Google Ads for Bitbucket.org – malvertising at its best (Updated)

What is it?

Malvertising: malware delivered through advertising. The corrupted ads are designed to look legitimate, but they serve malicious code or lead to it, and can infect a user's device either through a drive-by download on merely viewing the ad or, as in the case below, by luring the user to click through to a malicious site. Malvertising exploits the expansive reach and complex supply chains of online advertising networks, enabling attackers to deliver malware to a broad audience without any direct interaction with the victim.

This type of cyber attack can lead to data breaches, identity theft, and other significant security risks. Awareness and advanced security measures are crucial in protecting against malvertising threats.

Bitbucket malvertising

If you search Google for the word "Bitbucket", you get a results page like the one below.

If you click on the first result, which is marked "Sponsored", you are redirected to a website that is a 99.99% identical clone of bitbucket.org.

What’s the catch?

There are a few things on the page that give it away:

1. Malicious software

The file that the fake page offers for download is malicious (SHA-256 9a2268162982113c12d163b1377dc4e72c93f91e26bd511d16c1b705262ca03c): https://www.virustotal.com/gui/file/9a2268162982113c12d163b1377dc4e72c93f91e26bd511d16c1b705262ca03c?nocache=1

At the time I reanalyzed it, only 3 AV engines detected it: ESET, Sophos and Jiangmin.

2. Unknown advertiser (not Atlassian)

The ad is not from Atlassian, but from someone in Pakistan:

I reported it to Google as malware.

3. Foreign code inserted

If you look at the source of the fake page, you find code comments and strings in Russian. Translated, they are innocuous log messages: the fragment below looks like the success and error handlers of an AJAX request that reports a click back to a server ("Клик зарегистрирован!" means "Click registered!"). It appears that the developers were still debugging the server response for their click tracking. 🙂

….

    success: function(response) {
        console.log("Ответ сервера: ", response);      // "Server response: "
        // alert("Клик зарегистрирован!");              // "Click registered!"
    },
    error: function(xhr, status, error) {
        // Обработка ошибок при отправке запроса       // "Handling of errors when sending the request"
        // console.error("Ошибка: ", error);            // "Error: "
        alert("Произошла ошибка при регистрации клика."); // "An error occurred while registering the click."
    }

4. Very fresh domain

The domain was registered a few weeks ago.

Conclusion

  1. Don't just click: don't look up a site by typing its name into a search engine and clicking the first result. Type the domain directly into the address bar. In our case, as the screenshot shows, the ad itself displays bitbucket.org, so typing that takes you to the real site and bypasses the ad entirely.
  2. Use ad blockers: installing reputable ad-blocking software prevents malvertisements from loading in the first place. This is one of the simplest and most effective measures against accidental clicks on malicious ads.
  3. Use security solutions: endpoint security with real-time scanning, behaviour analysis and threat detection can identify and neutralize malicious activity originating from ads, including an installer like the one above that only 3 of the VirusTotal engines flagged at the time.
  4. Use secure browsing tools: security-focused browsers and DNS or URL filtering (often bundled with VPN products) add a layer by blocking known-malicious and newly registered domains. Note that a VPN's encryption by itself does nothing against a malicious ad; the protection comes from the filtering.
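The three technical signals above (the download's SHA-256 from section 1, the freshly registered domain from section 4, and the "type the real domain" advice in point 1) can be turned into a small pre-download triage. The script below is an added example, not tooling from the original post: it flags a landing URL that is not on the expected brand domain (including the brand used as a subdomain of something else), a domain whose RDAP record shows a registration within the last 90 days (an arbitrary threshold), and a file whose SHA-256 matches the indicator from the post. The lookalike host download-example.net, the RDAP record and the stand-in file bytes are all constructed; the only real indicator is the hash.

```python
# Added example (not from the post): triage of a sponsored-result landing
# page using three signals the post describes. All sample inputs below are
# constructed; the lookalike host is hypothetical and the only real
# indicator is the SHA-256 from the post's VirusTotal link.
import hashlib
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlsplit

# Real IOC: the SHA-256 of the download in the post's VirusTotal link.
KNOWN_BAD_SHA256 = {
    "9a2268162982113c12d163b1377dc4e72c93f91e26bd511d16c1b705262ca03c",
}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Deliberately crude: without a public
    suffix list 'x.co.uk' collapses to 'co.uk', which is fine for .org/.com
    brand domains like bitbucket.org."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_mismatch(url: str, expected_domain: str) -> bool:
    """True when the landing URL is not on the brand's registrable domain.
    Catches 'bitbucket.org.example.net' (brand used as a subdomain) and
    'bitbucket-org.example.net' (brand used as a lookalike label)."""
    host = urlsplit(url).hostname or ""
    return registrable_domain(host) != expected_domain.lower()


def domain_age_days(rdap_record: dict, now: datetime) -> Optional[int]:
    """Age in days from the 'registration' event of an RDAP domain record
    (the JSON a registry's /domain/<name> endpoint returns), or None if the
    record carries no registration event."""
    for event in rdap_record.get("events", []):
        if event.get("eventAction") == "registration":
            stamp = event["eventDate"].replace("Z", "+00:00")
            return (now - datetime.fromisoformat(stamp)).days
    return None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(url, expected_domain, rdap_record, installer, now,
           known_bad=KNOWN_BAD_SHA256, max_age_days=90):
    """Return the list of red flags found; an empty list means none fired."""
    findings = []
    if brand_mismatch(url, expected_domain):
        findings.append(f"landing host is not on {expected_domain}")
    age = domain_age_days(rdap_record, now)
    if age is None:
        findings.append("RDAP record has no registration date")
    elif age < max_age_days:
        findings.append(f"domain registered only {age} days ago")
    digest = sha256_hex(installer)
    if digest in known_bad:
        findings.append(f"download matches known-bad SHA-256 {digest[:16]}...")
    return findings


# Constructed inputs: a hypothetical lookalike host, a minimal RDAP record
# shaped like a real registry response, and a stand-in for the download.
SAMPLE_URL = "https://bitbucket.org.download-example.net/product/"
SAMPLE_RDAP = {
    "objectClassName": "domain",
    "ldhName": "download-example.net",
    "events": [
        {"eventAction": "registration", "eventDate": "2024-03-10T12:00:00Z"},
        {"eventAction": "last changed", "eventDate": "2024-03-11T08:30:00Z"},
    ],
}
SAMPLE_INSTALLER = b"MZ\x90\x00 constructed stand-in, not the real file"
NOW = datetime(2024, 4, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for flag in triage(SAMPLE_URL, "bitbucket.org", SAMPLE_RDAP, SAMPLE_INSTALLER, NOW):
        print("RED FLAG:", flag)
```

On the constructed inputs the script reports two flags (wrong registrable domain, domain registered 22 days ago); the stand-in bytes deliberately do not match the real hash, so the third check only fires on the actual file. In practice you would fetch the RDAP record from the registry's endpoint and hash the file you downloaded before running it.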

Update

Google rejected three requests to take the ad down, each time with the following mail:

Dear Sorin,

We’re writing to let you know that we reviewed your report (ID 8-9421000036524).

Here's what we found

We decided not to take this ad down. We found that the ad doesn’t go against Google’s policies, which prohibit certain content and practices that we believe to be harmful to users and the overall online ecosystem.

(If you have additional information that might help us reverse this decision, you can let us know by reporting this ad again within six months, or you can learn about your other options to dispute this decision.)

However, minutes after I received the rejection, the ad was removed and the domain suddenly disappeared!

Shame on you, Google!


© Copyright 2024 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity

