From Chinese cyberspies breaching US telecoms to ruthless ransomware gangs disrupting health care for millions of people, 2024 saw some of the worst hacks, breaches, and data leaks ever.

Every year has its own mix of digital security debacles, from the absurd to the sinister, but 2024 was particularly marked by hacking sprees in which cybercriminals and state-backed espionage groups repeatedly exploited the same weakness or type of target to fuel their frenzy. For attackers, the approach is ruthlessly efficient, but for compromised institutions—and the individuals they serve—the malicious rampages had very real consequences for people's privacy, safety, and security.

As political turmoil and social unrest intensify around the world, 2025 will be a complicated—and potentially explosive—year in cyberspace. But first, here's WIRED's look back on this year's worst breaches, leaks, state-sponsored hacking campaigns, ransomware attacks, and digital extortion cases. Stay alert, and stay safe out there.

**China's Salt Typhoon Telecom Breaches**

Espionage operations are a fact of life, and relentless Chinese campaigns have been a constant in cyberspace for years now. But the China-linked espionage group Salt Typhoon carried out a particularly noteworthy operation this year, infiltrating a slew of US telecoms including Verizon and AT&T (plus others around the world) for months. And US officials told reporters earlier this month that many victim companies are still actively attempting to remove the hackers from their networks.

The attackers surveilled a small group of people—less than 150 by current count—but they include individuals who were already subject to US wiretap orders as well as state department officials and members of both the Trump and Harris presidential campaigns. Additionally, texts and calls from other people who interacted with the Salt Typhoon targets were inherently also caught up in the espionage scheme.

**Snowflake Customer Breaches**

Throughout the summer, attackers were on a tear, breaching prominent companies and organizations that were all customers of the cloud data storage company Snowflake. The spree barely qualifies as hacking, since cybercriminals were simply using stolen passwords to log in to Snowflake accounts that didn't have two-factor authentication turned on. The end result, though, was an extraordinary amount of data stolen from victims including Ticketmaster, Santander Bank, and Neiman Marcus. Another prominent victim, the telecom giant AT&T, said in July that “nearly all” records relating to its customers' calls and texts from a seven-month stretch in 2022 were stolen in a Snowflake-related intrusion. The security firm Mandiant, which is owned by Google, said in June that the rampage impacted roughly 165 victims.

In July, Snowflake added a feature so account administrators could make two-factor authentication mandatory for all of their users. In November, suspect Alexander “Connor” Moucka was arrested by Canadian law enforcement for allegedly leading the hacking spree. He was indicted by the US Department of Justice for the Snowflake tear and faces extradition to the US. John Erin Binns, who was arrested in Turkey for an indictment related to a 2021 breach of the telecom T-Mobile, was also indicted on charges related to the Snowflake customer breaches.

**Change Healthcare Ransomware Attack**

At the end of February, the medical billing and insurance processing company Change Healthcare was hit with a ransomware attack that caused disruptions at hospitals, doctor's offices, pharmacies, and other health care facilities around the US. The attack is one of the all-time largest breaches of medical data, impacting more than 100 million people. The company, which is owned by UnitedHealth, is a dominant medical billing processor in the US. It said days after the attack started that it believed ALPHV/BlackCat, a notorious Russian-speaking ransomware gang, was behind the assault.

Personal data stolen in the attack included patient phone numbers, addresses, banking and other financial information, and health records including diagnoses, prescriptions, and treatment details. The company paid a $22 million ransom to ALPHV/BlackCat at the beginning of March in an attempt to contain the situation. The payment seemingly emboldened attackers to hit health care targets at an even greater rate than usual. With ongoing, rolling notifications to more than 100 million victims—with more still being discovered—lawsuits and other blowback has been mounting. This month, for example, the state of Nebraska sued Change Healthcare, alleging that “failures to implement basic security protections” made the attack much worse than it should have been.

**Russia's Midnight Blizzard Hit Microsoft**

Microsoft said in January that it had been breached by Russia's “Midnight Blizzard” hackers in an incident that compromised company executives' email accounts. The group is tied to the Kremlin's SVR foreign intelligence agency and is specifically linked to SVR's APT 29, also known as Cozy Bear. After an initial intrusion in November 2023, the attackers targeted and compromised historic Microsoft system test accounts that then allowed them to access what the company said were “a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions.” From there, the group exfiltrated “some emails and attached documents.” Microsoft said that the attackers seemed to be looking for information about what the company knew about them—in other words, Midnight Blizzard doing reconnaissance on Microsoft's research into the group. Hewlett-Packard Enterprise (HPE) also said in January that it had suffered a corporate email breach attributed to Midnight Blizzard.

**National Public Data**

The background check company National Public Data suffered a breach in December 2023, and data from the incident started showing up for sale on cybercriminal forums in April 2024. Different configurations of the data cropped up again and again over the summer, culminating in public confirmation of the breach by the company in August. The stolen data included names, Social Security numbers, phone numbers, addresses, and dates of birth. Since National Public Data didn't confirm the breach until August, speculation about the situation grew for months and included theories that the data included tens or even hundreds of millions of Social Security numbers. Though the breach was significant, the true number of impacted individuals seems to be, mercifully, much lower. The company reported in a filing to officials in Maine that the breach affected 1.3 million people. In October, National Public Data's parent company, Jerico Pictures, filed for Chapter 11 bankruptcy reorganization in the Southern District of Florida, citing state and federal investigations into the breach as well as a number of lawsuits that the company is facing over the incident.

**Honorable Mention: North Korean Cryptocurrency Theft**

A lot of people steal a lot of cryptocurrency every year, including North Korean cybercriminals who have a mandate to help fund the hermit kingdom. A report from the cryptocurrency tracing firm Chainalysis released this month, though, underscores just how aggressive Pyongyang-backed hackers have become. The researchers found that in 2023, hackers affiliated with North Korea stole more than $660 million across 20 attacks. This year, they stole roughly $1.34 billion across 47 incidents. The 2024 figures represent 20 percent of total incidents Chainalysis tracked for the year and a whopping 61 percent of the total funds stolen by all actors.

The sheer domination is impressive, but the researchers emphasize the seriousness of the crimes. “US and international officials have assessed that Pyongyang uses the crypto it steals to finance its weapons of mass destruction and ballistic missiles programs, endangering international security,” Chainalysis wrote.

The Worst Hacks of 2024

Stay protected from SEO poisoning, a cyber threat exploiting search engine rankings to spread malware and phishing scams.…

Stay protected from SEO poisoning, a cyber threat exploiting search engine rankings to spread malware and phishing scams. Learn risks, real-world examples, and preventive measures for safer browsing.

Did you know that over 80% (PDF) of cyberattacks exploit online platforms, including search engines? These indispensable tools guide billions of users to the content they seek, but their trustworthiness can be weaponized.

