Malvertising made a resurgence in 2023, with cybercriminals creating malicious ads and websites imitating Amazon, TradingView, and Rufus.

On the internet, people need to worry about more than just opening suspicious email attachments or entering their sensitive information into harmful websites—they also need to worry about their Google searches.

That’s because last year, as revealed in our 2024 ThreatDown State of Malware report, cybercriminals flocked to a malware _delivery_ method that doesn’t require they know a victim’s email address, login credentials, personal information, or, anything, really.

Instead, cybercriminals just need to fool someone into clicking on a search result that looks remarkably legitimate.

This is the work of “malicious advertising,” or “malvertising,” for short. Malvertising is not malware itself. Instead, it’s a sneaky process of placing malware, viruses, or other cyber infections on a person’s computer, tablet, or smart phone. The malware that eventually slips onto a person’s device comes in many varieties, but cybercriminals tend to favor malware that can steal a person’s login credentials and information. With this newly stolen information, cybercriminals can then pry into sensitive online accounts that belong to the victim.

But before any of that digital theft can occur, cybercriminals must first ensnare a victim, and they do this by abusing the digital ad infrastructure underpinning Google search results.

Think about searching on Google for “running shoes”—you’ll likely see ads for Nike and Adidas. A Google search for “best carry-on luggage” will invariably produce ads for the consumer brands Monos and Away. And a Google search for a brand like Amazon will show, as expected, ads for Amazon.

But cybercriminals know this, and in response, they’ve created ads that _look_ legitimate, but instead direct victims to malicious websites that carry malware. The websites themselves, too, bear a striking resemblance to whatever product or brand they’re imitating, so as to maintain a charade of legitimacy. From these websites, users download what they think is a valid piece of software, instead downloading malware that leaves them open to further attacks.

_A malicious ad for the KeePass password manager appears as a legitimate ad._

__The real KeePass website (left) side-by-side with a malvertising site (right)__.

It’s true that malvertising is often understood as a risk to businesses, but the copycat websites that are created by cybercriminals can and often do impersonate popular brands for everyday users, too.

As revealed in our 2024 ThreatDown State of Malware report, the five most impersonated brands for malvertising last year included:

1.  Amazon
2.  Rufus
3.  Weebly
4.  NotePad++
5.  TradingView

These five brands may not all carry the same familiarity, but their products and services capture a broad swath of user interest, from Weebly’s website creation products, to TradingView’s investment trading platform, to Rufus’s niche-but-useful portable OS booting tool.

****Why the increase in malvertising last year?****

If Google ads have been around for more than a decade, why are they only being abused by cybercriminals now? The truth is, malvertising has been around for years, but a particular resurgence was recorded more recently.

In 2022, cybercriminals lost access to one of their favorite methods of delivering malware.

That summer, Microsoft announced that it would finally block “macros” that were embedded into files that were downloaded from the internet. Macros are essentially instructions that users can program so that multiple tasks can be bundled together. The danger, though, is that cybercriminals would pre-program macros within certain files for Microsoft Word, Excel, or PowerPoint, and then send those files as malicious email attachments. Once those attachments were downloaded and opened by users, the embedded macros would trigger a set of instructions directing a person’s computer to install malware from a dangerous website online.

Macros were a scourge for cybersecurity for years, as they were effective and easy to deliver.

But when Microsoft restricted macro capabilities in 2022, cybercriminals needed to find another malware delivery channel. They focused on malvertising.

Today’s malvertising is increasingly sophisticated, as cybercriminals can create and purchase online ads that target specific types of users based on location and demographics. Concerningly, modern malvertising can even avoid basic fraud detection as cybercriminals can create websites that determine whether a user is a real person or simply a bot that is trawling the web to find and flag malicious activity.

****How to protect against malvertising****

The threat of malvertising is multi-layered: There are the fraudulent ads that cybercriminals place on Google search results, the malicious websites that imitate legitimate brands and companies to convince users to download malware, and the malware infection itself.

As such, any successful defense strategy must be multi-layered.

For safe browsing, people can rely on Malwarebytes Browser Guard, a browser extension that blocks third-party tracking and flags malicious websites known to be in the control of cybercriminals. As we wrote before:

> “Malwarebytes Browser Guard provides additional protection to standard ad-blocking features by covering a larger area of the attack chain all the way to domains controlled by attackers. Thanks to its built-in heuristic engine it can also proactively block never-before-seen malicious websites.”

