The propensity for users to enter customer data, source code, employee benefits information, financial data, and more into ChatGPT, Copilot, and others is racking up real risk for enterprises.

Source: Marcos Alvarado via Alamy Stock Photo

A wide spectrum of data is being shared by employees through generative AI (GenAI) tools, researchers have found, legitimizing many organizations' hesitancy to fully adopt AI practices.

Every time a user enters data into a prompt for ChatGPT or a similar tool, the information is ingested into the service's LLM data set as source material used to train the next generation of the algorithm. The concern is that the information could be retrieved at a later date via savvy prompts, a vulnerability, or a hack, if proper data security isn't in place for the service.

That's according to researchers at Harmonic, who analyzed thousands of prompts submitted by users into GenAI platforms such as Microsoft, Copilot, OpenAI ChatGPT, Google Gemini, Anthropic's Clause, and Perplexity. In their research, they discovered that though in many cases employee behavior in using these tools was straightforward, such as wanting to summarize a piece of text, edit a blog, or some other relatively simple task, there were a subset of requests that were much more compromising. In all, 8.5% of the analyzed GenAI prompts included sensitive data, to be exact.

**Customer Data Most Often Leaked to GenAI**

The sensitive data that employees are sharing often falls into one of five categories: customer data, employee data, legal and finance, security, and sensitive code, according to Harmonic.

Customer data holds the biggest share of sensitive data prompts, at 45.77%, according to the researchers. An example of this is when employees submit insurance claims containing customer information into a GenAI platform to save time in processing claims. Though this might be effective in making things more efficient, inputting this kind of private and highly detailed information poses a high risk of exposing customer data such as billing information, customer authentication, customer profile, payment transactions, credit cards, and more.

Employee data makes up 27% of sensitive prompts in Harmonic's study, indicating that GenAI tools are increasingly used for internal processes. This could mean performance reviews, hiring decisions, and even decisions regarding yearly bonuses. Other information that ends up being offered up for potential compromise includes employment records, personally identifiable information (PII), and payroll data.

Legal and finance information is not as frequently exposed, at 14.88%, however, when it is, it can lead to great corporate risk, according to the researchers. Unfortunately, when GenAI is used in these fields, it's for simple tasks such as spell checks, translation, or summarizing legal texts. For something so small, the consequences are incredibly high, risking a variety of data such as sales pipeline details, mergers and acquisition information, and financial data. 

Security information and security code each compose the smallest amount of leaked sensitive data, at 6.88% and 5.64%, respectively. However, though these two groups fall short compared to those previously mentioned, they are some of the fastest growing and most concerning, according to the researchers. Security data inputted into GenAI includes penetration test results, network configurations, backup plans, and more, providing exact guidelines and blueprints as to how bad actors can exploit vulnerabilities and take advantage of their victims. Code inputted into these tools could put technology companies at a competitive disadvantage, exposing vulnerabilities and allowing competitors to replicate unique functionalities.

**Balancing GenAI Cyber-Risk & Reward**

If the research shows that GenAI offers high-risk potential consequences, should businesses continue to use it? Experts say they might not have a choice.

"Organizations risk losing their competitive edge of if they expose sensitive data," said the researchers in the report. "Yet at the same time, they also risk losing out if they don't adopt GenAI and fall behind."

Stephen Kowski, field chief technology officer (CTO) at SlashNext Email Security+, agrees. "Companies that don’t adopt generative AI risk losing significant competitive advantages in efficiency, productivity, and innovation as the technology continues to reshape business operations," he said in an emailed statement to Dark Reading. "Without GenAI, businesses face higher operational costs and slower decision-making processes, while their competitors leverage AI to automate tasks, gain deeper customer insights, and accelerate product development."

Others, however, disagree that GenAI is necessary, or that an organization needs any artificial intelligence at all.

"Utilizing AI for the sake of using AI is destined to fail," said Kris Bondi, CEO and co-founder of Mimoto, in an emailed statement to Dark Reading. "Even if it gets fully implemented, if it isn't serving an established need, it will lose support when budgets are eventually cut or reappropriated."

Though Kowski believes that not incorporating GenAI is risky, success can still be achieved, he notes.

"Success without AI is still achievable if a company has a compelling value proposition and strong business model, particularly in sectors like engineering, agriculture, healthcare, or local services where non-AI solutions often have greater impact," he said.

If organizations do want to pursue incorporating GenAI tools but want to mitigate the high risks that come along with it, the researchers at Harmonic have recommendations on how to best approach this. The first is to move beyond "block strategies" and implement effective AI governance, including deploying systems to track input into GenAI tools in real time, identifying what plans are in use and ensuring that employees are using paid plans for their work and not plans that use inputted data to train systems, gaining full visibility over these tools, sensitive data classification, creating and enforcing workflows, and training employees on best practices and risks of responsible GenAI use.

Employees Enter Sensitive Data Into GenAI Prompts Far Too Often

As LLMs broaden access to hacking and diversify attack strategies, understanding the thought processes behind these innovations will be vital for bolstering IT defenses.

COMMENTARY

Hacking is innovation in its purest form. Like any other innovation, a successful hack requires developing a creative solution to the scenario at hand and then effectively implementing that solution. As technologies facilitate implementation, successfully preventing a hack (that is, blue teaming) or simulating an attack to test defenses (red teaming) will require a better understanding of how adversaries generate creative ideas.

In the 1990s, many organizations and vendors did not sufficiently prioritize security when designing systems. As a result, finding solutions to bypass their security measures took hackers relatively little time. The problem was that while many hackers could imagine attacks that would bypass these rudimentary security measures, few had the technical skills to implement those attacks. For instance, while hacking enthusiasts theoretically understood how to abuse vulnerabilities in insecure network protocols, most lacked the technical skills necessary to write a raw socket library to do so. The bottleneck was implementation.

Over the next two decades, automated tools were developed for almost every generalized attack pattern. Suddenly, the complicated solutions that a '90s hacker could only imagine but lacked the programming capability to execute became possible with the click of a button for anyone. While some attacks still require technical skills, today it is possible to hack by creatively chaining together the abundant functions of various automated hacking tools (e.g., Metasploit, Burp Suite, Mimikatz) to penetrate the system's cracks.

Similarly, it is easy to find help, such as Copilot apps and software developers on freelancing platforms, to write specific functions required to implement an attack. In other words, with the advent of new tools and platforms, the emphasis in a successful hack has been shifting from implementation (that is, being able to write the code for the attack you imagine) to creativity (being able to imagine a novel attack). Now, the advent of large language models (LLMs) with growing inventive capabilities means that pure creativity — rather than bottlenecks in technical capability — will drive the next era of hacking.

**A New Breed of Hackers**

How will this new breed of hackers differ in terms of how they devise new cyberattacks? In many cases, this creativity will take the form of designing a novel prompt, as implementation will increasingly happen through LLMs and their various plug-ins (for instance, Anthropic's Claude 3.5 Sonnet model can already use computers). Most importantly, because many of them will not have a background in computer science, their reasoning will build on ideas and solutions from different domains — also known as analogical transfer. Many fighters in history designed novel martial arts by drawing inspiration from the behaviors of different animals. In a similar vein, a recently developed side-channel attack uses signals from wireless devices in a building to map the bodies of the people inside (analogous to how bats use echolocation to find their prey). Research has also found that information can be stolen even from air-gapped systems not connected to the Internet by examining the electromagnetic wave patterns emitted by a screen's cable or by analyzing the acoustic sound patterns of the screen itself to reconstruct the contents displayed on the computer's screen (perhaps analogous to reconstructing the recent history of a black hole by analyzing faint remnant signals in the form of Hawking radiation).