Cybercriminals are exploiting search engine optimization (SEO) techniques to distribute malware, launch phishing attacks, and spread harmful content. This practice, known as SEO poisoning, manipulates search results to lure unsuspecting users into clicking on malicious links.

Recent reports indicate a significant rise in SEO poisoning attacks. Between August 2023 and January 2024, there was a 60% increase in malware detections stemming from malicious search results. Such trends highlight the growing sophistication of these tactics and the critical need for vigilance among businesses and individuals alike.

****What is SEO Poisoning?****

SEO poisoning is a malicious strategy where cybercriminals manipulate search engine algorithms to rank harmful websites prominently in search results. These websites often contain malware, phishing schemes, or scams designed to steal sensitive information.

Attackers capitalize on high-demand keywords tied to trending topics or urgent events, such as natural disasters, major product launches, or public health crises. By employing techniques like keyword stuffing, spammy backlinks, and deceptive content, they make their sites appear legitimate and lure unsuspecting users.

****Key Risks of SEO Poisoning:****

*   **Malware Distribution:** Clicking on infected links can install ransomware, spyware, or other malware.
*   **Phishing Scams:** Users are tricked into providing sensitive data like passwords or credit card information.
*   **Reputation Damage:** Legitimate businesses can lose credibility if associated with malicious links.

One example is the surge of Gootloader malware in early 2023. Attackers targeted niche search terms, such as _“implied employment agreement,”_ to redirect users to infected websites. These attacks emphasize how even low-competition search terms can become cybercriminals’ playgrounds.

****Real-World Examples of SEO Manipulation****

SEO manipulation has been used in several high-profile attacks, exploiting the trust users place in search results:

*   **Fake Antivirus Software:** Users searching for free antivirus tools were directed to malicious sites posing as trusted providers. These fake programs encrypted files and demanded ransom payments, exploiting users’ trust in well-known antivirus brands like Avast, Bitdefender and Malwarebytes. Fake antivirus websites have been known to impersonate popular security providers to deceive users.

*   Holiday Shopping Scams: During peak shopping seasons, cybercriminals created fake e-commerce sites targeting popular products. These fraudulent sites were designed to rank high in search results, allowing attackers to trick users into entering their payment information, which the criminals then stole.

*   **Software Search Exploitation:** In 2023, searches for popular tools like Blender 3D led users to fraudulent sites offering infected downloads. Such campaigns highlight the dangers of SEO poisoning when targeting trusted software.

These examples show how attackers exploit trust in search results and highlight the importance of vigilance, particularly during periods of heightened online activity.

****Protecting Against SEO-Based Threats****

Although SEO poisoning is a persistent threat, proactive measures can help both businesses and individual users reduce the risks.

****For Businesses****

Businesses must safeguard their websites and digital presence from exploitation. Trusted SEO providers can optimize websites while identifying and mitigating vulnerabilities, such as fake backlinks or unauthorized content changes, often exploited in SEO poisoning campaigns.

According to Stellar SEO, a custom SEO services provider, exploiting SEO-related vulnerabilities has even been adopted by top-tier groups such as the Chinese DragonRank, which was recently discovered manipulating search engines to redirect users to malicious websites.

****For Users****

Users can protect themselves by adopting proactive online habits:

*   **Verify the Source:** Always inspect URLs carefully before clicking, especially when searching for trending or high-demand topics.
*   **Use Trusted Security Tools:** Antivirus software and browser extensions can help identify and block harmful sites. For example, providers like _Kaspersky_ have shown how cybercriminals exploit marketing strategies to launch attacks.
*   **Stay Informed:** Awareness of the latest cybersecurity trends is crucial for recognizing and avoiding malicious tactics.

By combining secure SEO strategies with vigilance, businesses and users can significantly reduce their exposure to SEO poisoning threats.

****How Search Engines Are Combating SEO Poisoning****

Search engines like Google and Bing constantly update their algorithms to detect and penalize malicious websites. These updates target behaviors such as keyword stuffing, suspicious backlinking patterns, and misleading content.

****Key Defensive Measures Include:****

*   **Machine Learning Algorithms:** These tools analyze billions of web pages for signs of malicious intent.
*   **Safe Browsing Technology:** Platforms like Google warn users about harmful websites before they can be accessed.
*   **Domain Reputation Systems:** Search engines evaluate the trustworthiness of domains to demote those linked to malicious activity.

Despite these efforts, cybercriminals continue to evolve their techniques, creating sophisticated tactics to bypass detection. For instance, in November 2024, attackers exploited niche search queries like _“Are Bengal cats legal in Australia“_ to lure users to malicious websites. Such incidents underscore the importance of proactive measures by users and businesses to complement automated systems. Recognizing and avoiding malicious links remains a shared responsibility.

****Conclusion****

SEO poisoning is a growing threat at the intersection of cybersecurity and digital marketing. By exploiting legitimate SEO techniques, cybercriminals deceive users, distribute malware, and undermine trust in search engines.

For businesses, partnering with trusted providers of custom SEO services ensures websites are optimized securely, preventing vulnerabilities that attackers might exploit. For users, adopting habits like verifying sources, using reliable security tools, and staying informed about emerging threats is essential for staying safe online.

Every time you search online, consider the risks that lurk behind seemingly trustworthy links. By remaining vigilant and proactive, we can protect our digital spaces and maintain trust in the tools that shape our online world. 

1.  **Google Algorithm Updates vs SEO Strategies**
2.  **Best SEO Experts to Follow on Twitter (X) in 2025**
3.  **How to Improve SEO with Enhanced Web Security**
4.  **Link Farming: SEO Boost or Cybersecurity Threat?**
5.  **Fake GlobalProtect VPN Downloads Spread WikiLoader Malware**

SEO Poisoning: How Cybercriminals Are Turning Search Engines into Traps

KEY SUMMARY POINTS Securelist by Kaspersky has published its latest threat intelligence report focused on the activities of…

****KEY SUMMARY POINTS****

*   **Focus Shift to Nuclear Industry**: The Lazarus Group, linked to North Korea, has shifted its targets to the nuclear industry, marking a potential escalation from its earlier focus on defense, aerospace, and cryptocurrency.

*   **Fake Job Posting Tactics**: Their attacks, observed in January 2024, employ fake job postings (Operation DreamJob) to deliver malicious files disguised as job assessments, gaining access to victims’ systems.

*   **Advanced Malware Techniques**: The group uses sophisticated tools like Ranid Downloader and a novel plugin-based malware, “CookiePlus,” which operates in memory, making it harder for security systems to detect.

*   **Exploitation of Vulnerabilities**: Lazarus continues refining its tactics, exploiting vulnerabilities like Google Chrome zero-day and leveraging innovative malware like “RustyAttr” on macOS.

*   **Call for Caution**: The increasing sophistication and activity of the Lazarus Group underscore the need for heightened cybersecurity measures, particularly in sensitive industries.

