A list of topics we covered in the week of September 9 to September 15 of 2024

September 13, 2024 - Car manufacturer Ford Motor Company has filed a patent application for an in-vehicle advertisement presentation system based on information derived from...

September 12, 2024 - Meta has admitted to scraping Australian Facebook user's public photos, posts and other data to train its AI models, including those of kids on adult profiles.

September 12, 2024 - We dug into PartnerLeak, the site behind the "your partner is cheating on you" emails, including how and where the scammers get their information.

September 10, 2024 - Payment gateway provider Slim CD has notified 1.7 million users that their credit card information may have been leaked.

September 10, 2024 - Scammers are now throwing in the name of the partner of the targeted victim, telling them that their partner is cheating on them.

 A week in security (September 9 &#8211; September 15) 

Car manufacturer Ford Motor Company has filed a patent application for an in-vehicle advertisement presentation system based on information derived from...

Car manufacturer Ford Motor Company has filed a patent application for an in-vehicle advertisement presentation system based on information derived from several trip and driver characteristics. Among those characteristics—human conversations.

In the abstract of the patent application publication Ford writes:

> “An example method includes determining vehicle information for a trip, the vehicle information including any one or more of a current vehicle location, a vehicle speed, a drive mode, and/or traffic information, the user information including any one or more of a route prediction, a speed prediction for the trip, and/or a destination, determining user preferences for advertisements from any one or more of audio signals within the vehicle and/or historical user data, selecting a number of the advertisements to present to the user during the trip, and providing the advertisements to the user during the trip through a human-machine interface (HMI) of the vehicle.”

Further one it details that “the controller may monitor user dialogue to detect when individuals are in a conversation.”

Based on this info, the controller can decrease or increase the number of advertisements. And “the conversations can be parsed for keywords or phrases that may indicate where the occupants are travelling to.”

Okay.

Essentially, the car you’re driving would not only spy on your driving behavior, your present and future locations, and your requested driving routes, but it would also eavesdrop on you. And let’s not forget the safety implications of displaying advertisements while you’re driving.

We have spoken about cars and privacy at length and came to the conclusion they’re not very good at it. Many politicians in the US agree with that point of view. US senators have asked the Federal Trade Commission (FTC) to investigate car makers’ privacy practices and Texas Attorney General Ken Paxton sued General Motors for selling customer driving data to third parties.

We explained why car location tracking needs an overhaul and we’ve implored that automakers work together to help users by providing them with the ability to turn tracking features off (a serious vulnerability for people fleeing from an abusive relationship).

Yet nowhere in the entire document exists one word about how Ford intends to keep the acquired information secure. We’d advise all car companies remediate existing security vulnerabilities before introducing potential new ones.

What’s next, Ford? Will you stop working if we drive past one of the establishments that sponsor your ads? Or was that “feature” to disable a functionality of a component of the vehicle or to place the vehicle in a lockout condition only for the repossession plans you attempted to patent earlier on?

Another controversial Ford patent filed in July described technology that would enable vehicles to monitor the speed of nearby cars, photograph them and send the information to police.

In a statement to Fortune, the company clarified that filing a patent is a standard practice to explore new ideas and doesn’t necessarily indicate immediate plans to release such a system.

We realize that advertisements make the internet go round. Many useful websites could not exist without them. But do these in-vehicle advertisements benefit the owner of the car? If it makes the cars cheaper, I’d be willing to pay some extra to not be bothered and eavesdropped on while driving. How about you? Let us know in the comments.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Ford seeks patent for conversation-based advertising 

Beware before calling Apple for assistance as scammers are creating malicious ads and fake pages to lure you in.

We’ve uncovered a malicious campaign going after Mac users looking for support or extended warranty from Apple via the AppleCare+ support plans. The perpetrators are buying Google ads to lure in their victims and redirect them to bogus pages hosted on GitHub, the developer and code repository platform owned by Microsoft.

The goal of this scam is to get unsuspecting people on the phone with someone pretending to be working for Apple. From there, fraudulent call center agents will social engineer their victims in order to extract money from them.

