The Texas Attorney General has requested information of four more car manufacturers about their data handling.

The Texas Attorney General’s Office has started an investigation into how Ford, Hyundai, Toyota, and Fiat Chrysler collect, share, and sell consumer data, expanding an earlier probe launched last year into how modern automakers are potentially using customer driving data.

We’ve addressed cars and privacy at some length on Malwarebytes Labs and came to the conclusion—with the help of many experts in the field—that modern cars simply aren’t very good at it. Many politicians in the US agree with that point of view, too, as US senators have asked the Federal Trade Commission (FTC) to investigate car makers’ privacy practices.

As part of the investigation in Texas, the state’s Attorney General’s Office sent letters—or “notices”—to four automakers earlier this month, demanding written responses under oath.

The Notice delivered to Hyundai discusses “covered data,” which is defined as any information or data about a vehicle manufactured, sold, or leased by you, regardless of whether deidentified or anonymized. And selling data is defined as sharing, disclosing, or transferring of personal data in exchange for monetary or other valuable consideration by you to a third party.

The Notices sent to the car manufacturers are not all exactly the same, but it is clear what the Attorney General’s Office is after:

*   Methods of collection used.
*   Which third parties received the data and if any restrictions were placed on how the recipients used the data.
*   The number of affected customers.
*   How consent was obtained from these customers.

In April of 2024, Texas Attorney General Ken Paxton sent “civil investigative demands” to Kia, General Motors, Subaru and Mitsubishi seeking details of their data collection and sharing practices.

And in August, Paxton sued General Motors for selling customer driving data to third parties.

Only recently we reported how the Attorney General also went after the buyers of data like insurance company Allstate and its subsidiary Arity. Arity acts as a data broker which sold insurers the information to set prices on insurance premiums. The car manufacturers involved in that complaint are Toyota, Lexus, Mazda, Chrysler, Dodge, Fiat, Jeep, Maserati, and Ram. But they were not named as defendants in the complaint.

Paxton did single out a few mobile apps and warned them that they were violating Texas’ data privacy law. Those apps are: GasBuddy, Life360, Miles, MyRadar, SiriusXM and Tapestri.

An Allstate spokesperson stated that Arity “helps consumers get the most accurate auto insurance price after they consent in a simple and transparent way that fully complies with all laws and regulations.”

But according to the press release from the Attorney General, Allstate and other insurers used what they alleged to be covertly obtained data to justify raising Texans’ insurance rates.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Texas scrutinizes four more car manufacturers on privacy issues 

iPhones are being offered for sale with TikTok installed after the US ban caused the app to disappear from the app stores.

After TikTok was briefly banned in the US last weekend, an unusual phenomenon unearthed. Reportedly, people are selling iPhones that have TikTok installed for up to $25,000.

This may require some explanation, so bear with me.

TikTok has had a rough time in the US the last weeks. The ban we mentioned originates from back in March, when the House of Representatives passed a bill that would effectively ban TikTok from the US unless Chinese owner ByteDance agreed to give up its share of the immensely popular app.

Despite an overruled emergency injunction to stop or postpone the planned ban on the platform in the US, the ban took effect on January 19.

But TikTok’s messaging was clear, they were coming back.

> “Sorry TikTok isn’t available right now
> 
> A law banning TikTok has been enacted in the U.S. Unfortunately that means you can’t Use TikTok for now.
> 
> We are fortunate that President Trump has indicated that he will work with us on a solution to reinstate TikTok once he takes office. Please stay tuned!

And it was indeed back for millions of US users as of January 19 and 20. That is to say, for those that had the app installed.

Update 3

> Welcome back!
> 
> Thanks for your patience and support. As a result of President Trump’s efforts, TikTok is back in the U.S.!
> 
> You can continue to create, share, and discover all the thing you love on TikTok.

However, anyone that deleted or never had the app installed are unable to download it as the Apple and Google app stores in the US still don’t have it available. And despite an executive order to delay enforcing the ban, it is unclear when it will be available for download again.

**Second hand iPhones for sale**

Some people have seized on this as a money-making opportunity, selling their iPhones for thousands of dollars on eBay. But is that a smart thing to do?

According to Apple’s Support pages, there is a recommended procedure to follow before you sell, give away, or trade in your iPhone or iPad. One of those steps is to **Erase All Content and Settings**. From that page:

> “When you tap **Erase All Content and Settings**, it completely erases your device, including any credit or debit cards you added for Apple Pay and any photos, contacts, music, or apps. It will also turn off iCloud, iMessage, FaceTime, Game Center, and other services. Your content won’t be deleted from iCloud when you erase your device.”

