New warning for Chrome, Safari, Edge and Firefox: do not use these websites

Updated November 7 with new guidance from the government’s cybersecurity agency on malware infecting legitimate online advertising campaigns.

Now that “tens of millions of dollars” have been stolen from “hundreds of thousands” of internet users, a serious warning has just been issued to the billions of people who use the most popular web browsers. Google has removed the known fraudulent websites from its search results, but that does not remove links to them on social media and messaging platforms. It is crucial that all users know what to look for. Put very simply: do not use these websites.

Researchers at Human Security’s Satori team warn that threat actors have “directed traffic to fake online stores by infecting legitimate websites with a malicious payload. This payload creates fake product listings and adds metadata that places these fake listings at the top of search engine rankings for the items, making them an attractive offer to an unsuspecting consumer. When a consumer clicks on the item link, he or she is redirected to another website, operated by the threat actor.”

The dangerous website itself would direct users to a legitimate payment processing platform to purchase their chosen product. Of course, that product would never arrive, but the money would certainly be taken. While many consumers may be protected from the ultimate financial costs through credit card chargebacks, this is never guaranteed until a claim is investigated.

In the latest campaign, malicious actors “infected more than 1,000 websites to create and promote fake product listings and built 121 fake online stores to deceive consumers… with losses estimated at tens of millions of dollars over the past five years, affecting hundreds of thousands of consumers who are the victims.”

So what should you look out for to keep your money from disappearing into a black hole?

  1. Product deals that seem too good to be true usually are. If a bargain is offered below market price, don’t proceed unless you can verify the site.
  2. Check that the website name matches the names that appear in pop-ups, payment processing windows, and the URL. This particular campaign infected legitimate websites and then led elsewhere.
  3. Does the ordering process feel completely legitimate? For example, does it offer address autocomplete, and does it validate the data you enter?
  4. If this is a website you haven’t used before, check the reviews carefully. Be aware that they could be fake, and look for reviews of the site on well-known review platforms.
  5. Can you find the product on a well-known website, even if it is more expensive there?

This campaign, which the research team called “Phish ‘n’ Ships,” included some sophisticated details: metadata crafted to reach the top of search results, although Google has since removed the listings known to be fraudulent. Infecting legitimate websites initially lulls users into a false sense of security, but the redirection to a fake online store is when alarm bells should start ringing.
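The redirect pattern described above (injected listings on a compromised legitimate site, carrying product metadata, that send the buyer to a store on another domain) is something a site owner can scan for. The following is an added example, not code from Human Security or the Satori team; the HTML sample is constructed, and the checkout and deal URLs in it are placeholders.

```python
"""Added example, not Human Security/Satori code: flag listings whose JSON-LD offer URL
or link target leaves the site's own domain (the Phish 'n' Ships redirect pattern)."""
import json
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one injected listing and one off-site link beside a real link.
SAMPLE = """<html><body>
<script type="application/ld+json">{"@type":"Product","name":"Brand X headphones",
"offers":{"price":"19.99","url":"https://shop.example.net/checkout?id=42"}}</script>
<a href="/products/mug">Mug</a>
<a href="https://shop.example.net/deal">Buy now</a>
</body></html>"""


class _Collector(HTMLParser):
    """Collects JSON-LD script bodies and anchor hrefs from an HTML document."""
    def __init__(self):
        super().__init__()
        self.jsonld, self.hrefs, self._in_ld = [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("type") == "application/ld+json":
            self._in_ld = True
        elif tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])

    def handle_data(self, data):
        if self._in_ld:
            self.jsonld.append(data)

    def handle_endtag(self, tag):
        self._in_ld = self._in_ld and tag != "script"


def offdomain_listings(html, site_host):
    """Return (label, url) pairs whose offer or link URL points off site_host."""
    c = _Collector()
    c.feed(html)
    hits = []
    for blob in c.jsonld:  # injected listings carry Product metadata to rank in search
        try:
            obj = json.loads(blob)
        except ValueError:
            continue
        if obj.get("@type") == "Product":
            url = (obj.get("offers") or {}).get("url", "")
            if urlparse(url).hostname not in (None, site_host):
                hits.append((obj.get("name", "?"), url))
    for href in c.hrefs:  # relative links stay on-site; absolute ones are checked
        if urlparse(href).hostname not in (None, site_host):
            hits.append(("link", href))
    return hits
```

Run `offdomain_listings(SAMPLE, "www.example.com")` to see both off-site targets flagged; against real pages, every hit is a listing or link to review, not proof of compromise on its own.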

A list of all known fake websites can be found here; some of them remain active despite the known threat, according to this latest report.

“This operation underlines the relationship between the digital advertising ecosystem and fraud,” Satori said. “Without the fake organic and sponsored product listings staged by the threat actors, there would have been no traffic to the fake online stores and therefore no fraud. A key takeaway from Phish ‘n’ Ships is that digital advertising can be dangerous, and consumers should be careful when clicking through to the next step in a digital journey.”

Users of all major browsers are exposed to such attacks. The research team warns that “Phish ‘n’ Ships remains an active threat,” even though Google’s removals have “partially disrupted” it. “It is unlikely that the threat actors will pull the plug on their work without trying to find a new way to perpetuate their fraud.”

When it comes to unreliable search results causing dangerous phishing attacks, another nasty new twist has emerged. Malwarebytes warns that “a new wave of banking phishing is targeting consumers via Microsoft’s search engine. A Bing search for ‘Keybank login’ currently returns malicious links on the first page, and sometimes as the top search result.”

Microsoft’s share of search pales in comparison to Google’s, although, as with its ongoing campaign to push Chrome users to Edge, it is now digging deep into its pockets to do the same for Bing, with a new $1 million giveaway.

“While Microsoft’s Bing only has about 4% of the search engine market share,” says Malwarebytes, “scammers are drawn to it as an alternative to Google. A particularly interesting detail is how a phishing website created less than two weeks ago is already being indexed and served before the official website.”

This dangerous new campaign has managed to inflate the search signals of new, malicious sites, tricking users into clicking on high-ranking results for common keywords. “The first result is a malicious link that pretends to be Keybank’s login page… Attackers are abusing Bing’s search algorithms.”

Users who click on the links are redirected to malicious websites built for the campaign. These use the official branding of the impersonated bank to further mislead users. The intention is simply to harvest identities, login details and passwords. The attackers have even found ways to collect MFA codes so that they can complete the logins.

Similar to the “Phish ‘n’ Ships” attack, this socially engineered manipulation of search results, combined with behind-the-scenes deception to shift traffic from legitimate sites to malicious ones, is clearly effective, allowing attackers to make millions.

The concern for users will be the expected rise in AI-based search, which poses a threat not only to established search engines but also to users who lack the long-term defenses and ‘spidey senses’ to see attacks coming. Ironically, we have also just seen a phishing attack claiming to come from OpenAI itself, which underlines that brave-new-world point. Buyer beware.

Following this report from Human’s Satori researchers, another serious website fraud warning has been issued. The UK government’s cyber security agency has just warned that “digital advertising is fundamental to the digital economy and depends on the interactions between those who sell advertising space and those who buy it, often in real time. But this can be abused and result in malicious advertising or malvertising, including malware. This could lead to fraud and undermine confidence in the digital advertising industry.”

In a new advisory that “provides guidance for brands to help advertising partners combat malvertising,” the NCSC warns legitimate businesses that digital advertising campaigns can expose their customers to fraud if the organizations running those campaigns intentionally or accidentally introduce fraudulent technologies into the mix.

“The organizations that help run your campaigns must take action to prevent harm to users,” it says. “You also want to make sure that the ads that appear on the same sites and pages as yours are trustworthy and reliable. You can support the broader efforts in this area by requiring effective malvertising detection and removal services across an intermediary’s advertising assets and publisher’s landing pages. This is an ongoing process that must apply before and during an advertising campaign.”

Similar to ‘Phish ‘n’ Ships’, which involves infecting legitimate merchant websites to lend some legitimacy to malicious campaigns, the risk with digital advertising is that trusted brands are used to mask threats and to socially engineer an attack chain that lures users into the first steps, which ultimately lead to fraud or identity theft.

NCSC says that “Advertisers, publishers and ad networks should work together to share threat intelligence. By pooling information about emerging threats, it is possible to respond more quickly to new attacks and proactively prevent an attack detected on one platform from appearing on others.”

This has everything to do with the real-time nature of the Internet, and, like the manipulated Bing search results, such attacks can be difficult to catch because they appear and disappear in the blink of an eye. It is the core operations of the system itself that are being manipulated.

For all organizations designing campaigns and buying ads, the cybersecurity agency urges that advertising intermediaries be able to demonstrate the following five things, to make the job harder for threat actors:

  1. how they handle malvertising detection and removal services
  2. the supplier, if any, they use to detect and remove malvertising, and whether this includes ‘cloaking’, which conceals the harmful nature or purpose of an advertisement
  3. the scope of their assets where scanning, detection and removal takes place
  4. how they monitor any changes during the life cycle of an advertising campaign
  5. how an attack, if it occurs, is escalated and investigated