Category: Security & Privacy

Advertising

Oh look, Google ads are again used to scam Google Search users

Posted on by Martin Brinkmann

Threat actors have launched another malvertising campaign on Google Search. While that is not really anything to write about anymore in this day and age, this time is special.

Not only did the threat actors manage to plant scam ads on Google, they did furthermore impersonate Google’s entire product line and used Google domains for the scams. If that is not something to write about.

The story comes from Malwarebytes. Security researchers at Malwarebytes discovered the campaign.

Here are the details:

  • The campaign was run on Google Search.
  • The threat actor used Google’s Looker Studio service to show the google.com domain as the address.
  • The ads targeted Google {product}, e.g., Google Translate or Google Flights.

Even after Malwarebytes reported the ads to Google, ads that impersonated official Google products continued to show up on Google Search.

Locker Studio is a service by Google that creates “interactive dashboards and beautiful reports” from data.

The scammers used the service to display a copy of the Google Search homepage. The homepage is just an image with a hidden link. When the victim clicks on the image, the link is triggered.

The user is then redirected to fake Microsoft or Apple alert pages. These go into full screen mode and play a recording according to Malwarebytes. The alerts suggest that something is not right.

They display a number to call for support and also a form to type the Microsoft account name and password.

Calls land in overseas call centers that try to scam the callers into purchasing gift cards or logging into their bank accounts to pay for the support.

The URL used in this case is on a Microsoft Azure domain, which is designed to instill further trust.

Closing Words

There is not much to like about ads nowadays. They slow down web browsing, use additional bandwidth, collect data about users, and may be distracting. If that is not enough, they may also push ads, as seen over and over again.

The only thing that is positive about ads is, in my opinion, that they allow certain services or publications to exist. There are not viable alternatives. While subscriptions are picking up, this won’t work for everyone as users seem to be fed up already with the ever increasing list of services that is asking for a monthly or yearly payments.

More safeguards need to be in place to prevent blatant abuses like the one discovered by Malwarebytes.

What is your take on this? Feel free to leave a comment down below.

Encryption

Windows 11: Device Encryption will be enabled automatically in these cases

Posted on by Martin Brinkmann

The next feature update for Windows 11 enables automatic device encryption for users of the operating system. This happens automatically in the background and for most users, but there are exceptions.

What is Device Encryption and how does it differ from BitLocker Drive Encryption?

Device Encryption is based on BitLocker, Microsoft’s encryption technology. It is an automatic system that will encrypt the Windows partition and other fixed drives.

In other words: most drives that are internal will be encrypted by Device Encryption.

Encryption protects data on the drives to prevent unauthorized access.

BitLocker Drive Encryption on the other hand is only available for Pro, Enterprise, and Education editions of Windows. It gives administrators control over the technology and needs to be enabled manually.

The change in Windows 11 24H2

Starting with the release of Windows 11, version 24H2, Windows 11 will encrypt drives automatically using Device Encryption in the following cases:

  • During first sign-in with a Microsoft account, or work or school account.
  • During first set up of the device, if a Microsoft account is used.

Windows 11 will start the encrypting of the drives immediately in the background.

Windows users who create a local account during set up won’t have their drives encrypted. Microsoft notes here that it is possible to do that manually though.

Note: Microsoft is making it harder and harder to set up Windows without a Microsoft account. It is still possible, but most users are probably unaware of this.

Enabling or disabling Device Encryption manually

Device Encryption setting in Windows 11
Device Encryption setting in Windows 11

You need to sign-in with an administrator account to manage Device Encryption. Also, it is possible that the feature is not supported on the device.

Here is how to find out and manage it:

  1. Select Start and then Settings to open the Settings app.
  2. Go to Privacy & security > Device Encryption.

If you do not see Device Encryption on the page, it is either unavailable on the device or you are signed-in with a standard user account.

Device Encryption offers a simple toggle to turn the feature on or off.

How to find out why Device Encryption is now available

Here is a step-by-step guide on finding out why Device Encryption is not supported.

  1. Open the Start menu.
  2. Type System Information.
  3. Select Run as adminstrator.
  4. Scroll down to Automatic Device Encryption Support or Device Encryption support.
  5. Hover over the entry to see the reason why it is not supported.

What is your take on Device Encryption? Do you use BitLocker encryption on your devices? Let us know in the comments below.

