Google has set a date for the introduction of Manifest V3 which will hurt the capabilities of many ad blockers.

Google has announced it will shut down Manifest V2 in June 2024 and move on to Manifest V3, the latest version of its Chrome extension specification that has faced criticism for putting limits on ad blockers. Roughly said, Manifest V2 and V3 are the rules that browser extension developers have to follow if they want their extensions to get accepted into the Google Play Store.

Manifest V2 is the old model. The Chrome Web Store no longer accepts Manifest V2 extensions, but browsers can still use them. For now. Manifest V3 is supported generally in Chrome 88 or later and will be the standard after the transition planned to take place in June 2024.

A popular type of browser extensions are ad blockers. Almost all these ad blockers work with block lists, which are long lists of domains, subdomains, and IP addresses that they filter out of your web traffic. These lists are commonly referred to as rulesets. One part of the transition will “improve” content filtering. And to be fair, Google has made some compromises when it comes to the version as it’s now in the planning, compared to what it originally planned to do.

*   Originally, each extension could offer users a choice of 50 static rulesets, and 10 of these rulesets could be enabled simultaneously. This changes to 50 extensions simultaneously and 100 in total.
*   Extensions could add up to 5,000 rules dynamically which encouraged using this functionality sparingly and made it easier for Google to detect abuse. Extensions can add rules dynamically to support more frequent updates and user-defined rules. But it comes with the risks of phishing or data theft because these “updates” are not checked during the Chrome Web Store review. For example, a redirect rule could be abused to inject affiliate links without consent. But Google has decided that block and allow are not that easily abused so it will allow up to 30,000 rules to be added dynamically.

However, this is still far from enough to fully reach the potential of the best ad blockers we have now. And it’s not just the hard limits on filtering rulesets, there are a lot of other new limits on filtering. Items can’t be filtered based on the response headers or according to the URL in the address bar. Also, extension developers are limited in what regular expressions they can use, along with other technical limitations.

Even if this is not targeted at ad blockers specifically, it’s still a major change that makes blocking requests less flexible. But the bottom line result is that it limits the API that many ad blockers use, and replace it with a less capable one.

Google’s will tell you that by limiting extensions, the browser can be lighter on resources, and Google can protect your privacy from extension developers and calls it “a step in the direction of privacy, security, and performance.” The Electronic Frontier Foundation (EFF) however calls Manifest V3 deceitful and threatening.

> “Manifest V3 is another example of the inherent conflict of interest that comes from Google controlling both the dominant web browser and one of the largest internet advertising networks.”

Under the new specifications, browser extensions that monitor and filter the web traffic between the browser and the website will have greatly reduced capabilities. This includes ad blockers and privacy-protective tracker blockers. No real surprise, considering Google has trackers installed on 75% of the top one million websites.

According to Firefox’s Add-on Operations Manager, most malicious extension that manage to get through the security review process, are usually interested in simply observing the conversation between your browser and whatever websites you visit. The malicious activity happens elsewhere, after the data has already been read. So in their mind, what would really help security is a more thorough review process, but that’s not something Google says it has plans for.

After looking at the arguments Google used to justify this transition, ArsTechnica came to the conclusion that there’s no justification for arbitrarily limiting the list of filter rules. It says once Manifest V3 happens, Chrome users will be limited to light ad blocker functionality while users will need to switch to Firefox or some other non-limited browser to get the full extension.

Nevertheless, Firefox said it will adopt Manifest V3 in the interest of cross-browser compatibility. And Chrome’s market share will certainly have influenced that decision as well.

Google Chrome Enterprise users with the “ExtensionManifestV2Availability” policy turned on will get an extra year of Manifest V2 compatibility.

If you want to help Malwarebytes get ready for the transition, you can test the beta version of Browser Guard for Manifest V3.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

**Black Friday sale**

Save 50% on our Home bundles for a limited time only!

 Chrome pushes forward with plans to limit ad blockers in the future 

What better way to kick off the holiday scamming season than by offering a Black Friday sale on one of the most popular products around: a Stanley cup.

Scammers never miss an opportunity to make a quick buck, and love to piggy back on the latest trends. So what better way to kick off the scamming season than by offering Black Friday sales on one of the most popular products around: a Stanley cup.

