Seemingly innocent "white pages," including an elaborate Star Wars-themed site, are bypassing Google's malvertising filters, showing up high in search results to lure users to second-stage phishing sites.

Source: Bits And Splits via Shtterstock

Threat actors appear to have found yet another innovative use case for artificial intelligence in malicious campaigns: to create decoy ads for fooling malvertising-detection engines on the Google Ads platform.

The scam involves attackers buying Google Search ads and using AI to create ad pages with unique content and absolutely nothing malicious about them. The goal is to use these decoy ads to then lure visitors to phishing sites for stealing credentials and other sensitive data.

With malvertising, threat actors create malicious ads that are rigged to surface high up in search engine results when people search for a particular product or service. The ads often spoof popular and trusted brands and involve webpages and content that are replicas of the originals but serve instead to redirect users to phishing pages or download an attacker's malware of choice on systems of users who interact with the malicious ads.

While many malvertisement campaigns are targeted at consumers, there have been several recently focused on corporate users as well. One example is a campaign that sought to distribute the Lobshot backdoor on corporate systems, and another that phished employees at Lowe's.

**A Steady, Post-Macro Increase in Malvertising**

"We are seeing more and more cases of fake content produced for deception purposes," researchers at Malwarebytes said in a report on the campaign this week. These so called "white pages," as they are being referred to in the criminal underground, serve as legitimate-looking decoys, or front-end webpages that hide malicious content and activities behind them, according to Malwarebytes.

Related:Manufacturers Lose Azure Creds to HubSpot Phishing Attack

"The content is unique and sometimes funny if you are a real human, but unfortunately a computer analyzing the code would likely give it a green check," Malwarebytes security researcher Jerome Segura wrote. White pages, incidentally, are in contrast to "black pages," which are the actual malicious landing pages containing harmful content or malware.

The use of AI to plant decoy content on Google Ads adds a new wrinkle to malvertising scams, which have seen a remarkable surge in volume recently. Malwarebytes has pinned the increase to Microsoft's decision in 2022 to block macros in Word, Excel, and PowerPoint files downloaded from the Internet — a top malware vector for threat actors. That decision forced attackers to look for other malware distribution vectors, one of which happens to be malvertising, according to Malwarebytes.

Though Google and operators of other major online ad distribution networks have been battling against the scourge — and have gotten better at quickly identifying and removing malvertising content — bad actors have consistently managed to remain a step ahead. A Malwarebytes study found Amazon to be the most spoofed brand in malvertising campaigns, followed by Rufus, Weebly, NotePad++, and TradingView.

Related:CISA Directs Federal Agencies to Secure Cloud Environments

**Spoofing Brands With AI-Generated Content**

In its report, Malwarebytes provided two examples of AI-generated decoy ads it spotted recently on Google Ads. One of the decoy ads targeted users searching the Internet for the Securitas OneID mobile app, and the other targeted users of the Parsec remote desktop app, which is popular among gamers.

The Securitas OneID scam involved an entirely AI-generated website, complete with AI-generated images of supposed executives of the company.

"When Google tries to validate the ad, they will see this cloaked page with pretty unique content and there is absolutely nothing malicious within it," Segura wrote.

With the Parsec ad, the threat actors used some creative license of their own to generate a heavily Star Wars\-influenced website, replete with references to the parsec astronomical measurement unit. The artwork for the website even included several AI-generated Star Wars-themed posters, which while impressive, would likely have suggested to users that the site had nothing to do with the legitimate Parsec app.

Related:Azure Data Factory Bugs Expose Cloud Infrastructure

"Ironically, it is quite straightforward for a real human to identify much of the cloaked content as just fake fluff. Sometimes, things just don’t add up and are simply comical," Segura wrote. Even so, as a cloaking mechanism for a malvertising campaign," he added, "the website would have passed Google's validation checks.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Malvertisers Fool Google With AI-Generated Decoy Content

Pallet liquidation is an attractive playing field for online scammers. Will you receive goods or get your credit card details stolen?

Pallet liquidation scams target people looking to purchase pallets of supposedly discounted merchandise, often from major retailers like Amazon.

Groups that engage in pallet liquidation sales are rampant on social media and it’s hard to discern the scammers from the legitimate ones (to be honest, I’ve always thought they were all scams, until someone told me there are legitimate ones), let alone the grey area in between.

The scams are based on the fact that many products are returned and can not be sold again for various reasons. But companies also offer overstock and out-of-season apparel for sale. Most of these companies have the first buyers sign non-disclosure agreements (NDAs) so when you scroll through different legitimate liquidation websites and marketplaces the origin of the pallet is almost never stated.

Depending on the reason of sale and the origin, the pallets may include a large quantity of one product or a mix of products, such as overstock or discontinued items, customer returns, or refurbished goods.

Given that the pallet liquidation market is a billion-dollar industry, it inevitably attracts scammers seeking to grab a piece of the action without putting in the work or risk.

In social media groups that specialize in pallet liquidation, you’ll find advertisements that promise valuable merchandise at significantly discounted prices, such as electronics, tools, or other high-demand items.