Securelist by Kaspersky has published its latest threat intelligence report focused on the activities of the notorious Lazarus hacking group, which, as we know it, has links to the North Korean government.

According to Securelist’s research, the Lazarus Group has shifted its focus to targeting individuals within the nuclear industry lately. This indicates an upcoming escalation in their operations, as they previously concentrated on sectors like defense, aerospace, and cryptocurrency. 

“We observed a similar attack in which the Lazarus group delivered archive files containing malicious files to at least two employees associated with the same nuclear-related organization over the course of one month,” the report read.   

Malicious files created on the victims’ hosts (Via Secure List)

The attacks observed by Kaspersky occurred in January 2024 and followed the pattern of using fake job postings, a tactic known as the DeathNote campaign or “Operation DreamJob.”

This involves creating fake job postings and enticing potential victims with tempting career opportunities. During the “interview” process, malicious files are subtly introduced, often disguised as legitimate assessment tests.

The attack starts with an initial file disguised as job assessments for prominent companies, which contains a ZIP archive with malicious executables or trojanized legitimate tools like VNC viewers.

Once executed, the trojan prompts the victim to enter an IP address provided by the attackers via separate communication channels like messenger apps. This grants the attackers unauthorized access to the compromised machine, enabling them to move laterally within the network and potentially steal sensitive data or disrupt critical operations.  

An XOR key is generated based on the IP address to decrypt the internal resources of the VNC executable and unzip the data. The unzipped data is then downloaded by Ranid Downloader, which fetches further malicious payloads like MISTPEN, RollMid, LPEClient, Charamel Loader, ServiceChanger, and CookiePlus. The payload type (DLL or shellcode) is determined by a flag within the data structure. The execution results of these plugins are encrypted and sent back to the C2 server.

A key innovation in these recent attacks is the introduction of “CookiePlus,” a novel plugin-based malware. This downloader operates primarily in memory, loading malicious payloads dynamically. This evasive technique makes it harder for traditional security solutions to detect and mitigate the threat.

The development of CookiePlus demonstrates the Lazarus Group’s continuous efforts to refine its tools and evade detection. By introducing new modular malware and adapting their tactics, they aim to maintain a persistent presence within targeted networks and achieve their objectives.

The group has been particularly active lately. In November Group-IB discovered the Lazarus group’s new trojan, “RustyAttr,” which hides malicious code in extended attributes on macOS systems and in October the group exploited a Google Chrome zero-day vulnerability to target cryptocurrency investors with a deceptive NFT game. This calls for continuous vigilance to safeguard your digital assets.

1.  Lazarus Exploits Chrome 0-Day with Fake NFT Game
2.  North Korean Hackers Team Up with Play Ransomware
3.  Lazarus’ Magecart attack steal card data from EU, US sites
4.  Lazarus Hits Blockchain Pros with Fake Video Conferencing
5.  Lazarus hackers suspected of targeting Indian space agency

Lazarus Group Targets Nuclear Industry with CookiePlus Malware

Explore how Ethereum revolutionizes industries with smart contracts, DeFi, NFTs, gaming, DAOs, and sustainability, shaping the future of…

Explore how Ethereum revolutionizes industries with smart contracts, DeFi, NFTs, gaming, DAOs, and sustainability, shaping the future of business innovation and blockchain technology.

Vitalik Buterin developed Ethereum in 2014 after taking inspiration from Bitcoin. However, he envisioned an open-source blockchain through which users could access smart contracts and trade cryptocurrency by excluding third parties. The reasons were clear: traditional financial companies risk compromising users’ data and exposing them to cybersecurity threats, which are less likely to occur on the blockchain, where users can maintain anonymity. Decentralization ensures robust maintenance through a network of global nodes and validators.

Since the blockchain offered developers many perspectives and tools, cryptocurrency has also become popular, reaching second place after Bitcoin. Now, you can buy Ethereum with a debit card or credit through Google Pay or Apple Pay, making it highly accessible globally.  Hence, one can say Ethereum’s future is bright, especially since the blockchain might become an innovative solution to modern problems. Here’s how. 

****Ethereum will promote the DeFi market** **

Decentralized Finance (DeFi) is expected to be the future of the financial industry, as it will merge features of decentralization, transparency and immutability into financial service companies like banks. This will be possible as security protocols, software, and hardware advancements will replace our current outdated systems. The financial sector of the future will ensure high accessibility to all communities, low fees for interest rates and autonomy due to decentralization. 

DeFi will be helpful for: 

*   Liquidity pools;
*   Prediction markets;
*   Non-fungible tokens;
*   Decentralized exchanges;

Developing DeFi apps might seem time-consuming at the moment. Moreover, we’re currently navigating uncertainty in regulations for crypto and blockchain, as well as in security measures, so it might take some time until DeFi apps can be safely used worldwide. 

****Ethereum will ensure access to smart contracts** **

Smart contracts are what made Ethereum so demanded by companies. They automatically seal contracts when the parties involved accomplish the predetermined instructions. Therefore, smart contracts could save companies a lot of time and money by employing automation, so there’s no need for third parties to be involved. 

Smart contracts can be useful in DeFi, for example, as they can allow fast and easy landing and borrowing. They can also help the supply chain management sector by automating the process of verifying product origin and tracing their history. Due to their benefits of interoperability and scalability, smart contracts can be applied to real estate, healthcare, and every other type of business. 

****Ethereum will innovate gaming** **

The gaming industry is one of the most successful ones, being one of the few sectors that flourished during the pandemic and continued growing after. Some of the most recent innovations in gaming include cloud gaming, AI-based development, and Virtual Reality, so it’s constantly changing to meet customer demands and expectations. 

Luckily, the Ethereum blockchain has already hopped on the trends, which is why blockchain P2E (play-to-earn) games are now widespread. Axie Infinity, the Sandbox, and Decentraland have already amassed millions of plays worldwide, allowing gamers to earn crypto while playing fun games. Most of these games are already based on the Ethereum blockchain as the network offers developers plenty of tools and mediums, so we expect it to innovate the gaming industry further. 

****Ethereum will enhance governance through DAOs****

In centralized networks, governance is based on a single central entity that makes all the critical decisions and manages businesses. While this system can be efficient because it ensures security and compliance, it can make it difficult for networks to scale and expose organizations to resistance to change. 

That’s why many are excited about working through DAOs (decentralized autonomous organizations) on Ethereum. Decisions here are made by multiple individuals, so participants are empowered to contribute to the group’s well-being. At the same time, participants’ votes are visible on the public blockchain, encouraging users to work together in building a safe space for investors and developers. 

****Ethereum can navigate business sustainability** **

Business sustainability is the latest industry trend, as companies must keep up with customer demand for green and ethical products. However, there are various challenges along the way, especially when it comes to holding companies accountable for their impact on nature. 