If you want to leave an app like TikTok behind, you will have to manually erase all the other items on that list to make sure the buyer will not get hold of other private information about you. This is tough to do and is highly likely you would leave some of your data behind.

If you’re considering buying a second hand iPhone so you can use TikTok, how can you be sure that TikTok is the only thing that’s left behind? I wouldn’t put it past cybercriminals to sell devices they can still access, or even malware.

Another bad idea is to roam the internet for unofficial TikTok apps (in the form of IPA or APK files). Installing an unsigned app requires a jailbreak and it can pose significant risks to your device and personal data. Files from unreliable sources may contain malware, spyware, or information stealers and, once installed, these malicious programs can compromise your device’s security.

My advice would be to exercise some patience. TikTok may well reappear in app stores or it’ll be completely removed from access, so everyone will be in the same boat.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

 Warning: Don&#8217;t sell or buy a second hand iPhone with TikTok already installed 

A vulnerability in 7-Zip that could allow attackers to bypass the MotW security feature in Windows has been patched.

A patch is available for a vulnerability in 7-Zip that could have allowed attackers to bypass the Mark-of-the-Web (MotW) security feature in Windows.

The MotW is an attribute added to files by Windows when they have been sourced from an untrusted location, like the internet or a restricted zone. The MotW is what triggers warnings that opening or running such files could lead to potentially dangerous behavior, including installing malware on their devices. 7-Zip added support for MotW in June 2022.

The MotW also makes sure that Office documents that are marked with the MotW will be opened in Protected View, which automatically enables read-only mode and means that all macros will be disabled until the user allows them.

MotW security warning in file properties

For years, attackers were able to bypass the MotW by putting their malicious files in archives. This worked because the MotW is in fact another file that is attached to the main file as an Alternate Data Stream (ADS), and over the years we have seen many vulnerabilities in archivers where the ADS didn’t pass on the individual files when the archive was decompressed.

The same is true this time. Only the attacker will have to prepare an especially crafted nested archive. A nested archive means there is an open archive inside another open archive. Exploitation of the vulnerability also requires user interaction, meaning the target will have to visit a malicious page or open a malicious file.

If you’re a Windows user, check whether you are using version 7-Zip 24.09 or later. If you’re not, then they’ll need to update.

7-Zip does not have an auto-update function, so you will have to download the version that is suitable for your system from the 7-Zip downloads page.

**Other security measures**

There are some general safety tips to keep in mind when you’re handling archived files on a regular basis:

*   Keep track of how and where you obtained the archive.
*   Always be careful when opening archived files that you downloaded from the internet.
*   Make sure you are using an updated anti-malware solution that is capable of scanning inside archives, and you have that setting enabled.

Malwarebytes scan within archives option enabled

*   Keep track of who accesses archived files and when. This can help identify unauthorized access attempts and help monitor unwanted changes.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 7-Zip bug could allow a bypass of a Windows security feature. Update now 

Forget OSINT, AI-supported tool GeoSpy can determine a person's location based on their surroundings in a picture.

It’s just become even more important to be conscious about the pictures we post online.

GeoSpy is an Artificial Intelligence (AI) supported tool that can derive a person’s location by analyzing features in a photo like vegetation, buildings, and other landmarks. And it can do so in seconds based on one picture.

Graylark Technologies who makes GeoSpy says it’s been developed for government and law enforcement. But the investigative journalists from 404 Media report that the tool has also been used for months by members of the public, with many making videos marveling at the technology, and some asking for help with stalking specific women.

404 Media says the company trained GeoSpy on millions of images from around the world and can recognize distinct geographical markers such as architectural styles, soil characteristics, and their spatial relationships.

Using the tool to determine anyone’s location requires virtually no training, so anybody can do it. Normally, it would take open source intelligence (OSINT) professionals quite some time of training and experience to reach the level of speed and accuracy that GeoSpy delivers to an untrained individual.

This means that even the most non tech-savvy individual could find a person of interest based on pictures posted on social media, despite the fact that social media strips the metadata—which could include GPS coordinates or other useful information—from these pictures.

Based on its testing and conversations with users, 404 Media concluded:

> “GeoSpy could radically change what information can be learned from photos posted online, and by whom.”

Even if the tool is unable to narrow down the location to an exact street address or block, based on vegetation it can bring down the search area to a few square miles.