We found an ad on Facebook offering a Stanley Quencher for the low price of $19:

_Facebook ad for Stanley Quenchers_

Normally these Stanley cups sell for $45 on Amazon. They’re very popular since they reportedly keep drinks cold for 11 hours and hot for seven hours. Even if your car burns out.

Clicking the advertisement takes you to a shady-at-best website where you can take your pick of Stanleys.

_Website at domain d-sportinggoodsus\[.\]com_

Hint: look at the domain name. Malwarebytes doesn’t like it either.

_Malwarebytes customers are protected_

Both the site and the payment processor are registered in Hong Kong and will happily pocket your money without doing anything in return.

To gain the buyer’s trust, the Facebook comments are populated by bots and/or compromised accounts.

_Facebook comments of people claiming they received the goods_

As always, use your best spidey senses to pick up on scams like these. With this particular scam, you’re likely to only lose the money you paid to the scammers, but other scams can end in much higher losses.

**How do you avoid bad ads?**

*   **You probably have the URL you need**. It’s sometimes easier to search a brand name than put in the full URL, but if you go directly there you won’t get caught by any bad ads lurking in your search results.
*   **Careful searching**. If you _do_ need to go looking, cross reference the URLs you see in search engines with a search of your own. If it’s legitimate, you should see a large number of people and businesses referencing it.
*   **Report bad ads**. If a sponsored ad is up to no good, there should be a way to report from the search engine or social media platform in which you found it. You’re doing your part to help the next person who coes along to stay safe!
*   **The thorny blocking issue**. If you choose to block ads, be aware that the way you block may break functionality of the site you’re on. Some sites will insist you turn off your ad blocker. Others may simply not work anymore if you use script blocking or turn off JavaScript. It’s not so much a case of “job done”, as it is “job just getting started”.
*   **Remember, if it’s too good to be true it probably isn’t true**, and could mean someone is trying to trick you into paying for something you’re never going to get.

**Black Friday sale**

Save 50% on our Home bundles for a limited time only!

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 $19 Stanley cup deal is a Black Friday scam 

Here are the innovations we’ve made in our products recently. Are you making the most of them?

At Malwarebytes, we’re constantly evolving to protect our customers. These days, our products don’t just protect you from malware, we protect your identity, defend you from ads, safeguard your social media, and keep your mobile safe too.

Here are the innovations we’ve made in our products recently. Are you making the most of them?

****Malwarebytes Premium******Windows**

**Tamper** / **Uninstall Protection**. This allows you to password protect your software so that it can’t be removed remotely.

**Trusted Advisor**. This dashboard provides an easy-to-understand assessment of your computer’s security with a single comprehensive protection score, and clear, expert-driven advice.

**Brute Force Protection**. This blocks Remote Desktop Protocol (RDP) attacks, which are attempts by cybercriminals to access a computer remotely. We do this by blocking IP addresses that exceed a threshold of invalid login attempts.

**Smart Scan.** This enables you to schedule scans at a time when you’re not using your computer, which is best for productivity.

**Mac**

The old adage about Macs not getting viruses is simply not true. Macs need protection too and our **Premium for Mac** is now compatible with macOS Sonoma.

**Mobile Security**

Whether you’re on iOS or Android, our Mobile Security app just got an upgrade. Our **Premium Plus** plan now includes a full-featured VPN to help keep your connections private, no matter where you are. Using the latest VPN technology, WireGuard® protocol, you can enjoy better online privacy at a quicker speed than traditional VPNs.

What you get with our apps:

*   **Android:** Scan for viruses and malware, and detect ransomware, android exploits, phishing scams, and even potentially unwanted apps.

*   **iOS:** Detect and stop robocalls and fake texts, phishing links, malicious sites, and annoying ad trackers (while browsing in Safari).

**Browser Guard**

Available for both Windows and Mac, Malwarebytes Browser Guard is our free browser extension for Chrome, Edge, Firefox, and Safari that blocks unwanted and unsafe content, giving users a safer and faster browsing experience. It’s the world’s first browser extension to do this, while at the same time identifying and stopping tech support scams.

Browser Guard adds an extra layer to your personal security, on top of your antivirus or firewall. Because it’s a browser extension, it can offer protection in the browser that other means of protection do not have access to.