It's likely that novel prompts making similar analogies will lead to creative uses of LLMs in devising new and unexpected attack patterns. They may draw inspiration from famous battles, chess games, or business strategies, resulting in novel attack patterns or techniques. This also means that successfully preventing such attacks or emulating them for red-teaming purposes will require using research methods from behavioral sciences — such as marketing — to extrapolate common or uncommon prompts an attacker might try.

Research into potential prompts for designing an attack can take various forms. Traditional research methods, such as idea generation experiments, surveys, and in-depth interviews, can provide insights into common and uncommon prompts people may consider. Additionally, research from search engines and social media platforms may offer ideas about common combinations of knowledge (for instance, market basket analysis), which can be valuable for estimating potential analogies that people interested in hacking may be more likely to generate. Finally, crowdsourcing-based research, such as hacking challenges, will again be an asset, but the focus will be not only on the attack but also on the prompts used to develop that attack. Prompts that result in novel attacks are likely to be regularly utilized by both blue and red teams, much like Google Dorks are employed today.

As LLMs broaden access to hacking and diversify attack strategies, understanding the thought processes behind these innovations will be vital for bolstering IT defenses. Insights from behavioral sciences like marketing will play a key role in achieving this goal.

**About the Authors**

Reader (Associate Professor) in Digital Innovation and Information Security, King's College London

Aybars Tuncdogan is a reader (associate professor) in digital innovation and information security at King’s College London. He is also a research affiliate of the King’s AI Institute and a member of both the Cybersecurity Research Centre (King’s Informatics Department) and the Cyber Security Research Group (King’s War Studies Department). 

Professor of Marketing & Innovation, King's College London

Oguz A. Acar is a professor of marketing and innovation and head of generative AI at King's Business School, King's College London. He is also a research affiliate at Laboratory of Innovation Science at Harvard University and an expert at World Economic Forum.

Leveraging Behavioral Insights to Counter LLM-Enabled Hacking

Unless you have been gifted with a photographic memory, this is likely going to sound very familiar. Picture it: You’re away from your desk and you need to access one of your apps from your phone. You attempt to sign in and get the dreaded message: “the username and password entered do not match our records.” Thus begins the time-consuming process of requesting a password reset, including coming up with a new password that doesn’t match something you’ve already used in the past. Despite the frustration you feel, passwords have been the cornerstone of keeping our online data secure fo

Unless you have been gifted with a photographic memory, this is likely going to sound very familiar. Picture it: You’re away from your desk and you need to access one of your apps from your phone. You attempt to sign in and get the dreaded message: “the username and password entered do not match our records.” Thus begins the time-consuming process of requesting a password reset, including coming up with a new password that doesn’t match something you’ve already used in the past. Despite the frustration you feel, passwords have been the cornerstone of keeping our online data secure for decades. In today’s digital landscape, however, we need more than passwords. Here’s a look at some of the key reasons why:

**Vulnerability to cyberattacks**

*   Passwords are frequently targeted by phishing attacks, brute-force attempts, and credential stuffing.
*   Stolen passwords are often sold on the dark web, putting sensitive information at risk.

**Human limitations**

*   People struggle to remember complex passwords, leading to weak or reused credentials.
    *   With advancements in AI, hackers can guess passwords faster and bypass traditional defenses.
*   Common passwords like _123456_ or password remain pervasive despite awareness campaigns.
    *   Password managers, though helpful, aren't foolproof and can be compromised.

**User frustration**

*   Password resets account for a significant share of IT help desk requests, creating frustration for users and costs for businesses.
    *   “We’re reaching out to let you know that you haven’t updated your Dropbox Password since mid-2012, you’ll be prompted to update it next time you sign in. ...” - Dropbox Forces Password Reset for Older Users

**Data breaches**

*   In 2023 alone, billions of credentials were leaked globally due to weak or reused passwords, becoming a year of record-breaking data breaches.
    *   Enterprises spend millions annually on password-related issues, including resets, support and security measures. According to IBM, the average total cost of a data breach is $4.88 million.
*   Reports show that over 65% of hacking-related breaches involve compromised credentials.

**Passwordless authentication**

Passwordless authentication can be used as a method of verifying a user's identity without relying on traditional passwords. Instead, it uses other forms of verification, such as:

*   Hardware tokens: security token or smartphone.
*   Biometrics: fingerprints, facial recognition or retina scans.
*   Special links: links shared with the user that log them in automatically.
*   A combination of all forms of verification.

Passwordless authentication methods typically rely on public-key cryptography infrastructure where a pair of keys are generated. The security of public-key cryptography depends on keeping the private key secret, while the public key can be openly distributed without compromising security. Thus, the public key is provided during registration to the authenticating service (remote server, application or website) while the private key is kept on a user’s device (security token, smartphone) and ideally can only be accessed by providing an additional authentication factor (PIN, biometric).

**How passwordless authentication mitigates common cybersecurity threats**

The main problem associated with password reuse is credential stuffing, and it involves reusing the password obtained from a data breach from one site to try and access accounts on other sites. Users typically reuse passwords across multiple sites, thus one breach could compromise all their accounts. In passwordless authentication, passwords aren’t used, thus users can’t be subject to credential stuffing.

Phishing is a form of social engineering as well as a scam where attackers deceive people into revealing sensitive information. For the use case we are dealing with, this sensitive information would be an authentication factor such as a password, the hardware token or the log-in link. As you can guess, in a passwordless workflow, the password doesn’t exist, and users are also quite reluctant to share their security keys or their biometric data.

A brute-force attack is like a digital battering ram—attackers attempt to gain access to an account or system by trying every possible password combination until they find the right one. It's a method of trial and error, relying on sheer computational power rather than any sophisticated trickery. In a passwordless environment, such attacks are almost ineffective because public key cryptography is much more difficult to break than a password due to the computational effort needed for a brute-force attack to succeed. In addition, having more than one authentication factor, such as a biometric scanner or a security key, makes it virtually impossible for such attacks to happen.

In summary, many of the attacks that could occur in a password-based environment are minimized, or even eliminated, if we use a passwordless authentication workflow.

**Why move from password to passwordless?**

There are several reasons to make the move to passwordless authentication. In fact, some large companies like Mastercard have already spoken about their intent to move to a passwordless model and use biometrics instead. As organizations begin to analyze whether to make the move, the key benefits fall into the following categories:

**Enhanced security**

*   Passwordless methods (biometrics, passkeys or hardware tokens) eliminate vulnerabilities like phishing and brute-force attacks.
*   Relying on more secure systems, such as public key cryptography, nearly impossible to crack.
*   Authentication shifts from relying on passwords to using the individual's unique physical or behavioral characteristics, such as their fingerprint, face or voice, to verify their identity. In other words, a person’s inherent traits, rather than a memorized password, serve as the key to access.