In this blog post, we expose the techniques behind this scam and provide mitigation steps to stay away from them. We’d like to thank GitHub for their quick response in taking down the malicious accounts we reported to them.

**Hey Siri, google “Apple phone support”**

While Apple products are designed with simplicity in mind, we’ve all come across an issue at some point that we need assistance with. Google, who reportedly paid Apple $20 billion to be the default search engine, will display results in Safari, along with ads, hence the lucrative partnership.

Those “Sponsored” results can appear at the top or further down the search results page. In the image seen below, a malicious ad appears at the very top, right before Apple’s official phone number. In other cases we encountered, multiple malicious ads were displayed before any legitimate results.

Clicking on one of those will redirect to a fake AppleCare+ customer service page, inviting users to call a 1-800 phone number supposedly belonging to Apple. In reality, in just 2 simple clicks victims are connected with scammers located in call centers overseas.

The fake Apple customer service pages are hosted on Microsoft’s GitHub source code repository as standalone HTML templates using Apple’s branding. Scammers are creating several accounts on GitHub with one or multiple repositories with the same fraudulent _index.html_ template:

During an active campaign, they can easily swap phone numbers in case one got reported and blocked. In fact, we saw scammers do just that thanks to GitHub’s commit history:

There is also an interesting piece of code within the page (autoDial) that automatically pops up the phone dialog menu. This ensures that victims have one less thing to click on to get connected with a scammer impersonating Apple:

**Risks and mitigations**

This particular scheme is exceptionally easy to fall for due to the combination of malicious Google ads and lookalike pages. Scammers are preying on unsuspecting users to trust that they are real Apple service agents and that it’s okay to give them personal information.

The biggest risk to consumers is being defrauded for hundreds, and often thousands of dollars. Scammers typically instruct victims to withdraw money from their bank account and send it to them, in various ways.

In some cases we investigated this year, fraudsters will ask for the victim’s name, address, social security number and banking details. With that information, they can easily blackmail them directly or share their profile with other scammers who will pretend to help from the original incident.

We advise users to be extremely cautious when looking for phone or online support related to any of the most popular brands. Microsoft is usually highly targeted by scammers due to its dominance in the computer market share. Keep in mind that whenever you click on a sponsored result or ad, you are taking a chance of being redirected to a malicious site.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Scammers advertise fake AppleCare+ service via GitHub repos 

Meta has admitted to scraping Australian Facebook user's public photos, posts and other data to train its AI models, including those of kids on adult profiles.

Facebook has admitted that it scrapes the public photos, posts and other data from the accounts of Australian adult users to train its AI models. Unlike citizens of the European Union (EU), Australians are not offered an opt-out option to refuse consent.

At an inquiry as to whether the social media giant was hoovering up the data of all Australians in order to build its generative artificial intelligence tools, senator Tony Sheldon asked whether Meta (Facebook’s owner) had used Australian posts from as far back as 2007 to feed its AI products.

At first Meta’s global privacy director Melinda Claybaugh denied this but senator David Shoebridge challenged her claim.

> “The truth of the matter is that unless you have consciously set those posts to private since 2007, Meta has just decided that you will scrape all of the photos and all of the texts from every public post on Instagram or Facebook since 2007, unless there was a conscious decision to set them on private. That’s the reality, isn’t it?”

Claybaugh said yes, but she added that accounts of people under 18 were not scraped. However, when Senator Sheldon asked Claybaugh whether public photos of his children on his own account would be scraped, Claybaugh acknowledged they would.

When asked whether the company scraped data from previous years of users who were now adults, but were under 18 when they created their accounts, the question remained unanswered.

It is not new that Meta uses public Facebook and Instagram posts to train its AI, and Meta is not the only social media platform that does this. European privacy watchdogs accused X of unlawfully using personal data of 60 million+ users to train its AI Grok as well.

In June, the EU’s Data Protection Commission (DPC) reached an agreement with Meta to pause its plans to train its large language model using public content shared by adults on Facebook and Instagram across the EU. This decision followed intensive engagement between the DPC and Meta.

Australia recently revealed plans to set a minimum age limit for children to use social media, citing concerns around mental and physical health.