The problem with malvertising, though, is that new malicious websites are created every single day. Cybersecurity defenders, then, are often caught in a game of catch-up.

Here, users can find safety from Malwarebytes Premium, which provides real-time protection to detect and stop any cyberthreats that get installed onto a device, even if those threats are masquerading as legitimate apps or software.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Malvertising: This cyberthreat isn’t on the dark web, it’s on Google 

A Ukrainian national that is being accused of operating the Raccoon Infostealer in a Malware-as-a-Service has been extradited to the US.

A Ukrainian national, Mark Sokolovsky, has been indicted for crimes related to fraud, money laundering and aggravated identity theft and extradited to the United States from the Netherlands, the US Attorney’s Office of the Western District of Texas has announced.

In March 2022, around the same time of Sokolovsky’s arrest by Dutch authorities, the FBI and law enforcement partners in Italy and the Netherlands dismantled the digital infrastructure supporting the Raccoon Infostealer, taking its then existing version offline.

On September 13, 2022, the Amsterdam District Court ordered Sokolovsky’s extradition to Texas, where many of his victims were located. After the Sokolovsky’s appeal was dismissed in June of 2023, the extradition could take place.

Sokolovsky is suspected of operating the Raccoon Infostealer as a malware-as-a-service (MaaS). This means criminals intent on stealing information could “hire” the malware and the infrastructure to steal data from victim computers.

For this reason Sokolovsky is charged with one count of conspiracy to commit fraud and related activity in connection with computers; one count of conspiracy to commit wire fraud; one count of conspiracy to commit money laundering; and one count of aggravated identity theft. He made his initial court appearance February 9, and is being held in custody pending trial. If convicted, he will be sentenced to a maximum of 20 years for wire fraud and money laundering, five years for computer fraud charges, and a mandatory two-year term for identity theft offenses.

The Raccoon Infostealer operation is a tightly-run ship, to the extent that customers have digital signatures tied to their executables. If files end up on malware scanning services, the malware authors know exactly where the leak originated.

Raccoon’s two most popular delivery methods are phishing campaigns (the tried and tested malicious Word document/Macro combination) and exploit kits. Once data is located on the target system, it is eventually placed into a .zip file and sent to the malware Command and Control (C&C) server.

The main targets of the stealer are credit card data, autofill entries, browser passwords, and cryptocurrency wallets.

The FBI identified at least 50 million unique credentials stolen by Raccoon Infostealer from victims worldwide. Because of this, the agency has created a dedicated website, raccoon.ic3.gov, where potential victims can check if their data has been stolen. All they need to do is to enter their email address. Note, however, that the website only contains data for US-based victims. 

The FBI also encourages potential victims to fill out a detailed complaint and share the harm the malware caused them at the FBI’s Crime Complaint Center (IC3).

If you want to find out how much of your own data is exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 Raccoon Infostealer operator extradited to the United States 

LockBit's position as ransomware's biggest beast is suddenly in doubt.

For the last two years the absolute worst, most prolific, most globally significant “big game” ransomware gang has been LockBit.

This evening its position as ransomware’s biggest beast is suddenly in doubt, following some non-consensual website redecoration at the hands of the UK’s National Crime Agency (NCA).

The LockBit data leak site has a new look

The LockBit dark web site usually hosts the names and data of organisations that refused to pay ransoms. That’s been replaced by a message from the NCA, saying:

> This site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’.

Repleat with the flags and badges of the countries and agencies involved, the new look site promises there is more to come. “We can confirm that Lockbit’s services have been disrupted as a result of International Law Enforcement action – this is an ongoing and developing operation. Return here for more information at: 11:30 GMT on Tuesday 20th Feb.

Since the demise of Conti in 2022, LockBit has been unchallenged as the most prolific ransomware group in the world. In the last 12 months it has racked up more than two and half times as many known attacks as ALPHV, its closest rival.

Top 5 ransomware gangs by known attacks, February 2023 – January 2024

At this stage we have no idea how serious the damage to LockBit is, and law enforcement is only claiming that the group has been “disrupted”. However, even if that disruption isn’t fatal, it will doubtless raise serious questions among LockBit’s criminal associates.

LockBit sells ransomware-as-a-service (RaaS) to “affiliates”, criminal gangs who use the service to carry out ransomware attacks. Even if LockBit can rebuild its infrastructure elsewhere those affiliates now have every reason to question its credibility.