The company’s founder says he has pushed back against requests from people asking to track particular women. Now GeoSpy has closed off public access to the tool, after 404 Media asked him for a comment.

Aside from the contribution towards a surveillance society, the risks of such a tool are obvious. It poses several significant dangers, particularly concerning privacy, security, and potential abuse if a stalker can access it. Another worry concerns the security of the storage for the data that is used and found by this tool. When involved in a breach, a host of information could become available to cybercriminals.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

 AI tool GeoSpy analyzes images and identifies locations in seconds 

Companies are showing customers different prices for the same goods and services based what data they have on them, including details like their precise location or browser history.

Companies are showing customers different prices for the same goods and services based what data they have on them, including details like their precise location or browser history.

The name for this method is surveillance pricing, and the FTC has just released initial findings of a report looking into that practice. In July 2024, the FTC requested information from eight companies offering surveillance pricing products and services that incorporate data about consumers’ characteristics and behavior.

The goal was to get a better understanding of the “shadowy market” that third-party intermediaries use to set individualized prices for products and services based on consumers’ characteristics and behaviors, like location, demographics, browsing patterns, and shopping history.

Speaking to staff at these firms, the FTC found that behaviors ranging from mouse movements on a webpage to the type of products that consumers leave in an online shopping cart without clicking Buy can be tracked and used by retailers to tailor consumer pricing.

The intermediaries claimed they used advanced algorithms, artificial intelligence, and other technologies, along with personal information about consumers to determine targeted prices.

FTC chair Lina M. Khan said:

>  “Americans deserve to know whether businesses are using detailed consumer data to deploy surveillance pricing, and the FTC’s inquiry will shed light on this shadowy ecosystem of pricing middlemen.”

The first priorities to investigate are:

*   The types of products and services engaged in surveillance pricing
*   Data sources and who collected them
*   Who the potential customers are
*   How surveillance pricing impacted the prices offered to these customers.

This is nothing new, we’ve seen numerous times that insurance companies are very interested in our lifestyle and will happily charge more or even refuse to take us in as customers if they think we’re too much of a risk.

But, needless to say, surveillance pricing can have serious consequences, not only for our privacy, but also for fair competition and for consumer protection.

Probably the most shocking thing is the type of information that could be involved. The FTC notes that some of these companies even created lists of people suffering from diseases for the purpose of targeting them with offers for ineffective or worthless cures. This makes the introduction of a bill saying data brokers should stop trading health and location data perfectly understandable.

**What can you do?**

When it comes to sharing data online, we’ve all heard someone say, “What’s the big deal when I have nothing to hide?”

Well, this is exactly the deal: By exposing their private data online, they might well end up with companies charging them more. It’s a no brainer that we should all be sharing as little as possible. Here’s how:

*   Limit what you share on social media as much as possible, and try to keep personal data out of photos and written posts
*   Only tell companies the information that they need for the service or product they’re providing. Use false information as much as possible
*   If you are asked to share your location data with an app and there’s no clear reason why you might need to, deny the app that permission
*   If you have to share your location—for example, when using a map app—choose the “Allow only while using the app” option, so that it will be unable to continuously track your location and movement
*   Read privacy policies, however boring they are. Understand how the company will be using your data
*   Block web tracking wherever you can. Malwarebytes Browser Guard automatically declines the cookie consent banners you see on websites, opting you out of data collection performed by tracking cookies (and it’s free).

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Your location or browsing habits could lead to price increases when buying online 

Last week on Malwarebytes Labs: Last week on ThreatDown: Stay safe!

January 17, 2025 - A cybercriminal campaign linked to Russia is deploying QR codes to access the WhatsApp accounts of high-profile targets like journalists, members...

January 16, 2025 - Avery has confirmed its website was compromised by a credit card skimmer that potentially affected over 60,000 customers.

January 16, 2025 - The FBI has announced it's deleted PlugX malware from approximately 4,258 US-based computers and networks.

January 15, 2025 - An ongoing malvertising campaign steals Google advertiser accounts via fraudulent ads for Google Ads itself.

January 14, 2025 - An insurance company is accused of unlawfully collecting, using, and selling location data from millions of people's cell phones.

 A week in security (January 13 &#8211; January 19) 

A cybercriminal campaign linked to Russia is deploying QR codes to access the WhatsApp accounts of high-profile targets like journalists, members...

A cybercriminal campaign linked to Russia is deploying QR codes to access the WhatsApp accounts of high-profile targets like journalists, members of think tanks, and employees of non-governmental organizations (NGOs), according to new details revealed by Microsoft.