Prime Minister Anthony Albanese said his government would run an age verification trial before introducing age minimum laws for social media this year. The Prime Minister didn’t specify an age but said it would likely be between 14 and 16.

The reasoning behind the age limit had nothing to do with data scraping. He stated:

> “I want to see kids off their devices and onto the footy fields and the swimming pools and the tennis courts. … We want them to have real experiences with real people because we know that social media is causing social harm.”

But nevertheless, the scraping could be a factor when the final decision about the age limit comes around.

**What to do**

Wherever you are in the world, we encourage you to think carefully about sharing photos of your kids online. Of course it’s lovely to post their photos for your friends and family to see, but once something is posted online you lose control about where that image is, and who has access to it.

If you really do want to share photos, lock your profile down as much as possible and keep your photos away from just anyone.

If you’re an adult and worried about image scraping, check the terms and conditions for accounts and see if you can opt-out. If there’s no option, carefully consider whether you want to post to that service at all.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Facebook scrapes photos of kids from Australian user profiles to train its AI 

We dug into PartnerLeak, the site behind the "your partner is cheating on you" emails, including how and where the scammers get their information.

Earlier this week, we reported on a new type of scam that tells you your partner is cheating on you. However, we hit a dead end because we were unable to get hold of an original copy of the email.

That was until the scammers were “kind enough” to send one to one of our co-workers.

your partner is cheating on you and we have proof

> “Hi (target’s name\],
> 
> \[Partner’s name\] is cheating on you. Here is proof.
> 
> As a company engaged in cyber security we’ve found information related to \[partner’s name\] that might interest you.
> 
> We made a full backup of \[his/her\] disk. (We have all \[his/her\] address book, social media, history of viewing sites, dating apps, all files, phone numbers, and addresses of all \[his/her\] contacts) and are willing to give you a full access to this data. For more details visit our website.”

With this, we were able to investigate the scammers’ intentions.

All three of the links in the email (Here, website, and Check now) point to the same website. Through a landing page located at click\[.\]cardfoolops\[.\]com visitors are redirected to partnerleak\[.\]com.

The partnerleak\[.\]com domain was registered on August 1, 2024, with NameCheap anonymously. Anonymous registration doesn’t automatically mean the person registering is up to no good, but it did block us from researching this avenue any further.

The registration date, however, matches with the first complaints we started seeing about these emails.

Malwarebytes blocks partnerleak\[.\]com

During the redirection process, your email address is passed on, which means when you register at the site your email address is already filled out.

Email address is transmitted and pre-filled

The PartnerLeak site itself says it offers anonymity, as well as “crucial insights” into the behaviour of the one you love.

> “completely anonymous service leverages artificial intelligence and the vulnerabilities of popular smartphones to provide crucial insights into your partner’s behavior.”

> “**Are You Concerned About Your Partner’s Honesty?**
> 
> If you’ve decided to take a leap into a relationship but find yourself questioning your partner’s honesty, or if you’ve been together for a while and something feels off, we have a solution for you.
> 
> **Our Service**
> 
> Our completely anonymous service leverages artificial intelligence and the vulnerabilities of popular smartphones to provide crucial insights into your partner’s behavior. Here’s how it works:
> 
> Data Backup Access: You can download a backup from iCloud or Google, which includes:
> 
> *   Device location tracking
> *   Movement history with timestamps
> *   Correspondence from popular messaging apps like Telegram, WhatsApp, and iMessage
> *   Photo and video materials stored on the smartphone
> 
> Social Media Analysis: Utilizing AI and extensive data, our service can:
> 
> *   Check user registration and analyze behavior on platforms like Facebook and Twitter
> *   Investigate activity on popular dating apps such as Tinder, AdultFriendFinder, Hinge, and OkCupid
> 
> This comprehensive analysis helps you verify the reliability of your potential partner based on criteria that matter most to you.
> 
> **Commitment to Anonymity and Privacy**
> 
> *   Anonymous Transactions: We prioritize your anonymity by processing payments through cryptocurrencies, ensuring that your partner will remain unaware of your inquiries.
> *   Data Privacy: Your privacy is of utmost importance. We offer the option to permanently delete any data related to you from our system.
> 
> Take control of your relationship concerns today with our discreet and effective service!”

