pawb.fun is one of the many independent Mastodon servers you can use to participate in the fediverse.
#malvertising

Kevin Karhan :verified:<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@SecurityWriter" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>SecurityWriter</span></a></span> <a href="https://infosec.space/tags/Malvertising" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Malvertising</span></a> is a real problem and <a href="https://infosec.space/tags/AdBlocjing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AdBlocking</span></a> is an act of <a href="https://infosec.space/tags/SelfDefense" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SelfDefense</span></a> and <a href="https://infosec.space/tags/MutualDefense" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MutualDefense</span></a> against <a href="https://infosec.space/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Malware</span></a>!</p>
The New Oil<p>Fake <a href="https://mastodon.thenewoil.org/tags/Semrush" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Semrush</span></a> ads used to steal <a href="https://mastodon.thenewoil.org/tags/SEO" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SEO</span></a> professionals’ <a href="https://mastodon.thenewoil.org/tags/Google" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Google</span></a> accounts</p><p><a href="https://www.bleepingcomputer.com/news/security/fake-semrush-ads-used-to-steal-seo-professionals-google-accounts/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bleepingcomputer.com/news/secu</span><span class="invisible">rity/fake-semrush-ads-used-to-steal-seo-professionals-google-accounts/</span></a></p><p><a href="https://mastodon.thenewoil.org/tags/malvertising" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malvertising</span></a> <a href="https://mastodon.thenewoil.org/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> <a href="https://mastodon.thenewoil.org/tags/advertising" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>advertising</span></a></p>
The New Oil<p>Dragon Hacks: Slay Browser Ads</p><p><a href="https://firewallsdontstopdragons.com/dragon-hacks-slay-browser-ads/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">firewallsdontstopdragons.com/d</span><span class="invisible">ragon-hacks-slay-browser-ads/</span></a></p><p><a href="https://mastodon.thenewoil.org/tags/advertising" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>advertising</span></a> <a href="https://mastodon.thenewoil.org/tags/privacy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>privacy</span></a> <a href="https://mastodon.thenewoil.org/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> <a href="https://mastodon.thenewoil.org/tags/malvertising" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malvertising</span></a> <a href="https://mastodon.thenewoil.org/tags/AdBlocking" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AdBlocking</span></a> <a href="https://mastodon.thenewoil.org/tags/AdBlocker" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AdBlocker</span></a></p>
The New Oil<p><a href="https://mastodon.thenewoil.org/tags/Microsoft" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Microsoft</span></a> says <a href="https://mastodon.thenewoil.org/tags/malvertising" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malvertising</span></a> campaign impacted 1 million PCs</p><p><a href="https://www.bleepingcomputer.com/news/security/microsoft-says-malvertising-campaign-impacted-1-million-pcs/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bleepingcomputer.com/news/secu</span><span class="invisible">rity/microsoft-says-malvertising-campaign-impacted-1-million-pcs/</span></a></p><p><a href="https://mastodon.thenewoil.org/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a></p>
Quad9DNS<p>Our latest Cyber Insights for H2 2024 is live! </p><p><a href="https://www.quad9.net/news/blog/trends-h2-2024-cyber-insights" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">quad9.net/news/blog/trends-h2-</span><span class="invisible">2024-cyber-insights</span></a></p><p><a href="https://mastodon.social/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a> <a href="https://mastodon.social/tags/DNS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DNS</span></a> <a href="https://mastodon.social/tags/malvertising" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malvertising</span></a> <a href="https://mastodon.social/tags/ransomware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ransomware</span></a> <a href="https://mastodon.social/tags/supplychain" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>supplychain</span></a></p>