We’ve recently made enhancements to Browser Guard:

*   **Improved protection:** Stops even more threats with enhanced phishing detection. 
*   **New scanning blocks:** Prevents websites from scanning for vulnerable network ports. 
*   **Facebook support:** Blocks ads and sponsored content from appearing on Facebook feeds. 
*   **Monthly overview:** Summary showcases what has been blocked. 

On top of that, Malwarebytes Premium Security users (Windows only) can now take advantage of:

*   **Content control:** Take control of your browsing experience and define what’s appropriate for you and your family. Fully customize the content you want to block while browsing.
*   **Import and export:** Use your preferences and customized rules with all your browsers, even on other devices. This helps you to experience a consistent and clean web experience. Discover on this video how to transfer Malwarebytes Browser Guard settings to another browser.
*   **Historical Detection Statistics:** View past detections and see what we’ve protected you from.  

Want to see Browser Guard in action? Read the 25 most popular websites vs Malwarebytes Browser Guard

****Malwarebytes Identity Theft Protection****

Newly released, Malwarebytes Identity Theft Protection scours the dark web for your personal information, prevents your social media account from being hacked, and even keeps an eye on your credit (US only) — and it’s all backed by an up-to-$2 million identity theft insurance. (Insurance coverage is $1 or $2 million depending on selected package (latter only available in the US plan **Ultimate)**)

Here’s what you get (based on your selected plan):

*   Ongoing monitoring: Peace of mind that we are actively working in the background to keep you safe
*   Real-time alerts: Immediate notifications if we identify suspicious activity
*   Recommendations and best practices: Advice on how to prevent identity theft, and help if it happens
*   Identity restoration helpline and top-notch customer support.

 Malwarebytes consumer product roundup: The latest 

Google's recently been accused of "privacy washing", despite claiming its a privacy-focused company. But what is privacy washing?

Question: Who said the sentence below?

> “Privacy is at the heart of everything we do.”

Answer: Sundar Pichai, the CEO of Alphabet and its largest subsidiary Google. And if you look at the recent actions Google has announced, you’d be tempted to take his word for it:

*   An initiative to let Chrome hide your IP address.
*   Strengthening the safeguard measures for Google Workspace customers.
*   Changing data retention practices to make auto-delete the default.

But at the same time, Google is under fire because some of its actions seem half-baked. Allegedly Google’s option to “browse privately” is nothing more than a word play.

Let’s be fair. Google makes lots and lots of money by knowing what we are looking for. And to achieve that goal it needs to gather as much information as possible about us. Maybe not specifically about us as a person, but at least about us as a group.

Data are the most coveted currency of our era, and technology giants like Facebook, Google, and Amazon are considered the behemoths of the data gathering industry. If they don’t already, they want to know everything about each and every one of us.

We’re not all equally valued though. Certain milestones in a person’s life prompt major changes in buying patterns, whether that’s becoming a parent, moving home, getting married, buying a car, or going through a divorce. Some of the most personal and secretive troves of data rank as the most expensive.

In a recent blog, privacy company Proton explained how Google is spending millions lobbying and actively fighting against privacy laws that would protect you from online surveillance.

Proton used the expression, “privacy washing” which compares Google’s disparity between actions and words to those of the world’s largest environmental polluters who portray themselves as eco-conscious, known as “green washing.“

According to lobbying reports and other records, Alphabet and its subsidiaries have spent more than $125 million on federal lobbying, campaign contributions, and trade associations since 2019.

This is done under the guise that Google wants regulators to let companies decide themselves what’s good for you and for society. But so far, big tech is consistently letting us down in this regard.

A small but telling example was a recent court case where a judge ruled that car manufacturers collecting users’ text messages and call logs did not meet the Washington Privacy Act’s (WPA) standard that a plaintiff must prove that “his or her business, his or her person, or his or her reputation” has been threatened.

In other words they can steal all the data they want as long as you can’t prove that it doesn’t hurt your business, yourself or your reputation. Does that sound fair to you?

Several US states are going through the process of passing new comprehensive consumer privacy laws, in an attempt to give American citizens more control over their personal data. Privacy advisor IAPP reckons that by 2026, 13 state privacy laws will have taken effect, as newly enacted laws in Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, and Texas will join California, Colorado, Connecticut, Utah, and Virginia.