That’s where the Ethereum blockchain could help bring more transparency into the business area by tracking how much energy a business consumes and the carbon emissions resulting from various manufacturing or waste management actions. Ethereum is already equipped with such technology that can help assess external information through blockchain oracles. This technology would allow smart contracts to receive and send information on energy reports from the weather, for example. 

****Ethereum will power up non-fungible tokens** **

NFTs have been trending for a while as they offer investors new opportunities to expand their portfolios in a fun way. At the same time, the underlying technology allows for tokenizing real-world assets, from parcels of land to vehicles. 

The Ethereum blockchain allowed NFTs to grow and flourish, as artists had all the tools necessary to create and share them with communities. But in the future, we expect the blockchain to make it convenient for anyone to mint and trade NFTs, as the number of users that use NFTs is expected to grow to 11.64m by 2025, according to Statista. 

****Ethereum can ensure self-sovereign identity** **

Centralized systems expose users to cybersecurity vulnerabilities, leading to identity theft and unauthorized access. Luckily, with Ethereum blockchains, users will be able to store data on the network and choose who they’re sharing it with. 

This is called self-sovereign identity (SSI), which uses blockchain technology to make data more private and offer users control over their personal information. However, this would require them to use multiple identity platforms and keep track of their data alone. 

****Is Ethereum the perfect tool for future business innovation?** **

The Ethereum blockchain is an advanced network through which developers can learn to create NFTs, dApps, DAOs, and much more. The infrastructure uses smart contracts to deploy anything on the blockchain. Therefore, we expect Ethereum to become the driving force of future decentralization and efficiency. Users on the blockchain can promote DeFi, benefit from DAO governance, and make businesses more sustainable, which will ensure empowerment and high accessibility at the same time. 

1.  Could Bitcoin Be The Future Of DeFi?
2.  Is the Blockchain Secure? Yes, and Here’s Why
3.  Accepting Ethereum (ETH) for Businesses, An Overview
4.  Exploring the Phenomenal Rise of Ethereum as a Digital Asset
5.  Ethereum’s Layer 2 Solutions Could Outrun the Main Blockchain

_Editor’s Note: The information provided in this article is for informational purposes only and should not be considered financial advice. Please conduct your own research and consult a professional advisor before making any financial decisions, including buying or investing in cryptocurrency._

Why Ethereum Will Be a Key Platform for Businesses in the Future

Plus: Google’s U-turn on creepy “fingerprint” tracking, the LockBit ransomware gang’s teased comeback, and a potential US ban on the most popular routers in America.

It’s been a busy year in cybersecurity, but it’s not over yet. This week, we revealed how hackers figured out how to “jailbreak” digital license plates—which are legally issued in at least a couple of states and are valid across the US—allowing them to change the license plate number to basically anything. That means someone with this capability can avoid tolls and tickets, or even change their plate to be the same as their enemy.

While the company that makes the plates, Reviver, makes clear that doing this would be both illegal and a terms-of-service violation, we’re guessing that the people who want to hide their car’s credentials so they can speed all over town aren’t too concerned about that.

Staff at the Cybersecurity and Infrastructure Security Agency are preparing for an uncertain future. Several CISA employees told WIRED that they’re afraid the incoming Trump administration will scrap key programs that they say are keeping Americans safe from cyberattacks and other threats—or that the agency itself could be dismantled.

In recent years, financial scams that involve bilking people out of their cryptocurrency holdings have come to be known by an eye-catching, catch-all name: “pig butchering.” But it’s time for a rebrand, according to officials at Interpol. The term, which is a translation from Chinese and refers to the slow process of fattening up a pig before slaughtering it, was likely created by the scammers themselves. As such, its use could further degrade victims of these scams or shame them into not reporting a crime.

Doing crimes in public is, apparently, all the rage. We took a deep dive into the world of drug dealers who are advertising their goods on open web platforms like Instagram, X, and Snapchat. The practice isn’t new, but authorities in Europe say it’s growing more popular.

And that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**FAA Bans Drones Over Parts of NJ and NY but “Has Not Identified Anything Anomalous”**

The US Federal Aviation Administration said on Thursday that it was temporarily banning drone flights over dozens of critical infrastructure and utility sites in New Jersey and New York “at the request of federal security partners.” The restrictions are set to last 30 days. The announcement comes as panic over reported mysterious drone sightings in the two states has surged in recent weeks. The FAA said in a joint statement with the US Department of Homeland Security, Department of Defense, and FBI on Wednesday that the US government has not found evidence of malicious or unexplained aircraft.

"Having closely examined the technical data and tips from concerned citizens, we assess that the sightings to date include a combination of lawful commercial drones, hobbyist drones, and law enforcement drones, as well as manned fixed-wing aircraft, helicopters, and stars mistakenly reported as drones,” the agencies wrote. "We have not identified anything anomalous and do not assess the activity to date to present a national security or public safety risk over the civilian airspace in New Jersey or other states in the northeast.”

The agencies said that the FBI has received more than 5,000 tips about reported drone sightings in recent weeks that have generated about 100 leads investigated by local, state, and federal officials. None have proved to be problematic or concerning. The mass hysteria is itself creating dangerous conditions, though. The FAA warned on Wednesday that there has been a significant uptick in people pointing lasers at aircraft, which is illegal because it can be dangerous and distracting for pilots.

**Google U-Turn Allows Creepy “Fingerprint” Tracking Next Year**

Back in 2019, Google made its position on the online tracking method called fingerprinting pretty clear. “Unlike cookies, users cannot clear their fingerprint, and therefore cannot control how their information is collected,” the company said in a blog post. “We think this subverts user choice and is wrong.”

That viewpoint appears to have changed. This week, Google announced that, starting in February 2025, advertisers would be allowed to use fingerprinting. The method is largely hidden and allows online activity to be tracked by building up a profile using characteristics from your device—for instance, your phone type, language settings, timezone, can be combined with other information unique to your setup and identify you.

Google indicated the change in new advertising policies, which will go into force next year. The current version of the policy says fingerprinting is not allowed, while that reference has been scrubbed from the new version. The change drew instant criticism, with the UK’s data regulator, the Information Commissioner’s Office (ICO), saying that “fingerprinting is not a fair means of tracking users online” and it called the U-turn “irresponsible.” The ICO said it is talking to Google about the shift.

**LockBit Teases Potential Comeback as Alleged Developer Faces US Extradition**

Early this year, the notorious Lockbit ransomware group was thoroughly dismantled by a law enforcement operation, called Operation Cronos. The group’s website was taken over, details of its members and their cyberattacks extracted, decryption tools released, and its alleged Russian mastermind identified.

Now, the US government is attempting to extradite Rostislav Panev, an Israeli citizen who it suggested worked as a LockBit developer between 2019 and 2024. According to Ynet news, Panev was arrested in August and it is alleged that he received more than $230,000 in Bitcoin and developed ransomware tools from the gang. According to a complaint unsealed by US officials, Panev said he was regularly paid $10,000 per month for software development. Panev’s lawyers deny the claims.