Facebook pallet liquidation ad

You’ll also see sponsored ads on social media about pallet sales (note: these are almost always fake).

The risk of not receiving what you have paid for is an obvious one, but some of these scammers will go the extra mile and set up fake websites where they will try and harvest payment details.

**How to steer clear of pallet liquidation scams**

If you’re really looking to try your luck at this, there are a few tips that can help you get your money’s worth.

The first thing to keep in mind is the higher up you are in the chain, the better your chances of making a profit are. It usually also means buying large quantities (I’m talking about truckloads) and larger investments. And most sellers do not have a return policy. I realize the large shipments are not for everyone, so here are some things to remember:

**Red flags:**

Unbelievable prices. The people you’re buying from are not stupid. If they are offering goods for unbelievable prices, don’t take their word for it.

Payment methods. Sellers who insist on payment methods that do not offer buyer protection are likely scammers.

Only payment options without buyer protection

Lack of manifest. Sellers that are unwilling to disclose any information about the content of a pallet shouldn’t be trusted. There is definitely a higher risk of damaged items.

Time pressure. Slogans like “Act now!” or “Only 3 left” are often used to create a false sense of urgency, hoping victims will purchase without applying the research below.

**Research the seller:**

Find **contact information** and check the validity. Legitimate liquidation sites provide clear and easily accessible contact details, including physical address, phone number, and email address. Be wary of sites that lack this information or provide vague or unreliable contact details.

Verify the **physical address** of the liquidation site through online maps or directories. A legitimate company is more likely to have a verifiable physical presence. After all, you can hardly receive these pallets in a PO box.

For a website you can use online tools to find the **domain age and registration**. Legitimate domains have a longer history so they are easier to research. New domains should be regarded as suspicious, since scammers have the habit of moving on to the next domain leaving bad reviews behind.

Check if the website is listed on the Better Business Bureau (BBB) website and **review their rating and any associated complaints**. It also allows you to check how long they’ve been in business.

Do an **online search** for the name of the company and combine it with terms like “scam” or “complaint” to help you find problems others may have run into in dealing with this company.

Don’t trust **sponsored ads.** We have heard of scammers that can afford to pay millions to advertise on Meta, Google, and other platforms and still make a handsome profit.

Use **web protection** like Malwarebytes Browser Guard. It flags malicious websites and credit card skimmers that steal your information.

**Too late?**

If you suspect that your payment card details have been stolen, these are the recommended actions:

*   Regularly check account and card statements and notify your bank about any suspicious activity.
*   Where possible, set up fraud alerts with your bank or payment card provider.
*   Change the password and enable multi-factor authentication if you haven’t already.
*   Freeze your credit so nobody can open any new accounts in your name.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Pallet liquidation scams and how to recognize them 

## Summary

`jsii` is a TypeScript to JavaScript compiler that also extracts an interface definition manifest to generate RPC stubs in various programming languages. jsii is typically used as a command-line tool, but it can also be loaded as a library.
When loaded as a library into a larger application, prototype pollution may happen if untrusted user input is passed to the library. When used as a command line-tool, this pollution cannot occur.

## Impact

You may be impacted if you have written an application that loads jsii as a library, and passes untrusted user input into the `jsii.configureCategories()` function. In that case, a user can craft input in such a way that, following the invocation, a field named "category" with a user-controlled value is added to the JavaScript Object prototype. This will cause every object in the program (both new and existing) to have a field named "category", even if it shouldn't. 

**This will not affect jsii itself, but it might affect the application you have loaded jsii into.**

> The function `jsii.configureCategories()` is used to configure the severity (error, warning, etc.) of various jsii diagnostics.

**Impacted versions: <=5.7.2, <=5.6.3, <=5.5.14, <=5.4.45** 

**Example:**

```js
const jsii = require('jsii');

// prints 'undefined'
console.log(JSON.stringify({}.category))

// calling 'configureCategories' with user input
jsii.configureCategories(JSON.parse('{"__proto__": "user-input"}'))

// from this point onwards, every single object literal in the program
// will contain the 'category' key, with user controlled value
console.log(JSON.stringify({}.category)) // prints 'user-input'


// this can affect the execution of the main program in case it also makes 
// use of an object key called 'category'. for example, if the main programs 
// happens to have code like this:

const x = {} // some object in the main program (not necessarily empty)

if (x.category) {
  // this block will always be executed, effectively 
  // changing the behavior of the main program.
  console.log('Do something')
} else {
  console.log('Do something else')
}
```

For more information about javascript prototype pollution, see [1].

## Patches

A patch is included in versions [5.7.3](https://github.com/aws/jsii-compiler/releases/tag/v5.7.3), [5.6.4](https://github.com/aws/jsii-compiler/releases/tag/v5.6.4), [5.5.15](https://github.com/aws/jsii-compiler/releases/tag/v5.5.15), [5.4.46](https://github.com/aws/jsii-compiler/releases/tag/v5.4.46)

## Workarounds

Sanitize user input to configureCategories() by stripping the __proto__ property if detected.

## References

If you have any questions or comments about this advisory, we ask that you contact AWS/Amazon Security via our issue reporting page [2] or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.

