Updated November 7 with new guidance from government cybersecurity agencies on malware that infects legitimate online advertising campaigns.
A serious warning has been issued to the billions of users of the most popular web browser after “tens of millions of dollars” were stolen from “hundreds of thousands” of web users. Google has removed the known websites from its search results, but links elsewhere, such as on social media and messaging platforms, will not be removed. It is important that all users know what to look for. Simply put, you should not use these websites.
Human Security’s Satori research team warned that the attackers “infected legitimate websites with malicious payloads to direct traffic to fake web shops.” The payload creates fake product listings and adds metadata that pushes these listings near the top of search engine product rankings, making them an attractive offer to unsuspecting consumers. When a consumer clicks on an item’s link, they are redirected to another website controlled by the threat actor.
That fake web shop then sends the user to a legitimate payment processing platform to buy the selected product. The product will never arrive, but the money will certainly be taken. Many consumers may ultimately be protected from the financial loss by a credit card chargeback, but that is never guaranteed until the charge has been investigated.
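As an added illustration (not code from the article or from Human Security), here is how a site owner could scan their own pages for injected product listings of the kind described above. It assumes the seeded metadata takes the form of schema.org Product JSON-LD, which the article does not specify, and runs against a constructed sample page.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample page: one genuine Product listing plus one injected
# listing whose offer URL leads off-site (the seeded metadata Satori describes).
SAMPLE_HTML = """<html><head>
<script type="application/ld+json">
{"@context": "https://schema.org", "@type": "Product", "name": "Garden Hose 50ft",
 "offers": {"@type": "Offer", "price": "24.99",
            "url": "https://shop.example.com/hose-50"}}
</script>
<script type="application/ld+json">
{"@context": "https://schema.org", "@type": "Product", "name": "Designer Handbag",
 "offers": {"@type": "Offer", "price": "39.00",
            "url": "https://cheap-deals.example.net/bag?ref=shop"}}
</script>
</head><body>...</body></html>"""

LDJSON_RE = re.compile(
    r'<script[^>]+type=["\']application/ld\+json["\'][^>]*>(.*?)</script>',
    re.I | re.S)

def registrable_domain(host):
    # Crude eTLD+1 (last two labels); a real scanner should use the
    # Public Suffix List so that e.g. example.co.uk is handled correctly.
    return ".".join(host.lower().split(".")[-2:])

def find_offsite_products(html, page_url):
    """Return (name, offer_url) for Product listings whose offer URL points
    to a different registrable domain than the page that hosts them."""
    page_dom = registrable_domain(urlparse(page_url).hostname or "")
    flagged = []
    for blob in LDJSON_RE.findall(html):
        try:
            data = json.loads(blob)
        except ValueError:
            continue  # malformed block; a scanner would log this too
        for item in data if isinstance(data, list) else [data]:
            if not isinstance(item, dict) or item.get("@type") != "Product":
                continue
            offers = item.get("offers") or {}
            if isinstance(offers, list):
                offers = offers[0] if offers else {}
            url = str(offers.get("url", ""))
            host = urlparse(url).hostname or ""
            if host and registrable_domain(host) != page_dom:
                flagged.append((item.get("name"), url))
    return flagged
```

Run over a crawl of your own site, any hit is a listing that sends buyers to a domain you do not control and deserves a look.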
In this campaign, the attackers “infected over 1,000 websites to create and promote fake product listings and built 121 fake web stores to deceive consumers.” Losses are estimated in the tens of millions of dollars over five years, spread across hundreds of thousands of affected consumers.
So what can you look for to avoid your money disappearing into a black hole?
- If a deal looks too good to be true, typically a price well below market, don’t proceed unless you can verify the site.
- Check that the name of the website you started on matches the name shown in pop-ups, payment processing windows and URLs. This campaign infected legitimate websites and redirected visitors elsewhere.
- Does the ordering process feel completely legitimate? For example, are address details auto-filled, and is the data you enter validated?
- If you haven’t used the website before, check its reviews carefully. Bear in mind that reviews on the site itself may be fake, so look for reviews of the site on known, independent websites.
- Can you find the product on a well-known website, even if it costs more there?
The campaign, which the researchers dubbed “Phish ‘n’ Ships,” used a number of sophisticated tricks, including metadata that pushed its listings to the top of search results; Google has since removed the known fraudulent listings. The infection of a legitimate website initially lulls users into a false sense of security, and it is the redirect to a fake web store that should ring alarm bells.
A list of all known fake websites can be found here. According to this latest report, some of them remain active despite the takedowns.
“This operation highlights the relationship between the digital advertising ecosystem and fraud,” Satori said. “If it weren’t for the fake organic and sponsored product listings engineered by attackers, there would be no traffic to the fake web store, and therefore no fraud. What you get from Phish ‘n’ Ships, importantly, is that digital advertising can be risky and consumers should be careful when clicking through to the next step in their digital journey.”
Users of every major browser can fall victim to such attacks. The research team warned that although Google’s removal has “partially disrupted” the threat, “Phish ‘n’ Ships remains an active threat. It is unlikely that attackers will stop their operations without trying to find new ways to perpetuate their fraud.”
On the subject of search results that lead to phishing attacks, another troubling development has recently come to light. Malwarebytes warns of a “new wave of phishing for banking credentials” targeting consumers through Microsoft’s search engine: “A Bing search query for ‘Keybank login’ currently returns a malicious link on the first page, and in some cases at the top of the search results.”
Microsoft’s search share pales next to Google’s, but just as it is currently running a campaign to push Chrome users to Edge, the company is doing the same for Bing, reaching into its pockets for a new $1 million giveaway.
Malwarebytes notes that “Microsoft’s Bing only has about 4% of the search engine market share, but criminals are attracted to it as an alternative to Google. One particularly interesting detail is that phishing websites created just two weeks ago appear to be indexed and displayed ahead of the official website.”
This new campaign successfully inflated the search signals of newly created malicious sites so that they rank high for common keywords, tricking users into clicking. “A malicious link appears as the first result, pretending to be a Keybank login page… The attacker is exploiting Bing’s search algorithm.”
When users click on the link, they are redirected to a malicious website created for the campaign, which further deceives them by using the official branding of the bank it impersonates. Its sole purpose is to collect user IDs, login credentials and passwords; the attackers have even found a way to harvest MFA codes to complete the logins.
As with Phish ‘n’ Ships, this manipulation of search results, combined with behind-the-scenes machinations that shift traffic from legitimate sites to malicious ones, is clearly effective social engineering, and it earns the attackers millions.
The concern for users is the imminent proliferation of AI-based search, which threatens not only existing search engines but also the long-standing defense mechanisms and “spidey sense” that let users spot an incoming attack. Ironically, we have also witnessed phishing attacks claiming to come from OpenAI itself, driving home the point of this brave new world. Buyer beware.
The Satori report has been followed by another serious website scam alert, this time from the UK’s National Cyber Security Centre (NCSC). “Digital advertising is a cornerstone of the digital economy and relies on interactions between those selling advertising space and those buying it, often in real time,” it warns. “However, this can be exploited to generate malicious advertising, or malvertising, including malware. This can lead to fraud and undermine trust in the digital advertising industry.”
In a new advisory offering “guidance for brands to help advertising partners combat malvertising,” the NCSC warns legitimate businesses that digital advertising campaigns which use deceptive techniques, whether intentionally or inadvertently, could expose their customers to fraud.
“Organizations that help run campaigns should take steps to prevent harm to users,” it says. “You also need assurance that the ads that appear on the same sites and pages as yours are reputable and trustworthy. You can support your broader efforts by requesting effective malvertising detection and removal services. This is an ongoing process and should be applied before and throughout your advertising campaign.”
As with Phish ‘n’ Ships, where an infected legitimate commerce website lends legitimacy to a malicious campaign, the risk with digital advertising is that trusted brands mask the threat and entice users to take the first step in a socially engineered attack chain that ultimately leads to fraud and credential theft.
The NCSC states that “advertisers, publishers, and ad networks need to collaborate and share threat intelligence. By pooling information about emerging threats, you can quickly respond to new attacks and proactively prevent attacks detected on one platform from appearing on other platforms.”
This all comes down to the real-time nature of the web: like the manipulated Bing search results, attacks can appear and disappear in an instant, making them hard to catch. It is the core mechanics of the system itself that are being manipulated.
The NCSC asks organizations that plan campaigns and buy advertising to have their ad intermediaries demonstrate the following five points, to make life harder for threat actors:
- How do they handle malvertising detection and removal services?
- Which vendors (if any) do they use to detect and remove malvertising, and does this cover “cloaking” that hides the harmful nature or destination of ads?
- What is the scope of assets being scanned, discovered and removed?
- How do they monitor changes during the lifecycle of an advertising campaign?
- If an attack occurs, how do they escalate and investigate?
“Organizations that help run campaigns should take steps to prevent harm to users,” the agency said. “You also need assurance that the ads that appear on the same sites and pages as yours are reputable and trustworthy.”