The group, which Microsoft tracks by the name “Star Blizzard,” is also referred to as Coldriver by other researchers. Last year, the group created impersonation accounts where members posed as experts in a field that their targets might be interested in—or that was somehow affiliated with the target. Once a relationship had been established, the target would receive a phishing link or a document that contained a phishing link.

But over time, that tactic became widely known, and part of the cybercriminals’ infrastructure was taken down. Now, it seems the group has changed tactics and is sending QR codes instead of malicious links to the targets that they have established an initial relationship with.

These QR codes do not take the target to a malicious website, nor will they join them to the promised WhatsApp group on “the latest non-governmental initiatives aimed at supporting Ukraine NGOs,” as is claimed in one of the cybercriminal lures.

In reality, the link in the QR code is intentionally broken. The idea is that the target will respond with a remark about the broken link. When that happens the cybercriminals send out a shortened URL to a website that displays another QR code.

_Screenshot courtesy of Microsoft_

> “I apologize for the inconvenience with the QR code. Kindly try this alternative link: US-Ukraine NGOs Group  
> It should work without any issues.

By scanning this QR code and following the instructions on the website they confirm the addition of an extra device to the WhatsApp account of the target. With that access the group can read the messages in their WhatsApp account and use existing browser plugins, particularly those designed for exporting WhatsApp messages from an account accessed via WhatsApp Web.

**How to stay safe**

These spear phishing campaigns are highly targeted and you’ll probably never see an invite to this group. But cybercriminals tend to copy ideas that work, so you may see them in another form.

There are a few simple rules that will help you avoid this kind of phishing.

*   Always hover over links before clicking them.
*   When you find a shortened URL, think about the possible reason for shortening. Was there a real need to do this or is it just meant to hide the destination?
*   When still in doubt, unshorten the URL.
*   When following instructions on a website, scrutinize whether the prompts on your device actually match the expected ones. WhatsApp will double-check whether you want to add a device to the account.
*   Double-check whether the sender is who they claim to be through another method of contact.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 WhatsApp spear phishing campaign uses QR codes to add device 

Avery has confirmed its website was compromised by a credit card skimmer that potentially affected over 60,000 customers.

The consequences of a wave of credit card skimmers—which is normal around the holidays—are starting to show.

Label maker Avery has filed a data breach notification, saying 61,193 people may have had their credit card details stolen.

On December 9, Avery said it became aware of an attack on its systems. An investigation showed that cybercriminals had inserted malicious software that was used to “scrape” credit card information used on its website. This credit card skimmer was active between July 18, 2024, and December 9, 2024.

Avery has sent emails to affected customers to let them know their data has been stolen.

The information potentially included:

*   First and last name
*   Billing and shipping address
*   Email address
*   Phone number if provided
*   Payment card information including CVV number and expiration date
*   Purchase amount

Avery says it has received a number of reports from affected customers who said that they incurred a fraudulent charge and/or received a phishing email.

A credit card skimmer is a piece of malware that is injected into a website, often through vulnerabilities in the content management system (CMS) or the plugins that the site owner uses. 

When visiting a site that has a card skimmer on it, you’re unlikely to even know it is there. Card skimmers are experts in injecting JavaScript code, especially on web shops which heavily rely on that type of code, which increases the chance that the extra code will not stand out. Sadly, card skimmers are all too commonplace, but there are things you can do to prevent your details being caught by one.

**How to protect yourself from card skimmers**

*   **Run a security solution and keep it up to date**. Most antivirus products—including Malwarebytes Premium—offer some kind of web protection that detects malicious domains and IP addresses.
*   **Enable in-browser protection**. Malwarebytes Browser Guard—a browser extension available for Chrome, Edge, Firefox and Safari—blocks card skimmers. It also stops annoying ads and trackers, warns about breaches, and flags malicious websites. You can see it in action here, blocking a piece of JavaScript hosted on an otherwise legitimate site:

Malwarebytes Browser Guard blocks credit card skimmer JavaScript

*   **Keep an eye on your financial statements**. Regularly check your online bank and credit card statements. Flag anything that seems suspicious.
*   **Set up identity and credit monitoring**. Identity monitoring alerts you if your personal information is found being illegally traded online, and helps you recover after. Credit monitoring tracks your credit report and borrowing behavior and alerts you if anything changes. A breached company may offer this as a service to you (like Avery is), but you can also get different levels of monitoring solutions, depending on your individual need.