[1] https://learn.snyk.io/lesson/prototype-pollution/

[2] [https://aws.amazon.com/security/issue-reporting](https://aws.amazon.com/security/vulnerability-reporting)

**Summary**

jsii is a TypeScript to JavaScript compiler that also extracts an interface definition manifest to generate RPC stubs in various programming languages. jsii is typically used as a command-line tool, but it can also be loaded as a library.  
When loaded as a library into a larger application, prototype pollution may happen if untrusted user input is passed to the library. When used as a command line-tool, this pollution cannot occur.

**Impact**

You may be impacted if you have written an application that loads jsii as a library, and passes untrusted user input into the jsii.configureCategories() function. In that case, a user can craft input in such a way that, following the invocation, a field named "category" with a user-controlled value is added to the JavaScript Object prototype. This will cause every object in the program (both new and existing) to have a field named "category", even if it shouldn't.

**This will not affect jsii itself, but it might affect the application you have loaded jsii into.**

> The function jsii.configureCategories() is used to configure the severity (error, warning, etc.) of various jsii diagnostics.

**Impacted versions: <=5.7.2, <=5.6.3, <=5.5.14, <=5.4.45**

**Example:**

const jsii \= require('jsii');

// prints 'undefined'
console.log(JSON.stringify({}.category))

// calling 'configureCategories' with user input
jsii.configureCategories(JSON.parse('{"\_\_proto\_\_": "user-input"}'))

// from this point onwards, every single object literal in the program
// will contain the 'category' key, with user controlled value
console.log(JSON.stringify({}.category)) // prints 'user-input'

// this can affect the execution of the main program in case it also makes 
// use of an object key called 'category'. for example, if the main programs 
// happens to have code like this:

const x \= {} // some object in the main program (not necessarily empty)

if (x.category) {
  // this block will always be executed, effectively 
  // changing the behavior of the main program.
  console.log('Do something')
} else {
  console.log('Do something else')
}

For more information about javascript prototype pollution, see \[1\].

**Patches**

A patch is included in versions 5.7.3, 5.6.4, 5.5.15, 5.4.46

**Workarounds**

Sanitize user input to configureCategories() by stripping the **proto** property if detected.

**References**

If you have any questions or comments about this advisory, we ask that you contact AWS/Amazon Security via our issue reporting page \[2\] or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

\[1\] https://learn.snyk.io/lesson/prototype-pollution/

\[2\] https://aws.amazon.com/security/issue-reporting

**References**

*   GHSA-m56h-5xx3-2jc2
*   https://github.com/aws/jsii-compiler/releases/tag/v5.4.46
*   https://github.com/aws/jsii-compiler/releases/tag/v5.5.15
*   https://github.com/aws/jsii-compiler/releases/tag/v5.6.4
*   https://github.com/aws/jsii-compiler/releases/tag/v5.7.3

GHSA-m56h-5xx3-2jc2: Prototype pollution in jsii.configureCategories

An online repository of screenshots where victims filled out their payment card details online was publicly accessible.

Another day, another exposed S3 bucket.

This time, 5 million US credit cards and personal details were leaked online. The Leakd.com security team discovered that 5 terabytes of sensitive screenshots were exposed in a freely accessible Amazon S3 bucket.

An S3 bucket is like a virtual file folder in the cloud where you can store various types of data, such as text files, images, videos, and more. There is no limit to the amount of data you can store in an S3 bucket, and individual instances can be up to 5 TB in size.

In this case we don’t know who’s behind the leak, although it seems clear from the screenshots that it’s a phishing operation and the credit and debit card information was exactly the data they were after. Although they probably didn’t intend to share it with the whole world.

Unfortunately, not knowing who left the data exposed makes it harder to plug the hole, but the AWS Abuse team initiated an investigation based on the information provided by Leakd.

The leaked information contains 5 terabytes of screenshots where victims filled out their details on websites that offered “free iPhones” and heavily discounted holiday gifts.

Image courtesy of Leakd.com

Looking at how those screenshots are organized, there are two possible sources.

*   Information stealers, many infostealers are capable of taking screenshots and naming them in a way that helps the attackers track and organize the stolen data.
*   Phishing using websites that were especially set up for this task. This seems to most likely scenario, because of the content of the screenshots.

As Leakd.com describes it:

> “The leaked screenshots often featured instances of users entering personal and financial details into seemingly innocent promotional forms.”

Image courtesy of Leakd.com

**What do I need to do?**

Stolen payment card details are bad enough, as they can be used for financial fraud, identity theft, and cause privacy issues.

The timing just weeks before Christmas makes it even worse. It is hard enough to keep track of your own spending for some of us, let alone when a criminal decides to spend some of our money. And having to cancel your payment card because someone else might use it is most inconvenient right now.

But if you suspect that your payment card details have been stolen, these are the recommended actions:

*   Regularly check account and card statements and notify your bank about any suspicious activity.
*   Where possible, set up fraud alerts with your bank or payment card provider.
*   Change the password and enable multi-factor authentication if you haven’t already.
*   Freeze your credit so nobody can open any new accounts in your name.