The takedown comes just two months after LockBit’s biggest rival, ALPHV, also suffered a serious mauling at the hands of international law enforcement, before staggering back to its feet.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

You can learn more about the threat of big game ransomware like LockBit and ALPHV in our 2024 State of Malware report.

 LockBit, the world&#8217;s worst ransomware, is down 

CISA has issued an advisory after the discovery of documents containing information about a state government organization’s network environment on a dark web brokerage site.

CISA (the Cybersecurity & Infrastructure Security Agency) has issued a cybersecurity advisory after the discovery of documents containing host and user information of a state government organization’s network environment—including metadata—on a dark web brokerage site.

An attacker managed to compromise network administrator credentials through the account of a former employee of the organization. The attacker managed to authenticate to an internal virtual private network (VPN) access point, further navigate the victim’s on-premises environment, and execute various lightweight directory access protocol (LDAP) queries against a domain controller.

CISA suspects that the account details fell in the hands of the attacker through a data breach. This would not have posed a problem if the account had been disabled when the employee left. But the account still had access with administrative privileges to two virtualized servers including SharePoint and the workstation.

The incident responders’ logs revealed the attacker first connected from an unknown virtual machine (VM) to the victim’s on-premises environment via internet protocol (IP) addresses within their internal VPN range.

On the SharePoint server, the attacker obtained global domain administrator credentials that were stored locally on the server. This account also provided the attacker with access to the on-premises Active Directory (AD) and Azure AD.

The attacker executed LDAP queries to collect user, host, and trust relationship information. The results of these queries are believed to have been among the information that was offered for sale.

**Mitigation advice**

When an employee leaves there may be several possible reasons not to immediately remove all their accounts. But you should at least remove their privileges as soon as possible and change the password.

The CISA advisory lists several points of advice about user accounts:

*   Review current administrator accounts and only maintain those that are essential for network management.
*   Restrict the use of multiple administrator accounts for one user.
*   Create separate administrator accounts for on-premises and Azure environments to segment access.
*   Implement the principle of least privilege and grant only access to what is necessary. It makes sense to revoke privileges after the task they were needed for is done.
*   Use phishing-resistant multifactor authentication (MFA). The only widely available phishing-resistant authentication is FIDO/WebAuthn authentication.

More general tips are:

*   **Account and group policies**: Set up a robust and continuous user management process to ensure accounts of offboarded employees are removed and can no longer access the network.
*   **Awareness of your environment**: Maintain a robust asset management policy through comprehensive documentation of assets, tracking current version information to maintain awareness of outdated software, and mapping assets to business and critical functions.
*   **Patching procedures**: If you do not have a Vulnerability and Patch Management solution, establish a routine patching cycle for all operating systems, applications, and software.
*   **Monitoring and logging**: It’s essential to keep an eye on what is happening in your environment so you are aware of atypical events and logs that can help you figure out what happened exactly.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Why keeping track of user accounts is important 

A list of topics we covered in the week of February 12 to February 18 of 2024

February 16, 2024 - A group of cybercriminals is committing bank fraud by convincing victims to scan their IDs and faces.

February 16, 2024 - One of Microsoft's Patch Tuesday fixes has flipped from "Likely to be Exploited" to “Exploitation Detected”.

February 15, 2024 - Personal data belonging to 200,000 Facebook Marketplace users has been published online, including email addresses and phone numbers.

February 14, 2024 - In 2023, the CL0P ransomware gang broke the scalability barrier and shook the security world with a series of short, automated campaigns.

February 14, 2024 - The PC Security Channel tested Malwarebytes against 2015 files. Here's how we did.

 A week in security (February 12 &#8211; February 18) 

A group of cybercriminals is committing bank fraud by convincing victims to scan their IDs and faces.

Well, the GoldPickaxe Trojan does not literally steal your face, but it does steal an image of your face in order to be able to identify as you.

Researchers have found a family of Trojans, attributed to a financially motivated Chinese group, which come in versions for iOS and Android.

Cybercriminals try to trick victims into scanning their faces along with identification documents. The victims are approached through phishing and smishing messages claiming to be from local governments or other trusted sources. They ask the target to install a fake government service app.