More information on how to act after falling victim to a data breach can be found in our article: **Involved in a data breach? Here’s what you need to know**.

 Avery had credit card skimmer stuck on its site for months 

The FBI has announced it's deleted PlugX malware from approximately 4,258 US-based computers and networks.

The FBI says it has removed PlugX malware from thousands of infected computers worldwide.

The move came after suspicion that cybercriminals groups under control of the People’s Republic of China (PRC) used a version of PlugX malware to control, and steal information from victims’ computers.

PlugX has been around since at least 2008 but is under constant development. With the remote access it provides criminals, it is often used to spy on users and plant additional malware on interesting systems.

Among others, the PlugX Remote Access Trojan (RAT) was used in a lasting campaign uncovered last year in which a Chinese group known as “Velvet Ant” used compromised F5 BIG-IP appliances to gain access to networks, managing to stay hidden for years.

US Attorney Jacqueline Romero for the Eastern District of Pennsylvania commented:

> “This wide-ranging hack and long-term infection of thousands of Windows-based computers, including many home computers in the United States, demonstrates the recklessness and aggressiveness of PRC state-sponsored hackers.”

After researchers found out that thousands of infected machines reported to one specific IP address, they managed to seize control over the IP address that served as a Command & Control (C2) server.

In close cooperation with the French authorities, the FBI and Justice Department used this IP address to “sinkhole” the botnet. Sinkholing in this context means that the redirection of traffic from its original destination to one specified by the sinkhole owners. The altered destination is known as the sinkhole.

With control of the sinkhole, a specially configured DNS server can simply route the requests of the bots to a fake C2 server. This provides the controller of the sinkhole with valuable information about the affected systems and an opportunity to send commands to delete the PlugX version from the connecting devices.

FBI special agent in Charge Wayne Jacobs of the FBI Philadelphia Field Office said:

> “The FBI worked to identify thousands of infected US computers and delete the PRC malware on them. The scope of this technical operation demonstrates the FBI’s resolve to pursue PRC adversaries no matter where they victimize Americans.”

The FBI says it is notifying those who had the malware deleted from their computers via their internet service providers (ISPs).

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 PlugX malware deleted from thousands of systems by FBI 

An ongoing malvertising campaign steals Google advertiser accounts via fraudulent ads for Google Ads itself.

**Table of contents**

*   Overview
*   Criminals impersonate Google Ads
*   Lures hosted on Google Sites
*   Phishing for Google account credentials
*   Victimology
*   Who is behind these campaigns?
*   Fuel for other malware and scam campaigns
*   Indicators of Compromise

**Overview**

Online criminals are targeting individuals and businesses that advertise via Google Ads by phishing them for their credentials — ironically — via fraudulent Google ads.

The scheme consists of stealing as many advertiser accounts as possible by impersonating Google Ads and redirecting victims to fake login pages. We believe their goal is to resell those accounts on blackhat forums, while also keeping some to themselves to perpetuate these campaigns.

This is the most egregious malvertising operation we have ever tracked, getting to the core of Google’s business and likely affecting thousands of their customers worldwide. We have been reporting new incidents around the clock and yet keep identifying new ones, even at the time of publication.

The following diagram illustrates at a high level the mechanism by which advertisers are getting fleeced:

_Figure 1: Process flow for this Google Ads heist campaign_

_Back to top_

**Criminals impersonate Google Ads**

Advertisers are constantly trying to outbid each other to reach potential customers by buying ad space on the world’s number one search engine. This earned Google a whopping $175 billion in search-based ad revenues in 2023. Suffice to say, the budgets spent in advertising can be considerable and of interest to crooks for a number of reasons.

We first started noticing suspicious activity related to Google accounts somewhat accidentally, and after a deeper look we were able to trace it back to malicious ads for… Google Ads itself! Very quickly we were overwhelmed by the onslaught of fraudulent “Sponsored” results, specifically designed to impersonate Google Ads, as can be seen in _Figure 2_:

_Figure 2: A malicious ad masquerading as Google Ads_

While it is hard to believe such a thing could actually happen, the proof is there when you click on the 3-dot menu that shows more information about the advertiser. We have partially masked the victim’s name, but clearly it is not Google; they are just one of the many accounts that have already been compromised and abused to trick more users:

_Figure 3: The advertiser behind this ad is not affiliated with Google at all_

People who will see those ads are individuals or businesses that want to advertise on Google Search or already do. Indeed, we saw numerous ads specifically for each scenario, sign up or sign in, as seen in _Figure 4_:

_Figure 4: Two ads for signing up and sign in to Google Ads respectively_

The fake ads for Google Ads come from a variety of individuals and businesses, in various locations. Some of those hacked accounts already had hundreds of other legitimate ads running, and one of them was for a popular Taiwanese electronics company.