If you don’t want to become a victim of these cybercriminals:

*   Don’t get phished. Be aware of the signs and don’t respond to unsolicited emails and texts.
*   Shy away from sites making too-good-to-be-true offers.
*   Use web protection like Malwarebytes Browser Guard. It flags malicious websites and credit card skimmers that steal your information.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 5 million payment card details stolen in painful reminder to monitor Christmas spending 

The marketing of illegal drugs on open platforms is “gaining prominence,” authorities note, while the number of drug transactions on the darkweb has decreased in recent years.

If you buy something using links in our stories, we may earn a commission. This helps support our journalism. Learn more. Please also consider subscribing to WIRED

For every illegal drug, there is a combination of emojis that dealers and consumers use to evade detection on social media and messaging platforms. Snowflakes, snowfall, and snowmen symbolize cocaine. Love hearts, lightning bolts, and pill capsules mean MDMA, or “molly.” Brown hearts and dragons represent heroin. Grapes and baby bottles are the calling cards for codeine-containing cough syrup, aka “lean.” The humble maple leaf, meanwhile, is the universal symbol for all drugs.

The proliferation of open drug dealing on Instagram, Snapchat, and X—as well as on encrypted messaging platforms Telegram and WhatsApp—has transformed the fabric of illegal substance procurement, gradually making it more convenient, and arguably safer, for consumers, who can receive packages in the mail without meeting people on street corners or going through the rigmarole of the dark web. There is no reliable way to gauge drug trafficking on social media, but the European Union Drugs Agency acknowledged in its latest report on the drivers of European drug sales that purchases brokered through such platforms “appear to be gaining in prominence.”

Initial studies into drug sales on social media began to be published in 2012. Over the next decade, piecemeal studies began to reveal a notable portion of drug sales were being mediated by social platforms. In 2021, it was estimated some 20 percent of drug purchases in Ireland were being arranged through social media. In the US in 2018 and Spain in 2019, a tenth of young people who used drugs appear to have connected with dealers through the internet, with the large majority doing so through social media, according to one small study.

Some dealers these days are even brazen enough to boost their posts and pay for sponsored advertising. “Mushrooms and marijuana used to be hard to get and now they’re being marketed to me in beautiful packaging on Instagram,” says one 34-year-old in Austin, Texas that WIRED spoke to. Dealers ran hundreds of paid advertisements on Meta platforms in 2024 to sell illegal opioids and what appeared to be cocaine and ecstasy pills, according to a report this year by the Tech Transparency Project, and federal prosecutors are investigating Meta over the issue.

“You’re seeing a more sophisticated commoditization of the available marketplaces,” says Adam Winstock, a British consultant psychiatrist and addiction medicine specialist who is also the founder of the Global Drug Survey. The current drug-using younger generation are entirely used to getting everything online, he adds, reflecting the increasing integration of social media in people’s lives. “It’s convenient, \[and\] there’s less chance of violence.”

There are heightened concerns over the presence of super-strength opioids like fentanyl in drugs. But despite some contaminated pills having lethal effects on those who purchased them on the internet, Winstock says that drugs purchased through online networks are subject to “potentially better quality control”—with Telegram channels devoted to discussing the quality of drugs purveyed by certain dealers, and Amazon-style feedback sections within some vendors’ stores. “The question is where in the food chain that they’re cut,” Winstock says.

The menus provided by dealers through messaging apps and on social media are often lengthy and diverse, featuring prized varieties advertised for their purity and sold at significantly lower costs than equivalents available on the streets of London and New York. However, there’s been no formal evaluation of online and street drug sales that can attest to the relative purity and safety of what’s sold in either place—and illegal drugs always come with a safety risk, regardless of where they are bought from.

Even while traditional drug transactions continue to dominate, the apparent rise in sales of drugs through social media has coincided with a steep increase in the average value of transactions on the dark web, amid a fall in the overall number of transactions, according to the UN Office on Drugs and Crime’s 2024 World Drug Report. To the UNODC, this suggests “an increase in wholesale activities” on the dark web—though this could also reflect consumers who buy smaller quantities shifting from the darknet to the clearnet and encrypted messaging apps.

“End users seem to be buying their drugs on the dark web to a lesser extent than in previous years,” the UNODC said in its 2023 report. “Qualitative information provided by people who use social media suggests that the use of such media for drug purchasing purposes has been increasing, especially at the retail level.”

The shifting market trends also bring troubling developments. New and potentially more vulnerable population segments can be reached by exploitative drug dealers as they begin to sell on social platforms and the number of drug consumers in the US and around the world grows. The US Drug Enforcement Administration has warned that because dealers are “no longer confined to street corners and the dark web,” social media users’ posts and inboxes can be peppered by dealers seeking to purvey these addictive and, when misused, harmful drugs. “Social media extends the reach of the Sinaloa and Jalisco cartels directly into drug users’ phones, with potentially fatal consequences,” the DEA said in its 2024 national drug threat assessment report, bemoaning that dealers are more difficult to apprehend online than the streets.