At the same time, the organizers of the LockBit ransomware claim that they have created a new “4.0” version of their tools and will be “launching” them in February. A post on LockBit’s reincarnated dark-web sites urged potential hackers to sign up. As with many cybercrime groups, LockBit has lied about its activities in the past, and following the humiliation of its disruption, many other cybercriminals may not trust its tattered brand.

**One of America’s Most Popular Router Manufacturers May Be Banned**

Chinese technology company and router maker TP-Link could be banned in the US, a report from The Wall Street Journal this week claimed. Officials at the Defense, Commerce, and Justice departments have launched investigations into the company over potential cybersecurity and national security concerns around its routers. The Commerce Department has reportedly subpoenaed TP-Link, which has more than 60 percent of the US retail market for routers. A ban could reportedly happen next year.

While TP-Link is a Chinese company, its products are sold in the US by a separate California-based business. In October, Microsoft said that TP-Link routers “make up most” of a network of compromised devices that it has detected being used in Chinese hacking campaigns. The news of the potential ban follows the previous bans of Huawei and ZTE equipment and comes as TikTok will challenge its ban before the US Supreme Court in early January.

Mystery Drone Sightings Lead to FAA Ban Despite No Detected Threats

Criminals are luring victims looking to download software and tricking them into running a malicious command.

More and more, threat actors are leveraging the browser to deliver malware in ways that can evade detection from antivirus programs. Social engineering is a core part of these schemes and the tricks we see are sometimes very clever.

Case in point, there has been an increase in attacks that involve copying a malicious command into the clipboard, only to be later pasted and executed by the victims themselves. Who would have though that copy/paste could be so dangerous?

The new campaign we observed uses a a combination of malicious ads and decoy pages for software brands, followed by a fake Cloudflare notification that instructs users to manually run a few key combinations. Unbeknownst to them, they are actually executing PowerShell code that retrieves and installs malware.

**The discovery**

Our investigation into this campaign started from a suspicious ad for ‘notepad’ while performing a Google search. Such search queries have been a hot spot for criminals who want to lure victims that are looking to download programs onto their computer.

Based on previous evidence, criminals are tricking victims into visiting a lookalike site with the goal of downloading malware. In this case, the first part was true, but what unfolded next was new to us.

When we clicked the Download button, we were redirected to a new page that appeared to be Cloudflare asking us to “_verify you are human by completing the action below_“. This type of message is more and more common, as site owners try to prevent bots and other unwanted traffic.

But rather than having to solve a CAPTCHA, we saw another unexpected message: _“Your browser does not support correct offline display of this document. Please follow the instructions below using the “Fix it” button_“.

**Powerful technique**

This technique is actually not new in itself, and similar variants have been seen both via email spam and compromised websites before. It is sometimes referred to as ClearFake or ClickFix, and requires users to perform a manual action to execute a malicious PowerShell command.

Clicking on the ‘Fix It’ button copies that command into memory (the machine’s clipboard). Of course the user has no idea what it is, and may follow the instructions that ask to press the Windows and ‘R’ key to open the Run command dialog. CTRL+V pastes that command and Enter executes it.

Once the code runs, it will download a file from a remote domain (_topsportracing\[.\]com_) within the script. We tested that payload in a sandbox and observed immediate fingerprinting:

C:\\Users\\Admin\\AppData\\Local\\Temp\\10.exe  
    C:\\Windows\\SYSTEM32\\systeminfo.exe  
        C:\\Windows\\system32\\cmd.exe  
            C:\\Windows\\system32\\cmd.exe /c "wmic computersystem get manufacturer"

The information is then sent back to a command and control server (_peter-secrets-diana-yukon\[.\]trycloudflare\[.\]com_) abusing Cloudflare tunnels:

The use of Cloudflare tunnels by criminals was previously reported by Proofpoint to deliver RATs. We weren’t able to observe a final payload but it is likely of a similar kind, perhaps an infostealer.

**Campaign targets several brands**

This was not an isolated campaign for Notepad, as we soon found additional sites with a similar lure. There was a Microsoft Teams landing page which used exactly the same trick, followed by others such as FileZilla, UltraViewer, CutePDF and Advanced IP Scanner.

Oddly, we saw a lure for a cruise booking site. We have no idea how that came to be, unless the criminals agree that everyone needs a vacation sometimes.

**Overlap with other campaigns**

As mentioned previously, this type of social engineering attack is getting more and more popular. Researchers are tracking several different families under different names such as the original SocGholish.

Interestingly, the same domain (_topsportracing\[.\]com_) we saw in the malicious PowerShell command for Notepad++ was also used recently in another campaign known as #KongTuke:

As these schemes are being increasingly used by criminals, it is important to be aware of the processes involved. The Windows key and the letter ‘R’ pressed together open the Run dialog box. This is not something that most users will ever need to do, so always think carefully whenever you are instructed to perform this.

Malwarebytes customers are protected against this attack via our web protection engine for both the malicious sites and PowerShell command.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**Indicators of Compromise**

Malicious domains

notepad-plus-plus.bonuscos\[.\]com  
microsoft.team-chaats\[.\]com  
cute-pdf\[.\]com  
ultra-viewer\[.\]com  
globalnetprotect\[.\]com  
sunsetsailcruises\[.\]com  
jam-softwere\[.\]com  
advanceipscaner\[.\]com  
filezila-project\[.\]com  
vape-wholesale-usa\[.\]com

Servers used before Cloudflare proxy

185.106.94\[.\]190  
89.31.143\[.\]90  
94.156.177\[.\]6  
141.8.192\[.\]93

Malware download URLs

hxxp\[://\]topsportracing\[.\]com/wpnot21  
hxxp\[://\]topsportracing\[.\]com/wp-s2  
hxxp\[://\]topsportracing\[.\]com/wp-s3  
hxxp\[://\]topsportracing\[.\]com/wp-25  
hxxp\[://\]chessive\[.\]com/10\[.\]exe  
hxxp\[://\]212\[.\]34\[.\]130\[.\]110/1\[.\]e

Malware C2

peter-secrets-diana-yukon\[.\]trycloudflare\[.\]com

 &#8216;Fix It&#8217; social-engineering scheme impersonates several brands 

In the last newsletter of the year, Thorsten recalls his tech-savvy gift to his family and how we can all incorporate cybersecurity protections this holiday season.

Thursday, December 19, 2024 14:02

Welcome to the final Threat Source newsletter of 2024. 

Watching "Die Hard" during the Christmas season has become a widely recognized tradition for many, despite ongoing debates about its classification as a Christmas movie. I know it isn't everyone's cup of tea. Whether you like the movie or not, let me share a story about what didn't quite go as planned in my family last year.  