Nowhere on the site does it specify how much such an investigation would cost, but after registration you can start a search at which point it will tell you to top up your balance.

You don’t have free search. Please top up balance or try use different email.

To top up your balance there are three payment options:

*   Credit card
*   Bitcoin
*   Ethereum

We checked the balances on the cryptocurrency accounts they provided and we are happy to report that those are both dead in the water. We can only hope that the PartnerLeak revenue from credit cards looks the same, although that is probably wishful thinking on our part.

An empty and inactive Bitcoin wallet

An equally empty Ethereum account

Our investigation into where the scammers were getting the necessary information always pointed in the same direction: The Knot, a wedding services company.

However, we couldn’t find any breaches of its site or any tangible evidence that it was anything more than just a source of information. Like many other similar sites, it is easy to find a partner name on the site if you already have the name and email of the other partner.

But since many victims, including our co-worker, used The Knot’s services, we contacted them and received this statement from a spokesperson:

> “We were notified of user concerns, and after investigation by our cybersecurity team, determined there is no evidence of unauthorized access to our systems.”

Regardless of where the scammers are getting their data, let’s keep their balance at zero and spread the word.

**How to react to your partner “is cheating on you” emails**

First and foremost, never reply to emails of this kind. That tells the sender that someone is reading the emails sent to that address, and will lead to them trying other ways to defraud you.

*   If the email includes a password, make sure you are not using it any more _on any account_. If you are, change it as soon as possible.
*   If you are having trouble remembering all your passwords, have a look at a password manager.
*   Don’t let yourself get rushed into doing something. Scammers rely on time pressure that leads to people making quick decisions.
*   Do not open unsolicited attachments. Especially when the sender address is suspicious, or even appears to be your own.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 PartnerLeak scam site promises victims full access to &#8220;cheating&#8221; partner&#8217;s stolen data 

Payment gateway provider Slim CD has notified 1.7 million users that their credit card information may have been leaked.

Payment provider Slim CD has disclosed a security incident that may have exposed the full credit card information of anyone paying at a merchant that uses Slim CD’s services.

The Florida-based gateway system, which allows merchants to take any kind of electronic payment, said on June 15 it noticed “suspicious activity” within its environment.

A subsequent investigation by a third-party specialist revealed that cybercriminals had access to Slim CD’s systems for 10 months, between August 17, 2023, and June 15, 2024. However, the company said the criminals only had access to credit card and other information between June 14 and June 15, 2024.

Slim CD said that the compromised information included full names, physical addresses, and credit card numbers including expiration dates.

The company said it is not aware of anyone yet using the exposed information:

> “Although Slim CD presently has no evidence that any such information has been used to commit identity theft or fraud, Slim CD is providing information about the event, Slim CD’s response, and resources available to individuals to help protect their information from possible misuse.”

Even though there is no mention of credit card verification numbers being included in the breached data, Slim CD is still warning about the possible risks:

> “We encourage you to remain vigilant against incidents of identity theft and fraud by reviewing your account statements and monitoring your free credit reports for suspicious activity and to detect errors.”

Customers are often unaware which payment provider is used by their online shops, so a data breach notice may come as a surprise to many of the 1,693,000 affected people.

****Protecting yourself after a data breach****

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Payment provider data breach exposes credit card information of 1.7 million customers 

Scammers are now throwing in the name of the partner of the targeted victim, telling them that their partner is cheating on them.

As if they weren’t annoying enough already, scammers have recently introduced new pressure tactics to their sextortion and scam emails.

Last week we reported how cybercriminals are using photographs of targets’ homes in order to scare them into paying money. Now they’re throwing in the name of targets’ partners, telling the receiver that their partner is cheating on them.

The general outline of the scammy email looks like this:

> “Hi (target’s name\],
> 
> \[Partner’s name\] is cheating on you. Here is proof.
> 
> As a company engaged in cyber security we’ve found information related to \[partner’s name\] that might interest you.
> 
> We made a full backup of \[his/her\] disk. (We have all \[his/her\] address book, social media, history of viewing sites, dating apps, all files, phone numbers, and addresses of all \[his/her\] contacts) and are willing to give you a full access to this data. For more details visit our website.”