Social media companies are under growing pressure to eradicate drug dealing on their platforms, says Ashly Fuller, a PhD candidate at University College London researching the sale and advertisement of illegal drugs to young people on social media. Data released by social media companies shows that millions of pieces of drug-related content are already taken down every year. (Facebook and Instagram took action against 9.3 million pieces of drug-related content last year, while Snapchat says it did so in 241,227 cases in the second half of 2023.) But these companies’ actions are sometimes indiscriminate. The accounts of organizations promoting drug harm reduction and social media personalities who post content about drugs and psychedelics, but who do not sell them, are being caught in the crossfire of efforts to get a grip on the issue.

A study by Fuller last year indicates that as many as 13 percent social media posts may advertise illegal drugs—underlining the scale of the issue Meta, X, TikTok, and Snapchat have on their hands. Drug sale advertisements could even be increasing in prevalence, according to a forthcoming study by Fuller which was shared with WIRED. She surveyed 1,100 13- to 18-year-olds and found that 60 percent of young people have seen drug-related content on social media (mostly for cannabis and psychedelics, which have been legalized or decriminalized in a few parts of the world). “They’re common enough that young people stumble upon them on TikTok and Instagram.”

In response, social media companies’ algorithms to detect drug-selling behavior are getting smarter and are aggregating images and emojis, Fuller says. “There is an understanding that seeing these ads on social media is correlated to a decreased risk perception, and young people are led to think the drugs are safer.” Of the teenagers she sampled, 10 percent reported purchasing drugs via social media. “Those exposed to drug ads were 17 times more likely to purchase drugs on social media compared to those who had not seen such ads,” she adds.

But according to Meta, no more than 1 in 2,000 views on Facebook is of content that violates its restricted goods policy. Between July and September 2024, Meta says that 96 percent of drug sales content that violated its terms was removed before a user reported it. TikTok, meanwhile, removed 99.5 percent of content violating its policy on alcohol, tobacco, and drugs before it was reported, according to its Community Guidelines Enforcement Report for the second quarter of 2024.

Meta, SnapChat, and TikTok declined to offer an on-the-record statement. X did not respond to requests for comment. A Telegram spokesperson said: “Telegram actively combats misuse of the platform, including for the sale of illicit substances. Moderators, empowered with custom AI and machine learning tools, remove millions of pieces of harmful content each day to keep the platform safe.”

The world’s first internet-facilitated sale, in the early 1970s and on the internet precursor Arpanet, was for an undetermined amount of cannabis. The agreement was between students. Today, strangers may contact you on social media offering drugs to buy. For as many people who believe this is something of a utopian development, you can be sure many more view it as dystopian—especially if the dealers are in fact scammers or selling dodgy goods.

“We were wondering if you will be interested in having a trip with our products,” one Instagram account messaged me recently. On X, meanwhile, posts related to psychedelics are regularly infiltrated by bots directing traffic to dealers. “Virtually all psychedelic post\[s\] are followed by bots selling microdoses,” leading psychedelics researcher Matthew Johnson posted on X in December. “All my blocking & spam reporting seems futile.” An account recently replied to one of my posts, linking to the profile of their apparent boss: “He’s got all Psyche meds & acids.”

Some dealers lurking on social media are even more shady. The drug information organization Pill Report has told of people wiring cash to dealers and getting duped, with nothing sent to them. When one such person interviewed by WIRED sent money for cannabis through a cash transfer app but received nothing in the mail, he reported the account. “It became a threatening match and they sent photos of thugs with guns saying they were going to come for me,” he says.

In a VICE documentary on drug sales on social media, it took the host just 5 minutes to connect with a dealer in London. “Anyone can sell nowadays,” another dealer told the journalist. “You see little kids, 12-year-olds and everything, setting up accounts. It’s easy, isn’t it? You can sit at home, make an account, and make money. Who doesn’t want to do that?” As part of a separate research project, a 15-year-old was able to locate an account selling Xanax tablets in mere seconds on Instagram.

Telegram’s drug markets remain somewhat complicated to access for the average person, but are still far easier to access than those on the darknet. “The problem with darknet markets is that you need to install Tor, get a PGP, and have cryptocurrencies,” says Francois Lamy, an associate professor at Mahidol University in Thailand who researches the sociology of drug use. “It’s a little bit more difficult to navigate. With Telegram, you type a few keywords, and there you go. You can find everything.”

When the Telegram founder Pavel Durov was arrested outside of Paris, France, in August, prosecutors cited the scale of drug trafficking on the platform as part of the justification. The next month, a new Telegram user policy was introduced to “discourage criminals” and hand over the data of users who are accused of illegal behavior on the platform by authorities with search warrants. “While 99.999% of Telegram users have nothing to do with crime, the 0.001% involved in illicit activities create a bad image for the entire platform, putting the interests of our almost billion users at risk,” Durov said in a statement at the time.