When  some celebrities had their social media accounts compromised, I saw it as the perfect opportunity to introduce my family to the world of multi-factor authentication (MFA) for their online accounts. Our home IT setup is diverse— With Linux, Macs, Windows; Androids, iOS, we needed something cross-platform. Also, we needed a user-friendly solution as we have both standard users and IT experts (never underestimate your users). From my professional standpoint, I decided to go “all in” with hardware tokens - they work cross platform and "survive" one or the other OS installs from scratch. Providing two for each person was mandatory in case one got lost, which had happened to me already. So it wasn't a cheap exercise. In my defense, this was before the side-channel attack EUCLEAK was discovered, which has since expanded to affect more products as noted in the first release. 

In the spirit of John McClane : “Now I know what a TV dinner feels like.” 

The kids found the gift "boring" and almost a year later, the adoption rate is still only 30%. Fortunately, my wife had the foresight to prepare real presents for the family, saving Christmas Eve from being a "bad guys win" scenario. (Only John Thor can drive somebody that crazy.) 

I share this anecdote not to discourage you, but to help you avoid making the same mistake and risking your celebrations. Unless everyone gathered around the Christmas tree is an infosec professional, it might not be the time to go "Yippee-ki-yay Mr Falcon" with tech gifts.  

However, spending time with loved ones is a great opportunity to discuss the trends and importance of cybersecurity. We've been highlighting compromised credentials for a long time, as seen in our previous posts \[here\], \[here\], \[here\] and \[here\]. For the fourth consecutive time in over a year, the most observed means of gaining initial access was the use of valid accounts, making it clear identity-based attacks are becoming more prevalent, and wont be gone anytime soon. 

 Advocate for the use of a password managers—there are paid versions with family plans on one end, and excellent open-source alternatives on the other. Avoid storing credentials in browsers, as they can be extracted by info-stealers. Consider using passkeys where possible. According to the fido alliance, more than 20% of the world's top 100 websites support passkeys already. If passkeys are not yet enabled for one of your services? Any MFA is better than none. Even using "just" TOTP in a software container is a significant improvement over just a password. 

But it's not just about enabling MFA. As Martin wrote last week, we need to close the gap by communicating and understanding the the threat landscape. When it comes to stolen credentials, share resources like https://haveibeenpwned.com/ or https://sec.hpi.de/ilc/?lang=en with your loved ones so they can check if their email has been part of a breach.   

If you decide not to bother your friends & famliy (though I strongly believe Mbappe, Sweeny and Odenkirk would have preferred a more secure account) with Account/Password Hygiene, there are some more work related recommendations in Hazel’s “How are attackers trying to bypass MFA” 

Whichever is your idea of Christmas, then, like Argyle said, "I gotta be here for New Year's!"  

We look forward to seeing you in 2025!   

**The one big thing**

At the time of writing, our Vulnerability Research Team Disclosed 207 Vulnerabilities, and had another 93 reported to the respective Vendor in 2024.  Di you know  Talos has a team which investigates software and operating system vulnerabilities in order to discover them before malicious threat actors do? Every day, they try to find vulnerabilities that have not yet been discovered, and then work to provide a fix for those before a zero-day threat could ever be executed. 

**Why do I care? **

We see threat actors exploiting known vulnerabilities constantly. Sometimes those CVEs are Years old.  

**So now what? **

Maybe you want to check for some CVEs or conduct a network security assessments.   
You can our team’s reports,roundups,spotlights and deep dives on our blog. 

**Top security headlines of the week **

 Blackhat Europe 2024 took place Dec 9-12 in London, UK. Loaded with a lot of interesting Sessions, my favorites are “Vulnerabilities in the eSIM download protocol” and “Over the Air: Compromise of Modern Volkswagen Group Vehicles” both showing how far an attack surface can possibly extend.  

Germany's Federal Office for Information Security (BSI) says it blocked communication between appr. 30.000 Android IoT Devices which were sold with BadBox malware preinstalled, and their command and control (C2) infrastructure by sinkholing DNS queries (Bleeping Computer)  

Law enforcement agencies worldwide disrupted a holiday tradition for cybercriminals: launching Distributed Denial-of-Service (DDoS) attacks. Booter and stresser websites were taken down, administrators were arrested and over 300 users were identified for planned operational activities. (Europool) 

The Willow chip is not capable of breaking modern cryptography,” Google’s director of quantum tells The Verge.

**Can’t get enough Talos? **

*   The evolution and abuse of proxy networks 
*   Microsoft Patch Tuesday for December 2024 contains four critical vulnerabilities 

**Upcoming events where you can find Talos **

  Cisco Live EMEA (February 9-14, 2025) 

Amsterdam, Netherlands 

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA256:**873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f   
**MD5:** d86808f6e519b5ce79b83b99dfb9294d    
**VirusTotal:**  
https://www.virustotal.com/gui/file/873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f   
**Typical Filename:** n/a   
**Claimed Product:** n/a    
**Detection Name:** Win32.Trojan-Stealer.Petef.FPSKK8  

**SHA256:**9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f    
**VirusTotal:**  
https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
**Typical Filename:** VID001.exe    
**Claimed Product:** n/a    
**Detection Name:** Win.Worm.Bitmin-9847045-0 

 **SHA 256:**  
7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5    
**MD5:** ff1b6bb151cf9f671c929a4cbdb64d86    
**VirusTotal:** https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5   
**Typical Filename:** endpoint.query    
**Claimed Product:** Endpoint-Collector    
**Detection Name:** W32.File.MalParent  

 **SHA256:**47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**MD5:** 71fea034b422e4a17ebb06022532fdde   
**VirusTotal:** https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**Typical Filename:** VID001.exe   
**Claimed Product:** n/a    
**Detection Name:** Coinminer:MBT.26mw.in14.Talos 

 **SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:**  
7bdbd180c081fa63ca94f9c22c457376    
**VirusTotal:** https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91   
**Typical Filename:** IMG001.exe    
**Claimed Product:** N/A     
**Detection Name:** Trojan/Win32.CoinMiner.R174018

Welcome to the party, pal!

Non-human identities authenticate machine-to-machine communication. The big challenge now is to secure their elements and processes — before attackers can intercept.

Source: Poptika via Shutterstock

When industrial automation giant Schneider Electric revealed last month that ransomware gang Hellcat stole 40GB of sensitive data, the attackers acknowledged using exposed credentials to breach Schneider's Jira server. 

Once inside the company's project management system, attackers used the miniOrange REST API, a widely used authentication plug-in, to exfiltrate 400,000 rows of data, including 75,000 email addresses, employee names, and customer records. 

What this and dozens of other incidents have in common is that the attackers exploited vulnerabilities in non-human identities (NHIs). Unlike human identities used for authentication by individuals via identity and access management (IAM) credentials, NHIs, also known as machine identities or service accounts, are used by applications, services, and Internet of Things (IoT) installations for authenticating machine-to-machine communications. 

Predictably, investors are funding startups with products that govern and mitigate NHI risk, while more established companies are adding such capabilities, either internally or via acquisition. 