_Figure 5: Victim accounts spending their own budgets on fake Google Ads_

To get an idea of the geographic scope of these campaigns, we performed the same Google search simultaneously from several different geolocations (using proxies). First, here’s the malicious ad from a U.S. IP address belonging to a business registered in Paraguay:

_Figure 6: U.S.-based search showing fake Google ad_

Now, here’s that same ad that appears on Google Search in several other countries:

_Figure 7: The same ad found in different countries_

_Back to top_

**Lures hosted on Google Sites**

Once victims click on those fraudulent ads, they are redirected to a page that looks like Google Ads’ home page, but oddly enough, it us hosted on Google Sites. These pages act as a sort of gateway to external websites specifically designed to steal the usernames and passwords from the coveted advertisers’ Google accounts.

_Figure 8: A malicious Google Sites page impersonating Google Ads_

There’s a good reason to use Google Sites, not only because it’s a free and a disposable commodity but also because it allows for complete impersonation. Indeed, you cannot show a URL in an ad unless your landing page (final URL) matches the same domain name. While that is a rule meant to protect abuse and impersonation, it is one that is very easy to get around.

_Figure 9: The rule that stipulates display URLs and final URLs must have matching domains_

Looking back at the ad and the Google Sites page, we see that this malicious ad does not strictly violate the rule since _sites**.google.com**_ uses the same root domains ads _ads**.google.com**_. In other words, it is allowed to show this URL in the ad, therefore making it indistinguishable from the same ad put out by Google LLC..

_Figure 10: The malicious ad does not violate Google’s rule on the use of the display URL_

_Back to top_

**Phishing for Google account credentials**

After the victims click on the “Start now” button found on the Google Sites page, they are redirected to a different site which contains a phishing kit. JavaScript code fingerprints users while they go through each step to ensure all important data is being surreptitiously collected.

_Figure 12: The actual phishing page that follows_

Finally, all the data is combined with the username and password and sent to the remote server via a POST request. We see that criminals even receive the victim’s geolocation, down to the city and internet service provider.

_Figure 12: POST web request with victim’s details_

_Back to top_

**Victimology**

There are multiple online reports of people who saw the fake Google Ads and shared their experiences:

*   Help with removing a dangerous scam in Google Ads (_Google Ads Help forum_)
*   Google Ads Phishing Scam (_Reddit_)
*   It’s just me or Google just sponsored a link to a phising site for Google ads? (_Reddit_)
*   Be aware of fake google page, clicked by accident (_Reddit_)
*   Warning! First sponsorized google answer for “Google ads” is a phishing attempt ! (_BlueSky_)

We were able to get in touch with a couple of victims who not only saw the ads but were actually scammed and lost money. Thanks to their testimony and our own research, we have a better idea of the criminals’ modus operandi:

*   Victim enters their Google account information into phishing page
*   Phishing kit collects unique identifier, cookies, credentials
*   Victim may receive an email indicating a login from an unusual location (Brazil)
*   If the victim fails to stop this attempt, a new administrator is added to the Google Ads account via a different Gmail address
*   Threat actor goes on a spending spree, locks out victim if they can

_Back to top_

**Who is behind these campaigns?**

We identified two main groups of criminals running this scheme but the more prolific by far is one made of Portuguese speakers likely operating out of Brazil. Victims have also shared that they had received a notification from Google indicating suspicious logins from Brazil. Unfortunately, those notifications often came too late or where dismissed as legitimate, and the criminals already had time to do some damage.

We should also note a third campaign that is very different from the other two, and where the threat actors’ main goal is to distribute malware. The Google Ads phishing scheme may have been a temporary run which was not their main focus.

**Brazilian team**

In the span of a few days, we reported over 50 fraudulent ads to the Google Ad team all coming from this Brazilian group. We quickly realized that no matter how many reported incidents and takedowns, the threat actors managed to keep at least one malicious ad 24/7.

_Figure 13_ shows the network traffic resulting from a click on the ad. You will see multiple hops before finally arriving to the phishing portal. The second URL shows the crooks are using a paid service to detect fake traffic.

