#malvertising

Organised campaigns delivered 4.5 million malicious ads on Meta platforms in 23 days, with ten advertisers responsible for over half, exploiting targeting and trust signals.

That's because adblockers are an important safety tool for your browser, maybe the most important thing you can do to secure your web browser.

This is because of "Malvertising", one of the most common ways for malware to spread. This is because it is very easy for criminals to pay to place malware infected ads into the big online advertising networks, such as the one Google operates. This can place their malware on otherwise reputable sites who use these networks. And it's well-established you don't even need to click on the ad to get infected, both the wiki page linked above and this Wired article talks about it.

The ad networks have mechanisms for detecting such malvertising, but like antivirus in general, they are inherently limited. The programs can't flag malware that isn't already in their databases.

All the big advertising networks have problems with malvertising, including Google ads which have been infected many times.

The only good solution for the enduser is to block ads entirely in their browser. Ads are both annoying and a dangerous malware vector, not worth it at all.

Google now trying to block adblockers on Youtube and demanding that users turn them off is even more grotesque in light of this. It's like asking you to turn your firewall.

What to do

Ublock Origin is the most reputable adblocker. It doesn't just block ads, it also blocks non-advertising

Part of this is that unlike Adblock Plus or Brave Browser's built-in adblocker, Ublock actually blocks all ads it can and doesn't fund itself by taking bribes from advertisers to show users "acceptable ads."

I linked to the Firefox Addon page for Ublock origin above, because Ublock Origin works best on Firefox, which is the opinion of the Ublock Origin developers and they explain why in technical detail on the project's github page.

So stay safe online, use Ublock Origin and use it on Firefox so it works the best it can.

BTSARMY Security Awareness Edition

Securing Mobile Devices Part 1: Identifying Fake Apps (with Mister World Wide Handsome Kim Seokjin)

Contributors:

ddaengsec

emandro1d

ArmyCompsci

Devika⁷

btsarmysafety

Misconfigured MongoDB servers, compromised antivirus updates, malicious Meta ads, hijacked Open VSX extensions, and targeted SaaS credential theft highlight widespread cyber threats today.

Criminals are weaponising Google ads and trojanised PDF software to quietly steal credentials from organisations worldwide.

Source: Sophos

At least two variants of a malware installation are floating out there for macOS users. Bleeping Computer has published their initial findings regarding the campaign after having it brought to their attention by Berk Albayrak, a security engineer at Trendyol Group, who posted about the scam on LinkedIn. Amidst the constant abuse of vulnerabilities and supply chain attacks, good old-fashioned malvertising is sneaking in through the noise.

It starts simple, users doing a search for downloading Claude onto their Mac. This campaign utilizes the legitimate site through a sponsored ad before redirecting to a malicious link, itself using a hijacked Claude chat. Users are instructed to open their terminal and copy/paste a command. The first – as seen by Albayrak – downloads an infostealer that harvests browser credentials, cookies, and macOS Keychain contents, packages them up, and exfiltrates them to the attacker's server. While verifying Albayrak’s findings, Bleeping Computer stumbled across a second variant, that includes user profiling as the first step. The profiling is aimed at discovering if the user who clicked on the malicious ad is using a Russian or CIS-region keyboard and, if so, the script does nothing further. Upon successful determination that the profiled user is not, however, it runs an infostealer looking for the victim's external IP address, hostname, OS version, and keyboard locale before sending it to the attacker.

Another detail I spotted while researching this is that the version Albayrak found additionally uses a hijacked URL from a roofing company for the redirect, and is an HTTP link. The version Bleeping Computer found uses an HTTPS link of bernasibutuwqu2[.]com. That one carries a loader.sh as well, which contains a set of Gunzip-compressed shell instructions. Given the secure nature of that link, one can only assume it is also hijacked or spoofed. The two versions are cataloged on Virus Total.

Upon download, both then run a second stage payload through osascript, Mac’s built-in scripting engine. This allows the malware to live off the land, meaning that no physical download file is stored in the hard drive, instead running from the compression in memory. It allows remote code execution without leaving any sign that it’s there, making remediation challenging, as no hash or signature is left behind to be flagged by security tools.