**Better user experience**

*   Users no longer need to remember multiple passwords or go through reset or rotation password processes.
*   Authentication becomes faster and more user-friendly, improving satisfaction and reducing churn.
*   Surveys show that users prefer passwordless options, such as biometrics or device-based authentication, due to convenience and security.
*   Users are more likely to trust a system that ensures their data is safe without relying on them to create secure passwords.

**Industry adoption**

*   Regulatory bodies, like NIS2, emphasize stricter security measures, often recommending alternatives to passwords.

**Why take a layered approach to security?**

The challenges of identity management and access controls are not solved by one approach or single solution alone. Instead, it’s important to take a layered approach, often achieved through a collection of tools and solutions working together. In the case of passwordless authentication, it can be further enhanced by using Multi-Factor Authentication (MFA) and Single Sign-On (SSO). Let’s explain these terms before going into more detail on the reasons why.

**What is MFA?**

MFA is a security system that requires more than one method of authentication to verify a user's identity. Instead of relying solely on a password, MFA uses a combination of two or more of the following factors:

*   Ownership factors (“Something the user has”) such as a security token, a phone or a smartcard.
*   Knowledge factors (“Something the user knows”) such as a password or a PIN.
*   Inherence factors (“Something the user is”) like fingerprints, retinal scans, face or voice recognition and other biometric identifiers.

**What is SSO?**

SSO is a user authentication process that allows you to access multiple applications or services with one set of log-in credentials. Rather than logging into each service separately, SSO provides a unified log-in experience. It provides more streamlined access, as once the user is authenticated, they can access all associated services without re-entering their credentials.

**Unlock security: passwordless+MFA+SSO**

By eliminating traditional passwords, you bolster protection against breaches while streamlining the log-in process. Integrating MFA adds an extra layer of security, ensuring that only authorized users gain access. Meanwhile, SSO enhances the user experience by allowing simpler access to multiple applications with just one login. Together, these technologies provide a robust and user-friendly solution for the modern security landscape.

For organizations seeking to strengthen their security posture and simplify user authentication, Identity Management in Red Hat Enterprise Linux is equipped with a range of features designed to enhance security and improve the user experience by offering multiple MFA and SSO options. Passkey provides a modern and secure approach to authentication using FIDO2 devices. Smartcards, based on the established PIV standard, offer another layer of security. Furthermore, its External Identity Provider (EIdP) capability allows for streamlined integration with external identity providers such as Red Hat Single Sign-On, Microsoft and Google, using the widely adopted OAuth2 protocol.

Passwords: a thin line between love and hate

New order mandates securing the federal software supply chain and communications networks, as well as deploying AI tools to protect critical infrastructure from cyberattacks — but will the Trump administration follow through?

Source: UPI via Alamy Stock Photo

As President Biden prepares to hand over the government to the incoming Trump administration, he has issued a new cybersecurity executive order (EO) outlining an aggressive cyber-defense plan for today's most dangerous national cyber threats — including China, and rampant software supply chain vulnerabilities across government and the private sector.

Sweeping and ambitious, the EO reads like a detailed US cybersecurity status report from the Biden administration, focused on laying groundwork for the incoming team. And with threats on the rise across the world, party affiliation and partisan predilections aside, America and Americans' cybersecurity relies on a smooth handoff from Biden to Trump, experts say.

The signs are positive so far. The order is a reflection of a forthright and responsible transition to the Trump administration, according to Tom Cross, a cybersecurity strategist at WitFoo.

"Cybersecurity is not a partisan issue — everyone in the United States has a shared interest in protecting our nation against foreign cyber threats, such as spying and network disruption," Cross wrote in a statement responding to the new Biden cybersecurity executive order. "By issuing this EO now, the Biden administration is able to put its best thinking on these topics in motion, giving the Trump administration time to put new leaders in place and develop its strategy going forward.”

The EO is a bookend to Biden's 2021 cybersecurity executive order, issued early in his term, and reflects a country plagued by a new set of geopolitical adversaries armed with increasingly sophisticated technology, including generative artificial intelligence (GenAI).

The order acknowledges the brazen rise in malicious cyber activity from China, including breaches of the US Treasury and at least nine telecommunications networks in a vast espionage operation carried out by Salt Typhoon and other advanced persistent threats (APTs) sponsored by the Chinese government. While the EO only covers federal agencies, the Biden administration has long used federal cybersecurity policies and resources as a way to push the private sector into adopting more secure standards in turn.

"The Biden administration’s latest cyber executive order is focused on securing critical infrastructure, adopting AI for defense, and transitioning to post-quantum cryptography with an ambitious agenda," Andrew Borene, executive director of global security for Flashpoint and a former Office of the Director of National Intelligence (ODNI) senior official, tells Dark Reading. "However, the real power of this executive order may lie in its ability to institutionalize some best practices as American multinational businesses and government agencies face a new Cold War's dangerous digital environment."

**Securing the Federal Software Supply Chain, Cloud, Space**

Biden's latest EO starts with the federal software supply chain, mandating that agencies develop secure software acquisition standards and only do business with software vendors that can attest to secure development practices and provide evidence of compliance with those standards. Within the next 60 days, a consortium is ordered to be convened, including the cecretary of commerce and National Institute of Standards and Technology (NIST) officials, to develop those standards, which will include practices, procedures, controls, and implementation examples, according to the EO.

Federal agencies were also ordered to implement NIST supply chain risk management practices. The Cybersecurity and Infrastructure Security Agency (CISA) and the General Services Administration (GSA) will evaluate how to securely manage open source software inside federal networks.

Biden's order additionally addresses emerging attack surfaces across the federal government, including cloud and space/satellite systems, and calls for the implementation of identity and access management (IAM) practices across agencies.

On the cloud front, the order mandates that FedRAMP marketplace service providers such as Google or Amazon provide federal agencies with recommendations on cloud configuration.

"I am particularly happy to see that cloud providers will be required to publish information to clients on how to operate securely," Chris Hauk, consumer privacy champion at Pixel Privacy, wrote in a statement. "Too many data breaches have been due to misconfigured cloud data buckets, many times leaving the data stored in those buckets open to anyone with an Internet connection and a little bit of knowledge."

Space systems meanwhile are ordered to receive continuous analysis to ensure US systems are keeping up with the latest threats, the EO explained.

"As cybersecurity threats to space systems increase, these systems and their supporting digital infrastructure must be designed to adapt to evolving cybersecurity threats and operate in contested environments," the EO reads. "In light of the pivotal role space systems play in global critical infrastructure and communications resilience, and to further protect space systems and the supporting digital infrastructure vital to our national security, including our economic security, agencies shall take steps to continually verify that federal space systems have the requisite cybersecurity capabilities through actions including continuous assessments, testing, exercises, and modeling and simulation."

**Securing Federal Communications**

China's espionage activities have highlighted the need to secure federal communications networks, according to the EO. The Biden administration thus has established guidelines for shoring up communications network cybersecurity, including implementing identity controls, encrypting DNS traffic, and encrypting all emails, voice, video, and messaging.

