Archive for Malwarebytes

Hackers Impersonate CNN, BBC Sites to Promote Investment Scams

Posted in Commentary on July 16, 2025 by itnerd

Researchers from Malwarebytes have uncovered a large campaign impersonating news websites, such as those of CNN, BBC, CNBC, News24, and ABC News, to promote investment scams:

Here’s how the scam works:

  1. The scammers buy ads on Google and Facebook, which follow a similar pattern along the lines of “Shocking: [Local Celebrity] backs new passive income stream for citizens!”
  2. If you click the link, you’ll be taken to a website that looks like one of the major news outlets, and which will tell you about a breakthrough investment strategy.
  3. The article will encourage you to sign up for a program that will earn you money without having to lift a finger. You sign up by providing your name, email address, and phone number.
  4. A friendly advisor (scammer) calls you about the opportunity, referencing the article and explaining how it all works.
  5. You’ll be told that to start off you’ll have to make a small deposit (around $240) and then you will see your investment grow (on the fake trading platform).
  6. Your friendly advisor urges you to invest more to increase your return. And it keeps on growing, until you want to cash in, when you’ll find there are extra fees to pay, problems with account verifications, and all sorts of delays.
  7. When it dawns on you that you’ve been had, your entire investment and all the fees you paid are gone. Also gone is your friendly advisor who has sold your details to another scammer, to squeeze the last dollars out of the ordeal.

Erich Kron, Security Awareness Advocate at KnowBe4, commented:

“Trust is a big factor when deciding where to invest your hard-earned money, so bad actors work hard to find ways to trick us into believing what they offer is legitimate. The use of well-known and trusted national or global brands to promote their schemes is certainly a part of this, but they are also able to mimic local celebrities and then, using the targeted power of advertising on places like social media or Google, can really change the game.

“The advancement of tools such as AI for doing automated research into trusted people in local communities, then creating deepfakes using their likeness has really made this a serious threat. They will commonly fake investment sites that show huge returns on investments that you have made through them but are in reality just designed to get you to keep pumping money into these fictitious investments. A person may test the waters with $100, see that they’ve made $1000 from that, and be convinced into putting thousands more into the investment, only realizing it’s gone south when they try to get their money.

“It’s important for people to do research on any investments they are considering, to carefully check the URLs of any websites they may consider investing with, and to do some research related to the investments they are pushing. Education is critical for people to avoid falling victim to these very crafty attackers.”

I tell people who ask me about how to avoid scams to treat everything and everyone with suspicion. That’s because scams have become so dangerous, you need a certain amount of paranoia to stay safe. And as Andy Grove wrote, just because you’re paranoid doesn’t mean that they’re not chasing you.

Scammers Hijack Bank of America, Netflix with Fake Support Numbers to Steal Personal Info

Posted in Commentary on June 20, 2025 by itnerd

Researchers at Malwarebytes have uncovered a new scam whereby fake customer support phone numbers are inserted directly onto the legitimate help pages of major companies like Netflix, PayPal, Apple, Microsoft, Facebook, Bank of America, and HP. Once the number is called, the scammers pose as the brand with the aim of getting their victim to hand over personal data or card details, or even allow remote access to their computer.

Details here: https://www.malwarebytes.com/blog/news/2025/06/scammers-hijack-websites-of-bank-of-america-netflix-microsoft-and-more-to-insert-fake-phone-number

Roger Grimes, data-driven defense evangelist at KnowBe4, commented:

“Fraudulent paid search engine ads taking users to fake websites have been a problem for decades. But this is definitely a new twist on the problem by being able to take users to legitimate vendor websites that then somehow display fraudulent phone numbers, which when answered, will be answered by a fake tech support message or person. It’s pretty devious. It’s especially devious because there isn’t a legitimate top 100 vendor who will easily display the legitimate vendor tech phone number for the victim to see and call instead, if the vendor even has a phone number a customer can call. If the vendor does have a phone number a customer can call it’s almost always buried under a ton of other pages or you have to find it by conducting an Internet search, which leads to the same problem. The fraudster pushes their scam number to the victim while the legitimate site hides theirs. So, it’s very easy to see how a customer can become a victim. It’s not my call and I don’t pay the bills, but it would be great if all vendors made their legitimate tech support phone numbers easier to find and/or more prominently displayed so they were easier for customers to find. It would be great if the legitimate vendors made finding their phone numbers as easy as the scammers make it.”

This is very concerning as when I do talks to churches, community groups, etc. on how to avoid scams, I counsel people to go to the websites of the companies in question to find out what their support options are and not to rely on Google to get those numbers. This pretty much invalidates that advice. And that illustrates how much scammers have truly evolved. Which is scary for someone like me.

Malwarebytes Discovers That The Bing AI Chatbot Delivers Ads With Malicious Links

Posted in Commentary on September 29, 2023 by itnerd

Malwarebytes has research on Bing and its AI chatbot being leveraged by threat actors to deliver ads with malicious links. In short, it’s a malvertising campaign in which attackers take over the ad accounts of legitimate businesses to create targeted malicious ads:

Ads can be inserted into a Bing Chat conversation in various ways. One of those is when a user hovers over a link and an ad is displayed first before the organic result. In the example below, we asked where we could download a program called Advanced IP Scanner used by network administrators. When we place our cursor over the first sentence, a dialog appears showing an ad and the official website for this program right below it:

Users have the choice of visiting either link, although the first one may be more likely to be clicked on because of its position. Even though there is a small ‘Ad’ label next to this link, it would be easy to miss and view the link as a regular search result.

Upon clicking the first link, users are taken to a website (mynetfoldersip[.]cfd) whose purpose is to filter traffic and separate real victims from bots, sandboxes, or security researchers. It does that by checking your IP address, time zone, and various other system settings such as web rendering that identifies virtual machines.

Real humans are redirected to a fake site (advenced-ip-scanner[.]com) that mimics the official one while others are sent to a decoy page. The next step is for victims to download the supposed installer and run it.

The MSI installer contains three different files but only one is malicious and is a heavily obfuscated script:

Upon execution, the script reaches out to an external IP address (65.21.119[.]59) presumably to announce itself and receive an additional payload.
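The indicators quoted above are written defanged with “[.]”. As an added example (not Malwarebytes’ or this post’s own code), the Python below refangs them and checks a handful of constructed proxy log lines for contact with those hosts; the legitimate advanced-ip-scanner.com domain is deliberately included to show it is not flagged.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators exactly as listed in the Malwarebytes excerpt above (defanged).
DEFANGED_IOCS = [
    "mynetfoldersip[.]cfd",
    "advenced-ip-scanner[.]com",
    "65.21.119[.]59",
]

# Constructed sample proxy log: "timestamp client method url status" (not real traffic).
SAMPLE_LOG = """\
2023-09-28T10:01:02Z 10.0.0.12 GET https://www.bing.com/search?q=advanced+ip+scanner 200
2023-09-28T10:01:09Z 10.0.0.12 GET https://mynetfoldersip.cfd/?utm=bing 302
2023-09-28T10:01:10Z 10.0.0.12 GET https://advenced-ip-scanner.com/download 200
2023-09-28T10:03:41Z 10.0.0.12 POST http://65.21.119.59/ 200
2023-09-28T10:04:00Z 10.0.0.33 GET https://www.advanced-ip-scanner.com/ 200
"""

def refang(ioc: str) -> str:
    """Reverse common defanging conventions: [.] (.) [dot] and hxxp(s)://."""
    s = ioc.strip().lower()
    for token in ("[.]", "(.)", "[dot]"):
        s = s.replace(token, ".")
    return re.sub(r"^hxxp", "http", s)

def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def host_matches(host: str, indicator: str) -> bool:
    """IP indicators must match exactly; domains also match their subdomains."""
    host = host.lower().rstrip(".")
    if is_ip(indicator):
        return host == indicator
    return host == indicator or host.endswith("." + indicator)

def match_log(log_text: str, defanged_iocs) -> list:
    """Return (line_number, indicator) for each log line whose URL host hits an IoC."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, skip rather than crash
        host = urlsplit(fields[3]).hostname or ""
        hits.extend((n, ioc) for ioc in iocs if host_matches(host, ioc))
    return hits

if __name__ == "__main__":
    for n, ioc in match_log(SAMPLE_LOG, DEFANGED_IOCS):
        print(f"line {n}: contact with {ioc}")
```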

Lovely.

Emily Phelps, Director, Cyware had this comment:

   “With advancing technologies and a rapidly evolving digital landscape, threat actors are able to exploit human trust in established entities at scale. Addressing these risks requires more than awareness training and traditional security controls. End users must understand the risks and proceed with caution, but platforms must also bolster their security posture to adapt to these threats. It’s critical to employ continuous and rigorous testing to ensure they remain a step ahead of potential online adversaries.”

Add this to the attack surface that you have to defend yourself against as I didn’t have “malware delivered by ads on an AI chatbot” on my cybersecurity BINGO card. But I should have expected it as threat actors are getting very crafty these days.

Magecart Skimmers getting better at Stealing Credit Card Details

Posted in Commentary on May 1, 2023 by itnerd

According to a new report by Malwarebytes, Magecart skimmers are upping their game: when hijacking legitimate online stores’ payment pages, they display a high-quality, customized web element known as a modal that acts as the checkout page and steals customers’ credit card information. Some of the fake forms are better than the authentic pages.

The hackers’ payment modal forms are well designed and show details relevant to the retailer. They are often more realistic than the original site, and, better yet for the attacker, they are not a third-party checkout, which consumers tend to distrust.

From the user’s perspective, once their details are entered on the modal, it displays a bogus loader, then a fake error which redirects the buyer to the real payment URL. At this point the data is already compromised and, lastly, to avoid exposing the operation, the skimmer drops a cookie to prevent reloading of the malicious modal. Over the past couple of months Malwarebytes observed that the trend of using these stealthy, custom modal forms is on the rise.

Roy Akerman, Co-Founder & CEO, Rezonate had this comment:

   “This technique is more than a decade old. Poor security controls and overall hygiene of websites have been a constant challenge. Protocols such as 3D-Secure 2.0 and Mastercard SecureCode are two examples of ways to avoid any tampering during the purchase stage, regardless of whether the website was breached, or any MITM (man-in-the-middle) attempts from a compromised endpoint able to hijack a session and steal information.

   “Assuming the look and feel is flawless, and you had a reason to go into that site, and did not receive a phishing email/smishing SMS as a trigger point, you could also try first to fake your credit info as a first step and see if you hit an alert or are able to pass through.”

This is making it very, very difficult to know if a site has been compromised by a threat actor. Mr. Akerman’s advice is good, but I have to wonder how long before threat actors take that into consideration and make it impossible to spot a compromised site.

UPDATE: Baber Amin, COO, Veridium added this comment:

   “Magecart or online skimming is the compromise of online shopping carts and the checkout process. Bad actors can inject malware into ill-maintained ecommerce sites.

   “Additionally, all the security offered by EMV and contactless cards is nullified, when the user voluntarily enters the CC information at checkout. Not only that, but they also enter information that can be used for Identity Theft, e.g. email address, shipping address, possibly a username and a password, etc.

  • It is important for website administrators to stay up-to-date with their content management system’s patches and plugins.
  • Buying from reputable online vendors is the best option for end users
    • If possible, use virtual cards online
    • Use unique usernames and passwords on each site if you must create an account
    • If they offer PayPal during checkout, use it, as it creates an indirect level of payment
    • A better solution is to use services like Apple Pay and Google Pay, which replace sensitive information with arbitrary tokens (Tokenization). These services provide a more secure and convenient experience, as they use tokenization to protect sensitive information.  Since these tokens disappear after each authorization, they cannot be reused if stolen.  The other advantage of these services is that they work both in person and for online shopping.  EMV or chip cards are reduced to the security of the older non chip card when paying online, as there is no chip reader available”