Infoblox Threat Intel<p>Have you ever wondered what happens if you say yes to every request to receive push notifications from sketchy websites? <br>For the past few months we have done exactly that, exposing an old phone to an endless barrage of scareware and malicious ads. <br>Find out more here: <a href="https://blogs.infoblox.com/threat-intelligence/pushed-down-the-rabbit-hole/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blogs.infoblox.com/threat-inte</span><span class="invisible">lligence/pushed-down-the-rabbit-hole/</span></a><br> <br><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/adtech" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>adtech</span></a> <a href="https://infosec.exchange/tags/adware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>adware</span></a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>scam</span></a> <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>phishing</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/vextrio" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>vextrio</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/malvertising" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malvertising</span></a> <a href="https://infosec.exchange/tags/tds" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>tds</span></a></p>
Renée Burton<p>Cricket and Matt asked me to join them for the Ask Mr DNS podcast last week. It's a great show that I've listened to for years. </p><p>We talked about securing networks by blocking bad things in DNS and how our research group <span class="h-card" translate="no"><a href="https://infosec.exchange/@InfobloxThreatIntel" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>InfobloxThreatIntel</span></a></span> does that work. I talk a bit about malicious adtech like <a href="https://infosec.exchange/tags/VexTrio" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>VexTrio</span></a> .... </p><p>This whole show is completely unrehearsed and I had no real idea what we were going to cover lol... so fingers crossed it makes sense to folks. </p><p>There are some great episodes about the Dyn attacks in 2015 that you should listen to if you have an interest in DDoS attacks. </p><p><a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>phishing</span></a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/malvertising" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malvertising</span></a> </p><p><a href="https://ask-mrdns.com/2025/01/episode-64/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">ask-mrdns.com/2025/01/episode-</span><span class="invisible">64/</span></a></p>
The New Oil<p>Fake <a href="https://mastodon.thenewoil.org/tags/Homebrew" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Homebrew</span></a> <a href="https://mastodon.thenewoil.org/tags/Google" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Google</span></a> ads target <a href="https://mastodon.thenewoil.org/tags/Mac" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Mac</span></a> users with <a href="https://mastodon.thenewoil.org/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malware</span></a></p><p><a href="https://www.bleepingcomputer.com/news/security/fake-homebrew-google-ads-target-mac-users-with-malware/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bleepingcomputer.com/news/secu</span><span class="invisible">rity/fake-homebrew-google-ads-target-mac-users-with-malware/</span></a></p><p><a href="https://mastodon.thenewoil.org/tags/malvertising" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malvertising</span></a> <a href="https://mastodon.thenewoil.org/tags/advertising" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>advertising</span></a> <a href="https://mastodon.thenewoil.org/tags/Apple" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Apple</span></a> <a href="https://mastodon.thenewoil.org/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a></p>
Infoblox Threat Intel<p>VexTrio User Experience 4/N </p><p><span class="h-card" translate="no"><a href="https://infosec.exchange/@knitcode" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>knitcode</span></a></span> decided it was time to get crypto-scammed by VexTrio.....here's the story... </p><p>Unfortunately, when I got to the final scam to steal my funds I landed at a page that was unavailable.. so my money wasn't stolen. I did capture 16 minutes of screen recording while they mined my device and tried to interact with their fake online users, so that was fun. Imgur won't let me load that long of a video so I've got screenshots of the highlights. </p><p>Here's how the scam works: <br>* Somehow you end up visiting a VexTrio crypto scam domain. Since we track their movements, I just collected one from our detectors. <br>* You get a "welcome back" with some amazing bitcoin balance.. mine was $113k! and a continue button... if you click that... <br>* You get a threatening "your account will be deleted in one day" for inactivity, but you have the option to log in now! Excellent. Click.