{"id":18858,"date":"2022-04-26T05:10:06","date_gmt":"2022-04-26T13:10:06","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/04\/26\/news-12591\/"},"modified":"2022-04-26T05:10:06","modified_gmt":"2022-04-26T13:10:06","slug":"news-12591","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/04\/26\/news-12591\/","title":{"rendered":"Rogue ads phishing for cryptocurrency: Are you secure?"},"content":{"rendered":"<p><strong>Credit to Author: Christopher Boyd | Date: Tue, 26 Apr 2022 12:29:14 +0000<\/strong><\/p>\n<p>Bad ads are at it again. Rogue Google ads caused no end of misery for cryptocurrency enthusiasts, costing them roughly $4.31 million between the 12th and the 21st of April. This is an astonishing slice of cryptocurrency cash to lose for the sake of clicking on something in a search engine.<\/p>\n<p>The bogus links were at the top of results for Terra blockchain projects. Searches for projects like Astroport or Anchor resulted in the below search results:<\/p>\n<figure class=\"wp-block-embed aligncenter is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Our security team conducted an analysis of this incident and discovered that the bulk of this attack was from google phishing ads. Users would search well known projects on the Terra blockchain such as <a href=\"https:\/\/twitter.com\/anchor_protocol?ref_src=twsrc%5Etfw\">@anchor_protocol<\/a> or <a href=\"https:\/\/twitter.com\/astroport_fi?ref_src=twsrc%5Etfw\">@astroport_fi<\/a> only to click on the first link by google. 
<a href=\"https:\/\/t.co\/aucIcnsCd7\">pic.twitter.com\/aucIcnsCd7<\/a><\/p>\n<p>&mdash; SlowMist (@SlowMist_Team) <a href=\"https:\/\/twitter.com\/SlowMist_Team\/status\/1516962155211407360?ref_src=twsrc%5Etfw\">April 21, 2022<\/a><\/p><\/blockquote>\n<\/div>\n<\/figure>\n<p>The design of the phish page is quite similar to many that we\u2019ve seen. They&#8217;re quite basic, and include little beyond a set of \u201cconnect your wallet\u201d buttons. However, as you can see in the below tweet, they\u2019re after people\u2019s seed phrase:<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">These may look like normal ads and some even show the same domain names, but once you click on the link, the domain name actually changes. When clicked, it&#39;ll prompt you to connect your wallet, however instead of connecting, users are asked to input their seed phrase. <a href=\"https:\/\/t.co\/OZjifaJ17m\">pic.twitter.com\/OZjifaJ17m<\/a><\/p>\n<p>&mdash; SlowMist (@SlowMist_Team) <a href=\"https:\/\/twitter.com\/SlowMist_Team\/status\/1516962344055808001?ref_src=twsrc%5Etfw\">April 21, 2022<\/a><\/p><\/blockquote>\n<\/div>\n<\/figure>\n<p>We\u2019ve talked about seed\/recovery phishing several times. Seed phrases are your <a href=\"https:\/\/blog.malwarebytes.com\/privacy-2\/2022\/04\/dont-enter-your-recovery-phrase-phishers-target-ledger-crypto-wallet-users\/\">keys to the kingdom<\/a>, and giving them to a phisher could have serious consequences. 
It\u2019s no wonder these phishers made off with so much money.<\/p>\n<h2>The problem with bad ads<\/h2>\n<p>Rogue adverts have been around pretty much for as long as paid adverts have existed. They\u2019ve been the stomping ground of exploit kits, ransomware, fake tech support scams, and much more for years.<\/p>\n<p>One of the main ways to hurt yourself in a search engine used to be SEO poisoning. That didn\u2019t involve ads; rather, the search results themselves were bad. If a site got compromised and the content altered, innocent-looking results could end up whisking you away to spam or malware. Alongside SEO poisoning, which search engines really tried to clamp down on, bogus ads started making major inroads.<\/p>\n<h2>Big numbers, big rewards<\/h2>\n<p>Ad fraud costs billions each year. Any network could potentially allow a bad actor onboard, and that\u2019s before you consider that there are rogue ad networks who simply don\u2019t care what\u2019s being pushed to end-users. Slow, cumbersome static ads were replaced by <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2015\/04\/real-time-bidding-and-malvertising-a-case-study\/\">real-time bidding<\/a>, and techniques to push bad content became ever more inventive.<\/p>\n<p>On top of that, you have the usual tricks like fingerprinting and browser user-agent string checks to ensure your bad content reaches specific people. For example, only allowing certain mobile users to land on your mobile-centric scam page. Or how about stopping users at a gateway to see if they run exploitable types of software before letting them progress to the exploit page?<\/p>\n<p>The SEO poisoning tactics all look a bit antiquated next to the \u201cpaid-for ad might lose you a fortune\u201d merry-go-round.<\/p>\n<h2>Blink and you&#8217;ll miss it?<\/h2>\n<p>The big problem with paid ads in search engines is one of assumed legitimacy. 