At this stage there is a crossroads where Android and iOS infections are different. While Android users go straight to the malicious app, due to measures taken by Apple the criminals ask the iOS users to install a disguised Mobile Device Management (MDM) profile. MDM allows a controller to remotely configure devices by sending profiles and commands to the device. As such MDM offers a wide range of features such as remote wipe, device tracking, and application management, which the cybercriminals take advantage of to install malicious applications and obtain the information they need.

The criminals then request that the victim take a photo of an official ID and scan their face with the app. Additionally, the criminals request the target’s phone number in order to get more details about them, particularly their bank accounts.

Once the criminals have a scan of the face they can use artificial intelligence (AI) to perform face-swaps. Face swapping is a technique that allows you to replace faces in images with others.

With the face swap and the photo of the ID the criminals can identify themselves as the victim to the victim’s bank and withdraw funds from their account. Many financial organizations use facial recognition for transaction verification and login authentication. Although the researchers found no evidence that bank fraud was the goal of the cybercriminals, their story was confirmed by warnings from the Thai police.

Although this group is mainly active in Asia, more precisely in Thailand, it makes sense to expect such a successful method to be copied.

Malwarebytes and ThreatDown solutions detect the GoldPickaxe Trojan as Android/Trojan.Agent.prn1.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 GoldPickaxe Trojan steals your face! 

One of Microsoft's Patch Tuesday fixes has flipped from "Likely to be Exploited" to “Exploitation Detected”.

As it turns out, there was another actively exploited vulnerability included in Microsoft’s patch Tuesday updates for February.

When Microsoft said in its update guide for CVE-2024-21410 that the vulnerability was likely to be exploited by attackers, they weren’t kidding. Soon after they changed the status to “Exploitation Detected”.

Today, I was alerted to the fact after spotting a warning by the German Federal Office for Information Security (BSI) about the same vulnerability, Something the BSI does not do lightly.

The Exchange vulnerability is listed in the Common Vulnerabilities and Exposures (CVE) database as CVE-2024-21410, an elevation of privilege vulnerability with a CVSS score of 9.8 out of 10.

Microsoft’s description of the vulnerability is a bit more revealing:

> “An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim’s behalf.”

In a Windows network, NTLM (New Technology LAN Manager) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. An attacker being able to impersonate a legitimate user could prove to be catastrophic.

Microsoft Exchange Servers, and mail servers in general, are central communication nodes in every organization and as such they are attractive targets for cybercriminals. Being able to perform a pass-the-hash attack would provide an attacker with a paved way into the heart of the network.

As part of the update, Microsoft has enabled Extended Protection for Authentication (EPA) by default with the Exchange Server 2019 Cumulative Update 14 (CU14). Without the protection enabled, an attacker can target Exchange Server to relay leaked NTLM credentials from other targets (for example Outlook).

If you are running Exchange Server 2019 CU13 or earlier and you have previously run the script that enables NTLM credentials Relay Protections then you are protected from this vulnerability. However, Microsoft strongly suggests installing the latest cumulative update.

Last year, Microsoft introduced Extended Protection support as an optional feature for Exchange Server 2016 CU23.

If you are unsure whether your organization has configured Extended Protection, you can use the latest version of the Exchange Server Health Checker script. The script will provide you with an overview of the Extended Protection status of your server.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Microsoft Exchange vulnerability actively exploited 

Malwarebytes researchers have discovered a prolific campaign of fraudulent energy ads shown to users via Google searches.

For many households, energy costs represent a significant part of their overall budget. And when customers want to discuss their bills or look for ways to save money, scammers are just a phone call away.

Enter the utility scam, where crooks pretend to be your utility company so they can threaten and extort as much money from you as they can.

This scam has been going on for years and usually starts with an unexpected phone call and, in some cases, a visit to your door. Obviously the phone call side of the scam is much more scalable and means the scam can be done from overseas.

However, criminals know that victims are more likely to be tricked if they were the ones who initiated the call. In a recent investigation, we discovered a prolific campaign of fraudulent ads shown to users via Google searches. To give an idea of scale, the number of ads we found exceeds what we have found in previous malvertising cases.

This blog post has two purposes: the first one is to draw awareness to this problem by showing how it works. Secondly, we’ve collected and shared as many ads and fake sites as we could in the hope that action will be taken, with hopefully some cost for the scammers.

