Anti-bot services on the dark web allow phishers to bypass Google’s Red Page warnings, evading detection and making…

Anti-bot services on the dark web allow phishers to bypass Google’s Red Page warnings, evading detection and making phishing campaigns harder to stop. Tools like Otus Anti-Bot, Remove Red, and Limitless Anti-Bot are raising concerns among cybersecurity experts.

Cybercriminals are constantly innovating, and their latest weapon is a new breed of services called the anti-bot services, reveals the latest research from SlashNext. These services are advertised on the Dark Web to help phishers bypass Google’s “_Red Page_” warnings.

****The Power of Google’s Red Page****

Phishing attacks have become more sophisticated with the rise of PhaaS (phishing-as-a-service) platforms. These platforms make it easy for even inexperienced criminals to launch large-scale phishing campaigns. However, a major hurdle for phishers has been detection by security services like Google’s Safe Browsing.  

Google Red Page is a feature of Google Safe Browsing that warns users of potential dangers, such as phishing attempts. The page, displayed in red, warns users that a site they are navigating may be deceptive and advises them to avoid it. This can significantly limit the success of phishing attacks, as these campaigns rely on high click-through rates, which are significantly lowered when Google’s detection flags a phishing page and adds it to a blocklist.

****Anti-Bot Services: A New Challenge for Security Teams****

New anti-bot services aim to circumvent Google’s Red Page warnings. These services, including Otus Anti-Bot, Remove Red, and Limitless Anti-Bot, help phishers evade detection. Here is how these work:  

*   **Filtering Out Security Crawlers:** Anti-bot services analyze user-agent strings and IP addresses to identify and block security bots that scan for malicious websites.   
*   **Cloaking Techniques:** Some anti-bot services use techniques like JavaScript obfuscation or context-switching to serve different content to humans and bots. Real users see the phishing page, while security bots might see harmless content.  
*   **Geolocation-Based Targeting:** These services can restrict access to specific regions, ensuring the phishing site remains hidden from international security entities.
*   **CAPTCHAs and Challenges:** By introducing CAPTCHAs or challenge pages, anti-bot services block automated scanners that cannot solve them.

SlashNext researchers note that these services are effective against less sophisticated security bots. However, advanced security measures and manual analysis by security professionals can still detect these phishing sites.

Via SlastNext

“These services represent the latest evolution in the ongoing cat-and-mouse game between cybercriminals and security measures,” SlashNext researchers explained in the blog post.

Anti-bot services are constantly evolving to stay ahead of security measures. As new detection techniques emerge, these services will likely adapt to counter them. Cybersecurity teams must remain vigilant and adopt advanced threat detection methods to combat the growing sophistication of phishing attacks.

1.  EvilProxy Phishing Kit Hits 100+ Firms, Bypasses MFA
2.  Cybercriminals Beta Test New Attack to Bypass AI Security
3.  Trio Run “OTP Agency” Enabling Bank Fraud and 2FA Bypass
4.  Phishing Attacks Bypass Microsoft 365 Email Safety Warnings
5.  Unicode QR Code Phishing Scam Bypasses Traditional Security

Dark Web Anti-Bot Services Let Phishers Bypass Google’s Red Page

The persistent infostealer's latest campaign inserts fake CAPTCHA pages into legitimate applications, fooling users into executing the malicious payload, researchers find.

Source: Oleksandr Hruts via Alamy Stock Photo

Lumma Stealer stars in a new campaign that uses malicious CAPTCHA pages to scam targets into clicking through the "verification" process — triggering the initial malware download.

Malware-as-a-service (MaaS) Lumma Stealer is commonly used by threat actors to steal sensitive information like passwords and crypto-wallet data, researchers at Qualys, who recently detailed the latest attack chain, explained.

"When the user clicks the 'I'm not a robot' button, verification steps are presented," Qualys threat researcher Vishwajeet Kumar wrote in a blog post detailing the latest Lumma Stealer find. "Completing these steps triggers the execution of a PowerShell command that initiates the download of an initial stager (malware downloader) on the target machine."

**Lumma Stealer's Easy Adaptability**

This latest CAPTCHA-based tactic is new, Kumar added in the Lumma Stealer campaign analysis. Previous campaigns have relied on a wide array of cybercrimes to spread the infostealer, ranging from basic phishing to far more exotic gambits.

Just a handful of examples from just this year include a Lumma Stealer campaign from January 2024 that used YouTube channels disguised as content to offer workarounds for eluding Web filters and cracking popular applications.