The fact that they usually appear at the top of the page originally led to complaints that they were being mixed up with \u201cproper\u201d results. This brought about many changes to make it clearer that paid ads were just that.<\/p>\n<p>Sadly, people still struggle to tell paid ads from organic results. Close to 60% in one survey <a href=\"https:\/\/varn.co.uk\/01\/31\/58-1-of-people-dont-which-links-on-google-are-ads-is-google-making-ads-less-clear\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">didn\u2019t know the difference<\/a>. This is despite changes from search engine providers for both desktop and mobile platforms.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Last year, our search results on mobile gained a new look. That\u2019s now rolling out to desktop results this week, presenting site domain names and brand icons prominently, along with a bolded \u201cAd\u201d label for ads. Here\u2019s a mockup: <a href=\"https:\/\/t.co\/aM9UAbSKtv\">pic.twitter.com\/aM9UAbSKtv<\/a><\/p>\n<p>&mdash; Google SearchLiaison (@searchliaison) <a href=\"https:\/\/twitter.com\/searchliaison\/status\/1216782591463813126?ref_src=twsrc%5Etfw\">January 13, 2020<\/a><\/p><\/blockquote>\n<\/div>\n<\/figure>\n<p>Does the word \u201cAd\u201d next to the result in Google really leap out enough to be noticeable? Or when \u201cAd\u201d appears in Yahoo! or the additional \u201cAds related to\u2026\u201d under the main ads? 
How about Bing\u2019s very tiny \u201cAd\u201d next to the results?<\/p>\n<p>I vaguely recall a search engine placing paid results in a prominent box a few years back, but I suppose I could just be mixing it up with a screenshot of someone <em>highlighting<\/em> a rogue advert instead.<\/p>\n<h2>Avoiding bad ads<\/h2>\n<p>There are multiple ways to avoid bad ads, but some of them come at a cost to either yourself or the sites serving the ads. It\u2019s one of those very personal choices for which there\u2019s no single fit. I\u2019m not going to suggest you do any of these; I\u2019m merely going to give you examples of what people do and leave the decision in your hands.<\/p>\n<ol>\n<li>Some folks have simply had enough of adverts. They\u2019ll install ad-blockers, hit the \u201cdisallow all\u201d button, and that\u2019s that. However, one drawback is that sites you like may not work. You\u2019ve definitely seen a \u201cplease unblock our ads to continue\u201d message at this point. Some sites take a hard line on this, and it\u2019s a case of unblock or go elsewhere. Others will allow you to choose whether to view the site with the ads still blocked, or add them to your \u201csafe site\u201d list. Sometimes this goodwill gesture is enough to have the visitor unblock the ads. If it doesn\u2019t and someone becomes a repeat visitor anyway (with ads still blocked), then the site loses ad revenue.<\/li>\n<li>Others may go down the script blocker route. This may still let ads through, but it can help prevent redirects and malicious script loading. Script blocking tools are a lot better than they used to be, with more customisation available than ever before. In the bad old days, it was mostly a case of \u201cenable this and break hundreds of websites\u201d. The trade-off here is that you may end up enabling something that renders the site usable, but also allows for bad things to happen.<\/li>\n<li>Security tools. 
This is one of the more hands-on ways to shut bad things down. Browser extensions, <a href=\"https:\/\/www.malwarebytes.com\/mwb-download\">security tools with real-time protection<\/a>, regular security scans, and keeping your system (and programs) up to date will all help keep exploits, phishing pages, and malware far away, even with all adverts enabled. Nothing is guaranteed, of course, and that\u2019s why several layers of defence tailored to your specific requirements will do significant heavy lifting on your behalf.<\/li>\n<\/ol>\n<p>Rogue ad attacks are sadly a fact of internet life, and targeting cryptocurrency enthusiasts means potentially massive payouts in comparison to some other forms of phishing. With no way to get your stolen coins back in most cases, it\u2019s not something you can afford to ignore. Start shoring up those defences now, and have a long think about the level of advert exposure you\u2019re comfortable with.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/scams\/2022\/04\/rogue-ads-phishing-for-cryptocurrency-are-you-secure\/\">Rogue ads phishing for cryptocurrency: Are you secure?<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Phishers racked up an enormous haul of stolen cryptocurrency via rogue Google ads. 
Time to check if you&#8217;re free from bad ad worry.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[11533,20270,13776,11052,1670,25817,25818,10511,3924,10574,25819,14646,11410],"class_list":["post-18858","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-ads","tag-advert","tag-bing","tag-cryptocurrency","tag-google","tag-organic","tag-paid","tag-phish","tag-phishing","tag-scams","tag-seed","tag-wallet","tag-yahoo"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18858","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18858"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18858\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18858"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18858"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.n
et\/index.php\/wp-json\/wp\/v2\/tags?post=18858"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}