Malvertizing campaigns have largely fallen by the wayside in recent months, but in no way are they a discarded tool of threat actors. Many attacks of this kind use a domain for hosting; this one leverages the genuine URL instead, making it more highly obfuscated. This is not the first time AI tools have been abused in such a way, either. In December, Bleeping Computer reported on a similar scam aimed at ChatGPT and Grok users. And earlier this year another, nearly identical campaign targeted users searching for Homebrew, a package manager.

Users are encouraged to always go directly to a site and download from there, rather than following the instructions of an ad. And never copy/paste a command into the terminal from one, even a sponsored one. Legitimate download of an application does not require that. Stay aware, stay suspicious and remember that your friendly neighborhood WISP is here to help.

Malvertising, as defined by Wikipedia, is the use of online advertising to spread malware. The name is a portmanteau of ‘malicious advertising’, and it relies on social engineering and trust to deliver its payload, much like phishing schemes. It used to be more obvious, to the point where it was meme-able, the province of sidebar ads on explicit websites luring in the unwary with hot singles in one’s area or for performance enhancing pharmaceuticals. It still exists in banner and clickbait type ads, commonly promoting self help objects or special ‘deals’ for products. It’s a regular feature of many preinstalled casual game suites in Windows; my home computer’s antivirus software has blocked the pages of those ads from opening when accidentally clicked nearly every single time due to the URL’s being suspicious. To a degree, it’s targeted. The ones I see are aimed at a particular demographic, usually older people who may not be as savvy in noticing the falseness.

The web seems to be riddled with fake ads. Popups, compromised widgets and third party apps are all likely locations to find either self hosted malware or redirects to spoofed domains. And these days, many of them are targeted towards developers. There are two articles regarding the delivery of malware via spoofed websites on my news feed today. One is a ‘classic’ ClickFix campaign, tricking users into downloading an open source video editor containing a REMCOS Trojan through a faked CAPTCHA page. Pretty standard fare, as ClickFix campaigns go. The other one is a Claude AI clone that delivers an infostealer as its payload, and is the one I’ll be focusing on.

Spoofing is frequently the vehicle driving these campaigns, presenting a legitimate looking site during a search, as is the case with the Claude clone, which has been dubbed ‘InstallFix’ by Push Security. The malicious code is typically obfuscated. Push Security’s report states that the fake site is identical in every way to the real thing, and is only visible as malware if one hovers over the copy and paste command. Hence my often repeated warning against copying and pasting anything into a command line. You don’t know what it actually is. AI is a popular vector for compromise, since the agents offer less technically adept users a simplified way to utilize developer tools and is trendy to boot.

Push goes on to say that the copy/paste/run model is becoming the norm for developer software. Many packages, in a variety of coding languages, instruct their users to do it as part and parcel of installation. It is a framework based on trusting the domain, which is where a lot of these problems share a root cause. Despite numerous admonitions towards zero trust, security is rarely at the forefront of a user’s mind when faced with something flashy or there’s a deadline to meet. And threat actors are counting on that lack of vigilance.

InstallFix is distributed through Google ads, showing up in sponsored results when users are searching for ‘Claude Code’, ‘Claude Code install’, or ‘Claude Code CLI’. In the images Push shares in the article, not one of the top results actually goes to Anthropic, Claude’s parent company, and the only place one should be getting it from.

This in itself is part of the larger issue with social engineering and the degree to which our search engines have changed. Sponsored results are how many of these malvertising scams work. People see the first link and click on it without thinking, or even looking at the source. I’ve come across it myself in everything from social media to banking institutions to my phone provider. A few extra seconds to check the source of a site is all it takes not to click the wrong thing. Prevention is always going to be the best medicine, but remember if you get into trouble, your friendly neighborhood WISP is here to help.

Attackers are buying Google ads to serve pixel-perfect clones of developer tool install pages, where a single copied command silently delivers the Amatera credential-stealing infostealer to your machine.

Source: Push Security