But experts warn that any increased enforcement on Telegram will simply cause dealers to go elsewhere, disrupting a market that has largely established itself as a safer source of drugs. “If one supply avenue is closed by enforcement, another is soon found to replace it,” says Steve Rolles, senior policy analyst at the Transform Drug Policy Foundation, a UK-based NGO. “Enforcement has, somewhat ironically, actually accelerated these innovations—driving the evolution of ever more sophisticated sales models. The only way such markets can be defeated in the longer term is to replace them through legal regulation.”

Drug Dealers Have Moved Onto Social Media

Task scams are a new type of scams where victims are slowly tricked into paying to get paid for repetitive simple tasks

An unfamiliar type of scam has surged against everyday people, with a year-over-year increase of some 400%, putting job seekers at risk of losing their time and money.

The emerging threat is delivered in “task scams” or “gamified job scams.” While these scams were virtually non-existent in 2020, the FTC reported 5,000 cases in 2023 and a whopping 20,000 cases in the first half of 2024.

In these scams, online criminals prey on people looking for remote jobs by offering them simple repetitive tasks such as liking videos, optimizing apps, boosting product interest, or rating product images. These tasks are usually organized in sets of 40 tasks that will take the victim to a “next level” once they are completed.

Sometimes the victim will get a so-called double task that earns a bigger commission. The trick is that the scammers will make the victim think they are earning money to raise trust in the system. The money can be fake and only displayed in the system, but some victims report actually receiving small sums.

But at some point, the scammers will tell the victims, they have to make a deposit to get the next set of tasks or get your earnings out of the app. So, victims are likely to make that deposit, or all their work will have been for naught.

Scammers use cryptocurrency like USDT (a digital stable-coin with a value tied to the value of the US dollar) to make their payments.

Task scams typically begin with unsolicited text messages or messages via platforms like WhatsApp, Telegram, or other messaging apps. These messages often come from unknown numbers or profiles that may appear professional to gain trust. Reportedly, these scams like to impersonate legitimate companies such as Deloitte, Amazon, McKinsey and Company, and Airbnb.

Scammers count on the urge that victims do not want to “cut their losses” and will try to pull victims in even deeper, sometimes inviting them into groups where newcomers can learn and hear success stories from (fake) experienced workers.

**How to avoid task scams**

Once you know the red flags, it is easier to shy away from task scams.

*   Do not respond to unsolicited job offers via text messages or messaging apps.
*   Never pay to get paid.
*   Verify the legitimacy of the employer through official channels.
*   Don’t trust anyone who offer to pay for something illegal such as rating or liking things online.

It’s also important to keep in mind that legitimate employers do not ask employees to pay for the opportunity to work. And as with most scams, if it sound to good to be true, it probably is.

If you run into a task scam, please report them to the FTC at ReportFraud.ftc.gov.

 Task scams surge by 400%, but what are they? 

Care1, a Canadian healthcare solutions provider left a cloud storage instance freely accessible and unencrypted for anyone to find.

Your main business is healthcare, so your excuse when you get hacked is that you didn’t have the budget to secure your network. Am I right?

So, in order to prevent a ransomware gang from infiltrating your network, you could just give them what they want—all your data.

The seemingly preferred method to accomplish this is to leave the information unprotected and unencrypted in an exposed Amazon S3 bucket.

An S3 bucket is like a virtual file folder in the cloud where you can store various types of data, such as text files, images, videos, and more. There is no limit to the amount of data you can store in an S3 bucket, and individual instances can be up to 5 TB in size.

Security researcher Jeremiah Fowler is always looking for exposed cloud storage. And recently he found one that contained over 4.8 million documents with a total size of 2.2 TB.

He soon found out that it belonged to a Canadian company offering AI software solutions to support optometrists in delivering enhanced patient care, called Care1. Care1 Canada provides software tools that “take patient care to the next level.”

The information Jeremiah found included eye exam results, which detailed patient PII, doctor’s comments, and images of the exam results. The database also contained lists of patients which included their home addresses, Personal Health Numbers (PHN), and details regarding their health.

In the Canadian healthcare system, a Personal Health Number (PHN) is a unique lifetime identifier that is used to share a patient’s health information among healthcare providers.

This type of healthcare information can be used in phishing attacks, identity theft, and can cause health privacy issues. Ransomware gangs know this is highly coveted, which is why ThreatDown numbers regularly show that 5 to 6% of ransomware attacks are targeting the healthcare industry.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 4.8 million healthcare records left freely accessible 

Learn how blockchain and smart contracts improve cybersecurity factors in online transactions, remove the element of fraud, and…

Learn how blockchain and smart contracts improve cybersecurity factors in online transactions, remove the element of fraud, and promote trust with automation and transparency.

In this connected age, where data breaches and online fraud are rising concerns, blockchain technology and smart contracts have become powerful solutions for secure transactions. Their ability to provide transparency, remove middlemen, and enable fraud-resistant mechanisms has made them a key part of today’s financial systems and more.

****How Blockchain Builds a Secure Foundation****

Blockchain is best known as the technology behind cryptocurrencies like Bitcoin and Ethereum, but its uses go well beyond digital currencies. It works as a decentralized ledger, recording transactions across multiple points in a network, which makes it incredibly secure and nearly impossible for cybercriminals to tamper with or hack.