By the summer, another Lumma Stealer effort popped up on Facebook, this time trying to lure victims into downloading a legitimate artificial intelligence (AI) photo editor. Even Hamster Kombat wasn't spared. The more than 250 million estimated players of the game were targeted and lured into downloading Lumma Stealer by multiple simultaneous scams, it was discovered last July.

"The investigation into Lumma Stealer reveals an evolving threat landscape characterized by the malware’s ability to adapt and evade detection," Kumar wrote. "It employs a variety of tactics, from leveraging legitimate software to utilizing deceptive delivery methods, making it a persistent challenge for security teams."

Protecting from ongoing Lumma Stealer threats requires close collaboration between threat intelligence, security operations centers (SOCs), and incident-response teams, according to Sarah Jones, a cyber-threat intelligence research analyst at Critical Start.

"Given the rapid evolution of threats like Lumma Stealer, security teams must adopt a stance of continuous monitoring and adaptation, regularly updating detection rules, indicators of compromise, and security controls," Jones says. "This campaign exemplifies the sophisticated threats organizations face today, requiring a multilayered defense approach that combines advanced technical controls with proactive threat hunting and ongoing adaptation to effectively combat evolving malware campaigns."

Tricky CAPTCHA Caught Dropping Lumma Stealer Malware

Debian Linux Security Advisory 5795-1 - Cedric Krier discovered that python-sql, a library to write SQL queries in a pythonic way, performed insufficient sanitizing which could result in SQL injection.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5795-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 21, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : python-sqlCVE ID         : CVE-2024-9774Cedric Krier discovered that python-sql, a library to write SQL queriesin a pythonic way, performed insufficient sanitising which could resultin SQL injection.For the stable distribution (bookworm), this problem has been fixed inversion 1.4.0-1+deb12u1.We recommend that you upgrade your python-sql packages.For the detailed security status of python-sql please refer toits security tracker page at:https://security-tracker.debian.org/tracker/python-sqlFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmcWnkYACgkQEMKTtsN8TjYrzBAAtMjk7yF0IB4onUZ+GHMkYCDoPhZRaZft7eQUAGya1/IHpuA4e5KvmWahJK8D1glflGgopSLhLSkPkXWij3LqKjb2obuqRB9icuEl1mKWeJoovHWONZLCUVSt0iPtAvLA4jIi4KpHRfzFY4QbpkkAKXAjTLjxtjDlmEky4PT+1puHAi7lQ7O2/OY/haxnVYHtoHID+E6r0eTgXq5HX9723niVkxKpjcZz8ki8WeDoEmNUOj4j89Nke0VeQNFYmCuWtAQLvRFTSL4I9fGWcRBWWEHm46YqnktlJIHVe2f9posYCMMFxvFwNo70U3MUinCDAXX6VmeAGuzTXGQAPXW0kDT7Y436ononkFcnVMoiCr/T/+m3UKUw+2iINEcnMe/G/4wkhiYx7T2YYFmJ4vRgye7sSE4YfRl6/wl/rbeVfz3AfM/iAxp7uWAlzVLry4mL1ZkNhAhvTDCpEIsBECDp1gX2z4ZVLqHDqXIqQ+IEEFIZoNImUo/LIgKvZIg18XuP77K29UAnonUe1qxf8d19nRwD18hwoQG1KL6dCRgKhE+OKjTRCZv+9hb1Xp7QagQviZTCnP+36HFtpNfbim/JlAtllEZrUdufBcMzAVx82C9oVHd8WigI+PWGSFnh5qzy0B1xhX7H3x5zLaVO1HJ6ZHzyH5VcfCFSxmzV6MeyzFk==Xlam-----END PGP SIGNATURE-----