**Fraudulent utility scam ads**

The scam begins when a user searches for keywords related to their energy bill. The ads are shown to mobile devices only, which makes sense given how often people use their phones. Also, the ads are geolocated, so that they are relevant to the user’s location.

We found 28 advertisers with over 300 ads, most of them registered by individuals from Pakistan. We have also seen legitimate but hacked advertiser accounts belonging to US entities that were abused. We didn’t investigate further into the whereabouts and identities of the scammers, but we should note that Pakistan is a possible location.

In most cases, tapping on the ad will not open a new website, but instead will prompt you to dial a phone number. This is exactly what the crooks want as many people will have no idea that an ad approved by Google could possibly be fraudulent.

The utility scam often works by threatening and scaring victims into making poor decisions. An unpaid bill, or an offer that is too good to be true and must be accepted immediately are some of their tactics. Once you’ve made that phone call, you’re already in their hands and very close to losing a significant amount of money.

The scammers may even redirect you to their website to “prove” that they are legitimate. Those sites are often credible enough for a victim to feel like they are doing the right thing, but that couldn’t be further from the truth.

**Large scamming infrastructure**

The crooks have registered dozens of different domains names and built templates that appear related to energy or utility savings. The sites are quite simple and consist of one main page with some customer-centric text and one or multiple phone numbers.

We can usually deduce they are fraudulent by looking up their registration date as well as connecting them with search ads.

However, that might not be enough to have them suspended without going through the whole process of calling the scammers, recording the interaction and showing that evidence. This type of investigation requires time and resources to be done properly. Perhaps one of the many scambaiters out there will look into it in the future.

In the meantime, we have tracked and reported as many domains as we could to the relevant registrars in the hope that some may take action and suspend them.

**Keep your identity and money safe from scammers**

This scam is widespread, and so our advice right now is to avoid clicking on any ad from search as the malicious ads largely outnumber the legitimate ones. You can tell it’s an ad as it will be labelled “Sponsored” or “Ad”.

Here are some additional tips:

*   **Watch out for a sense of urgency**. Scammers will often threaten to cut your power immediately. This and similar scare tactics are meant to pressure you into making hasty decisions. Take the time to look things up or speak to a friend before you do anything.
*   **Never disclose personal details** over the phone without being absolutely certain you are talking to the right person. If in doubt, hang up the phone and look for the official phone number from your energy company, perhaps from a past bill. Do not trust any phone number that appears on an online ad.
*   **Beware requests for money transfers or prepaid cards**. These are a huge sign you are dealing with criminals. Again, take your time to think it over even if just for a few hours. Scammers tend to be so impatient they will make all sorts of claims to act right now, which should be a dead giveaway.
*   **Contact your bank immediately** if you think you’ve been scammed and wired money,. Change all your passwords and add a notice with your utility company that someone may attempt to impersonate you.
*   **Report the scam** to the proper authorities, which may be the FTC.

**Malwarebytes protection**

Malwarebytes is working with its partners to go after these scammers. We also provide protection if you are using our iOS app via the ad blocking feature which will disable search ads and other ads that may be targeting you.

