A week in security (February 16 – February 22)

Last week on Malwarebytes Labs: Age verification vendor Persona left frontend exposed, researchers say Facebook ads spread fake Windows 11 downloads that steal passwords and crypto wallets AI-generated passwords are a security risk Intimate products maker Tenga spilled customer data Meta patents ...

Facebook ads spread fake Windows 11 downloads that steal passwords and crypto wallets

Attackers are running paid Facebook ads that look like official Microsoft promotions, then directing users to near-perfect clones of the Windows 11 download page. Click Download Now and instead of a Windows update, you get a malicious installer—one that silently steals saved passwords, browser...

Fake Facebook Ads Push Brokewell Spyware to Android Users

A Facebook malvertising campaign is spreading the Brokewell spyware to Android users via fake TradingView ads. The malware…...

Hackers Use Facebook Ads to Spread JSCEAL Malware via Fake Cryptocurrency Trading Apps

Cybersecurity researchers are calling attention to an ongoing campaign that distributes fake cryptocurrency trading apps to deploy a compiled V8 JavaScript JSC malware called JSCEAL that can capture data such as credentials and wallets. The activity leverages thousands of malicious advertisements...

Fake Kling AI Facebook Ads Deliver RAT Malware to Over 22 Million Potential Victims

Counterfeit Facebook pages and sponsored ads on the social media platform are being employed to direct users to fake websites masquerading as Kling AI with the goal of tricking victims into downloading malware. Kling AI is an artificial intelligence AI-powered platform to synthesize images and...

Fake AI Tools Push New Noodlophile Stealer Through Facebook Ads

Scammers are using fake AI tools and Facebook ads to spread Noodlophile Stealer malware, targeting users with a…...

New Investment Scams Use Facebook Ads, RDGA Domains, and IP Checks to Filter Victims

Cybersecurity researchers have lifted the lid on two threat actors that orchestrate investment scams through spoofed celebrity endorsements and conceal their activity through traffic distribution systems TDSes. The activity clusters have been codenamed Reckless Rabbit and Ruthless Rabbit by DNS...

Facebook and Instagram Ads Push Gun Silencers Disguised as Car Parts

A network of Facebook pages has been advertising “fuel filters” that are actually meant to be used as silencers, which are heavily regulated by US law. Even US military officials are concerned...

Python-Based NodeStealer Version Targets Facebook Ads Manager

In this blog entry, Trend Micro’s Managed XDR team discuss their investigation into how the latest variant of NodeStealer is delivered through spear-phishing attacks, potentially leading to malware execution, data theft, and the exfiltration of sensitive information via Telegram...

NodeStealer Malware Targets Facebook Ad Accounts, Harvesting Credit Card Data

Threat hunters are warning about an updated version of the Python-based NodeStealer that's now equipped to extract more information from victims' Facebook Ads Manager accounts and harvest credit card data stored in web browsers. "They collect budget details of Facebook Ads Manager accounts of the...

Savvy Seahorse Using Fake ChatGPT, Facebook Ads in DNS Investment Scam

By Deeba Ahmed The scammers creates fake investment platforms using popular companies like Tesla, Meta, and Imperial Oil and lures unsuspecting users into depositing funds. This is a post from HackRead.com Read the original post: Savvy Seahorse Using Fake ChatGPT, Facebook Ads in DNS Investment S...

$19 Stanely cups, fake Amazon Prime memberships all part of holiday shopping scams circulating

I know Im a little late to the party to hit the prime SEO for Black Friday, Cyber Monday and holiday shopping. But if I know the readers of this newsletter, everyone is far from done with their holiday shopping already after a few days. I also know Im far from the only person to warn consumers...

Profile Stealers Spread via LLM-themed Facebook Ads

In this entry, we discuss how a threat actor abuses paid Facebook promotions featuring LLMs to spread malicious code, with the goal of installing a malicious browser add-on and stealing victims’ credentials...

Sophisticated BundleBot Malware Disguised as Google AI Chatbot and Utilities

A new malware strain known as BundleBot has been stealthily operating under the radar by taking advantage of .NET single-file deployment techniques, enabling threat actors to capture sensitive information from compromised hosts. "BundleBot is abusing the dotnet bundle single-file, self-contained...

New SOHO Router Botnet AVrecon Spreads to 70,000 Devices Across 20 Countries

A new malware strain has been found covertly targeting small office/home office SOHO routers for more than two years, infiltrating over 70,000 devices and creating a botnet with 40,000 nodes spanning 20 countries. Lumen Black Lotus Labs has dubbed the malware AVrecon, making it the third such...

SYS01stealer: New Threat Using Facebook Ads to Target Critical Infrastructure Firms

Cybersecurity researchers have discovered a new information stealer dubbed SYS01stealer targeting critical government infrastructure employees, manufacturing companies, and other sectors since November 2022. "The threat actors behind the campaign are targeting Facebook business accounts by using...

Adware found on Google Play — PDF Reader serving up full screen ads

A PDF reader found on Google Play with over one million downloads is aggressively displaying full screen ads, even when the app is not in use. More specifically, the reader is known as PDF reader - documents viewer, package name com.document.pdf.viewer. As a result, this aggressive behavior lands...

Google Boots Multiple Malware-laced Android Apps from Marketplace

Google has removed eight apps from its Google Play store that were propagating a new variant of the Joker spyware, but not before they already had garnered more than 3 million downloads. French security researcher Maxime Ingrao of cybersecurity firm Evina discovered a malware that he dubbed...

Hackers phish 615,000 login credentials by using Facebook ads

By Sudais Asif Once again, Facebook ads have been misused by cybercriminals in a large-scale phishing scam to steal victims' login credentials. This is a post from HackRead.com Read the original post: Hackers phish 615,000 login credentials by using Facebook ads...

Ragnar Locker Ransomware Gang Takes Out Facebook Ads in Key New Tactic

The Ragnar Locker ransomware group has decided to ratchet up the pressure on its latest high-profile victim, Italian liquor conglomerate Campari, by taking out Facebook ads threatening to release the 2TB of sensitive data it stole in a Nov. 3 attack – unless a $15 million ransom is paid in Bitcoi...