Debian Security Advisory 5795-1

Debian Linux Security Advisory 5794-1 - Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5794-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 21, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : openjdk-17CVE ID         : CVE-2024-21208 CVE-2024-21210 CVE-2024-21217 CVE-2024-21235Several vulnerabilities have been discovered in the OpenJDK Java runtime,which may result in denial of service or information disclosure.For the stable distribution (bookworm), these problems have been fixed inversion 17.0.13+11-2~deb12u1.We recommend that you upgrade your openjdk-17 packages.For the detailed security status of openjdk-17 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/openjdk-17Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmcWmOcACgkQEMKTtsN8TjYeZw/7BTQ3D6sDygG5LotB4JCo8QMyG1rx0XgX9dAgK4Xw0sp9jnYS2iebp8RhlbIDht+jchjLpbEPnzx11JM2b3e/x3JO1QRUSEDkTnQhuynR4wj7WKLXY4l36zkzG/73g9Tq/EM5t8vjuMWFFcsEIJ5c0erHaw/X5lAr9Gg0vs8LrLYyqOMod8Z8AZJpbKNJpGEDUu/i1lASkDnjJAl5+ybPG5xN++Ax+FvPhmlQKu39rVKrX140+LIkFcGJdLh+RMbLU66ryDR2rQQSgeDeZYZln5gsbykzRbfeZZil4bF0+aT3FCY0/nOA0aA82nrE9S6VU6kdxWyS/KTzRsVUw8IsIW/9KyD3hAGvEbHiD4hG/YrABOFdg4rvUPLnaBU6i+LnyrdcayoFP6cp72KiBOQxn4nUzUqhqynKatZ5ixZfgboaTFKBr2WxazoWTzrefjyH30GEeQ0dWFc2ujcOlMZSag9VdfgIoVg+F2l20UbmKnYtZGSXm5rD2ocG5l7gTb8uDcZO3P1HXGmrD7A8NLy9aRPT/dmNDLnAo8se61O4ctirgNQ3dIpwzeIEyjPNysY0lON5+7EE7XToW2C7dSYjHSVCNTqE+heRE66p7hDBxyeuhxhBK+Bd7DcAT97Kkp1BOZ0XSn9YjQ9zdyzQneOxMK7CbM6/PIETqGsY6aTIptI==PgDB-----END PGP SIGNATURE-----

Debian Security Advisory 5794-1

ABB Cylon Aspect version 3.08.01 suffers from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the directory HTTP POST parameter called by the persistenceManagerAjax.php script.

  
ABB Cylon Aspect 3.08.01 (persistenceManagerAjax.php) Remote Code Execution

Vendor: ABB Ltd.  
Product web page: https://www.global.abb  
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
                  Firmware: <=3.08.01

Summary: ASPECT is an award-winning scalable building energy management  
and control solution designed to allow users seamless access to their  
building data through standard building protocols including smart devices.

Desc: The ABB BMS/BAS controller suffers from an unauthenticated OS command  
injection vulnerability. This can be exploited to inject and execute arbitrary  
shell commands through the 'directory' HTTP POST parameter called by the  
persistenceManagerAjax.php script.

Tested on: GNU/Linux 3.15.10 (armv7l)  
           GNU/Linux 3.10.0 (x86_64)  
           GNU/Linux 2.6.32 (x86_64)  
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
           PHP/7.3.11  
           PHP/5.6.30  
           PHP/5.4.16  
           PHP/4.4.8  
           PHP/5.3.3  
           AspectFT Automation Application Server  
           lighttpd/1.4.32  
           lighttpd/1.4.18  
           Apache/2.2.15 (CentOS)  
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)  
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
                            @zeroscience

Advisory ID: ZSL-2024-5846  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5846.php

21.04.2024

--

$ cat project

                 P   R   O   J   E   C   T

                        .|  
                        | |  
                        |'|            ._____  
                ___    |  |            |.   |' .---"|  
        _    .-'   '-. |  |     .--'|  ||   | _|    |  
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |  
     |' | |.    |    ||       | |   |  |    ||      |  
 ____|  '-'     '    ""       '-'   '-.'    '`      |____  
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░    
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░   
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░   
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ 

$ curl "http://192.168.73.31/persistenceManagerAjax.php" \  
> -d "command=deleteVMobile\  
> &directory=`sleep 17`"

ABB Cylon Aspect 3.08.01 persistenceManagerAjax.php Command Injection

This white paper, titled "DTLS 'ClientHello' Race Conditions in WebRTC Implementations," details a security vulnerability affecting multiple WebRTC implementations. The research uncovers a security flaw where certain implementations fail to properly verify the origin of DTLS "ClientHello" messages in WebRTC sessions, potentially leading to denial of service attacks. The paper includes methodology, affected systems, and recommendations for mitigation.

DTLS ClientHello Race Conditions In WebRTC Implementations

Ubuntu Security Notice 7080-1 - Toshifumi Sakaguchi discovered that Unbound incorrectly handled name compression for large RRsets, which could lead to excessive CPU usage. An attacker could potentially use this issue to cause a denial of service by sending specially crafted DNS responses.

==========================================================================  
Ubuntu Security Notice USN-7080-1  
October 22, 2024

unbound vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10  
- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 LTS  
- Ubuntu 14.04 LTS

Summary:

Unbound could be made to stop responding if it received specially crafted  
DNS traffic.