The European Union (EU) is a pioneer when it comes to privacy laws, so it’s easy to see why Big Tech has spent so much money (about $30 million in 2021) lobbying European lawmakers to protect their data gathering practices. Google has been among the most aggressive to water down or slow down the expansion of consumer protections through additional regulations — in particular the Digital Markets Act, Digital Services Act, and ePrivacy Regulation. Google happily bragged about stalling the ePrivacy Regulation, which would crack down on tracking cookies.

It’s common for industries to lobby lawmakers on issues affecting their business. But there is a massive disparity in the state-by-state battle over privacy legislation between well-funded, well-organized tech lobbyists and their opposition of relatively scattered consumer advocates and privacy-minded politicians, The Markup has found.

So, Sundar Pichai, we would like you to put your money where your mouth is. And make some real changes to improve our privacy, rather than engage in privacy washing.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your and your family’s personal information by using Malwarebytes Identity Theft Protection.

 Explained: Privacy washing 

Nothing's new message app Chats has been pulled from Google Play after harsh criticism about security issues.

Sometimes it’s all in the name. The Nothing Chats beta has been pulled from the Google Play Store after reports that the company behind it has access to your (unencrypted) messages.

Nothing Phone 2 owners were promised a first-of-its-kind app developed in partnership with Sunbird, which allowed them to message other iMessage users via blue bubbles on their Nothing Phone.

And, as promised, the beta version was made available for download in the Play Store on Friday November 17, 2023. But today the Nothing Chats page says:

> We’ve removed the Nothing Chats beta from the Play store and will be delaying the launch until further notice to work with Sunbird to fix several bugs. We apologize for the delay and will do right by our users.

Now, it’s pretty normal for beta releases to have some bugs that need ironing out. That’s what they are in beta for. But these weren’t some mildly annoying bugs.

Basically, Nothing Chats is just a reskinned version of the existing Sunbird application, which is currently available on the Google Play Store. In essence the Nothing Chats app routes your messages through a macOS virtual machine that sends them on as iMessages. But to do this the Nothing Chats application is required to send your Apple ID credentials to its servers, so it can authenticate on your behalf.

According to Nothing, Sunbird’s architecture provides a system to deliver a message from one user to another without ever storing it at any point in its journey. But only one day after the release of the beta, Texts.com published a blog titled Sunbird / ‘Nothing Chats’ is Not Secure.

Members of the Texts.com reverse engineering team took it upon themselves to take a look into the Sunbird application and its security practices, and found a few vulnerabilities and implementation issues.

> texts team took a quick look at the tech behind nothing chats and found out it's extremely insecure
> 
> it's not even using HTTPS, credentials are sent over plaintext HTTP
> 
> backend is running an instance of BlueBubbles, which doesn't support end-to-end encryption yet pic.twitter.com/IcWyIbKE86
> 
> — Kishan Bagaria (@KishanBagaria) November 17, 2023

While Sunbird tries to implement end-to-end-encryption (E2EE), its implementation is overshadowed by decrypting, and then storing the unencrypted payloads in its database.

The apps route all data relating to a message sent by Sunbird, and Nothing Chat, including the contact information, message contents, and attachment URLs to the Sunbird’s Sentry. This Sentry acts as a debugging platform, which allows access to the data in plaintext by authorized parties within the company.

Which is not what Nothing promised:

> All Chats messages are end-to-end encrypted, meaning neither we nor Sunbird can access the messages you’re sending and receiving.

Other investigators found that Nothing Chats sends all media attachments, including user images, to Sentry with links to those attachments visible in plain text.

> Thread time!
> 
> Summary:  
> – Sunbird has access to every message sent and received through the app on your device.
> 
> – All of the documents (images, videos, audios, pdfs, vCards…) sent through Nothing Chat AND Sunbird are public.
> 
> – Nothing Chats is not end-to-end encrypted.
> 
> — Dylan Roussel (@evowizz) November 18, 2023

Nothing Chats sends all media attachments, including user images, to Sentry with links to those attachments visible in plain text. Further, researchers found all data was sent and stored through Firebase. They found over 630,000 media files currently stored by Sunbird via Firebase including images, videos, PDFs, audio, and more. So, while it may be true that Sunbird doesn’t store user data on its own servers, the data does get stored.

