MutantBedrog is a malvertiser that caught our attention early summer ’04 for their highly disruptive forced redirect campaigns and the unique JavaScript payload that they use to fingerprint devices and dispatch invasive redirections. While a comprehensive report on MutantBedrog’s TTPs…
Category: Confiant – Medium
ScamClub’s Deceptive Landing Pages
Recently, I was involved in publishing Confiant’s ScamClub: Threat Report Q1-Q2 2023. During our investigation into this malvertising threat, we found ScamClub utilizing RTB integration with ad exchanges to push bid responses upstream to forcefully redirect the victim’s browser from…
Exploring ScamClub Payloads via Deobfuscation Using Abstract Syntax Trees
Introduction ScamClub is a prolific threat actor in the programmatic ad space known to carry out large-scale attacks with the purpose of scamming and defrauding their victims. ScamClub utilizes real-time bidding (RTB) integration with ad exchanges to push malicious JavaScript…
BadTrip: A chain of fake travel sites abuses search ads to commit fraud and credential theft
Brand impersonation and “cloaked” call-centers scale the scam up to more than 50,000 people, with scammers raking in upwards of $800 per victim. Successful malvertising campaigns have two key components: cloaking and churn. Normal security efforts will look at a few websites…
Malvertiser “D-Shortiez” abuses WebKit back button hijack in forced-redirect campaign
Over the last few years, as AdTech and browser security have continued to mature, many malvertisers have moved on from forced redirect campaigns that target premium publishers and top-tier advertising platforms. The ones that are left, however, typically have little…
Malvertiser Makes the Big Bucks on Black Friday
Confiant’s broad coverage in ad tech gives us visibility on some of the darkest corners of the ecosystem. We are strong believers that to truly fight malvertisers, we have to understand their motives. Sometimes…
L’art de l’évasion: How Shlayer hides its configuration inside Apple proprietary DMG files
While conducting routine threat hunting for macOS malware on ad networks, I stumbled upon an unusual Shlayer sample. Upon further analysis, it became clear that this variant was different from the known Shlayer variants…
CashRewindo: How to age domains for an investment scam like fine scotch
Years-old domains, compromised JS libraries and worldwide-localized content among tactics of this sophisticated attacker. In Internet parlance, “old” has a much younger meaning — domains, virtual servers, image assets — everything is now or never. So much so that many security vendors rely heavily…
How One “Crypto Drainer” Template Facilitates Tens Of Millions Of Dollars In Theft
Our previous blog provided an overview of Web3 phishing techniques and tactics, all of which continue to be relevant despite a recent economic downturn in the…
How SeaFlower 藏海花 installs backdoors in iOS/Android web3 wallets to steal your seed phrase
During the course of our work at Confiant, we see malicious activity on a daily basis. What matters the most for us is the ability to: Protect…
A Whirlwind Tour Of Crypto Phishing
The post-pandemic world has seen cryptocurrencies and blockchain products in general catapult in valuation and adoption. “Web3”, “DeFi”, and “NFT” have become household terms and the sector is growing so fast…
How File Hashes Fail As A Malware Detection Heuristic
In this blog post we take a trip downstream from malvertising delivery mechanisms and take a close-up look at a fake Flash update landing page that was used to deliver…
Profiling hackers using the Malvertising Attack Matrix by Confiant
What is Malvertising? A relatively new threat vector, malvertising is a cyber-attack relying on ad networks and digital ads, exposing virtually any internet user surfing the…
Malvertising Threat Actor “Yosec” Exploits Browser Bugs To Push Malware (CVE-2021–1765, CVE-2021–30533)
Most threat actors that operate via ad tech have embraced an operational shift over the last 2 years, leaning…
Looking At Chrome Extensions That Hijack Search — Spread Via Malvertising
In this blog post we discuss an ongoing malvertising campaign that pushes search hijacking browser extensions. We take a…
OSX/Hydromac: A new macOS malware leaked from a Flashcards app
At @ConfiantIntel we had some “luck” finding a new malware targeting the new Apple flagship M1 computers. I put “luck” between quotes, as we know when…
Tag Barnakle One Year Later: 120+ More Revive Adserver Hacks
A year ago, we published a comprehensive disclosure that introduced Tag Barnakle, a threat actor whose specialty is the mass compromise of Revive…
Malvertiser “ScamClub” Bypasses Iframe Sandboxing With postMessage() Shenanigans [CVE-2021–1801]
This blog post is about the mechanics of a long-tail iframe sandbox bypass found in a payload belonging to the persistent malvertising…
Malvertising: Made in China
Two loosely related cybercrime groups operating scores of fake ad agencies from China are so deeply embedded in the ad tech industry that they can launch attacks that…
Persistent malvertising attacker DCCBoost raged as the year faded
500k malicious ads were served in the week leading up to New Year’s Eve, and over 25MM since. As Twenty-twenty was coming to a close, the Security and Threat Intelligence team…
The Trend Of Client-Side Fingerprinting In Cloaked Landing Pages
This blog post will examine the client-side aspect of cloaking in non-auto-redirect-based malvertising chains. We will analyze the anatomy of…
Browlock Malvertisers Abuse Unaddressed Denial-Of-Service Bugs That Sit Dormant For Years
This blog post will dissect a tech support scam that we caught on a major publisher running via native-style tile ads,…
Internet Explorer CVE-2019–1367 Exploitation — part 3
Shellcode Analysis: Extracting the shellcode of Magnitude Exploit Kit. After successful exploitation of CVE-2019–1367, malicious Magnitude Exploit Kit shellcode instructions are executed. The first stubs are a simple shellcode loader…
Internet Explorer CVE-2019–1367 In the wild Exploitation — prelude
CVE-2019–1367 background and in-the-wild exploitation. There are some important aspects to know about CVE-2019–1367 before diving into…
Internet Explorer CVE-2019–1367 Exploitation — part 1
Extracting the Exploit from the PCAP. In this section we will go through the process of extracting the exploit from the pcaps generously provided by malware-traffic-analysis. Luckily for…
Internet Explorer CVE-2019–1367 Exploitation — part 2
In Part 1 we explained the root cause of the CVE-2019–1367 vulnerability. In this part we will discuss how this bug was exploited in the wild to achieve code execution. We…
Malvertising, Site Compromise, And A Status Report On Drive-by Downloads
This blog post will explore the details behind a recent spree of website hacks and the malicious payloads that were embedded…
Confiant & Protected Media Uncover Mobile Billing Malvertiser Dubbed ‘wapSiphone’
The following blog post is a collaborative disclosure between Confiant and Protected Media around a new malvertising threat actor that leverages…
Tag Barnakle: The Malvertiser That Hacks Revive Ad Servers, Redirects Victims To Malware
When we discuss sophisticated malvertisers, we usually talk of savvy cybercriminal media buyers who spawn fake agencies and run…
Exploring The Impact Of Malvertising On Government, ISPs & The Fortune 100
Fake Celebrity-Endorsed Bitcoin Scam Abuses Ad Tech to Net $1M in 1 Day
Fake Celebrity-Endorsed Scam Abuses Ad Tech to Net $1M in One Day
Trending Client-Side Innovations In Malvertising Payloads