Regarding cryptography, the Biden EO said new rules for protecting and auditing cryptographic keys will be developed by NIST. Further, agencies should require post-quantum cryptography, where applicable, the EO states.

These cryptography and authentication controls requirements are also applicable to other critical national security systems, Flashpoint's Borene points out.

"From energy grids to satellites, the directive emphasizes the need to secure the systems that underpin our national security and daily life," he adds. "The push for universal encryption and authentication protocols is particularly timely, given the frequency and scale of recent attacks."

**Unleashing AI to Secure Critical Infrastructure**

Artificial Intelligence must be deployed to protect US critical infrastructure from cyberattack, according to the Biden EO. The order establishes a program to explore the use of AI to bolster US cyber defenses and push for additional research.

And indeed, AI will place an increasing role in protecting the US from cyberattacks in the future, according to Christian Geyer, CEO and founder of Actfore.

"While it's crucial to recognize the expanding attack surface that AI may bring, we can be optimistic about the incredible potential it holds for enhancing security and efficiency," Geyer wrote in a statement. "The main challenge lies in navigating the complexities of government processes, but with the right approach, these challenges can be overcome, ensuring that technology initiatives are both effective and secure."

Ransomware and the development of digital identification for secure online transactions are also included in the Biden administration's cybersecurity wish list.

The EO is clearly comprehensive and wide-ranging. But without buy-in from Trump's cyber team, many of the EO's efforts could be stymied, researchers warn. It's unclear for now how it will go.

The Trump administration has already signaled a distaste for regulation, and put it into practice throughout Trump's first term, according to Coleman Mehta, head of global public policy and strategy at Infoblox. Yet, he was willing to build on previous cybersecurity policies from the Obama administration.

"Similarly, President Biden often built on policies set by Trump," Mehta tells Dark Reading. "The fundamentals of that continuity should stay the same; focus on the threat from Chinese cyber adversaries, strengthen supply chain security, and continue to build public-private collaboration."

During his recent Senate confirmation hearings for secretary of state, Sen. Marco Rubio (R-Fla.) indicated an interest in seeing policy changes that address the global cyber supply chain threat, Flashpoint's Borene points out.

"Looking ahead, the new administration inherits a world of rapidly escalating state threats from adversaries like China, Russia, Iran, along with a growing network of cyber proxies and even transnational criminal extortion groups," Borene says. "A well-executed handoff of some of the executive order’s provisions could bolster US cyber defenses at a time when proactive information security has never been more critical."

Biden's Cybersecurity EO Leaves Trump a Comprehensive Blueprint for Defense

It's an especially brazen form of malvertising, researchers say, striking at the heart of Google's business; the tech giant says it's aware of the issue and is working quickly to address the problem.

Source: Primakov via Shutterstock

In an especially brazen tactic, multiple threat actors are impersonating Google Ads login pages to trick advertisers into handing over their account credentials.

The attackers — from regions as geographically dispersed as South America, Asia, and Eastern Europe — are then using the hijacked accounts in real-time to buy and distribute malicious advertisements and malware via Google Ads.

**'Most Egregious' Malvertising Campaign Ever**

The scammers appear to be succeeding in many cases because their ads are allowed to show an ads.google.com URL. This makes them virtually indistinguishable from legitimate Google ads, according to researchers at Malwarebytes, who spotted the malicious activity recently.

"This is the most egregious malvertising operation we have ever tracked, getting to the core of Google's business and likely affecting thousands of their customers worldwide," Malwarebytes researcher Jerome Segura wrote in a blog post this week. "We have been reporting new incidents around the clock and yet keep identifying new ones, even at the time of publication."

Google Ads is an advertising platform that enables businesses and individuals to display targeted ads across Google's search results, websites, mobile apps, and other online properties, based on user search behavior and interests. Often, the top search results are sponsored, meaning someone paid for that high visibility. For context, Google Search generated some $175 billion in ad revenue in 2023.

Related:CISA: Second BeyondTrust Vulnerability Added to KEV Catalog

According to Segura, there has been a recent flood of fake sponsored ads for Google Ads directed at businesses and individuals looking to advertise on Google Search or wanting to sign in to their Google Ads accounts. The ads appear to be from Google and purport to either help people sign up for a Google Ads account or to sign in to an existing account. Users clicking on these ads are directed to a fake Google Ads home page from which they are directed to external sites designed specifically to steal usernames and passwords to the advertiser's Google accounts.

The attackers are using Google's free website creation platform, Google Sites, to host the lure pages. It is a tactic that Segura says allows them to trivially bypass a Google policy that allows advertisers to include a URL in their ads only if the URL matches the domain name of the advertiser. "Looking back at the ad and the Google Sites page, we see that \[the\] malicious \[ads do\] not strictly violate the rule since sites.google.com uses the same root domains as ads.google.com," Segura said. "In other words, it is allowed to show this URL in the ad, therefore making it indistinguishable from the same ad put out by Google LLC."

Related:OWASP's New LLM Top 10 Shows Emerging AI Threats

**Google Is Actively Investigating Cyberattacks**

In an emailed comment, a Google spokesman said the company is currently "actively investigating" the issue and working on a quick fix for the problem. "We expressly prohibit ads that aim to deceive people in order to steal their information or scam them," the spokesperson said.

As context, the spokesperson pointed to the growing sophistication and scale of malvertising campaigns and noted instances where threat actors have created thousands of malicious accounts simultaneously to distribute malicious ads on Google properties. Often these actors are using techniques such as text manipulation to get around automation detection mechanisms. In other instances, they use cloaking tactics to show Google reviewers and systems different ads from the ones that users end up seeing. "To provide a sense of the scale of our enforcement efforts in 2023, we removed over 3.4 billion ads, restricted over 5.7 billion ads, and suspended over 5.6 million advertiser accounts," the spokesman said.

**Impersonating Google Ads: Simple & Effective Social Engineering**

Related:Apple Bug Allows Root Protections Bypass Without Physical Access

In comments to Dark Reading, Segura says the most notable part of the new malicious activity is the impersonation of the Google Ads brand by combining Google Sites URLs with the ads. "It's a simple and yet effective trick that makes those ads incredibly hard to differentiate from the real ones," Segura says. Complicating matters is the fact that bad actors are often using compromised Google Ads accounts to place even more fake ads in Google Search, making the activity challenging to stop.

Google should be making it harder for bad actors to pull off such impersonation schemes, he says. "The 'how' is more complicated, as it involves reviewing business practices and … existing security policies."

Segura says Malwarebytes is tracking and reporting each malvertising incident it comes across via a live tracker that the Google Ads team can access. "This has been a helpful tool for us, not only to make the reporting process easier but also to keep a historical record," he notes. Google's response has consisted of taking action on ads that Malwarebytes report. "\[But\] the threat actors are able to get right back as if the campaign never stopped. We are talking about dozens of accounts that get burned but yet there are enough to keep this going indefinitely."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Attackers Hijack Google Advertiser Accounts to Spread Malware

A recent cyberattack, mimicking the tactics of the notorious Black Basta ransomware group, targeted one of SlashNext’s clients.…

A recent cyberattack, mimicking the tactics of the notorious Black Basta ransomware group, targeted one of SlashNext’s clients. Within 90 minutes, 1,165 malicious emails bombarded 22 user inboxes, aiming to trick users into clicking on malicious links.

