until the client device is completely owned, and that's not a good thing."

Passkeys Are Cool, but They Aren't Enterprise-Ready

European Union military personnel and political leaders working on gender equality initiatives have emerged as the target of a new campaign that delivers an updated version of RomCom RAT called PEAPOD.
Cybersecurity firm Trend Micro attributed the attacks to a threat actor it tracks under the name Void Rabisu, which is also known as Storm-0978, Tropical Scorpius, and UNC2596, and is also

Endpoint Security / Cyber Attack

European Union military personnel and political leaders working on gender equality initiatives have emerged as the target of a new campaign that delivers an updated version of RomCom RAT called **PEAPOD**.

Cybersecurity firm Trend Micro attributed the attacks to a threat actor it tracks under the name Void Rabisu, which is also known as Storm-0978, Tropical Scorpius, and UNC2596, and is also believed to be associated with Cuba ransomware.

The adversarial collective is something of an unusual group in that it conducts both financial motivated and espionage attacks, blurring the line between their modes of operation. It's also exclusively linked to the use of RomCom RAT.

Attacks involving the use of the backdoor have singled out Ukraine and countries that support Ukraine in its war against Russia over the past year.

Earlier this July, Microsoft implicated Void Rabisu to the exploitation of CVE-2023-36884, a remote code execution flaw in Office and Windows HTML, by using specially-crafted Microsoft Office document lures related to the Ukrainian World Congress.

RomCom RAT is capable of interacting with a command-and-control (C&C) server to receive commands and execute them on the victim's machine, while also packing in defense evasion techniques, marking a steady evolution in its sophistication.

The malware is typically distributed via highly targeted spear-phishing emails and bogus ads on search engines like Google and Bing to trick users into visiting lure sites hosting trojanized versions of legitimate applications.

"Void Rabisu is one of the clearest examples where we see a mix of the typical tactics, techniques, and procedures (TTPs) used by cybercriminal threat actors and TTPs used by nation-state-sponsored threat actors motivated primarily by espionage goals," Trend Micro said.

The latest set of attacks detected by the company in August 2023 also deliver RomCom RAT, only it's an updated and slimmed-down iteration of the malware that's distributed via a website called wplsummit\[.\]com, which is a replica of the legitimate wplsummit\[.\]org domain.

Present on the website is a link to a Microsoft OneDrive folder that hosts an executable named "Unpublished Pictures 1-20230802T122531-002-sfx.exe," a 21.6 MB file that aims to mimic a folder containing photos from the Women Political Leaders (WPL) Summit that took place in June 2023.

The binary is a downloader that drops 56 pictures onto the target system as a decoy, while retrieving a DLL file from a remote server. These photos are said to have been sourced by the malicious actor from individual posts on various social media platforms such as LinkedIn, X (formerly known as Twitter), and Instagram.

The DLL file, for its part, establishes contact with another domain to fetch the third-stage PEAPOD artifact, which supports 10 commands in total, down from 42 commands supported by its predecessor.

The revised version is equipped to execute arbitrary commands, download and upload files, get system information, and even uninstall itself from the compromised host. By stripping down the malware to the most essential features, the idea is to limit its digital footprint and complicate detection efforts.

"While we have no evidence that Void Rabisu is nation-state-sponsored, it's possible that it is one of the financially motivated threat actors from the criminal underground that got pulled into cyberespionage activities due to the extraordinary geopolitical circumstances caused by the war in Ukraine," Trend Micro said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New PEAPOD Cyberattack Campaign Targeting Women Political Leaders

Categories: Explained
Categories: News
Tags: quishing

Tags:  qr code

Tags:  phishing

We explain what quishing is and provide information about some current quishing campaigns.



(Read more...)




The post Explained: Quishing appeared first on Malwarebytes Labs.

Quishing is phishing using QR (Quick Response) codes. QR codes are basically two-dimensional barcodes that hold encoded data, and they can be used to work as a link. Point your phone's camera at a QR code and it will ask you if you want to visit the link.

The use of QR codes in malicious campaigns is not new, and because they can provide contactless access to a product or service they grew in popularity during the Covid-19 pandemic.