Figure 13: Network traffic from the ‘Brazilian campaign’

Within the JavaScript code part of the phishing kit, there are comments in Portuguese. _Figure 14_ shows a portion of the code that does browser fingerprinting, which is a way of identifying users. Browser language, system CPU, memory, screen-width, and time zone are some of the data points collected and then hashed.

Figure 14: Identifying users via various settings

**Asian team**

The second group is using advertiser accounts from Hong Kong and appears to be Asia-based, perhaps from China. Interestingly, they also use the same kind of delivery chain by leveraging Google sites. However, their phishing kit is entirely different from their Brazilian counterparts.

Figure 15: Web traffic for the ‘Chinese campaign’

_Figure 16_ below shows a code extract with comments in Chinese, as well as a function called _xianshi_, which could be in reference to a Chinese general of the late Qing dynasty or even a superhero from more modern gaming and literature.

Figure 16: Code with comments in Chinese

**Third campaign (possibly Eastern European)**

We observed another campaign which has a very different modus operandi. Google Sites is not involved at all, and instead they rely on a fake CAPTCHA lure and heavy obfuscation of the phishing page.

Interestingly, the malicious ad we found was for Google Authenticator, despite the obvious ads-goo\[.\]click domain name. However, for about day or so, the redirect from that domain lead directly to a phishing portal hosted at _ads-overview\[.\]com_.

The reason why we suggest the threat actors may be Eastern Europeans here is because of the type of redirects and obfuscation. There is also a distant feel of ‘software download via Google ads’ we have reported on previously (see _Threat actor impersonates Google via fake ad for Authenticator_).

Figure 17: A malicious ad for Google Authenticator and fake CAPTCHA

A PHP script (_cloch.php_) then determines if the visitor is genuine or not (likely doing a server-side IP check). VPNs, bot and detection tools will get a “white” page showing some bogus instructions on how to run a Google Ads campaign. Victims are instead redirected to _ads-overview\[.\]com_ which is a phishing portal for Google accounts.

Figure 18: Cloaking in action with a ‘white’ page or the phishing page

When we checked back on this campaign a few days later, we saw that the ad URL now redirected to a fake Google Authenticator site, likely to download malware. The redirection mechanism is shown in _Figure_ 20:

Figure 19: Web traffic for fake Google Authenticator site

_Back to top_

**Fuel for other malware and scam campaigns**

Stolen Google Ads accounts are a valuable commodity among thieves. As we have detailed it many times on this blog, there are constant malvertising campaigns leveraging compromised advertiser accounts to buy ads that push scams or deliver malware.

*   Printer problems? Beware the bogus help
*   Malicious ad distributes SocGholish malware to Kaiser Permanente employees
*   Hello again, FakeBat: popular loader returns after months-long hiatus
*   Large scale Google Ads campaign targets utility software

If you think about it for a second, crooks are using someone else’s budget to further continue spreading malfeasance. Whether those dollars are spent towards legitimate ads or malicious ones, Google still earns revenues from those ad campaigns. The losers are the hacked advertisers and innocent victims that are getting phished.

As result, taking action on compromised ad accounts plays a key part in driving down malvertising attacks. Google has yet to show that it takes definitive steps to freeze such accounts until their security is restored, despite their own policy on the subject (_Figure 20_). For example, we recently saw a case where the same advertiser that had already been reported 30 times, was still active.

_Figure 20: Google’s policy regarding violations_

As the scourge of fraudulent ads continues, we urge users to pay particular attention to sponsored results. Ironically, it’s quite possible that individuals and businesses that run ad campaigns are not using an ad-blocker (to see their ads and those from their competitors), making them even more susceptible to fall for these phishing schemes.

**We don’t just report on threats—we block them**

_Cybersecurity risks should never spread beyond a headline. Keep threats off by downloading Malwarebytes Browser Guard today._