For some people, the links in the mail lead to a site where you can “buy the data” for around $2500 in Bitcoin. Others report they were sent to a site that presented them with a login screen.

But where did the scammers get the partner’s name from?

Based on speculation among Reddit users, BleepingComputer contacted a wedding planning site called The Knot, which was listed as a possible source, but received no reply. Looking at our data, we can confirm that 3,677 users of The Knot have had their login credentials compromised at some point in time, but not all at once, so The Knot is not necessarily the source of the data.

There are many other ways that scammers can dig through or combine breached data to find out who your partner is and compose such a personalized email, or they could spend a small amount of time on social media to find out relatively quickly.

Regardless of where the scammers got the information, please don’t let this type of email ruin your relationship or even one minute of your day. Send the emails straight to the trash.

**How to react to your partner “is cheating on you” emails**

First and foremost, never reply to emails of this kind. That tells the sender that someone is reading the emails sent to that address, and will lead to them trying other ways to defraud you.

*   If the email includes a password, make sure you are not using it any more _on any account_. If you are, change it as soon as possible.
*   If you are having trouble remembering all your passwords, have a look at a password manager.
*   Don’t let yourself get rushed into doing something. Scammers rely on time pressure that leads to people making quick decisions.
*   Do not open unsolicited attachments. Especially when the sender address is suspicious, or even appears to be your own.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Your partner “is cheating on you” scam asks you to pay to see proof 

This week on the Lock and Code podcast, we speak with Eva Galperin about the arrest of Telegram's CEO and how it impacts security and privacy.

_This week on the Lock and Code podcast…_

On August 24, at an airport just outside of Paris, a man named Pavel Durov was detained for questioning by French investigators. Just days later, the same man was charged in crimes related to the distribution of child pornography and illicit transactions, such as drug trafficking and fraud.

Durov is the CEO and founder of the messaging and communications app Telegram. Though Durov holds citizenship in France and the United Arab Emirates—where Telegram is based—he was born and lived for many years in Russia, where he started his first social media company, Vkontakte. The Facebook-esque platform gained popularity in Russia, not just amongst users, but also the watchful eye of the government.

Following a prolonged battle regarding the control of Vkontake—which included government demands to deliver user information and to shut down accounts that helped organize protests against Vladimir Putin in 2012—Durov eventually left the company and the country all together.

But more than 10 years later, Durov is once again finding himself a person of interest for government affairs, facing several charges now in France where, while he is not in jail, he has been ordered to stay.

After Durov’s arrest, the X account for Telegram responded, saying:

“Telegram abides by EU laws, including the Digital Services Act—its moderation is within industry standards and constantly improving. Telegram’s CEO Pavel Durov has nothing to hide and travels frequently in Europe. It is absurd to claim that a platform or its owner are responsible for abuse of the platform.”

But how true is that?

In the United States, companies themselves, such as YouTube, X (formerly Twitter), and Facebook often respond to violations of “copyright”—the protection that gets violated when a random user posts clips or full versions of movies, television shows, and music. And the same companies get involved when certain types of harassment, hate speech, and violent threats are posted on public channels for users to see.

This work, called “content moderation,” is standard practice for many technology and social media platforms today, but there’s a chance that Durov’s arrest isn’t related to content moderation at all. Instead, it may be related to the things that Telegram users say in private to one another over end-to-end encrypted chats.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Electronic Frontier Foundation Director of Cybersecurity Eva Galperin about Telegram, its features, and whether Durov’s arrest is an escalation of content moderation gone wrong or the latest skirmish in government efforts to break end-to-end encryption.

> “Chances are that these are requests around content that Telegram can see, but if \[the requests\] touch end-to-end encrypted content, then I have to flip tables.”

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 What the arrest of Telegram&#8217;s CEO means, with Eva Galperin (Lock and Code S05E19) 

A list of topics we covered in the week of September 2 to September 8 of 2024

September 5, 2024 - Criminals are impersonating MyLowesLife, Lowes' HR portal for current and former employees.