Software Description:  
- unbound: validating, recursive, caching DNS resolver

Details:

Toshifumi Sakaguchi discovered that Unbound incorrectly handled name  
compression for large RRsets, which could lead to excessive CPU usage.  
An attacker could potentially use this issue to cause a denial of service  
by sending specially crafted DNS responses.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.10  
  libunbound8                     1.20.0-1ubuntu2.1  
  unbound                         1.20.0-1ubuntu2.1

Ubuntu 24.04 LTS  
  libunbound8                     1.19.2-1ubuntu3.3  
  unbound                         1.19.2-1ubuntu3.3

Ubuntu 22.04 LTS  
  libunbound8                     1.13.1-1ubuntu5.8  
  unbound                         1.13.1-1ubuntu5.8

Ubuntu 20.04 LTS  
  libunbound8                     1.9.4-2ubuntu1.9  
  unbound                         1.9.4-2ubuntu1.9

Ubuntu 18.04 LTS  
  libunbound2                     1.6.7-1ubuntu2.6+esm3  
                                  Available with Ubuntu Pro  
  unbound                         1.6.7-1ubuntu2.6+esm3  
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS  
  libunbound2                     1.5.8-1ubuntu1.1+esm2  
                                  Available with Ubuntu Pro  
  unbound                         1.5.8-1ubuntu1.1+esm2  
                                  Available with Ubuntu Pro

Ubuntu 14.04 LTS  
  libunbound2                     1.4.22-1ubuntu4.14.04.3+esm2  
                                  Available with Ubuntu Pro  
  unbound                         1.4.22-1ubuntu4.14.04.3+esm2  
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-7080-1  
  CVE-2024-8508

Package Information:  
  https://launchpad.net/ubuntu/+source/unbound/1.20.0-1ubuntu2.1  
  https://launchpad.net/ubuntu/+source/unbound/1.19.2-1ubuntu3.3  
  https://launchpad.net/ubuntu/+source/unbound/1.13.1-1ubuntu5.8  
  https://launchpad.net/ubuntu/+source/unbound/1.9.4-2ubuntu1.9

Ubuntu Security Notice USN-7080-1

Ubuntu Security Notice 7078-1 - Atte Kettunen discovered that Firefox did not properly validate before inserting ranges into the selection node cache. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-7078-1October 22, 2024firefox vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Firefox could be made to crash or run programs as your loginSoftware Description:- firefox: Mozilla Open Source web browserDetails:Atte Kettunen discovered that Firefox did not properly validate beforeinserting ranges into the selection node cache. An attacker could possiblyuse this issue to cause a denial of service or execute arbitrary code.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS  firefox                         131.0.3+build1-0ubuntu0.20.04.1After a standard system update you need to restart Firefox to make all thenecessary changes.References:  https://ubuntu.com/security/notices/USN-7078-1  CVE-2024-9936Package Information:  https://launchpad.net/ubuntu/+source/firefox/131.0.3+build1-0ubuntu0.20.04.1

Ubuntu Security Notice USN-7078-1

Ubuntu Security Notice 7072-2 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7072-2October 21, 2024linux-gke vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-gke: Linux kernel for Google Container Engine (GKE) systemsDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - Watchdog drivers;  - Netfilter;  - Network traffic control;(CVE-2024-38630, CVE-2024-27397, CVE-2024-45016)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS  linux-image-5.15.0-1068-gke     5.15.0-1068.74  linux-image-gke                 5.15.0.1068.67  linux-image-gke-5.15            5.15.0.1068.67After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7072-2  https://ubuntu.com/security/notices/USN-7072-1  CVE-2024-27397, CVE-2024-38630, CVE-2024-45016Package Information:  https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1068.74

Ubuntu Security Notice USN-7072-2

Ubuntu Security Notice 7062-2 - USN-7062-1 fixed vulnerabilities in libgsf. This update provides the corresponding updates for Ubuntu 24.10. It was discovered that libgsf incorrectly handled certain Compound Document Binary files. If a user or automated system were tricked into opening a specially crafted file, a remote attacker could possibly use this issue to execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-7062-2October 21, 2024libgsf vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.10Summary:libgsf could be made to run programs as your login if it opened a speciallycrafted file.Software Description:- libgsf: GObject introspection data for the Structured File LibraryDetails:USN-7062-1 fixed vulnerabilities in libgsf. This update provides thecorresponding updates for Ubuntu 24.10.Original advisory details: It was discovered that libgsf incorrectly handled certain Compound Document Binary files. If a user or automated system were tricked into opening a specially crafted file, a remote attacker could possibly use this issue to execute arbitrary code.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.10  libgsf-1-114                    1.14.52-1ubuntu0.1In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-7062-2  https://ubuntu.com/security/notices/USN-7062-1  CVE-2024-36474, CVE-2024-42415Package Information:  https://launchpad.net/ubuntu/+source/libgsf/1.14.52-1ubuntu0.1

Latest News