When it comes to digital payments, this decentralization is key. Traditional payment systems rely on central authorities, which are vulnerable to malware attacks, breaches and fraud.

Blockchain, on the other hand, distributes the transaction record across a network, reducing the risk of a single point of failure. The stability of blockchain also means that once a transaction is recorded, it cannot be changed, adding another layer of trust and accountability.

****The Role of Smart Contracts****

Smart contracts take blockchain’s security a step further. These self-executing agreements operate based on established criteria rules written into code. Once the conditions are met, the contract automatically executes, removing the need for intermediaries.

For example, imagine buying a digital service. A smart contract can be programmed to release payment only when the service is delivered and verified. This reduces the risk of fraud and disputes, as the terms are enforced automatically.

Another benefit is efficiency. By automating processes, smart contracts not only save time but also reduce costs associated with manual verification and third-party oversight. This makes them especially appealing for industries like supply chain management, insurance, and real estate, where trust and speed are paramount.

However, security vulnerabilities have also affected smart contracts, which need to be addressed by skilled blockchain developers or specialized auditing teams. According to Onchainpay, a European secure cryptocurrency payment gateway, smart contract vulnerabilities are one single major factor that continues to pose security risks within the blockchain infrastructure.

A recent systematic literature review identified 101 distinct vulnerabilities in Ethereum smart contracts, categorized into ten groups. In particular, in the first quarter of 2024 alone, exploits targeting these vulnerabilities resulted in nearly $45 million in losses across 16 incidents, averaging $2.8 million per exploit.

****Real-World Applications****

Nevertheless, despite ups and downs, Blockchain and smart contracts are already being used to secure payments and transactions globally. As noticed by Halborn, Microsoft, JPMorgan Chase, Walmart, IBM and Amazon are just some major examples.

In international payments, they enable faster and more transparent transfers without the hefty fees associated with traditional banking. In e-commerce, smart contracts can automate escrow services, protecting both buyers and sellers.

Even outside of payments, blockchain is enhancing security. From safeguarding healthcare records to verifying the authenticity of luxury goods, its applications are vast.

****What This Means for Businesses****

As cybersecurity threats grow, businesses opting for blockchain and smart contracts gain a competitive advantage in security and efficiency. For consumers, this means safer and more reliable transactions.

While the technology isn’t without challenges, such as regulatory hurdles and technical complexity, its benefits are clear. Businesses looking to adopt secure payment systems should consider solutions that leverage blockchain and smart contracts to protect their data and enhance trust in their transactions.

1.  **6 of the Best Crypto Bug Bounty Programs**
2.  **5 Platforms for Identifying Smart Contract Vulnerabilities**
3.  **Growing Importance of Secure Crypto Payment Gateways**
4.  **Best Crypto Marketing Agencies for Web3 Security Brands**
5.  **Why Hosting firms have started accepting crypto payments**
6.  **Top 5 Platforms for Identifying Smart Contract Vulnerabilities**

The Role of Blockchain and Smart Contracts in Securing Digital Transactions

Open source Prometheus servers and exporters are leaking plaintext passwords and tokens, along with API addresses of internal locations.

Statue of PrometheusSource: luminous via Alamy Stock Photo

Reseachers have discovered hundreds of thousands of servers running Prometheus open source monitoring software on the open Web are exposing passwords, tokens, and opportunities for denial of service (DoS) and remote code execution.

As a leader among open source observability tools, Prometheus is used widely by organizations to monitor the performance of their applications and cloud infrastructure. But it comes with a catch: As noted in its documentation, "It is presumed that untrusted users have access to the Prometheus HTTP endpoint and logs. They have access to all time series information contained in the database, plus a variety of operational/debugging information."

Apparently, a whole lot of users either aren't aware of the ways in which Prometheus is exposed by default, or don't realize the value of the data that's exposed along the way. Using Shodan, researchers from Aqua Nautilus discovered more than 40,000 exposed Prometheus servers, and more than 296,000 exposed "exporters," which the program uses to collect data from monitored endpoints. The researchers found sensitive data in those servers and exporters, and opportunities for "repojacking" and DoS attacks.

**What Prometheus Exposes**

On first impression, the data Prometheus collects might seem rather bland: application performance metrics, metrics associated with particular cloud tools, CPU, memory, and disk usage, for example.

"We think that it's only statistics — it's only information about the health of the system. That's the problem," says Assaf Morag, director of threat intelligence at Aqua Nautilus. Probing the data from the perspective of an attacker reveals all kinds of information that could lubricate cyberattacks.

"We noticed that we can actually see plaintext passwords and tokens, and API addresses of internal locations that should be kept hidden," Morag says. For example, he found one exposed and unauthenticated instance of Prometheus belonging to Skoda Auto, the Czech automobile manufacturer, which revealed some of the company's subdomains, and Docker registries and images.

Besides exposing secrets, open Web Prometheus servers and exporters also carry a risk of DoS. There's the '/debug/pprof' endpoint, for example, which helps users profile remote hosts, and is enabled by default by most Prometheus components. In their testing, the researchers demonstrated that they could overload the endpoint to disrupt communications or outright crash Amazon Web Services Elastic Compute Cloud (AWS EC2) instances or Kubernetes pods.

