Endpoint protection, detection and response company Malwarebytes has sounded the alarm on user behaviour, following up its reports of BatLoader and DanaBot threats on legitimate-seeming Google Ads for Cisco Webex.
Marcin Kleczynski, chief executive and co-founder of Malwarebytes, said: “Privacy and security are inextricably linked yet the general public has resigned itself to risk because of the overwhelming nature of threats.”
Kleczynski’s comments were based on Malwarebytes research, available in a new report dubbed “Everyone’s Afraid of the Internet (and No One’s Sure What to do About it)”. The vendor surveyed 1000 internet users aged from 13 to 77 on their attitudes and behaviours regarding online risk.
Key findings included that people readily give up a host of personal information online, and only half feel confident in their ability to keep themselves safe. Malwarebytes concluded further that many users may not be acting on cybersecurity.
“Financial and data breaches are people’s top concerns,” Kleczynski said, with the report confirming also a “serious disconnect” between fears, online behaviours and use of cybersecurity protection tools.
Threats continue to emerge and spread
On 16 September, Malwarebytes reported malicious spoofed Cisco Webex promotions on Google Ads were spreading on the internet – a so-called “malvertising” campaign by threat actors apparently based in Mexico.
Bill Toulas, writing for BleepingComputer, said the fake campaign used a technical loophole in Google Ads tracking templates to create the content, which redirected would-be videoconferencing prospects to websites distributing BatLoader malware and DanaBot ransomware.
“It uses the real Webex logo and displays the legitimate URL webex.com as the click destination,” Toulas wrote.
“Specifically, Google says advertisers may use tracking templates with URL parameters that define a ‘final URL’ construction process based on gathered user information regarding their device, location, and other metrics related to ad interactions.”
Ad display URLs must match the final URL, but “nothing is stopping the tracking template from redirecting users” to some other website, he said.
“In this case, the threat actors used a Firebase URL (trixwe.page.link) as their tracking template, with a final URL of https://www.webex.com,” added Toulas.
“If the ad is clicked, the visitor is redirected to the trixwe.page[.]link, which filters out visits that appear to originate from researchers and automated crawlers.”
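The gap Toulas describes can be checked for in exported ad records. The sketch below is an added example, not code from Malwarebytes, BleepingComputer or Google: it assumes each record carries a display URL, a final URL and a tracking template, and the function names and finding labels are hypothetical.

```python
from urllib.parse import urlsplit

LPURL = "{lpurl}"  # ValueTrack placeholder that stands for the ad's final URL


def site(url: str) -> str:
    """Approximate registrable domain as the last two host labels.

    Assumption for brevity; production code should use the Public Suffix List.
    """
    if "//" not in url:  # display URLs are often shown without a scheme
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def audit_ad(display_url: str, final_url: str, tracking_template: str) -> list[str]:
    """Return findings for one ad record (empty list means nothing to review)."""
    findings = []
    # The check described in the article: display URL must match the final URL.
    if site(display_url) != site(final_url):
        findings.append("display-url-mismatch")
    template = tracking_template.strip()
    # A template that begins with {lpurl} sends the click to the final URL first.
    # Anything else is fetched first, so its host decides where the user goes.
    if template and not template.lower().startswith(LPURL):
        first_hop = site(template)
        if first_hop != site(final_url):
            findings.append(f"first-hop-differs:{first_hop}")
    return findings


# Constructed ad records; host names are the ones quoted in the article.
SPOOFED = ("webex.com", "https://www.webex.com", "https://trixwe.page.link/")
DIRECT = ("webex.com", "https://www.webex.com", "{lpurl}?utm_source=ads")

if __name__ == "__main__":
    for ad in (SPOOFED, DIRECT):
        print(ad[2], "->", audit_ad(*ad) or "ok")
```

The spoofed record passes the display/final comparison and is flagged only on the first hop. Legitimate third-party click trackers are flagged the same way, so the output is a review queue rather than a verdict.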
Dan Virgillito, writing for Infosec Institute, said the fake Webex ads “appear authentic”, using Webex branding and ranking high in Google search results.
“When clicked, users are funneled through a series of redirects that end at a malware-dropping site. The malicious software installed is DanaBot, a trojan capable of stealing passwords and launching further attacks,” Virgillito explained in a roundup of current threats.
The malware campaign was active in Google Search for a week, according to Malwarebytes.