_Back to top_

**Indicators of Compromise**

Fake Google Sites pages

sites\[.\]google\[.\]com/view/ads-goo-vgsgoldx  
sites\[.\]google\[.\]com/view/ads-word-cmdw  
sites\[.\]google\[.\]com/view/ads-word-makt  
sites\[.\]google\[.\]com/view/ads-word-whishw  
sites\[.\]google\[.\]com/view/ads-word-wwesw  
sites\[.\]google\[.\]com/view/ads-word-xvgt  
sites\[.\]google\[.\]com/view/ads3dfod6hbadvhj678  
sites\[.\]google\[.\]com/view/adwoord  
sites\[.\]google\[.\]com/view/aluado01  
sites\[.\]google\[.\]com/view/ap-rei-pandas  
sites\[.\]google\[.\]com/view/appsd-adsd  
sites\[.\]google\[.\]com/view/asd-app-goo  
sites\[.\]google\[.\]com/view/connectsing/addss  
sites\[.\]google\[.\]com/view/connectsingyn/ads  
sites\[.\]google\[.\]com/view/entteraccess  
sites\[.\]google\[.\]com/view/exercitododeusvivo  
sites\[.\]google\[.\]com/view/fjads  
sites\[.\]google\[.\]com/view/goitkm/google-ads  
sites\[.\]google\[.\]com/view/hdgstt  
sites\[.\]google\[.\]com/view/helpp2k  
sites\[.\]google\[.\]com/view/hereon/1sku4yf  
sites\[.\]google\[.\]com/view/hgvfvd  
sites\[.\]google\[.\]com/view/joaope-defeijao  
sites\[.\]google\[.\]com/view/jthsjd  
sites\[.\]google\[.\]com/view/logincosturms/ads  
sites\[.\]google\[.\]com/view/logins-words-officails  
sites\[.\]google\[.\]com/view/logins-words-officsdp  
sites\[.\]google\[.\]com/view/marchatrasdemarcha  
sites\[.\]google\[.\]com/view/newmanage/page  
sites\[.\]google\[.\]com/view/one-vegas  
sites\[.\]google\[.\]com/view/one-vegasw  
sites\[.\]google\[.\]com/view/onvg-ads-word  
sites\[.\]google\[.\]com/view/oversmart/new  
sites\[.\]google\[.\]com/view/pandareidel  
sites\[.\]google\[.\]com/view/polajdasod6hbad  
sites\[.\]google\[.\]com/view/ppo-ads  
sites\[.\]google\[.\]com/view/quadrilhadohomemtanacasakaraio  
sites\[.\]google\[.\]com/view/ricobemnovinhos  
sites\[.\]google\[.\]com/view/s-ad-offica  
sites\[.\]google\[.\]com/view/s-wppa  
sites\[.\]google\[.\]com/view/sdawjj  
sites\[.\]google\[.\]com/view/semcao  
sites\[.\]google\[.\]com/view/sites-gb  
sites\[.\]google\[.\]com/view/soarnovo  
sites\[.\]google\[.\]com/view/so-ad-reisd  
sites\[.\]google\[.\]com/view/spiupiupp-go  
sites\[.\]google\[.\]com/view/start-smarts  
sites\[.\]google\[.\]com/view/start-smarts/homepage/  
sites\[.\]google\[.\]com/view/umcincosetequebratudo  
sites\[.\]google\[.\]com/view/vewsconnect  
sites\[.\]google\[.\]com/view/vinteequatroporquarenta  
sites\[.\]google\[.\]com/view/xvs-wods-ace  
sites\[.\]google\[.\]com/view/zeroumnaoezerodois  
sites\[.\]google\[.\]com/view/zeroumonlinecomosmp

Phishing domains

account-costumers\[.\]site  
account-worda-ads\[.\]benephica\[.\]com  
account-worda-ads\[.\]cacaobliss\[.\]pt  
account\[.\]universitas-studio\[.\]es  
accounts-ads\[.\]site  
accounts\[.\]google\[.\]lt1l\[.\]com  
accounts\[.\]goosggles\[.\]com  
accounts\[.\]lichseagame\[.\]com  
accousnt-ads\[.\]tmcampos\[.\]pt  
accousnt\[.\]benephica\[.\]pt  
accousnt\[.\]hyluxcase\[.\]me  
accousnt\[.\]whenin\[.\]pt  
ads-goo\[.\]click  
ads-goog\[.\]link  
ads-google\[.\]io-es\[.\]com  
ads-overview\[.\]com  
ads1.google.lt1l.com  
ads1\[.\]google\[.\]veef8f\[.\]com  
adsettings\[.\]site  
adsg00gle-v3\[.\]vercel\[.\]app  
adsgsetups\[.\]shop  
advertsing-acess\[.\]site  
advertsing-v3\[.\]site  
as\[.\]vn-login\[.\]shop  
benephica\[.\]pt  
cacaobliss\[.\]pt  
colegiopergaminho\[.\]pt  
docs-pr\[.\]top  
tmcampos\[.\]pt  
vietnamworks\[.\]vn-login\[.\]shop

_Back to top_

Source

Malwarebytes