Researchers at SlashNext have published new findings revealing attackers using tactics similar to the **Black Basta ransomware gang**, targeting 22 inboxes within 90 minutes. The attack was swift and targeted, aiming to overwhelm users and bypass traditional security measures.

According to their **blog post**, shared with Hackread.com, this Black Basta-style attack utilizes a ransomware scam that deceives employees into granting remote access to their computers. 

SlashNext’s investigation of this phishing wave revealed five key tactics used by attackers: masquerading as popular platforms like WordPress and Shopify, using legitimate-looking domains to send fake account creation and subscription emails, utilizing seemingly harmless domains, using unusual characters or minor variations in subject lines, and targeting different user roles to increase attention.

The attackers first flood inboxes with seemingly legitimate emails like newsletters or payment receipts. The emails used subject lines like “Account Confirmation” and “Subscription Notice” to entice users to click malicious links, causing a sense of urgency. Attackers further employed social engineering tactics by incorporating foreign languages or odd characters to bypass basic keyword filters. 

This initial barrage creates confusion and makes it difficult to distinguish genuine emails from malicious ones. When users are overwhelmed, attackers swoop in, often via phone calls or messages impersonating IT support. By speaking confidently, they gain trust and trick users into installing remote access software like **TeamViewer or AnyDesk**. Once this software is installed, attackers gain a foothold in the system, potentially spreading malware or compromising sensitive data on the network.

Targeted Campaign Stats and the types of scams (Via SlashNext)

Fortunately, SlashNext’s Integrated Cloud Email Security (ICES) quickly identified hundreds of red flags targeting a small group of users. Within a mere 90 minutes, a whopping 1,165 emails bombarded 22 mailboxes, averaging over 50 emails per user in rapid bursts. This tactic aimed to create panic and encourage impulsive clicks.

The ICES platform’s early detection allowed the client to respond proactively and prevent the attack from spreading. SlashNext’s AI-powered security system, SEER™, proactively identified and blocked these emails in real time. SEER™ analyzes email behaviour beyond simple keyword checks, detecting suspicious patterns like encoded URLs and fake login pages. Researchers noted a sudden rise in these attacks across the web between November and December. SlashNext was the first to launch an automated AI-powered defence to handle the situation in real time.

The incident shows the increasing nature of cybersecurity threats, with attackers using sophisticated techniques to evade traditional security measures. Organizations should prioritize threat detection and response, and regular security assessments to identify vulnerabilities and improve overall security.

1.  **‘Matrix’ Hackers Deploy Massive New IoT Botnet for DDoS Attacks**
2.  Androxgh0st Botnet Integrates Mozi, Expands Attacks on IoT Flaws
3.  Russian APT29 Using NSO Group-Style Exploits in Attacks: Google
4.  Iranian Hackers Team Up with Ransomware Gangs in Attacks on US
5.  BlackByte Ransomware Exploits VMware Flaw in VPN-Based Attacks

Top/Feature Image via Freepik

Black Basta-Style Cyberattack Hits Inboxes with 1,165 Emails in 90 Minutes

Evidence suggests that some of the payloads and extensions may date as far back as April 2023.

Source: VS148 via Shutterstock

A Christmas Eve phishing attack resulted in an unknown party taking over a Cyberhaven employee's Google Chrome Web Store account and publishing a malicious version of Cyberhaven's Chrome extension. While the problematic extension was removed within an hour of its discovery, the malicious activity highlights gaps in browser security that exist at most organizations and the necessity of getting a handle on the problem now, as extension poisoning is expected to be a persistent issue.

Further research into the incident suggests that this attack was likely part of two separate, but potentially related, campaigns to target multiple extension developers to distribute malicious extensions, experts say. The campaigns may have begun as early as April 2023.

"Currently we know about two different campaigns that have been targeting different objectives," says Amit Assaraf, CEO of Extension Total, a third-party extension security platform provider. Extension Total researchers have uncovered several malicious extensions over the past several weeks and have been looking at how they relate to each other.

**A Tale of Two Campaigns**

One campaign created extensions that steal cookies, session tokens, and possibly passwords, and targeted Facebook and OpenAI accounts, Assaraf says. The campaign relied on phishing to target extension developers and a malicious OAUTH application to take over Google Chrome Web Store accounts. Cyberhaven was one of the victims of this campaign.

There is some disagreement among experts over when the first malicious extension associated with this campaign appeared. Assaraf points to the Chrome extension "GPT 4 Summary with OpenAI," which was added to the Google Chrome Web Store in August. John Tuckner, founder of browser-extension management service Secure Annex, believes the "AI Assistant – ChatGPT and Gemini for Chrome" extension, which was uploaded to the Chrome Web Store in May, was the first extension used by this campaign.

"As far as I can tell, that is the first example of this type of code being used, but some of the related domain registrations go back to around Sept. 25, 2023, so this could have been planned for a while," Tuckner says.

Both extensions are no longer on the Chrome Web Store.

Regardless of when this campaign began, the impact has been widespread. Researchers have found 22 extensions related to it so far, affecting 1.46 million users, Assaraf says. Some of these have been removed completely from the Chrome Web Store, and others have been updated to a "safe" version.

The second campaign is aimed at tracking user activity, telemetry, and sites visited, "probably with intention to sell this data," Assaraf says. Its earliest appearance was in April 2023, and researchers have identified 15 extensions thus far as belonging to this campaign.

A Google spokesperson says the company has shut down malicious Chrome Web Store accounts identified as part of this investigation and continues to investigate reports from Extension Total regarding extensions still available in the store.

It's unclear at this time whether one attacker is behind both campaigns, though there is evidence — shared JavaScript payloads injected into unauthorized updates between August 2024 and December 2024 — suggesting "a synchronized campaign," says Bugcrowd founder Casey John Ellis.

"This also suggests centralized control over the hijacked developer accounts and a common threat actor," he says.

At this point, both campaigns appear to be contained; no additional extensions have been discovered, according to Assaraf.

**Extensions as Low-Hanging Fruit for Attackers**

Cyberhaven's internal security team was able to respond to the breach quickly, which helped expose the breadth of the extension poisoning. Many of the affected extensions are hobbyist projects, which means they likely do not have the tools or security support to be regularly monitoring for malware.

Therein lies the dilemma for detecting malicious Chrome extensions in the wild, experts say. It also explains why ensuring that extensions used within a corporate browser are safe is such a tricky scenario for organizations to navigate. While some are managed by companies with dedicated teams to ensure the extensions remain clean, many are maintained by private individuals and, thus, don't have this kind of oversight.

That complicates security within a corporate environment because browsers, like Chrome, grant extensions broad permissions, including access to sensitive user data, cookies, and even the ability to capture credentials and sessions, according to Matt Johansen, security researcher at Vulnerable U.

"Extensions still operate with a significant degree of trust, and once compromised, they can access everything a user can," Johansen says. "They also have less scrutiny to install than traditional desktop software, even in enterprises."

Because of their ability to compromise so many users and have access to so much information by poisoning a browser extension, it's a no-brainer for attackers.

"Controlling an extension gives an adversary a powerful vantage point for all browser activities," concurs Lionel Litty, chief security architect at Menlo Security.