<br>* But what about the password? No problem. The site has remembered your password for you. ;) <br>* When you log in, you are asked if you want to withdraw your funds. Of course! <br>* It's been 364 days since you were here, so the site needs to "verify" each of your mining transactions. It takes about 10 minutes to do this while it seemingly mines your device. ;) <br>* Users are "chatting" away talking about ethics and mining strategies. You can add comments but they won't answer you. <br>* Finally you get the chance to withdraw your funds... first you have to get approval from your account manager and fill out a withdrawal form... She doesn't have a record of you, but that's ok. You are approved to withdraw $113k. <br>* You need to give a credit card or PayPal account in order to pay their "official" partner Binance to do the conversion. What is a $64 fee for $113k?! Sign me up! <br>* Click the final button to pay Binance and receive your payout.... unfortunately, for me this is where I hit the oops can't display... after 16 minutes! peqemynite[.]top was not working. <br>* This domain was previously behind Cloudflare caching but starting Nov 11th, it started resolving to a Russian IP in Prospero (which interestingly shared an IP with keitarotds[.]top) and then Unitel, also Russia. So that's fun. <br>* To recap... VexTrio domain -&gt; cryptoscam -&gt; Binance fraud -&gt; Russian IP. </p><p>Attached are screenshots. I have a few urlscan images of this too but the process takes so long that getting the full user experience is hard. </p><p>Here are some more IOCs. There are a bunch of domains on: 91.212.166[.]95. I started at globalminingbit[.]top (after the TDS) and ended at peqemynite[.]top. Here are some current domains: qegymiewo[.]top, ditosoydi[.]top, keziryevo[.]top, xujodyaza[.]top, vupahoawy[.]top, rycozaaqi[.]top, zupahayja[.]top, mafaweewa[.]top, pesaraafy[.]top. <br>globalminingbit[.]top is also out of the CF cover now and at Proton66 (also Russia) 193.143.1(.)195</p><p><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>scam</span></a> <a href="https://infosec.exchange/tags/malvertising" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malvertising</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/vextrio" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>vextrio</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>phishing</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/crypto" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>crypto</span></a> <a href="https://infosec.exchange/tags/cryptoscam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cryptoscam</span></a></p>
@infosec_jcp 🐈🃏 done differently<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@SwiftOnSecurity" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>SwiftOnSecurity</span></a></span> </p><p>Even ic3.gov recommends this. Go for the eZ win! </p><p><a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/ublock" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ublock</span></a> <a href="https://infosec.exchange/tags/malvertising" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malvertising</span></a> ✋</p>
Randy<p>Fake Slack via <a href="https://infosec.exchange/tags/malvertising" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malvertising</span></a>. Google search was for "slack.coml" (user was on the right track, type the domain instead of searching, but they typoed it and then clicked on the malvertisement). There's a whole bunch of other bad stuff in the git repos.</p><pre><code>Google ad<br> -&gt;<br>tradkingview.onelink[.]me/3nFZ<br> -&gt;<br>slack.aerodrame[.]finance/<br> -&gt;<br>slack.workmeetingsapp[.]com/<br> -&gt;<br>github[.]com/fewefwfewfew/dwqfqwe/releases/download/fecfewwefewf3/Slack_Setup.exe<br><br>2b587ca6eb1af162951ade0e214b856f558cc859ae1a8674646f853661704211 Slack_Setup.exe<br></code></pre>
AI6YR Ben<p>Axios: Russian hackers use fake luxury car ads to target diplomats <a href="https://www.axios.com/2024/08/02/russian-hackers-diplomats-fake-car-phishing?utm_medium=social&amp;utm_source=mastodon&amp;utm_campaign=editorial" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">axios.com/2024/08/02/russian-h</span><span class="invisible">ackers-diplomats-fake-car-phishing?utm_medium=social&amp;utm_source=mastodon&amp;utm_campaign=editorial</span></a></p><p><a href="https://m.ai6yr.org/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malware</span></a> <a href="https://m.ai6yr.org/tags/advertising" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>advertising</span></a> <a href="https://m.ai6yr.org/tags/malvertising" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malvertising</span></a> <a href="https://m.ai6yr.org/tags/luxurycars" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>luxurycars</span></a> <a href="https://m.ai6yr.org/tags/Russia" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Russia</span></a></p>