September 5, 2024 - Intermountain Planned Parenthood of Montana suffered a cyberattack which has been claimed by a ransomware group

September 4, 2024 - " Hello pervert" sextortion mails keep adding new features to their email to increase credibility and urge victims to pay

September 4, 2024 - With the elections at full throttle we are seeing several types of scams resurfacing and undoubtedly more will come

September 3, 2024 - Transport for London (TfL) is apparently fighting a cybersecurity incident but is rather sparing in providing details

 A week in security (September 2 &#8211; September 8) 

Criminals are impersonating MyLowesLife, Lowes' HR portal for current and former employees.

In mid-August, we identified a malvertising campaign targeting Lowes employees via Google ads. Like many large corporations, Lowe’s has their own employe portal called MyLowesLife, for all matters related to schedule, pay stubs, or benefits.

Lowe’s employees who searched for “myloweslife” during that time, may have seen one or multiple fraudulent ads. The threat actor, who does not strictly limit themselves to Lowe’s but also targets other institutions, aims to gain access to the login credentials of current and former employees.

**My Lowe’s Life ads**

Combining ads with a phishing page is a proven recipe for success. Indeed, unsuspecting users often rely on Google Search to take them to the site they are looking for, rather than manually entering its full URL in the browser’s address bar. It is somewhat suspicious to see ads for an internal HR portal, but then again it could be easy to overlook that oddity.

We found two different advertiser accounts impersonating MyLowesLife, and in one instance, we even saw 3 malicious ads from both accounts one after the other. The URL listed for each ad is different, and does not match the legitimate one (myloweslife.com), a well-known technique of lookalikes criminals often employ.

**Phishing site built with AI**

The threat actor registered several similarly looking domain names in order to trick their victims:

myloveslife\[.\]net  
mylifelowes\[.\]org  
mylifelowes\[.\]net  
myliveloves\[.\]net

What’s interesting is how the home page for each of those is not what you’d expect. In fact, what we see is a generic ‘retail store’ template which appears to have been built using AI.

There is a simple reason for this: if anyone was to investigate those potentially fraudulent websites, they would not see anything malicious. As a result, it will be difficult to convince a domain registrar or hosting provider to take any action such as suspending the site.

**Phishing page**

When victims click on the Google ad, they are taken directly to the phishing page, contained within a directory named ‘wamapps’, which interestingly matches the structure of the real Mylowe’s Life website:

https://lius.myloweslife.com/wamapps/wamlogin

This an exact replica of the real Lowe’s portal that prompts users for their Sales Number and Password:

Looking at the page’s source code, we can see how these two fields are being sent back to the threat actor using a POST request via xxx.php, the phishing kit. After collecting this data, a second page asks users for their security question. This is presumably a feature used by Lowe’s to secure accounts if they detect unusual login activity:

Finally, after providing those details, victims are redirected to the real MyLowesLife website where they will be asked for their login details again. While that could raise suspicion, it’s possible many users will think it’s simply a glitch with the system and won’t look back again.

It’s unclear what the threat actor does with the stolen credentials, but likely they are a broker reselling them to other criminals.

**Mitigations**

Brand impersonation via Google ads is a very popular technique leveraged by threat actors of all kind. They know people will open up their default browser, do a quick search and that’s exactly where they can target them.

To avoid many of the phishing campaigns that abuse Google ads, we strongly recommend against clicking on sponsored results. You are better off scrolling down further and visiting the official websites directly.

For an online portal you regularly visit (bank, grocery store, etc.) it’s a good idea to bookmark the website into your browser’s favorites: it’s quicker and safer to visit a site that you trust in that manner.

We reported these malicious ads to Google and to our knowledge this ad campaign is no longer running. Malwarebytes customers were protected on day 1 via both the Malwarebytes Browser Guard and Malwarebytes Premium Security. If you suspect you have been a victim of identity theft, feel free to check out Malwarebytes Identity Theft Protection (also available to customers via our premium security products).

Source

Malwarebytes