Indeed, poisoning a Chrome extension is "actually a very convenient way for attackers to spread malicious code," Assaraf adds. "You only need to fool one person, one developer, and you get access to hundreds of thousands of machines," he says.

People often forget they've installed browser extensions, yet they continue to run in the background and update automatically, giving attackers wide access to sensitive data, he adds.

**Closing the Browser Security Gap**

Given their reach, why, then, are browsers and their extensions given such little thought when it comes to an organization's security posture? It could merely be that their security teams are so overwhelmed with responsibilities that browsers are the least of their worries — though that could now change, notes Secure Annex's Tuckner.

Organizations can take specific steps now to shore up the security of extensions running in corporate browsers, he says. Teams should start with collecting a real-time inventory of the browsers in the organization and which extensions are installed on them. This step should be followed by enrolling browsers in some kind of centralized management to set up an allowlist of known extensions, keeping only those that "drive core business value" and adding future ones on a case-by-case basis, Tuckner adds. The inventory will help security teams understand the scope of an incident when something happens.

"Few teams choose to or are able to prioritize browser security on top of everything else that they have to deal with," he says. "Many see browser security as a lower-risk item, but I believe that is quickly changing with incidents like this."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Extension Poisoning Campaign Highlights Gaps in Browser Security

"Operation 99" uses job postings to lure freelance software developers into downloading malicious Git repositories. From there, malware infiltrates developer projects to steal source code, secrets, and cryptocurrency.

Source: DD Images via Shutterstock

North Korea's Lazarus threat group has launched a fresh wave of attacks targeting software developers, using recruitment tactics on job-hiring platforms. This time, the group is using job postings on LinkedIn to lure freelance developers in particular into downloading malicious Git repositories; these contain malware for stealing source code, cryptocurrency, and other sensitive data.

The SecurityScorecard STRIKE team on Jan. 9 discovered the ongoing attack, dubbed Operation 99, in which attackers pose as recruiters to entice the developers with project tests or code reviews, the researchers revealed in a report (PDF) published today.

"Victims are tricked into cloning malicious Git repositories that connect to a command-and-control (C2) server, initiating a series of data-stealing implants," according to the post.

Attackers are using various payloads that work across Windows, macOS, and Linux in the campaign, using a layered malware delivery system with modular components that adapt to different targets. Downloaders such as Main99 retrieve and execute payloads that include Payload 99/73, brow99/73, and MCLIP, which perform tasks like keylogging, clipboard monitoring, file exfiltration from development environments, and browser credential theft.

Related:Zero-Day Security Bug Likely Fueling Fortinet Firewall Attacks

The malware also steals from application source code, secrets and configuration files, and cryptocurrency-related assets such as wallet keys and mnemonics, according to the researchers. The latter are used to facilitate direct financial theft, furthering Lazarus' goals to fund the regime of North Korean leader Kim Jong Un.

"By embedding the malware into developer workflows, the attackers aim to compromise not only individual victims, but also the projects and systems they contribute to," according to the report.

**North Korea's History of Targeting Developers**

The campaign builds on previous tactics by the group to target developers with various malware, including 2021's Operation Dream Job, in which the group sent fake job offers to specific organizational targets. When opened, they installed Trojan programs to collect information and send it back to the attackers.

Lazarus' long history of using the technology job market to target victims also includes another campaign called DEV#POPPER, which targeted software developers worldwide for data theft by having attackers pose as recruiters for nonexistent jobs.

North Korean threat groups also have turned the tables and used their own cyber spies to infiltrate global organizations for cyber espionage. The now-infamous case of security firm KnowBe4 accidentally hiring a North Korean hacker shows how convincing these campaigns can be.  

Related:Cyberattackers Hide Infostealers in YouTube Comments, Google Search Results

While a Department of Justice operation in May disrupted North Korea's widespread IT freelance operation with the indictment of several people for helping state-sponsored actors establish fake freelancer identities and evade sanctions, the latest campaign demonstrates that Lazarus remains undaunted.

Amid all this, the new campaign shows an evolution in tactics, the researchers said.

"In this instance, Lazarus is demonstrating a higher level of sophistication and focus compared to previous campaigns," says Ryan Sherstobitoff, senior vice president of threat research and intelligence at SecurityScorecard. These include using AI-generated profiles to pose as recruiters that appear highly authentic and realistic, "enabling them to effectively deceive victims," he adds.

"By presenting complete and convincing profiles, they offer what seem to be genuine job opportunities to developers," Sherstobitoff says. In some cases, Lazarus even compromises existing LinkedIn accounts to lend heft to their credibility, he adds.

The group also is employing more advanced techniques for obfuscation and encryption, making their malicious activities significantly more difficult to detect and analyze, Sherstobitoff says.

Related:Fake CrowdStrike 'Job Interviews' Become Latest Hacker Tactic

**Job Seekers, Exercise Caution**

Indeed, as these campaigns become more sophisticated through the use of AI and advanced social engineering, it's becoming "easier for attackers to gain the confidence of their targets, demonstrating a significant evolution in the level of precision and realism in their campaigns," Sherstobitoff says.

For this reason, mitigation strategies "should fundamentally center around reinforcing social engineering awareness and adhering to the basics of cybersecurity for everyday employees," he says. As a general rule, if a job offer or opportunity seems too good to be true, it likely is, and "should be approached with skepticism," Sherstobitoff says.

"Employees also should exercise extreme caution when interacting with recruiters, particularly if asked to download files, clone repositories, or engage with unfamiliar software," especially over platforms like LinkedIn or email, he says. "These channels can be easily manipulated by attackers posing as legitimate entities."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

North Korea's Lazarus APT Evolves Developer-Recruitment Attacks

Cybersecurity researchers have alerted to a new malvertising campaign that's targeting individuals and businesses advertising via Google Ads by attempting to phish for their credentials via fraudulent ads on Google.
"The scheme consists of stealing as many advertiser accounts as possible by impersonating Google Ads and redirecting victims to fake login pages," Jérôme Segura, senior director of

Google Ads Users Targeted in Malvertising Scam Stealing Credentials and 2FA Codes

An ongoing malvertising campaign steals Google advertiser accounts via fraudulent ads for Google Ads itself.

**Table of contents**

*   Overview
*   Criminals impersonate Google Ads
*   Lures hosted on Google Sites
*   Phishing for Google account credentials
*   Victimology
*   Who is behind these campaigns?
*   Fuel for other malware and scam campaigns
*   Indicators of Compromise

**Overview**

Online criminals are targeting individuals and businesses that advertise via Google Ads by phishing them for their credentials — ironically — via fraudulent Google ads.

The scheme consists of stealing as many advertiser accounts as possible by impersonating Google Ads and redirecting victims to fake login pages. We believe their goal is to resell those accounts on blackhat forums, while also keeping some to themselves to perpetuate these campaigns.

This is the most egregious malvertising operation we have ever tracked, getting to the core of Google’s business and likely affecting thousands of their customers worldwide. We have been reporting new incidents around the clock and yet keep identifying new ones, even at the time of publication.