**Indicators of Compromise**

**Google advertiser accounts**

**Advertiser name**

**Advertiser ID**

**Number of ads**

Telesoft

N/A

1

Digitron

04170244641179828225

4

Syed muhammad Adnan

08157637715521699841

15

Progressix

02149758434478653441

2

Umair Jameel

11899369518209695745

1

Laiba Mazhar

14248337572488019969

1

Syed Shahmeer Hussain

12265272419404480513

6

Snow Tech

N/A

1

Muhammad Pirzada

12480474916866490369

145

Eco Designs (Private) Limited

17013467067027816449

5

Right Path Solutions

11370048952557633537

21

Rehman Munawar

06906645958470139905

1

ANDREW PAUL GUZMAN

09045338907926855681

17

Economical Deals

09045708721790910465

4

Qasim Ahmed

15768816743289454593

20

Summaira

14596269127925497857

3

Citrex Solutions (Private) Limited

16648988995463675905

19

Get Energy Promo

08074609881656590337

6

Brightboost LLC

07744256527850012673

5

AA DIGITAL LABS (SMC-PRIVATE) LIMITED

10871392529253662721

1

Malik Muhammad Shahroz Ibrahim

N/A

1

HongKong AdTiger Media Co., Limited

14567350391567024129

1

Mah Noor

07681945004880691201

12

Usama Ashfaq

06711852389684477953

2

Ali Raza

04534984293432164353

15

Muhammad Usman Tariq

17723433991509377025

5

SHABNUM FATIMA SHAH

02536959185141104641

4

QASMIC L.L.C-FZ

11321807192694194177

1

**Phone numbers**

888\[-\]960\[-\]3984  
888\[-\]315\[-\]9188  
888\[-\]715\[-\]1808  
888\[-\]873\[-\]0295  
888\[-\]317\[-\]0580  
888\[-\]316\[-\]0466  
888\[-\]983\[-\]0288  
888\[-\]439\[-\]0639  
888\[-\]312\[-\]2983  
844\[-\]967\[-\]9649  
855\[-\]200\[-\]3417  
888\[-\]842\[-\]0793  
888\[-\]207\[-\]3713  
833\[-\]435\[-\]0029  
888\[-\]494\[-\]4956

888\[-\]928\[-\]6404  
888\[-\]374\[-\]1693  
888\[-\]834\[-\]1050  
888\[-\]497\[-\]3560  
888\[-\]960\[-\]2303  
888\[-\]430\[-\]0128  
800\[-\]353\[-\]5613  
888\[-\]407\[-\]1004  
855\[-\]216\[-\]2411  
844\[-\]679\[-\]7635  
888\[-\]483\[-\]2851  
888\[-\]657\[-\]2401  
888\[-\]580\[-\]0106  
888\[-\]326\[-\]7299  
888\[-\]870\[-\]2661

888\[-\]203\[-\]1692  
855\[-\]428\[-\]7345  
888\[-\]641\[-\]0108  
888\[-\]960\[-\]0688  
888\[-\]347\[-\]7462  
888\[-\]448\[-\]0550  
888\[-\]834\[-\]0998  
888\[-\]470\[-\]8496  
888\[-\]554\[-\]0461  
855\[-\]980\[-\]1080  
888\[-\]539\[-\]0722  
866\[-\]685\[-\]0355  
888\[-\]715\[-\]1806  
888\[-\]960\[-\]2550  
888\[-\]641\[-\]0096  
888\[-\]996\[-\]5133

**Scammer domains**

360billingservices\[.\]com  
aadigital\[.\]online  
citrexsolutions\[.\]co  
digitelcare\[.\]com  
eco-designs\[.\]store  
economical-deals\[.\]co  
electricenergybundle\[.\]com  
electricenergyservice\[.\]com  
electricpowerdeal\[.\]com  
energpaybill\[.\]com  

energybilling\[.\]net  
energybillservice\[.\]online  
energycredits\[.\]online  
energyhelpcenter\[.\]com  
energypayment\[.\]shop  
energypoweroffer\[.\]com  
globalenergysolutionz\[.\]com  
homeutilityservices\[.\]com  
makeabillpayment\[.\]com  
paysenergy\[.\]online

powerelectricoffers\[.\]com  
qasmic\[.\]com  
rebornsolutions\[.\]co  
telecombilling\[.\]us  
telecomcredits\[.\]us  
thepowerpayllc\[.\]org  
uenergyproviders\[.\]store  
utilitybillsolution\[.\]site  
utilitybillspayments\[.\]org  
utilitydiscounts\[.\]store  
utilityservices\[.\]us

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Massive utility scam campaign spreads via online ads 

Personal data belonging to 200,000 Facebook Marketplace users has been published online, including email addresses and phone numbers.

Personal data belonging to Facebook Marketplace users has been published online, according to BleepingComputer.

A cybercriminal was allegedly able to steal a partial database after hacking the systems of a Meta contractor.

The leak consists of around 200,000 records that contain names, phone numbers, email addresses, Facebook IDs, and Facebook profile information of the affected Facebook Marketplace users. BleepingComputer was able to verify the some of the data.

Marketplace was introduced by Facebook in 2016 and quickly became a popular platform to sell items to local buyers. It’s often preferred over other marketplaces because you can find or sell items locally that would be too expensive to ship, but you can easily pick up yourself.

Smaller businesses also use it as well to get their ecommerce side of the business started. Statistics say that every month, on average 40% of Facebook users are Marketplace users, and an estimated 485 million or 16% of active users log in to Facebook for the sole purpose of shopping on Facebook Marketplace.

