Malwarebytes follows up Google Ads malware warning with worrying tech-user survey

Endpoint protection, detection and response company Malwarebytes has sounded the alarm on user behaviour, following up its reports of BatLoader and DanaBot threats on legitimate-seeming Google Ads for Cisco Webex.

Marcin Kleczynski, chief executive and co-founder of Malwarebytes, said: “Privacy and security are inextricably linked yet the general public has resigned itself to risk because of the overwhelming nature of threats.”

Kleczynski’s comments were based on Malwarebytes research, available in a new report dubbed “Everyone’s Afraid of the Internet (and No One’s Sure What to do About it)”. The vendor surveyed 1000 internet users aged from 13 to 77 on their attitudes and behaviours regarding online risk.

Key findings included that people readily give up a host of personal information online, and only half feel confident in their ability to keep themselves safe. Malwarebytes concluded further that many users may not be acting on cybersecurity.

“Financial and data breaches are people’s top concerns,” Kleczynski said, with the report also confirming a “serious disconnect” between fears, online behaviours and use of cybersecurity protection tools.

Threats continue to emerge and spread

On 16 September, Malwarebytes reported malicious spoofed Cisco Webex promotions on Google Ads were spreading on the internet – a so-called “malvertising” campaign by threat actors apparently based in Mexico.

Bill Toulas, writing for BleepingComputer, said the fake campaign used a technical loophole in Google Ads tracking templates to create the content, which redirected would-be videoconferencing prospects to websites distributing BatLoader malware and DanaBot ransomware.

“It uses the real Webex logo and displays the legitimate URL webex.com as the click destination,” Toulas wrote.

“Specifically, Google says advertisers may use tracking templates with URL parameters that define a ‘final URL’ construction process based on gathered user information regarding their device, location, and other metrics related to ad interactions.”

Ad display URLs must match the final URL, but “nothing is stopping the tracking template from redirecting users” to some other website, he said.

“In this case, the threat actors used a Firebase URL (trixwe.page.link) as their tracking template, with a final URL of https://www.webex.com,” added Toulas.

“If the ad is clicked, the visitor is redirected to the trixwe.page[.]link, which filters out visits that appear to originate from researchers and automated crawlers.”

Dan Virgillito, writing for Infosec Institute, said the fake Webex ads “appear authentic”, using Webex branding and ranking high in Google search results.

“When clicked, users are funneled through a series of redirects that end at a malware-dropping site. The malicious software installed is DanaBot, a trojan capable of stealing passwords and launching further attacks,” Virgillito explained in a roundup of current threats.

The malware campaign was active in Google Search for a week, according to Malwarebytes.
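
The mismatch described above, where the ad declares one final URL while its tracking template sits on a different site, can be checked mechanically when reviewing ad records or click traces. The Python below is an added example, not code from Malwarebytes, BleepingComputer or Google; the record schema, the two-label site comparison and the landing host `downloads.example` are assumptions, and both sample records are constructed (the tracking-template host is the one quoted in the article).

```python
from urllib.parse import urlsplit

def site(url):
    """Naive registrable domain: last two host labels (assumption; use the
    Public Suffix List in production)."""
    if "//" not in url:          # display URLs are often bare hosts
        url = "//" + url
    host = (urlsplit(url).hostname or "").rstrip(".")
    return ".".join(host.split(".")[-2:])

def audit_ad(ad):
    """Return findings for one ad record (hypothetical schema: display_url,
    final_url, tracking_template, click_chain)."""
    findings = []
    declared = site(ad["final_url"])
    if site(ad["display_url"]) != declared:
        findings.append("display URL and final URL are on different sites")
    template = ad.get("tracking_template")
    if template:
        # {lpurl} is the ValueTrack placeholder for the final URL; expand it
        # so a template that starts with it resolves to the declared site.
        expanded = template.replace("{lpurl}", ad["final_url"])
        if site(expanded) != declared:
            findings.append(
                f"tracking template leaves {declared} for {site(expanded)}")
    chain = ad.get("click_chain") or []
    if chain and site(chain[-1]) != declared:
        findings.append(f"click landed on {site(chain[-1])}, not {declared}")
    return findings

# Constructed records. SPOOFED mirrors the case reported in the article.
SPOOFED = {
    "display_url": "webex.com",
    "final_url": "https://www.webex.com",
    "tracking_template": "https://trixwe.page.link",
    "click_chain": ["https://trixwe.page.link",
                    "https://downloads.example/webex-setup"],  # placeholder
}
BENIGN = {
    "display_url": "webex.com",
    "final_url": "https://www.webex.com",
    "tracking_template": "{lpurl}?src=ads",
    "click_chain": ["https://www.webex.com/?src=ads"],
}

if __name__ == "__main__":
    for name, ad in (("spoofed", SPOOFED), ("benign", BENIGN)):
        print(name, audit_ad(ad))
```

An empty result does not clear an ad: the article notes the redirector filtered out visits that appeared to come from researchers and crawlers, so a test click may see the legitimate site while real users do not.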

( Photo by Myriam Jessier on Unsplash )