The following diagram illustrates at a high level the mechanism by which advertisers are getting fleeced:

_Figure 1: Process flow for this Google Ads heist campaign_

_Back to top_

**Criminals impersonate Google Ads**

Advertisers are constantly trying to outbid each other to reach potential customers by buying ad space on the world’s number one search engine. This earned Google a whopping $175 billion in search-based ad revenues in 2023. Suffice to say, the budgets spent in advertising can be considerable and of interest to crooks for a number of reasons.

We first started noticing suspicious activity related to Google accounts somewhat accidentally, and after a deeper look we were able to trace it back to malicious ads for… Google Ads itself! Very quickly we were overwhelmed by the onslaught of fraudulent “Sponsored” results, specifically designed to impersonate Google Ads, as can be seen in _Figure 2_:

_Figure 2: A malicious ad masquerading as Google Ads_

While it is hard to believe such a thing could actually happen, the proof is there when you click on the 3-dot menu that shows more information about the advertiser. We have partially masked the victim’s name, but clearly it is not Google; they are just one of the many accounts that have already been compromised and abused to trick more users:

_Figure 3: The advertiser behind this ad is not affiliated with Google at all_

People who will see those ads are individuals or businesses that want to advertise on Google Search or already do. Indeed, we saw numerous ads specifically for each scenario, sign up or sign in, as seen in _Figure 4_:

_Figure 4: Two ads for signing up and sign in to Google Ads respectively_

The fake ads for Google Ads come from a variety of individuals and businesses, in various locations. Some of those hacked accounts already had hundreds of other legitimate ads running, and one of them was for a popular Taiwanese electronics company.

_Figure 5: Victim accounts spending their own budgets on fake Google Ads_

To get an idea of the geographic scope of these campaigns, we performed the same Google search simultaneously from several different geolocations (using proxies). First, here’s the malicious ad from a U.S. IP address belonging to a business registered in Paraguay:

_Figure 6: U.S.-based search showing fake Google ad_

Now, here’s that same ad that appears on Google Search in several other countries:

_Figure 7: The same ad found in different countries_

_Back to top_

**Lures hosted on Google Sites**

Once victims click on those fraudulent ads, they are redirected to a page that looks like Google Ads’ home page, but oddly enough, it us hosted on Google Sites. These pages act as a sort of gateway to external websites specifically designed to steal the usernames and passwords from the coveted advertisers’ Google accounts.

_Figure 8: A malicious Google Sites page impersonating Google Ads_

There’s a good reason to use Google Sites, not only because it’s a free and a disposable commodity but also because it allows for complete impersonation. Indeed, you cannot show a URL in an ad unless your landing page (final URL) matches the same domain name. While that is a rule meant to protect abuse and impersonation, it is one that is very easy to get around.

_Figure 9: The rule that stipulates display URLs and final URLs must have matching domains_

Looking back at the ad and the Google Sites page, we see that this malicious ad does not strictly violate the rule since _sites**.google.com**_ uses the same root domains ads _ads**.google.com**_. In other words, it is allowed to show this URL in the ad, therefore making it indistinguishable from the same ad put out by Google LLC..

_Figure 10: The malicious ad does not violate Google’s rule on the use of the display URL_

_Back to top_

**Phishing for Google account credentials**

After the victims click on the “Start now” button found on the Google Sites page, they are redirected to a different site which contains a phishing kit. JavaScript code fingerprints users while they go through each step to ensure all important data is being surreptitiously collected.

_Figure 12: The actual phishing page that follows_

Finally, all the data is combined with the username and password and sent to the remote server via a POST request. We see that criminals even receive the victim’s geolocation, down to the city and internet service provider.

_Figure 12: POST web request with victim’s details_

_Back to top_

**Victimology**

There are multiple online reports of people who saw the fake Google Ads and shared their experiences:

*   Help with removing a dangerous scam in Google Ads (_Google Ads Help forum_)
*   Google Ads Phishing Scam (_Reddit_)
*   It’s just me or Google just sponsored a link to a phising site for Google ads? (_Reddit_)
*   Be aware of fake google page, clicked by accident (_Reddit_)
*   Warning! First sponsorized google answer for “Google ads” is a phishing attempt ! (_BlueSky_)

We were able to get in touch with a couple of victims who not only saw the ads but were actually scammed and lost money. Thanks to their testimony and our own research, we have a better idea of the criminals’ modus operandi:

*   Victim enters their Google account information into phishing page
*   Phishing kit collects unique identifier, cookies, credentials
*   Victim may receive an email indicating a login from an unusual location (Brazil)
*   If the victim fails to stop this attempt, a new administrator is added to the Google Ads account via a different Gmail address
*   Threat actor goes on a spending spree, locks out victim if they can

_Back to top_

**Who is behind these campaigns?**

We identified two main groups of criminals running this scheme but the more prolific by far is one made of Portuguese speakers likely operating out of Brazil. Victims have also shared that they had received a notification from Google indicating suspicious logins from Brazil. Unfortunately, those notifications often came too late or where dismissed as legitimate, and the criminals already had time to do some damage.

We should also note a third campaign that is very different from the other two, and where the threat actors’ main goal is to distribute malware. The Google Ads phishing scheme may have been a temporary run which was not their main focus.

**Brazilian team**

In the span of a few days, we reported over 50 fraudulent ads to the Google Ad team all coming from this Brazilian group. We quickly realized that no matter how many reported incidents and takedowns, the threat actors managed to keep at least one malicious ad 24/7.

_Figure 13_ shows the network traffic resulting from a click on the ad. You will see multiple hops before finally arriving to the phishing portal. The second URL shows the crooks are using a paid service to detect fake traffic.

Figure 13: Network traffic from the ‘Brazilian campaign’

Within the JavaScript code part of the phishing kit, there are comments in Portuguese. _Figure 14_ shows a portion of the code that does browser fingerprinting, which is a way of identifying users. Browser language, system CPU, memory, screen-width, and time zone are some of the data points collected and then hashed.

Figure 14: Identifying users via various settings

**Asian team**

The second group is using advertiser accounts from Hong Kong and appears to be Asia-based, perhaps from China. Interestingly, they also use the same kind of delivery chain by leveraging Google sites. However, their phishing kit is entirely different from their Brazilian counterparts.

Figure 15: Web traffic for the ‘Chinese campaign’

_Figure 16_ below shows a code extract with comments in Chinese, as well as a function called _xianshi_, which could be in reference to a Chinese general of the late Qing dynasty or even a superhero from more modern gaming and literature.

Figure 16: Code with comments in Chinese

**Third campaign (possibly Eastern European)**

We observed another campaign which has a very different modus operandi. Google Sites is not involved at all, and instead they rely on a fake CAPTCHA lure and heavy obfuscation of the phishing page.

Interestingly, the malicious ad we found was for Google Authenticator, despite the obvious ads-goo\[.\]click domain name. However, for about day or so, the redirect from that domain lead directly to a phishing portal hosted at _ads-overview\[.\]com_.

The reason why we suggest the threat actors may be Eastern Europeans here is because of the type of redirects and obfuscation. There is also a distant feel of ‘software download via Google ads’ we have reported on previously (see _Threat actor impersonates Google via fake ad for Authenticator_).