This isn’t a major problem for everyone, but the authentication is. By sending our Apple ID to a third-party service, we are not only trusting the third-party with our texts, but should they become compromised, our photos, videos, contacts, notes, keychain, and more are at risk.

Users worried about a spill of sensitive data should read our guide: Involved in a data breach? Here’s what you need to know.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Nothing Chats pulled from Google Play 

Browser push notifications are becoming a problem on macOS. Learn how to remove them.

Scammers are abusing an Apple feature that allows websites to create push notifications that look like they’re coming from macOS, or apps. The notifications try to scare users into clicking a link with fake virus alerts or messages saying their account has been hacked.

Years ago we warned our readers about the introduction of browser push notifications because we felt they were a feature waiting to be abused. At the time we focused on Windows users, but recently we are seeing examples of macOS users being plagued by this pest.

As Apple proudly announced:

> Use the Apple Push Notifications Service to send notifications to your website users, right on their Mac desktop — even when Safari isn’t running. Safari Push Notifications work just like push notifications for apps. They display your website icon and notification text, which users can click to go right to your website.

Do you see the problems?

*   “Even when Safari isn’t running.” So how are users supposed to know where the notifications are coming from?
*   “Work just like push notifications for apps.” My point exactly. How can we distinguish them from actual system notifications?
*   “They display your website icon.” Website icons are controlled by the website owner, so they can used the system settings icon for their website, making their notifications look like system notifications.

The Websites section in Safari settings shows a website that uses the macOS System Settings icon

These settings can appear in Safari Settings or System Settings, and you can remove them by following the instructions below.

**Application Notifications**

Open your Apple **System Settings** and then select the **Notifications** tab along the left.

Scroll down the list under **Application Notifications** and look for any websites that have permission to send you notifications. The entry may have a name designed to mislead you, such as “ask you” or “Notifications”.

Under each item you will be able to see what type of notification permissions it has. To stop these, just click on the entry and turn off the slider at the top which will disable notifications for this item.

A website listed under Application Notifications with a misleading name and icon

**Safari Settings**

In the Safari app on your Mac, choose **Safari** and click **Settings**. Click **Websites**, then click **Notifications**.

Scroll through the list of websites and look for websites that don’t want to receive notifications from. Anything that shows **Allow** can send you messages, so switch them to **Deny** if you do not want to see their messages.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 How to stop fake System notifications on macOS 

The Australian Cyber Security Centre has provided 10 steps for small and medium businesses to store customers' personal data securely.

In an advisory aimed at the protection of customers’ personal data, the Australian Cyber Security Centre (ACSC) has emphasized that businesses should only collect personal data from customers that they need in order to operate effectively.

While that may seem like kicking in an open door, it’s really not. It’s relatively easy to decide which personal data you _need_ to have for a new customer. It’s a bit harder to stop there. Many small business use pre-formatted questionnaires that ask for information they don’t actually need for day to day operations, and it’s hard to keep track of data they no longer need.

The advisory, titled Securing Customer Personal Data for Small and Medium Businesses, is written for small and medium businesses, but many larger corporations could benefit from it as well. The guide was written because data breaches against Australian businesses and their customers are increasing in complexity, scale, and impact.

It outlines a few steps businesses can take to organize, minimize, and control the personal data they collect, in order to contain the impact of a data breach. With the growing tendency to do business online, businesses have a responsibility to keep the personal data they collect safe.

The ACSC recommends implementing 10 steps to secure customer personal data:

*   **Create a register of personal data**. Keep an inventory of the types of data you have collected and where they are stored. For example, a register of databases and data assets.
*   **Limit the personal data you collect**. Do not collect data “just in case.” You don’t have to worry about what you don’t have stored.
*   **Delete unused personal data**. Probably the hardest step, it takes policies stipulating how long customers’ personal data should be stored before it is deleted.
*   **Consolidate personal data repositories**. Consolidating customers’ personal data into centralized locations or databases allows businesses to focus on key data repositories and apply enhanced security practices.
*   **Control access to personal data**. Employees should only have access to customers’ personal data that they need in order to do their job.
*   **Encrypt personal data**. Full disk encryption should be applied to devices that access or store customers’ personal data, such as servers, mobile phones and laptops. Customers’ personal data should be protected by encryption when communicated between different devices over the internet. Additionally, businesses may choose to implement file-based encryption to add an extra layer of protection in the event that systems are compromised as part of a cyberattack.
*   **Backup personal data**. Backups are an essential measure to ensure an organization can recover important business data in case of damage, loss or destruction. Backups are also critical in protecting customers’ personal data from common incidents such as ransomware attacks or physical damage to devices.
*   **Log and monitor access to personal data**. Implementing logging and monitoring practices can assist businesses in detecting unauthorized access to customers’ personal data.
*   **Implement secure Bring Your Own Device (BYOD) practices**. Businesses that employ BYOD policies need to have appropriate protections in place to ensure that this is done securely and does not increase the risk of data breaches. It’s important to have a clear policy and rules to enforce it.
*   **Report data breaches involving personal data**. Make sure you are aware of the existing local reporting obligations in case you are the victim of a data breach involving customers’ personal data.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Why less is more: 10 steps to secure customer data 

Compromised websites are being used to redirect to fake browser updates and deliver malware onto Mac users.

Atomic Stealer, also known as AMOS, is a popular stealer for Mac OS. Back in September, we described how malicious ads were tricking victims into downloading this piece of malware under the disguise of a popular application.

In an interesting new development, AMOS is now being delivered to Mac users via a fake browser update chain tracked as ‘ClearFake’. This may very well be the first time we see one of the main social engineering campaigns, previously reserved for Windows, branch out not only in terms of geolocation but also operating system.

With a growing list of compromised sites at their disposal, the threat actors are able to reach out a wider audience, stealing credentials and files of interest that can be monetized immediately or repurposed for additional attacks.

**Discovery**

ClearFake is a newer malware campaign that leverages compromised websites to distribute fake browser updates. It was originally discovered by Randy McEoin in August and has since gone through a number of upgrades, including the use of smart contracts to build its redirect mechanism, making it one of the most prevalent and dangerous social engineering schemes.

On November 17, security researcher Ankit Anubhav observed that ClearFake was distributed to Mac users as well with a corresponding payload:

The Safari template mimics the official Apple website and is available in different languages:

Since Google Chrome is also popular on Macs, there is a template for it which closely resembles the one used for Windows users:

**Atomic Stealer**

The payload is made for for Mac users, a DMG file purporting to be a Safari or Chrome update. Victims are instructed on how to open the file which immediately runs commands after prompting for the administrative password.

Looking at the strings from the malicious application, we can see those commands which include password and file grabbing capabilities:

find-generic-password -ga 'Chrome' | awk '{print $2}' SecKeychainSearchCopyNext:
/Chromium/Chrome /Chromium/Chrome/Local State FileGrabber tell application "Finder"
set desktopFolder to path to desktop folder
set documentsFolder to path to documents folder
set srcFiles to every file of desktopFolder whose name extension is in {"txt", "rtf", "doc", "docx", "xls", "key", "wallet", "jpg", "png", "web3", "dat"}
set docsFiles to every file of documentsFolder whose name extension is in {"txt", "rtf", "doc", "docx", "xls", "key", "wallet", "jpg", "png", "web3", "dat"}

In the same file, we can find the malware’s command and control server where the stolen data is sent to:

**Macs need protection too**

Fake browser updates have been a common theme for Windows users for years, and yet up until now the threat actors didn’t expand onto MacOS in a consistent way. The popularity of stealers such as AMOS makes it quite easy to adapt the payload to different victims, with minor adjustments.

Because ClearFake has become one of the main social engineering campaigns recently, Mac users should pay particular attention to it. We recommend leveraging web protection tools to block the malicious infrastructure associated with this threat actor.

Malwarebytes users are protected against Atomic Stealer:

**Indicators of Compromise**

Malicious domains

longlakeweb\[.\]com
chalomannoakhali\[.\]com
jaminzaidad\[.\]com
royaltrustrbc\[.\]com

AMOS stealer

4cb531bd83a1ebf4061c98f799cdc2922059aff1a49939d427054a556e89f464  
be634e786d5d01b91f46efd63e8d71f79b423bfb2d23459e5060a9532b4dcc7b

AMOS C2

194.169.175\[.\]117

 Atomic Stealer distributed to Mac users via fake browser updates 

Ransomware group Scattered Spider aka Octo Tempest are masters at social engineering tactics like SIM swapping.