Astrix Security, a prominent startup that says it created the term NHI, earlier this month raised $45 million in Series B funding led by Menlo Ventures and artificial intelligence (AI) platform provider Anthropic, bringing its total funding to $85 million since its founding in 2021.

"A year ago, the term NHI did not exist, and now everyone is talking about them," says Astrix co-founder and CEO Alon Jackson.

Astrix describes its platform as a suite of identity security posture management (ISPM) tools, including non-human identity threat detection and response, NHI life cycle management, auto-remediation, and secrets scanning. 

**Where NHIs Are Vulnerable**

Typical NHIs include API keys, bots, OAuth tokens, database credentials, certificates, and secrets. As organizations have accelerated use of cloud-native applications, IoT infrastructure, and, most notably, AI-based automation during the past two years, NHIs have become a more alarming threat.

Unlike IAM and privilege access management (PAM), few organizations centrally manage NHIs, and there's greater likelihood that they have excessive permissions without expiration dates.

"There are numerous issues with NHIs, including unencrypted credentials, having a full inventory of NHI accounts, inactive accounts, and lack of account ownership," explained Omdia senior analyst Don Tait in a November report.  

Many CISOs are just learning the implications of NHIs. A recent Cloud Security Alliance (CSA) survey of over 800 security and IT professionals found that 24% plan to invest in NHI security during the next six months, and 36% will do so within a year.

More than half of those surveyed believe they may have experienced an incident related to NHIs. 

Astrix is not the only company with NHI discovery and remediation tools attracting investors. Among those that raised Series A funding in 2024 include Aembit ($25 million), Entro Security ($18 million), and Oasis Security ($35 million), which recently discovered the MFA bypass flaw Microsoft Azure. 

The most prominent bet on protecting NHIs was placed in May when CyberArk paid $1.54 billion to acquire machine identity management provider Venafi.

"As NHI continues to evolve, so are the notable vendors in this space," says Christopher Steffen, VP of research at Enterprise Management Associates (EMA). 

Meanwhile, AppSec providers are adding NHI protection capabilities to their offerings. GitGuardian, known for detecting and remediating leaked secrets in GitHub and other source code repositories, recently launched GitGuardian NHI Governance. GitGuardian officials describe it as an addition to its existing platform that will provide visibility and control of NHI life cycles and their associated secrets. 

GitGuardian's initial release will integrate with five key secrets management platforms: HashiCorp Vault, CyberArk Conjur, AWS Secrets Manager, Google Cloud Secrets Manager, and Azure Key Vault.

**Role of NHI Security **

Failure to adequately rotate credentials, overprivileged accounts or identities, and insufficient monitoring and logging are among the common causes of incidents involving compromised NHIs, the CSA report indicates.

"To claim their identity, machines authenticate via secrets like API keys, OAuth tokens, database credentials, usernames and passwords, and certificates," noted GitGuardian product manager Soudanya Ain in a blog post. "They've become the number one vector for a successful attack, frequently overlooked."

Besides the Schneider incident, the NHI Management Group counts over 40 breaches tied to compromised non-human identity credentials during the past two years, including:

*   Microsoft's Midnight Blizzard, which enabled the attackers to access and breach a legacy test OAuth application with elevated privileges.
    
*   The Snowflake breach, which compromised its various customers, including Santander Bank and Ticketmaster.
    
*   Last summer's GitHub extortion attacks by threat actors who used malicious OAuth apps to breach trusted third-party integrations.
    
*   A breach by an attacker who stole secrets, including authentication tokens from the popular Hugging Face open source repository of APIs and other resources for developers who build AI models. 
    

Next year, the risk from compromised NHIs is expected to grow, as is their proportion to human identities, as AI automates more business processes. Omdia's Tait noted industry estimates of the current ratio of NHIs to human identities is 50:1.

"That figure is only likely to increase going forward," he wrote. 

"We do expect NHI growth is going to accelerate further," added Maxine Holt, senior director of Omdia's cybersecurity practice, speaking during a December webinar presented by Dark Reading.

Holt warned that ungoverned NHIs will further raise the threat landscape.

"These identities do require management to ensure secure communication between different services and to prevent unauthorized access and facilitate accountability," she said. "Of course, we need the audit trail there as well. We believe that it's really important to recognize non-human identities as a vital link in the cyber threat chain."

According to the CSA survey, 69% said they are concerned about NHIs as a threat vector, while 38% reported that their organizations have low or no visibility to third parties connected by OAuth apps. Only 20% have a formal process for revoking API keys, and even fewer have procedures for rotating them. 

"There's definitely that trend toward understanding NHI security better and addressing them," said John Yeoh, CSA's global VP of research, at a public meeting in September. "We only expect the NHI field to explode and get out further."

**Blending NHIs and Human Identities **

The current crop of NHI platforms is designed for machine identities, not human credentials, managed by IAM and PAM systems from Microsoft, Okta, Ping Identity, JumpCloud, CyberArk, BeyondTrust, and OneLogin.

Astrix's Jackson says its new round of funding will, in part, go toward expanding integration with human identities.

"Our customers are asking for a 360-degree view of the human and the non-human identities," Jackson says. "But we will be keeping our edge on the NHI space. This is not just posture management and not just anomaly detection, but it's creating the connections in a secure manner."

GitGuardian, which deals with application security and platform engineering teams, has a similar ambition of providing links from its secrets vaults to IAM platforms.

"That's the plan," says Pierre Le Clézio, the company's lead product manager. "But not yet. We are starting with the secret managers and that ecosystem, and then we will have the IAM systems."

**Anticipate M&A Activity **

As NHI security continues to evolve, so will the notable providers, EMA's Steffen says.

"It seems very likely that larger technology players are going to jump into this space," he says. "Many already have complementary offerings, like Wiz and Palo Alto Networks, and are jumping into NHI — either through acquisition or developing their own solution."

Steffen also anticipates that identity providers like Ping and Okta will delve into NHI.

"They already have the infrastructure and the means to enhance NHI for most enterprises, as well as they already lead the market in identity solutions."

Omdia's Holt also anticipates M&A activity.

"The evolving threat landscape really does necessitate a shift toward comprehensive products and solutions that take on both human and non-human identities," she said. "But the market is still developing. A lot of the players are startups. We expect to see more of a move towards platform support and more acquisitions during 2025 for managing non-human identities."

**About the Author**

Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Vendors Chase Potential of Non-Human Identity Management

Seemingly innocent "white pages," including an elaborate Star Wars-themed site, are bypassing Google's malvertising filters, showing up high in search results to lure users to second-stage phishing sites.

Source: Bits And Splits via Shtterstock

Threat actors appear to have found yet another innovative use case for artificial intelligence in malicious campaigns: to create decoy ads for fooling malvertising-detection engines on the Google Ads platform.