Figure 17: A malicious ad for Google Authenticator and fake CAPTCHA

A PHP script (_cloch.php_) then determines if the visitor is genuine or not (likely doing a server-side IP check). VPNs, bot and detection tools will get a “white” page showing some bogus instructions on how to run a Google Ads campaign. Victims are instead redirected to _ads-overview\[.\]com_ which is a phishing portal for Google accounts.

Figure 18: Cloaking in action with a ‘white’ page or the phishing page

When we checked back on this campaign a few days later, we saw that the ad URL now redirected to a fake Google Authenticator site, likely to download malware. The redirection mechanism is shown in _Figure_ 20:

Figure 19: Web traffic for fake Google Authenticator site

_Back to top_

**Fuel for other malware and scam campaigns**

Stolen Google Ads accounts are a valuable commodity among thieves. As we have detailed it many times on this blog, there are constant malvertising campaigns leveraging compromised advertiser accounts to buy ads that push scams or deliver malware.

*   Printer problems? Beware the bogus help
*   Malicious ad distributes SocGholish malware to Kaiser Permanente employees
*   Hello again, FakeBat: popular loader returns after months-long hiatus
*   Large scale Google Ads campaign targets utility software

If you think about it for a second, crooks are using someone else’s budget to further continue spreading malfeasance. Whether those dollars are spent towards legitimate ads or malicious ones, Google still earns revenues from those ad campaigns. The losers are the hacked advertisers and innocent victims that are getting phished.

As result, taking action on compromised ad accounts plays a key part in driving down malvertising attacks. Google has yet to show that it takes definitive steps to freeze such accounts until their security is restored, despite their own policy on the subject (_Figure 20_). For example, we recently saw a case where the same advertiser that had already been reported 30 times, was still active.

_Figure 20: Google’s policy regarding violations_

As the scourge of fraudulent ads continues, we urge users to pay particular attention to sponsored results. Ironically, it’s quite possible that individuals and businesses that run ad campaigns are not using an ad-blocker (to see their ads and those from their competitors), making them even more susceptible to fall for these phishing schemes.

**We don’t just report on threats—we block them**

_Cybersecurity risks should never spread beyond a headline. Keep threats off by downloading Malwarebytes Browser Guard today._

_Back to top_

**Indicators of Compromise**

Fake Google Sites pages

sites\[.\]google\[.\]com/view/ads-goo-vgsgoldx  
sites\[.\]google\[.\]com/view/ads-word-cmdw  
sites\[.\]google\[.\]com/view/ads-word-makt  
sites\[.\]google\[.\]com/view/ads-word-whishw  
sites\[.\]google\[.\]com/view/ads-word-wwesw  
sites\[.\]google\[.\]com/view/ads-word-xvgt  
sites\[.\]google\[.\]com/view/ads3dfod6hbadvhj678  
sites\[.\]google\[.\]com/view/adwoord  
sites\[.\]google\[.\]com/view/aluado01  
sites\[.\]google\[.\]com/view/ap-rei-pandas  
sites\[.\]google\[.\]com/view/appsd-adsd  
sites\[.\]google\[.\]com/view/asd-app-goo  
sites\[.\]google\[.\]com/view/connectsing/addss  
sites\[.\]google\[.\]com/view/connectsingyn/ads  
sites\[.\]google\[.\]com/view/entteraccess  
sites\[.\]google\[.\]com/view/exercitododeusvivo  
sites\[.\]google\[.\]com/view/fjads  
sites\[.\]google\[.\]com/view/goitkm/google-ads  
sites\[.\]google\[.\]com/view/hdgstt  
sites\[.\]google\[.\]com/view/helpp2k  
sites\[.\]google\[.\]com/view/hereon/1sku4yf  
sites\[.\]google\[.\]com/view/hgvfvd  
sites\[.\]google\[.\]com/view/joaope-defeijao  
sites\[.\]google\[.\]com/view/jthsjd  
sites\[.\]google\[.\]com/view/logincosturms/ads  
sites\[.\]google\[.\]com/view/logins-words-officails  
sites\[.\]google\[.\]com/view/logins-words-officsdp  
sites\[.\]google\[.\]com/view/marchatrasdemarcha  
sites\[.\]google\[.\]com/view/newmanage/page  
sites\[.\]google\[.\]com/view/one-vegas  
sites\[.\]google\[.\]com/view/one-vegasw  
sites\[.\]google\[.\]com/view/onvg-ads-word  
sites\[.\]google\[.\]com/view/oversmart/new  
sites\[.\]google\[.\]com/view/pandareidel  
sites\[.\]google\[.\]com/view/polajdasod6hbad  
sites\[.\]google\[.\]com/view/ppo-ads  
sites\[.\]google\[.\]com/view/quadrilhadohomemtanacasakaraio  
sites\[.\]google\[.\]com/view/ricobemnovinhos  
sites\[.\]google\[.\]com/view/s-ad-offica  
sites\[.\]google\[.\]com/view/s-wppa  
sites\[.\]google\[.\]com/view/sdawjj  
sites\[.\]google\[.\]com/view/semcao  
sites\[.\]google\[.\]com/view/sites-gb  
sites\[.\]google\[.\]com/view/soarnovo  
sites\[.\]google\[.\]com/view/so-ad-reisd  
sites\[.\]google\[.\]com/view/spiupiupp-go  
sites\[.\]google\[.\]com/view/start-smarts  
sites\[.\]google\[.\]com/view/start-smarts/homepage/  
sites\[.\]google\[.\]com/view/umcincosetequebratudo  
sites\[.\]google\[.\]com/view/vewsconnect  
sites\[.\]google\[.\]com/view/vinteequatroporquarenta  
sites\[.\]google\[.\]com/view/xvs-wods-ace  
sites\[.\]google\[.\]com/view/zeroumnaoezerodois  
sites\[.\]google\[.\]com/view/zeroumonlinecomosmp

Phishing domains

account-costumers\[.\]site  
account-worda-ads\[.\]benephica\[.\]com  
account-worda-ads\[.\]cacaobliss\[.\]pt  
account\[.\]universitas-studio\[.\]es  
accounts-ads\[.\]site  
accounts\[.\]google\[.\]lt1l\[.\]com  
accounts\[.\]goosggles\[.\]com  
accounts\[.\]lichseagame\[.\]com  
accousnt-ads\[.\]tmcampos\[.\]pt  
accousnt\[.\]benephica\[.\]pt  
accousnt\[.\]hyluxcase\[.\]me  
accousnt\[.\]whenin\[.\]pt  
ads-goo\[.\]click  
ads-goog\[.\]link  
ads-google\[.\]io-es\[.\]com  
ads-overview\[.\]com  
ads1.google.lt1l.com  
ads1\[.\]google\[.\]veef8f\[.\]com  
adsettings\[.\]site  
adsg00gle-v3\[.\]vercel\[.\]app  
adsgsetups\[.\]shop  
advertsing-acess\[.\]site  
advertsing-v3\[.\]site  
as\[.\]vn-login\[.\]shop  
benephica\[.\]pt  
cacaobliss\[.\]pt  
colegiopergaminho\[.\]pt  
docs-pr\[.\]top  
tmcampos\[.\]pt  
vietnamworks\[.\]vn-login\[.\]shop

_Back to top_

Tag

#google