Jérôme Segura<p>Fake Microsoft Teams for Mac delivers Atomic Stealer<br><a href="https://www.malwarebytes.com/blog/threat-intelligence/2024/07/fake-microsoft-teams-for-mac-delivers-atomic-stealer" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">malwarebytes.com/blog/threat-i</span><span class="invisible">ntelligence/2024/07/fake-microsoft-teams-for-mac-delivers-atomic-stealer</span></a></p><p>Cloaking domain:<br>voipfaqs[.]com</p><p>Decoy site:<br>teamsbusiness[.]org</p><p>Download URL:<br>locallyhyped[.]com/kurkum/script_66902619887998[.]92077775[.]php</p><p>Atomic Stealer payload:<br>7120703c25575607c396391964814c0bd10811db47957750e11b97b9f3c36b5d</p><p>Atomic Stealer C2:<br>147.45.43[.]136</p><p><a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/macos" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>macos</span></a> <a href="https://infosec.exchange/tags/malvertising" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malvertising</span></a></p>
Bill<p>Again with the "No you can't use adblockers, how else will we serve you malware?"</p><p><a href="https://arstechnica.com/?p=2034101" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">arstechnica.com/?p=2034101</span><span class="invisible"></span></a></p><p><a href="https://infosec.exchange/tags/malvertising" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malvertising</span></a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/google" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>google</span></a></p>
Jérôme Segura<p>Malicious ad for Arc browser -&gt; <a href="https://infosec.exchange/tags/AtomicStealer" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AtomicStealer</span></a> </p><p>arcthost[.]org<br>arc-download[.]com<br>zestyahhdog[.]com/Arc12645413[.]dmg</p><p>C2: 79.137.192[.]4/p2p</p><p><a href="https://infosec.exchange/tags/malvertising" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malvertising</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a></p>
Randy<p>Hopefully everybody here is blocking all remote support tools you don't specifically use. We had a user call a TSS who coached them to try several different ones. Our tools blocked each of them, but for different reasons. The first is a classic and is on our block list (but of course!), the second got caught in geo blocking, the third was new to me, but our user typoed the domain.</p><pre><code>www.anydesk[.]com<br>helpout[.]live<br>www.screenleap[.]com<br></code></pre><p>Oh, did I mention they got to the TSS via <a href="https://infosec.exchange/tags/malvertising" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malvertising</span></a>? Yup, malvertisement led to here.</p><pre><code>valuedpost[.]com<br></code></pre><p><a href="https://urlscan.io/result/6baa089c-9e64-408e-9440-fdef079a723a/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">urlscan.io/result/6baa089c-9e6</span><span class="invisible">4-408e-9440-fdef079a723a/</span></a></p><p>Which after clicking on any part of the fake "Want to remove ads" led to the TSS as shown here.</p><p><a href="https://urlscan.io/result/ba64fbf5-e7b9-4699-a59f-7746dd42e5e0/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">urlscan.io/result/ba64fbf5-e7b</span><span class="invisible">9-4699-a59f-7746dd42e5e0/</span></a></p>
Jérôme Segura<p>⚠️ Malicious Google ad for <br>inkscape leads to <a href="https://infosec.exchange/tags/FakeBat" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FakeBat</span></a></p><p>➡️ Impostor site: inkckape[.]org<br>➡️ Payload:<br>hxxps[://]planbooknfly[.]com/data/Inkscape-x86[.]msix<br>dc471b087413ea64f7693b27e38ac568dea00ec1c7f699e48a6ef96b9cb4e30e<br>➡️ C2: utm-adschuk[.]com</p><p><a href="https://infosec.exchange/tags/malvertising" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malvertising</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a></p>
Jérôme Segura<p>Malicious ad for Advanced IP Scanner -&gt; Nitrogen</p><p>saltysour[.]com<br>advanced-ip-scan[.]org<br>giaoanso[.]com/wp-includes/IP_Scanner_v.3.5.2.1.zip<br>91.92.249[.]89</p><p><a href="https://www.threatdown.com/blog/nitrogen/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="">threatdown.com/blog/nitrogen/</span><span class="invisible"></span></a></p><p><a href="https://infosec.exchange/tags/malvertising" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malvertising</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a></p>
Jérôme Segura<p>Malicious ad for Cisco Anyconnect -&gt; NetSupport RAT</p><p>hxxps[://]anyconnect[.]digital/main[.]html?gad_source=1&amp;gclid=EAIaIQobChMIqvTmkL3hhQMVPCWtBh0NiQqwEAAYAiAAEgLpVfD_BwE</p><p>hxxps[://]www[.]dropbox[.]com/scl/fi/rd9a0nuuo5y3ty8jtmfd9/ClientCiscoInstaller[.]exe?rlkey=9xt5unakd2cac2bzohrr7vk55&amp;st=5rw7hpe6&amp;dl=1</p><p><a href="https://infosec.exchange/tags/malvertising" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malvertising</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a></p>
Jérôme Segura<p>Malicious ad for Bitbucket -&gt; FakeBat</p><p>hxxps[://]bitbucket[.]workforteams[.]net/<br>hxxps[://]kimworkfiles[.]com/Bitbucket[.]msix</p><p><a href="https://infosec.exchange/tags/malvertising" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malvertising</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a></p>