The scam involves attackers buying Google Search ads and using AI to create ad pages with unique content and absolutely nothing malicious about them. The goal is to use these decoy ads to then lure visitors to phishing sites for stealing credentials and other sensitive data.

With malvertising, threat actors create malicious ads that are rigged to surface high up in search engine results when people search for a particular product or service. The ads often spoof popular and trusted brands and involve webpages and content that are replicas of the originals but serve instead to redirect users to phishing pages or download an attacker's malware of choice on systems of users who interact with the malicious ads.

While many malvertisement campaigns are targeted at consumers, there have been several recently focused on corporate users as well. One example is a campaign that sought to distribute the Lobshot backdoor on corporate systems, and another that phished employees at Lowe's.

**A Steady, Post-Macro Increase in Malvertising**

"We are seeing more and more cases of fake content produced for deception purposes," researchers at Malwarebytes said in a report on the campaign this week. These so called "white pages," as they are being referred to in the criminal underground, serve as legitimate-looking decoys, or front-end webpages that hide malicious content and activities behind them, according to Malwarebytes.

Related:Manufacturers Lose Azure Creds to HubSpot Phishing Attack

"The content is unique and sometimes funny if you are a real human, but unfortunately a computer analyzing the code would likely give it a green check," Malwarebytes security researcher Jerome Segura wrote. White pages, incidentally, are in contrast to "black pages," which are the actual malicious landing pages containing harmful content or malware.

The use of AI to plant decoy content on Google Ads adds a new wrinkle to malvertising scams, which have seen a remarkable surge in volume recently. Malwarebytes has pinned the increase to Microsoft's decision in 2022 to block macros in Word, Excel, and PowerPoint files downloaded from the Internet — a top malware vector for threat actors. That decision forced attackers to look for other malware distribution vectors, one of which happens to be malvertising, according to Malwarebytes.

Though Google and operators of other major online ad distribution networks have been battling against the scourge — and have gotten better at quickly identifying and removing malvertising content — bad actors have consistently managed to remain a step ahead. A Malwarebytes study found Amazon to be the most spoofed brand in malvertising campaigns, followed by Rufus, Weebly, NotePad++, and TradingView.

Related:CISA Directs Federal Agencies to Secure Cloud Environments

**Spoofing Brands With AI-Generated Content**

In its report, Malwarebytes provided two examples of AI-generated decoy ads it spotted recently on Google Ads. One of the decoy ads targeted users searching the Internet for the Securitas OneID mobile app, and the other targeted users of the Parsec remote desktop app, which is popular among gamers.

The Securitas OneID scam involved an entirely AI-generated website, complete with AI-generated images of supposed executives of the company.

"When Google tries to validate the ad, they will see this cloaked page with pretty unique content and there is absolutely nothing malicious within it," Segura wrote.

With the Parsec ad, the threat actors used some creative license of their own to generate a heavily Star Wars\-influenced website, replete with references to the parsec astronomical measurement unit. The artwork for the website even included several AI-generated Star Wars-themed posters, which while impressive, would likely have suggested to users that the site had nothing to do with the legitimate Parsec app.

Related:Azure Data Factory Bugs Expose Cloud Infrastructure

"Ironically, it is quite straightforward for a real human to identify much of the cloaked content as just fake fluff. Sometimes, things just don’t add up and are simply comical," Segura wrote. Even so, as a cloaking mechanism for a malvertising campaign," he added, "the website would have passed Google's validation checks.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Malvertisers Fool Google With AI-Generated Decoy Content

Protect yourself from sophisticated phishing attacks that leverage Google Calendar to steal your personal information.

**KEY SUMMARY POINTS**

*   **Google Calendar Targeted:** Hackers are exploiting Google Calendar’s features to send phishing emails disguised as legitimate invites.

*   **Sophisticated Tactics:** Attacks leverage tools like Google Forms and Google Drawings to bypass traditional email security and enhance credibility.

*   **Widespread Impact:** Over 4,000 phishing emails linked to this campaign were detected in a four-week period, affecting around 300 brands.

*   **Social Engineering:** Cybercriminals use urgency, fear, and impersonation to trick victims into clicking malicious links and entering sensitive information.

*   **Preventive Measures:** Advanced email security, monitoring third-party app usage, and behavior analytics are essential to mitigate these evolving threats.

According to the latest research from Check Point, shared with Hackread.com, a widely used scheduling tool called Google Calendar has become the newest target for cybercriminals.

For your information, Google Calendar is part of **Google Workspace** (formerly known as G Suite). It is a popular tool for organizing schedules and managing time used by over 500 million people in 41 languages.

According to CPR’s research, attackers are manipulating Google Calendar and its associated features, like Google Drawings, to launch phishing attacks by sending seemingly legitimate emails with links that bypass traditional email security measures. These links appear to connect to Google Forms or Google Drawings, further enhancing the attack’s credibility.

The malicious email and Google Calendar setup (Via CPR)

Initially, they exploited the user-friendly features inherent in Google Calendar, offering links connecting to Google Forms. However, after observing that security products could flag malicious Calendar invites, they evolved the attack to align with Google Drawings capabilities.

“Cyber criminals are modifying “sender” headers, making emails look as though they were sent via Google Calendar on behalf of a known and legitimate individual. Roughly 300 brands have been affected by this campaign thus far, with cyber researchers observing over 4,000 of these phishing emails in a four-week period,” revealed Check Point’s **blog post**.

The attackers leverage the trust and familiarity associated with Google Calendar to lure victims into clicking malicious links. They create a seemingly legitimate calendar invite, often from a known contact or a familiar organization. This initial invite may contain a link to a Google Form Google Drawing or ICS file attachment, which appears to be a simple request for information or a survey, often displaying a **CAPTCHA** or support button.

However, once the victim clicks on the link, they are redirected to a malicious website designed to steal personal information or corporate data through a fake authentication process, potentially leading to financial scams. This website might mimic a legitimate login page, a cryptocurrency exchange, or a tech support page.

The goal is to trick the victim into entering sensitive information like passwords, credit card details, or personal identification numbers. Stolen information can be used for credit card fraud or unauthorized transactions, posing significant risks to both parties.

It is worth noting that the attackers often use social engineering tactics to increase the credibility of the attack. They might create a sense of urgency, fear, or curiosity to entice victims to click on the malicious link. They may also impersonate trusted individuals or organizations to gain the victim’s trust.

To stay protected from phishing threats, organizations should implement advanced email security solutions, **monitor third-party Google App usage**, implement strong authentication mechanisms, and use behavior analytics tools to detect unusual login attempts or suspicious activities to ensure a secure and secure online environment for all users.

1.  **Google Workspace Vulnerable to Takeover**
2.  **Misconfigured Google Groups Settings Leak Sensitive Data**
3.  **Google Chrome mobile phishing scam can steal private data**
4.  **Scammers Weaponize Google Forms in New BazarCall Attack**
5.  **Threat actors using Google Docs exploit to spread phishing links**

Tag

#google