In August, 2023 we wrote about an email campaign that used QR codes to phish for Microsoft credentials. The links in the QR codes redirected from legitimate domains associated with Bing, Salesforce, and Cloudflare to send the targets to phishing sites that were after Microsoft credentials. Since the subject of the emails were often fake Microsoft security notifications, the Bing URLs would not have looked out of place to any victims who gave them a cursory examination.

Lately, there has been an increase in quishing emails, which either send victims to malware-infested sites or ones looking for credentials. 

The usual methods are used to make the emails look convincing: The email will pretend to come from a bank or another organization you trust, or might look like internal mails from the organization you work for, perhaps pretending to come from HR or the IT department. The QR codes in these mails are either embedded or sent as an attachment.

Most of the email contains little to no text, which reduces the chances of the scammer making a mistake and gives spam filters less to read. The message is displayed in an image, which also helps the email get through spam filters.

**Example**

I personally received a quishing mail pretending to be from the KVK (the Dutch Chamber of Commerce), telling me I had to request a digital key within the next 3 days or my company would be registered as inactive.

As you can see, a lot of the normal signs by which we can recognize a phishing mail are there:

*   Urgency
*   A link leading to a site to fill out personal information
*   Sloppy lay-out of the mail

I was also able to recognize it as false because the sender address didn’t belong to the organization it claimed to be from.

The QR code contained a link to the lihi1.com URL shortener which pointed me to a clone of the KVK site.

It asked for my name, birth date, address, mobile phone number, my KVK registration number and my bank account number. A succesfull phisher can probably sell that data for a few bucks on the dark web.

To stay safe from quishing, you can follow the same advice we provide for phishing, because that’s what it is. It's just that the method to obfuscate the phishing site is a bit more sophisticated, which also makes the use of it more suspicious.

One extra measure you can take is to install a QR code scanner that doesn’t take you to the destination in the URL, but displays it for you, so you can decide whether you want to proceed.

Stay alert for hallmarks of phishing campaigns, such as a sense of urgency, appeals to your emotions. Be extremely wary if a QR code takes you to a site that asks for personal information, login credentials or payment.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Explained: Quishing

The advanced persistent threat (APT) actor known as ToddyCat has been linked to a new set of malicious tools that are designed for data exfiltration, offering a deeper insight into the hacking crew's tactics and capabilities.
The findings come from Kaspersky, which first shed light on the adversary last year, linking it to attacks against high-profile entities in Europe and Asia for nearly three

The advanced persistent threat (APT) actor known as **ToddyCat** has been linked to a new set of malicious tools that are designed for data exfiltration, offering a deeper insight into the hacking crew's tactics and capabilities.

The findings come from Kaspersky, which first shed light on the adversary last year, linking it to attacks against high-profile entities in Europe and Asia for nearly three years.

While the group's arsenal prominently features Ninja Trojan and a backdoor called Samurai, further investigation has uncovered a whole new set of malicious software developed and maintained by the actor to achieve persistence, conduct file operations, and load additional payloads at runtime.

This comprises a collection of loaders that comes with capabilities to launch the Ninja Trojan as a second stage, a tool called LoFiSe to find and collect files of interest, a DropBox uploader to save stolen data to Dropbox, and Pcexter to exfiltrate archive files to Microsoft OneDrive.

ToddyCat has also been observed utilizing custom scripts for data collection, a passive backdoor that receives commands with UDP packets, Cobalt Strike for post-exploitation, and compromised domain admin credentials to facilitate lateral movement to pursue its espionage activities.

"We observed script variants designed solely to collect data and copy files to specific folders, but without including them in compressed archives," Kaspersky said.

"In these cases, the actor executed the script on the remote host using the standard remote task execution technique. The collected files were then manually transferred to the exfiltration host using the xcopy utility and finally compressed using the 7z binary."

The disclosure comes as Check Point revealed that government and telecom entities in Asia have been targeted as part of an ongoing campaign since 2021 using a wide variety of "disposable" malware to evade detection and deliver next-stage malware.

The activity, per the cybersecurity firm, relies on infrastructure that overlaps with that used by ToddyCat.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#microsoft