As you may have read in our November Ransomware Review, Scattered Spider is a relatively new, albeit dangerous, ransomware gang who made headlines in September for attacking MGM Resorts and Caesar Entertainment. For small security teams, one of the most important findings about the group is their use of Living Of The Land (LOTL) techniques to avoid detection: Scattered Spider aka Octo Tempest employs everyday tools like PowerShell for reconnaissance and stealthily alters network settings to bypass security measures. They also exploit identity providers and modify security systems, blending their malicious activities with normal network operations.

In a joint cybersecurity advisory (CSA) on Tuesday, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) provided detailed information about the techniques leveraged by Scattered Spider. The advisory was issued in response to the recent activity by Scattered Spider against the commercial facilities sector and subsectors.

CISA and the FBI consider Scattered Spider to be experts that use multiple social engineering techniques, especially phishing, push bombing, and SIM swap attacks, to obtain credentials, install remote access tools, and bypass multi-factor authentication (MFA).

Push bombing is a targeted MFA attack in which an attacker triggers multiple login attempts against the target’s single-sign-on (SSO) portal or publicly exposed corporate apps and services. The objective is that the target will grow tired of the notifications or make a mistake and allow the access.

SIM swapping, also known as SIM jacking, is the act of illegally taking over a target’s cell phone number. This can be done in a number of ways, but one of the most common methods involves tricking the target’s phone carrier into porting the phone number to a new SIM under the control of the attacker.

Scattered Spider is a group that typically targets large companies and their contracted information technology (IT) help desks. To lend credibility to their phishing mails they often register domains like victimname-sso\[.\]com, victimname-servicedesk\[.\]com or victimname-okta\[.\]com.

Once the groups establish access, Scattered Spider often searches the victim’s Slack, Microsoft Teams, and Microsoft Exchange online for emails or conversations regarding the intrusion, along with any security response to see if their attack has been discovered.

The advisory describes how elaborate these efforts can be:

> “The threat actors frequently join incident remediation and response calls and teleconferences, likely to identify how security teams are hunting them and proactively develop new avenues of intrusion in response to victim defenses.”

According to several sources, Scattered Spider has a relationship to ALPHV/BlackCat and has recently started using their ransomware for data exfiltration and file encryption.

The FBI seemingly struggles to arrest group members, even though they’re believed to be based in the US and other Western countries, because victims don’t come forward and share details about their incidents. For that reason, the FBI and CISA have urged victim organizations to share information about attacks with the agencies.

Another initiative that may hinder Scattered Spider’s tactics is the fact that the US Federal Communications Commission (FCC) has adopted new rules to protect US consumers from SIM-swapping attacks and port-out scams. These new rules require US wireless providers to use secure methods of authenticating a customer when they request porting a SIM card to a new device or their phone number to a new carrier.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Scattered Spider ransomware gang falls under government agency scrutiny 

We’ve got good news. Malwarebytes is now offering 50% off our products to students, wherever you are in the world.

Technology is now an indispensable part of student life, used for everything from socialising and calling home, to writing and researching essays. Unfortunately, that makes students taking their first steps into adult life a prime target for cybercrime.

But how can you be sure the Wi-Fi network you’re connecting to at your library or local coffee shop is safe? What about when you’re inside college walls? More than that, your social media accounts likely hold a lot of information about you, information you don’t want to get into the wrong hands.

It’s hard to know who to trust online, and one click on a dodgy link could lead to compromised accounts, identity theft or even malware.

And, as one student we spoke to said “Nothing is worse than losing a school essay”.

We know you need to protect yourself and your important files online, but we also know that you’re probably feeling strapped for cash at the moment.

We’ve got good news. Malwarebytes is now offering 50% off our products to students, wherever you are in the world.

Here’s what we can help with:

*   Protect your important essays from ransomware and other nasties with Premium Security
*   Help you shop online safer, with protection against infected ad and credit card skimmers in Browser Guard
*   Keep your identity safe and protect your social media accounts with Identity Theft Protection
*   Block trackers and ads with Browser Guard
*   Work safely in coffee shops, libraries and other public places with Privacy VPN
*   Game faster and in peace while staying protected by using Play mode to suspend notifications

Find out more and see pricing on our student discount page.

Source

Malwarebytes