"The result was conclusive: We ended up stopping virtual machines each time we ran our script," Morag reports. To drive home the significance of such an attack scenario, he jokes, "I read somewhere that Kubernetes clusters run in fighter jets. I don't think that they are exposed to the Internet, but \[it goes to show\] we run Kubernetes in lots of places today."

**Repojacking Opportunities in Prometheus**

Users can protect their Prometheus servers and exporters by taking them offline, or at least adding a layer of authentication to keep out prying eyes. And, of course, there are tools designed to mitigate DoS risks.

Less easily solved is a third issue in the platform: Several of its exporters were found vulnerable to repojacking attacks.

The opportunity for repojacking can occur whenever a developer changes or deletes their account on GitHub and doesn't perform a namespace retirement. Simply, an attacker registers the developer's old username, then plants malware under the same title as the developer's old, legitimate projects. Then any projects that reference this repository but aren't updated with the correct redirect link can end up ingesting the malicious copycat.

Prometheus' official documentation referenced several exporters associated with freely claimable usernames, meaning that any attacker could have stepped in and taken advantage to perform remote code execution. Aqua Nautilus reported the issue to Prometheus, and it has since been addressed.

Repojacking opportunities are likely far more widespread than is realized, Morag emphasizes, so organizations need to be monitoring any discrepancies between the projects they rely on and the links they follow to access them. "It's not that difficult," he says. "But if you're doing it for millions of open source projects, that's where the problem starts. If you use an automated \[scanning tool\], you could be safe."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

336K Prometheus Instances Exposed to DoS, 'Repojacking'

Researchers at Cavero have created a correlating numbers mechanism, adding a layer of privacy that even threat actors can't gain enough information to breach.

Source: ArtemisDiana via Alamy Stock Photo

A future that uses quantum computing is not far off — but not quite here either. When it does arrive, it will ultimately render the methods we use to encrypt information useless. And while some organizations and businesses may be slow to act, bad actors are already preparing, stealing large amounts of encrypted data and putting it on hold until a later date, when quantum capabilities become available and allow them to decrypt it.

These attacks are known as harvest now, decrypt later (HNDL) attacks — and they pose a serious threat in the future, should bad actors gain access to quantum computers and find the means to actually use them.

"What we need is a new way for us to be able to encrypt data which protects that data now and in the future as well," says Frey Wilson, co-founder and CTO at Cavero Quantum.

**The Cavero Method**

Cavero has created a cryptographic system that uses symmetric keys in two different ways, one using computation complexity and the other using an information theoretical method. The latter typically uses physical resources, but Wilson notes that Cavero achieves it by using the properties of random numbers.

"If you can create two correlated data sets and ensure that any third data set is correlated \[but\] not in the same way as the initial two, then from the correlated data, you can use essentially low entropy sections of that data to be able to generate a key mutually," says Wilson, ahead of a Black Hat Europe 2024 briefing on the approach.

Related:Library of Congress Offers AI Legal Guidance to Researchers

These keys aren't passkeys, though the intention is on the same track, Wilson stresses. Passkeys fall under the category of asymmetric keys, a cryptographic method of encrypting and decrypting data. The risk with this, however, is that passkeys are limited within their own ecosystems, such as Apple or Amazon, unable to cross-correlate with other ecosystems.

"Because this key is sent from a central server initially, there's a moment that the key is in transit to get to a device," says James Trenholme, CEO of Cavero Quantum. "It has the potential to be hacked or viewed by a third party."

Cavero aims to solve this problem by providing a solution that doesn't share any information publicly. Keys are mutually generated for each party using the correlating numbers mechanism, so that even if a threat actor is watching the exchange in the middle, they are unable to gather enough information to calculate or intercept the key, Trenholme adds.

**The Past & Future of Cryptography Keys**

Wilson says the solution, which uses smaller key sizes and is deployable on any device regardless of the size, is unique in its approach.

Related:'White FAANG' Data Export Attack: A Gold Mine for PII Threats

"That appeal to history is absolutely something that we hear regularly," says Wilson of their solution, which is nearly 12 years in the making. "This is based off a body of work that has existed here that we’ve taken, and we've expanded on. It just so happens that we've taken it in a direction that's been slightly different to other people."

Wilson plans to go into detail on that at Black Hat Europe, noting that "it's a new way of looking at the methodology that sits underneath it."

Going forward, the pair would like to see Cavero's keys used as the cornerstone in many, if not all, types of communications. And while its natural for a CEO to say this about their company's product, it seems as though Cavero's keys are in the best interest of communications processes in the name of privacy and security.

Some industries will benefit from Cavero's technology sooner than others, like those that manage high-value data or have a long-term data source.

"We'd like to see it used in every kind of communication, whether it be a voice call, a message, a data transfer, logging applications, the list goes on," says Trenholme, including telecommunications, defense, financial services, identity frameworks, and more.

Related:'Bootkitty' First Bootloader to Take Aim at Linux

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Tag

#amazon