Friday Digest #18: The Rising Threat of Malicious Ads
Hi everyone, Kat here!
Jérôme Segura at MalwareBytes recently revealed the discovery of a malicious ad impersonating NordVPN on Bing that was designed to trick people into installing the SecTopRat Remote Access Trojan.
The ad appeared at the top of search results when people searched for NordVPN and the site appeared to be legitimate. However, downloading the program from the fake site would lead users to be infected with the SecTopRat Remote Access Trojan.
Researchers at the MalwareHunterTeam found that this particular type of trojan creates a second hidden desktop that enables an attacker to control browser sessions on the victim’s system.
This wasn’t the first time malicious actors had posed as popular VPN providers to spread malware. In 2021, threat actors created new domains spoofing VPN providers to distribute malware known as Raccoon stealer.
In both of these instances, attackers took advantage of the public’s increasing interest in privacy products to lure them into downloading malware.
MalwareBytes’ discovery highlights the specific dangers of malvertising and the pitfalls of trusted search engines like Google and Microsoft’s Bing. The fact is, it’s remarkably easy for threat actors to set up a fake ad, get it approved and convince people to click on it by posing as a legitimate company.
And while the legitimate companies aren’t to blame, search engine owners should be doing a lot more to help keep people safe online.
So, what is the state of malvertising in 2024 and how can we protect ourselves against it?
Malvertising is the practice of using malicious advertising to infect a victim with malware. Unlike most forms of phishing attack, it requires no prior knowledge of a target, such as a name or email address. All bad actors need to do is create an ad that looks convincing enough for people to click on it.
These malicious ads aren’t just showing up on popular search engines like Google. They’re also on social media platforms, imitating popular brands. I’ve spotted a number of these myself on Instagram, masquerading as popular clothing stores. Unlike on search engines, these ads aren’t as easy to identify as malicious because the URL isn’t visible until you click on it.
Red Canary, a threat intelligence group that monitors malware, malicious tools and threat groups, has highlighted the rising threat of malvertising in their most recent Threat Detection report.
The group notes the prevalence of a threat they’ve named Charcoal Stork – a pay-per-install content provider that uses malvertising to deliver installers “often masquerading as cracked games, fonts, or desktop wallpaper”.
The report states:
“Throughout 2023 Charcoal Stork was far and away the most prevalent threat we detected, easily placing in the top spot of our annual prevalence rankings.”
While the fake NordVPN ad identified by MalwareBytes led to a remote access trojan, malvertising can hide a variety of different dangers, including adware, ransomware, viruses and even malicious crypto mining trojans.
Sophisticated and highly invasive spyware can even be hidden in malvertising. An article in Haaretz this week revealed that the mercenary spyware company Intellexa pitched their product by highlighting how it could target devices through malicious ads.
One of the reasons malvertising has become so successful is that the vast majority of us place far too much trust in platforms and search engines to remove harmful or dangerous content. With that in mind, it’s time we all take some of that trust back and start exercising some serious caution when it comes to clicking ads displayed on these platforms.
One of the best things you can do is get into the habit of checking URLs. Most spoof sites use strange characters or letters in the URL to make it look similar to the original at a glance, but these are a dead giveaway if you look closer. For instance, the URL for the fake NordVPN ad was ‘nordivpn[.]xyz’ instead of ‘nordvpn[.]com’.
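The URL check described above can also be automated. The sketch below is an added example, not part of the original newsletter: the allowlist, the function names and the edit-distance threshold of 2 are assumptions, and taking the last two labels as the base domain is a simplification that ignores suffixes such as co.uk.

```python
from urllib.parse import urlsplit

# Assumption: the domains the reader actually intends to visit (allowlist).
TRUSTED = ["nordvpn.com"]

def hostname(url: str) -> str:
    """Refang a defanged URL ('[.]' -> '.') and return its lowercase host."""
    url = url.strip().replace("[.]", ".")
    if "://" not in url:
        url = "//" + url  # lets urlsplit treat bare text as a host
    return (urlsplit(url).hostname or "").rstrip(".")

def base_domain(host: str) -> str:
    """Last two labels only (simplification: no Public Suffix List)."""
    return ".".join(host.split(".")[-2:])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url: str, max_distance: int = 2) -> str:
    host = hostname(url)
    base = base_domain(host)
    if base in TRUSTED:
        return "trusted"
    # Non-ASCII or punycode labels can hide look-alike characters.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return "suspicious: internationalized hostname"
    name = base.split(".")[0]
    for good in TRUSTED:
        brand = good.split(".")[0]
        # Brand name buried in a subdomain, or a near-miss spelling of it.
        if brand in host or edit_distance(name, brand) <= max_distance:
            return f"suspicious: looks like {good}"
    return "unknown"

if __name__ == "__main__":
    # First value is the URL quoted in the article; the rest are constructed samples.
    for u in ["nordivpn[.]xyz", "https://www.nordvpn.com/download",
              "nordvpn.com.downloads-example.net", "example.org"]:
        print(u, "->", check_url(u))
```

An "unknown" result only means the host does not resemble anything on the allowlist; it says nothing about whether the site is safe.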
Installing an ad blocker can also help. While not foolproof, they provide a layer of defense against malicious ads. Additionally, using an anti-malware tool with real-time scanning can help identify and guard against potential threats.
More on This Story
SC Magazine: Bing ad posing as NordVPN aims to spread SecTopRAT malware
Help Net Security: IT pros targeted with malicious Google ads for PuTTY, FileZilla
MalwareBytes: FakeBat delivered via several active malvertising campaigns
What We’ve Been Reading
OONI: Tanzania surge in LGBTQIA censorship and other targeted blocks
Data analysis by the Open Observatory of Network Interference (OONI) shows a surge in LGBTQIA+ censorship in Tanzania as discrimination against these communities has increased. This tightening grip on online freedom will drastically limit access to information and resources for these communities.
WIRED: How to stop your data from being used to train AI
A new wave of lawsuits and investigations has exposed the lack of transparency in how companies use our data to train AI systems. This guide from WIRED runs through the different steps you can take to limit any future collection of your data by AI systems.
CNET: Apple warns of mercenary spyware attack across 92 countries
On Wednesday, Apple issued security alerts to iPhone users it identified as being targeted by "mercenary spyware attacks." Victims of these expensive and meticulous attacks are usually targeted because of their work as journalists, lawyers, political dissidents and human rights activists. This attack highlights the vulnerability of iPhones to highly sophisticated hacking attempts.
Biometric Update: Is digital privacy about to become a basic right in the United States?
Legislation proposed in the US aims to establish digital privacy as a fundamental right, potentially granting citizens more control over their data and strengthening online privacy protections. This legislation is remarkably similar to the EU’s GDPR and would give individuals the right to sue companies that violate data privacy laws.
TechRadar: Italy considers law against sharenting to protect children’s privacy
Italy is considering a law to restrict parents from sharing their children's images online, aiming to protect children's privacy and their right to their own image. Legislators say this "sharenting" law could lessen the security risks and psychological impact currently caused by parents who overshare online.
9to5Google: Google One VPN will be discontinued, Pixel VPN remains with upgrade coming
Google has announced it is shutting down its VPN service offered with Google One subscriptions. Existing users will be directed to third-party alternatives, while the free Pixel VPN remains available.