Depending on the buyer of the leaked data, both the email addresses and the phone numbers could be used in phishing attacks. Phishing is the art of sending an email with the aim of getting users to open a malicious file or click on a link to then steal credentials. The combination of email addresses and phone numbers could also be used in SIM swapping attacks.

SIM swapping, also known as SIM jacking, is the act of illegally taking over a target’s cell phone number. This can be done in a number of ways, but one of the most common methods involves tricking the target’s phone carrier into porting the phone number to a new SIM which is under the control of the attacker. Having control over or access to the victim’s email combined with the knowledge of the associated phone number makes a SIM swap relatively easy.

**Protect yourself from a SIM card swap attack**

*   **Don’t reply to calls, emails, or text messages that request personal information.** Should you get a request for your account or personal information, contact the company asking for it by using a phone number or website that you know is real.
*   **Limit the personal information you share online.**
*   **Set up a PIN or password on your cellular account.** This could help protect your account from unauthorized changes. Check your provider’s website for information on how to do this.
*   **Use Multi-Factor Authentication (MFA), especially on accounts with sensitive personal or financial information.** If you do use MFA, keep in mind that text message verification may not stop a SIM card swap. If you’re concerned about SIM card swapping, use an authentication app or a security key.

If you want to find out how much of your own data is exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 Facebook Marketplace users’ stolen data offered for sale 

In 2023, the CL0P ransomware gang broke the scalability barrier and shook the security world with a series of short, automated campaigns.

In 2023, the CL0P ransomware gang broke the scalability barrier and shook the security world with a series of short, automated campaigns, hitting hundreds of unsuspecting targets simultaneously with attacks based on zero-day exploits. The gang’s novel approach challenged a bottleneck that makes it hard to scale ransomware attacks, and other gangs may try to replicate its approach in 2024.

Big game ransomware attacks are devastating but relatively rare compared to other forms of cyberattack. There were about 4,500 known ransomware attacks in 2023, although the true figure is probably twice that. These attacks extorted more than $1 billion in ransoms in 2023, according to blockchain data platform Chainalysis.

The potential riches are enormous and there’s no other form of cybercrime that’s so lucrative, so why aren’t we seeing more attacks? It doesn’t seem to be a lack of targets, in fact the evidence suggests that the gangs are picky about who they attack. The most likely reason is that each attack takes a lot of work. Broadly speaking, an attack requires a team of people that: Breaks in to an internet-connected computer, researches the target to see if they’re worth the effort of an attack, explores their network, elevates their privileges until they’re an all-conquering administrator, steals and stores terabytes of data, attacks security software and backups, positions ransomware, runs it, and then conducts negotiations.

Doing all of this efficiently requires people, tools, infrastructure, expertise, and experience, and that seems to make it a difficult business model to scale up. The number of known ransomware attacks a year is increasing steadily, by tens of percentage points rather than exploding by thousands. This suggests that most of the people who are drawn to this life of crime are probably already doing it, and there isn’t a vast pool of untapped criminal talent waiting in the wings.

Known ransomware attacks, July 2022-December 2023

Before 2023, cybercrime’s best answer to this scalability problem was Ransomware-as-a-Service (RaaS), which splits the work between vendors that provide the malware and infrastructure, and affiliates that carry out the attacks.

CL0P found another way. It weaponised zero-day vulnerabilities in file transfer software, notably GoAnywhere MFT and MOVEit Transfer, and created automated attacks that plundered data from them. Hundreds of unsuspecting victims were attacked in a pair of short, sharp campaigns lasting a few days, leaving Cl0P as the third most active gang of the year, beating ransomware groups that were active in every month of 2023.

It remains to be seen if other gangs can or will follow CL0P’s lead. The repeated use of zero-days signaled a new level of sophistication for a ransomware gang and it may take a while for its rivals to catch up. However, the likes of LockBit—the most prolific group of them all—don’t want for resources so this is probably a matter of time and will, rather than a fundamental barrier.

There is also a question mark about how successful the attacks were. While automation allowed CL0P to increase its reach, it’s reported that a much lower percentage of victims paid a ransom than normal. However, ransomware incident response firm Coveware believes the group managed to compensate by demanding higher ransoms, earning the gang as much as $100 million.

Because of CL0P’s actions, the shape of ransomware in 2024 is in flux and organisations need to be ready. To learn more about how big game ransomware is evolving, the threat of zero-day ransomware, and how to protect against them, read our 2024 State of Malware report.

Source

Malwarebytes