Attackers Hijack Google Advertiser Accounts to Spread Malware

In an especially brazen tactic, multiple threat actors are impersonating Google Ads login pages to trick advertisers into handing over their account credentials.

The attackers — from regions as geographically dispersed as South America, Asia, and Eastern Europe — are then using the hijacked accounts in real-time to buy and distribute malicious advertisements and malware via Google Ads.

‘Most Egregious’ Malvertising Campaign Ever

The scammers appear to be succeeding in many cases because their ads are allowed to show an ads.google.com URL. This makes them virtually indistinguishable from legitimate Google ads, according to researchers at Malwarebytes, who spotted the malicious activity recently.

“This is the most egregious malvertising operation we have ever tracked, getting to the core of Google’s business and likely affecting thousands of their customers worldwide,” Malwarebytes researcher Jerome Segura wrote in a blog post this week. “We have been reporting new incidents around the clock and yet keep identifying new ones, even at the time of publication.”

Google Ads is an advertising platform that enables businesses and individuals to display targeted ads across Google’s search results, websites, mobile apps, and other online properties, based on user search behavior and interests. Often, the top search results are sponsored, meaning someone paid for that high visibility. For context, Google Search generated some $175 billion in ad revenue in 2023.

According to Segura, there has been a recent flood of fake sponsored ads for Google Ads directed at businesses and individuals looking to advertise on Google Search or wanting to sign in to their Google Ads accounts. The ads appear to be from Google and purport to either help people sign up for a Google Ads account or to sign in to an existing account. Users clicking on these ads are directed to a fake Google Ads home page from which they are directed to external sites designed specifically to steal usernames and passwords to the advertiser’s Google accounts.

The attackers are using Google’s free website creation platform, Google Sites, to host the lure pages. It is a tactic that Segura says allows them to trivially bypass a Google policy that allows advertisers to include a URL in their ads only if the URL matches the domain name of the advertiser. “Looking back at the ad and the Google Sites page, we see that [the] malicious [ads do] not strictly violate the rule since sites.google.com uses the same root domains as ads.google.com,” Segura said. “In other words, it is allowed to show this URL in the ad, therefore making it indistinguishable from the same ad put out by Google LLC.”
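To make the loophole concrete, the following added example (not code from Malwarebytes or Google) models the URL rule as the article describes it, root-domain matching, next to a stricter exact-host rule; the tiny public-suffix table and the constructed sample URLs are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Stand-in for a public-suffix list (assumption: a production check would
# load the full list so that hosts under e.g. co.uk are handled correctly).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def host_of(url):
    """Lower-cased host of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(host):
    """eTLD+1 of a host: 'ads.google.com' -> 'google.com'."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def display_url_ok_root_domain(display_url, landing_url):
    """Rule as the article describes it: the display URL only has to share
    its root domain with the advertiser's landing page."""
    return registrable_domain(host_of(display_url)) == registrable_domain(host_of(landing_url))


def display_url_ok_exact_host(display_url, landing_url):
    """Stricter rule: the display URL's host must equal the landing host."""
    return host_of(display_url) == host_of(landing_url)


def evaluate(display_url, landing_url):
    """Return both verdicts so the gap between the two rules is visible."""
    return {
        "root_domain_rule": display_url_ok_root_domain(display_url, landing_url),
        "exact_host_rule": display_url_ok_exact_host(display_url, landing_url),
    }


if __name__ == "__main__":
    # Constructed sample: a page hosted on Google Sites shown with an ads.google.com URL.
    print(evaluate("https://ads.google.com/", "https://sites.google.com/view/sample-page"))
    # Same advertiser host on both sides: both rules agree.
    print(evaluate("https://ads.google.com/", "https://ads.google.com/home/"))
```

The first case passes the root-domain rule and fails the exact-host rule, which is the gap the article describes; a real fix is harder than this because many legitimate advertisers also use shared subdomains.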

Google Is Actively Investigating Cyberattacks

In an emailed comment, a Google spokesman said the company is currently “actively investigating” the issue and working on a quick fix for the problem. “We expressly prohibit ads that aim to deceive people in order to steal their information or scam them,” the spokesperson said.

As context, the spokesperson pointed to the growing sophistication and scale of malvertising campaigns and noted instances where threat actors have created thousands of malicious accounts simultaneously to distribute malicious ads on Google properties. Often these actors are using techniques such as text manipulation to get around automation detection mechanisms. In other instances, they use cloaking tactics to show Google reviewers and systems different ads from the ones that users end up seeing. “To provide a sense of the scale of our enforcement efforts in 2023, we removed over 3.4 billion ads, restricted over 5.7 billion ads, and suspended over 5.6 million advertiser accounts,” the spokesman said.

Impersonating Google Ads: Simple & Effective Social Engineering

In comments to Dark Reading, Segura says the most notable part of the new malicious activity is the impersonation of the Google Ads brand by combining Google Sites URLs with the ads. “It’s a simple and yet effective trick that makes those ads incredibly hard to differentiate from the real ones,” Segura says. Complicating matters is the fact that bad actors are often using compromised Google Ads accounts to place even more fake ads in Google Search, making the activity challenging to stop.

Google should be making it harder for bad actors to pull off such impersonation schemes, he says. “The ‘how’ is more complicated, as it involves reviewing business practices and … existing security policies.”

Segura says Malwarebytes is tracking and reporting each malvertising incident it comes across via a live tracker that the Google Ads team can access. “This has been a helpful tool for us, not only to make the reporting process easier but also to keep a historical record,” he notes. Google’s response has consisted of taking action on the ads that Malwarebytes reports. “[But] the threat actors are able to get right back as if the campaign never stopped. We are talking about dozens of accounts that get burned but yet there are enough to keep this going indefinitely.”


CISA: Second BeyondTrust Vulnerability Added to KEV Catalog

NEWS BRIEF

The Cybersecurity and Infrastructure Security Agency (CISA) is urging federal agencies to patch a command injection flaw tracked as CVE-2024-12686, otherwise known as BT24-11, and has added it to the Known Exploited Vulnerabilities (KEV) Catalog.

The medium-severity security bug was found as part of BeyondTrust’s Remote Support SaaS Service security investigation, which was launched after a major data breach at the US Treasury Department. Silk Typhoon, a Chinese hacking group, was reportedly responsible for the December 2024 cyberattack, in which threat actors were able to gain credentials to Treasury workstations through the third-party vendor and then steal data. On Dec. 18, BeyondTrust reported identifying BT24-11 within its self-hosted and cloud Remote Support and Privileged Remote Access products, after reporting BT24-10 just two days prior.

On Jan. 6, in its latest update, BeyondTrust reported that its forensic investigation is nearly complete and that all software-as-a-service instances of BeyondTrust Remote Support have been fully patched with no new identified victims.

“All cloud instances have been patched for this vulnerability,” BeyondTrust stated in the update. “We have also released a patch for self-hosted versions.”

CISA stated that the vulnerability “can be exploited by an attacker with existing administrative privileges to inject commands and run as a site user.” That would allow a remote attacker to execute underlying operating system commands.


CISA Launches Playbook to Boost AI Cybersecurity Collaboration

A new initiative aimed at improving collaboration on artificial intelligence (AI) cybersecurity across critical infrastructure has been introduced by the Cybersecurity and Infrastructure Security Agency (CISA) in the US.

The JCDC AI Cybersecurity Collaboration Playbook provides detailed guidance for AI developers, providers and adopters on voluntarily sharing cybersecurity information with CISA and its Joint Cyber Defense Collaborative (JCDC) partners.

The playbook outlines strategies to foster cooperation among federal agencies, private industry and international stakeholders. It aims to raise awareness about AI cybersecurity risks and enhance the resilience of AI systems.

Key objectives include encouraging the voluntary sharing of cybersecurity incidents and vulnerabilities linked to AI systems while clearly defining protections and mechanisms for information exchange.

Information shared through JCDC can enhance coordination, provide government support and promote discussions on AI cybersecurity challenges. The playbook clarifies that participation is voluntary and does not impose regulatory requirements. It also excludes topics such as AI fairness, ethics and safety concerns involving risks to human life, health, property or the environment.

Developed from insights gained during two 2024 tabletop exercises involving over 150 participants, the playbook emphasizes collaboration and continuous improvement. Microsoft hosted the first exercise in Virginia, while the second, focusing on financial services cybersecurity, took place at Scale AI’s headquarters in California.

Recommendations for Information Sharing

CISA recommends that organizations adopt the playbook’s practices to strengthen information-sharing processes and fortify defenses against emerging threats. The document outlines specific mechanisms for secure data exchange, including the Traffic Light Protocol (TLP), which ensures controlled dissemination of sensitive information.

Key categories of information encouraged for sharing include:

  • Observed malicious activity targeting AI systems

  • Suspicious behavior and threat assessments

  • Incident reporting and vulnerability disclosures

While the playbook focuses on JCDC coordination, it also highlights broader avenues for voluntary information sharing, such as Information Sharing and Analysis Centers (ISACs) and the National Security Agency’s AI Security Center.

CISA plans to periodically update the playbook in response to evolving threats and stakeholder feedback. The agency invites organizations to engage actively with the playbook and contribute to strengthening the collective cybersecurity posture.


Extension Poisoning Campaign Highlights Gaps in Browser Security

A Christmas Eve phishing attack resulted in an unknown party taking over a Cyberhaven employee’s Google Chrome Web Store account and publishing a malicious version of Cyberhaven’s Chrome extension. While the problematic extension was removed within an hour of its discovery, the malicious activity highlights gaps in browser security that exist at most organizations and the necessity of getting a handle on the problem now, as extension poisoning is expected to be a persistent issue.

Further research into the incident suggests that this attack was likely part of two separate, but potentially related, campaigns to target multiple extension developers to distribute malicious extensions, experts say. The campaigns may have begun as early as April 2023.

“Currently we know about two different campaigns that have been targeting different objectives,” says Amit Assaraf, CEO of Extension Total, a third-party extension security platform provider. Extension Total researchers have uncovered several malicious extensions over the past several weeks and have been looking at how they relate to each other.

A Tale of Two Campaigns

One campaign created extensions that steal cookies, session tokens, and possibly passwords, and targeted Facebook and OpenAI accounts, Assaraf says. The campaign relied on phishing to target extension developers and a malicious OAuth application to take over Google Chrome Web Store accounts. Cyberhaven was one of the victims of this campaign.

There is some disagreement among experts over when the first malicious extension associated with this campaign appeared. Assaraf points to the Chrome extension “GPT 4 Summary with OpenAI,” which was added to the Google Chrome Web Store in August. John Tuckner, founder of browser-extension management service Secure Annex, believes the “AI Assistant – ChatGPT and Gemini for Chrome” extension, which was uploaded to the Chrome Web Store in May, was the first extension used by this campaign.

“As far as I can tell, that is the first example of this type of code being used, but some of the related domain registrations go back to around Sept. 25, 2023, so this could have been planned for a while,” Tuckner says.

Neither extension is still on the Chrome Web Store.

Regardless of when this campaign began, the impact has been widespread. Researchers have found 22 extensions related to it so far, affecting 1.46 million users, Assaraf says. Some of these have been removed completely from the Chrome Web Store, and others have been updated to a “safe” version.

The second campaign is aimed at tracking user activity, telemetry, and sites visited, “probably with intention to sell this data,” Assaraf says. Its earliest appearance was in April 2023, and researchers have identified 15 extensions thus far as belonging to this campaign.

A Google spokesperson says the company has shut down malicious Chrome Web Store accounts identified as part of this investigation and continues to investigate reports from Extension Total regarding extensions still available in the store.

It’s unclear at this time whether one attacker is behind both campaigns, though there is evidence — shared JavaScript payloads injected into unauthorized updates between August 2024 and December 2024 — suggesting “a synchronized campaign,” says Bugcrowd founder Casey John Ellis.

“This also suggests centralized control over the hijacked developer accounts and a common threat actor,” he says.

At this point, both campaigns appear to be contained; no additional extensions have been discovered, according to Assaraf.

Extensions as Low-Hanging Fruit for Attackers

Cyberhaven’s internal security team was able to respond to the breach quickly, which helped expose the breadth of the extension poisoning. Many of the affected extensions are hobbyist projects, which means their developers likely do not have the tools or security support to monitor regularly for malware.

Therein lies the dilemma for detecting malicious Chrome extensions in the wild, experts say. It also explains why ensuring that extensions used within a corporate browser are safe is such a tricky scenario for organizations to navigate. While some are managed by companies with dedicated teams to ensure the extensions remain clean, many are maintained by private individuals and, thus, don’t have this kind of oversight.

That complicates security within a corporate environment because browsers, like Chrome, grant extensions broad permissions, including access to sensitive user data, cookies, and even the ability to capture credentials and sessions, according to Matt Johansen, security researcher at Vulnerable U.

“Extensions still operate with a significant degree of trust, and once compromised, they can access everything a user can,” Johansen says. “They also have less scrutiny to install than traditional desktop software, even in enterprises.”

Because poisoning a browser extension lets them compromise so many users and reach so much information at once, it’s a no-brainer for attackers.

“Controlling an extension gives an adversary a powerful vantage point for all browser activities,” concurs Lionel Litty, chief security architect at Menlo Security.

Indeed, poisoning a Chrome extension is “actually a very convenient way for attackers to spread malicious code,” Assaraf adds. “You only need to fool one person, one developer, and you get access to hundreds of thousands of machines,” he says.

People often forget they’ve installed browser extensions, yet they continue to run in the background and update automatically, giving attackers wide access to sensitive data, he adds.

Closing the Browser Security Gap

Given their reach, why, then, are browsers and their extensions given such little thought when it comes to an organization’s security posture? It could merely be that their security teams are so overwhelmed with responsibilities that browsers are the least of their worries — though that could now change, notes Secure Annex’s Tuckner.

Organizations can take specific steps now to shore up the security of extensions running in corporate browsers, he says. Teams should start with collecting a real-time inventory of the browsers in the organization and which extensions are installed on them. This step should be followed by enrolling browsers in some kind of centralized management to set up an allowlist of known extensions, keeping only those that “drive core business value” and adding future ones on a case-by-case basis, Tuckner adds. The inventory will help security teams understand the scope of an incident when something happens.
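As an added illustration of the inventory-plus-allowlist step (example code, not anything from Secure Annex or the vendors named here), the script below walks a Chrome profile’s Extensions directory, records each extension’s ID, version and permissions, and flags anything off the allowlist or holding permissions that reach cookies or every page. The allowlist, the sensitive-permission set and the two sample extensions it builds in a temporary directory are constructed assumptions.

```python
import json
import tempfile
from pathlib import Path

# Hypothetical allowlist of approved extension IDs (constructed sample IDs).
ALLOWLIST = {"abcdefghijklmnopabcdefghijklmnop"}

# Manifest permissions that reach cookies, sessions or every page a user visits.
SENSITIVE = {"cookies", "webRequest", "webRequestBlocking", "scripting", "tabs",
             "<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def inventory(profile_dir):
    """One record per installed extension version found under
    <profile>/Extensions/<id>/<version>_<n>/manifest.json (Chrome's layout)."""
    records = []
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return records
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        for manifest in sorted(ext_dir.glob("*/manifest.json")):
            try:
                m = json.loads(manifest.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable manifest: skipped here, still worth a manual look
            perms = set(m.get("permissions", [])) | set(m.get("host_permissions", []))
            records.append({
                "id": ext_dir.name,
                "name": m.get("name", "?"),
                "version": m.get("version", manifest.parent.name),
                "allowed": ext_dir.name in ALLOWLIST,
                "sensitive": sorted(perms & SENSITIVE),
            })
    return records


def findings(records):
    """Extensions to review: not on the allowlist, or holding sensitive permissions."""
    return [r for r in records if not r["allowed"] or r["sensitive"]]


def build_sample_profile(root=None):
    """Construct a fake profile directory with two extensions (sample data, not real IDs)."""
    root = Path(root or tempfile.mkdtemp(prefix="chrome-profile-"))

    def write(ext_id, version, manifest):
        d = root / "Extensions" / ext_id / f"{version}_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")

    write("abcdefghijklmnopabcdefghijklmnop", "2.1.0",
          {"name": "Approved Notes", "version": "2.1.0", "manifest_version": 3,
           "permissions": ["storage"]})
    write("ponmlkjihgfedcbaponmlkjihgfedcba", "1.0.4",
          {"name": "Unvetted Helper", "version": "1.0.4", "manifest_version": 3,
           "permissions": ["cookies", "scripting"], "host_permissions": ["<all_urls>"]})
    return root


if __name__ == "__main__":
    for r in findings(inventory(build_sample_profile())):
        print(f"{r['id']} {r['name']} v{r['version']} allowed={r['allowed']} "
              f"sensitive={r['sensitive']}")
```

Once the allowlist is settled, Chrome’s ExtensionInstallBlocklist and ExtensionInstallAllowlist enterprise policies can enforce it centrally rather than relying on periodic scans.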

“Few teams choose to or are able to prioritize browser security on top of everything else that they have to deal with,” he says. “Many see browser security as a lower-risk item, but I believe that is quickly changing with incidents like this.”


North Korea's Lazarus Evolves Developer-Recruitment Attacks

North Korea’s Lazarus threat group has launched a fresh wave of attacks targeting software developers, using recruitment tactics on job-hiring platforms. This time, the group is using job postings on LinkedIn to lure freelance developers in particular into downloading malicious Git repositories; these contain malware for stealing source code, cryptocurrency, and other sensitive data.

The SecurityScorecard STRIKE team on Jan. 9 discovered the ongoing attack, dubbed Operation 99, in which attackers pose as recruiters to entice the developers with project tests or code reviews, the researchers revealed in a report (PDF) published today.

“Victims are tricked into cloning malicious Git repositories that connect to a command-and-control (C2) server, initiating a series of data-stealing implants,” according to the post.

Attackers are using various payloads that work across Windows, macOS, and Linux in the campaign, using a layered malware delivery system with modular components that adapt to different targets. Downloaders such as Main99 retrieve and execute payloads that include Payload 99/73, brow99/73, and MCLIP, which perform tasks like keylogging, clipboard monitoring, file exfiltration from development environments, and browser credential theft.

The malware also steals from application source code, secrets and configuration files, and cryptocurrency-related assets such as wallet keys and mnemonics, according to the researchers. The latter are used to facilitate direct financial theft, furthering Lazarus’ goals to fund the regime of North Korean leader Kim Jong Un.

“By embedding the malware into developer workflows, the attackers aim to compromise not only individual victims, but also the projects and systems they contribute to,” according to the report.

North Korea’s History of Targeting Developers

The campaign builds on previous tactics by the group to target developers with various malware, including 2021’s Operation Dream Job, in which the group sent fake job offers to specific organizational targets. When opened, they installed Trojan programs to collect information and send it back to the attackers.

Lazarus’ long history of using the technology job market to target victims also includes another campaign called DEV#POPPER, which targeted software developers worldwide for data theft by having attackers pose as recruiters for nonexistent jobs.

North Korean threat groups also have turned the tables and used their own cyber spies to infiltrate global organizations for cyber espionage. The now-infamous case of security firm KnowBe4 accidentally hiring a North Korean hacker shows how convincing these campaigns can be.  

While a Department of Justice operation in May disrupted North Korea’s widespread IT freelance operation with the indictment of several people for helping state-sponsored actors establish fake freelancer identities and evade sanctions, the latest campaign demonstrates that Lazarus remains undaunted.

Amid all this, the new campaign shows an evolution in tactics, the researchers said.

“In this instance, Lazarus is demonstrating a higher level of sophistication and focus compared to previous campaigns,” says Ryan Sherstobitoff, senior vice president of threat research and intelligence at SecurityScorecard. These include using AI-generated profiles to pose as recruiters that appear highly authentic and realistic, “enabling them to effectively deceive victims,” he adds.

“By presenting complete and convincing profiles, they offer what seem to be genuine job opportunities to developers,” Sherstobitoff says. In some cases, Lazarus even compromises existing LinkedIn accounts to lend heft to their credibility, he adds.

The group also is employing more advanced techniques for obfuscation and encryption, making their malicious activities significantly more difficult to detect and analyze, Sherstobitoff says.

Job Seekers, Exercise Caution

Indeed, as these campaigns become more sophisticated through the use of AI and advanced social engineering, it’s becoming “easier for attackers to gain the confidence of their targets, demonstrating a significant evolution in the level of precision and realism in their campaigns,” Sherstobitoff says.

For this reason, mitigation strategies “should fundamentally center around reinforcing social engineering awareness and adhering to the basics of cybersecurity for everyday employees,” he says. As a general rule, if a job offer or opportunity seems too good to be true, it likely is, and “should be approached with skepticism,” Sherstobitoff says.

“Employees also should exercise extreme caution when interacting with recruiters, particularly if asked to download files, clone repositories, or engage with unfamiliar software,” especially over platforms like LinkedIn or email, he says. “These channels can be easily manipulated by attackers posing as legitimate entities.”
