INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Malicious Google Ad --> Fake Notepad++ Page --> Aurora Stealer malware
Published: 2023-01-18
Last Updated: 2023-01-18 07:31:54 UTC
by Brad Duncan (Version: 1)
Introduction
Google ads are a common vector for malware distribution. Do a Google search for any popular free software download. Review any search results marked "Ad" or "Sponsored," then check the link to see if anything is unusual.
I've already written two diaries and authored various tweets about this type of activity:
https://isc.sans.edu/diary/Google+ad+traffic+leads+to+stealer+packages+based+on+free+software/29376
https://isc.sans.edu/diary/Google+ads+lead+to+fake+software+pages+pushing+IcedID+Bokbot/29344
https://twitter.com/Unit42_Intel/status/1615470858067222568
https://twitter.com/Unit42_Intel/status/1608567622856998912
Others have also reported his activity. Recent posts include:
https://www.bleepingcomputer.com/news/security/google-ad-for-gimporg-served-info-stealing-malware-via-lookalike-site/
https://heimdalsecurity.com/blog/google-ads-exploited-to-spread-malware/
https://labs.guard.io/masquerads-googles-ad-words-massively-abused-by-threat-actors-targeting-organizations-gpus-42ae73ee8a1e
https://www.hackread.com/google-ads-malware-nft-crypto-wallet/
One example of free software routinely spoofed for Google ads is Notepad++. Almost without fail, I can find a fake webpage for Notepad++ every day through Google ads. For today's diary, I found a Google ad for a malicious site at notopod-plos-plus[.]com.
Read the complete entry:
https://isc.sans.edu/diary/Malicious+Google+Ad+Fake+Notepad+Page+Aurora+Stealer+malware/29448/
PSA: Why you must run an ad blocker when using Google
Published: 2023-01-16
Last Updated: 2023-01-16 13:50:18 UTC
by Johannes Ullrich (Version: 1)
Today, I just have a short public service announcement: You MUST run an adblocker while using Google. It may be best just to keep the adblocker enabled all the time.
Ads have been important in supporting many good (and, of course, bad) content on the web. It has been a long standing "social contract" to allow ads to help support creators of valuable content. But sadly, ad networks have not provided any due diligence verification of the ad buys they accept. As a result, in particular, ads displayed as part of Google search results are often used to distribute malicious software impersonating popular products. Open-source and free products are particularly vulnerable. They usually cannot pay for competing for ads to reduce the effectiveness of malicious advertisements.
Read the complete entry:
https://isc.sans.edu/diary/PSA+Why+you+must+run+an+ad+blocker+when+using+Google/29438/
Elon Musk Themed Crypto Scams Flooding YouTube Today
Published: 2023-01-15
Last Updated: 2023-01-15 17:09:34 UTC
by Johannes Ullrich (Version: 1)
I noticed several videos posted to YouTube today attempting to direct users to crypto coin scam websites. The overall ruse is quite old: The scam promises that Elon Musk, or an organization associated with him, is giving away crypto coins. The catch: You first have to send crypto coins to the address to receive multiple of them back.
It all starts with a video promising a live stream of Elon Musk covering current developments around SpaceX. The channel being used for these videos, SpaceXMission, has over 2 Million subscribers right now and around 430 Million views. Interestingly, this is not a new channel, but it started on August 25th, 2008. Currently, around 4 thousand users are watching the "live streams".
During the video, a QR code is displayed alongside an image that claims to show a tweet by Elon Musk promising crypto coins.
Read the complete entry:
https://isc.sans.edu/diary/Elon+Musk+Themed+Crypto+Scams+Flooding+YouTube+Today/29434/