Malware

Three year old Malvertising Campaign is still going strong

Posted on by Martin Brinkmann

One of the most important skills of any Internet user is the ability to distinguish between advertising and organic links. A core reason for that is that advertising is regularly abused for malvertising campaigns.

Malvertising refers to ads that in one way or another attack the user or the user’s device. A simple example is a download ad that pushes a malicious file onto the user’s system.

Security researchers at ReasonLabs have discovered a malvertising campaign that has been around for at least three years.

The details:

  • Polymorphic campaign that installs Chrome and Edge extensions on endpoints.
  • Uses multiple attacks, including search hijacking, stealing private data, or executing commands on the user’s device.
  • At least 300,000 users fell victim to the campaign until now.

How the attack works

The attackers use advertising to push malicious downloads. They use fake download sites for legitimate applications such as YouTube, VLC, or Roblox FPS Unblocker.

Users who fall for this, you guessed it, download a malicious payload to their systems. Here is what happens next:

  1. The executable creates a scheduled task, which is designed to run a PowerShell script.
  2. The PowerShell script downloads a payload from a remote server and runs it on the user’s machine.
  3. It then begins to make changes to the user’s system:
    • Adds policies to enforce the installation of Chrome and Edge installations from the Store (which are malicious).
    • Some versions of the script uninstall browser updates.
    • Tampers with browser .lnk file to load another extension for communication with a control server and stealing search queries.
    • Communicate with command center for status reports and the next stage of execution.

The script blocks uninstallation of the installed extensions, even when Developer Mode of the browser is set to on. Users will also see the “your browser is managed by your organization” message.

The blog post offers a deep dive, which interested or affected users may check out. There is also a section on removing the malware from infected hosts.

This involves:

  • Removing the scheduled tasks.
  • Removing the planted Registry keys.
  • Deleting the malicious files.

Closing Words

The security researchers note that many of the used domains, extensions, and scripts are not detected as malicious at the time of writing. Google and Microsoft were notified according to the blog post.

Which brings us right back to the beginning. Ads are not easily distinguishable from organic results in many cases. Google, for instance, displays a simple “sponsored” text above ads. They look exactly like organic results in any other way.

While experienced users may not have any problems differentiating between the two, less tech-savvy users fall for these.

So, if you want to improve security, you better take a good look at links before you click. If you want to be safer, do not click on ads 🙂

0.0.0.0 Day: decade-old vulnerability affects all browsers

Posted on by Martin Brinkmann

Security researchers have disclosed a vulnerability that affects all modern browsers. What makes it particularly worrisome is that it has been known for 18 years; that goes back to a time before Google even thought of creating Chrome.

The details:

  • The researchers call the issue 0.0.0.0 Day.
  • It allows malicious websites to interact with services that run on the local network.
  • This could lead to unauthorized access or remote code execution attacks on local services from outside the local network.

In other words: the security issue allows the circumvention of security protections by malicious websites. Chromium’s Private Network protection does not protect against this, neither does Firefox. Apple’s Safari browser was also vulnerable, but the company has released a patch that blocks access to 0.0.0.0.

The blog post provides a technical description of the vulnerability. It also explains why it took this long to react on it.

The researchers found a Mozilla bug listing that dates back 18 years. It shows that the developers were not sure whether the reported bug was a security issue, a bug, or no flaw at all.

How Google, Mozilla, and Apple plan to react

Researchers at Oligo disclosed the vulnerability to security teams of major browsers in April 2024.

  • Google: plans to block access starting in Chrome 128 and finalize the rollout by Chrome 133. Other Chromium-based browsers will get this as well.
  • Apple: has implemented a change that blocks destination host IP addresses, if the IP is all zeroes.
  • Mozilla: fix is in progress. Firefox is special, as it never restricted Private Network Access in first place. Will implement Private Network Access, but no ETA on this one.

The fixes are important, but so is standardization of the issue. HTTP requests to 0.0.0.0 should be added to security standards according to the security researchers.

Closing Words

The security researchers note that use of 0.0.0.0 on the Web is on the rise. They use counters provided by Chromium for this. According to those, it is used by 0.015% of all websites. While that may not sound like much, it equates to roughly 100,000 public websites that may communicate with 0.0.0.0.

Malicious actors may exploit the issue in their attacks. Oligo points out that ShadowRay, a recent attack that targets AI workloads, could be executed from browsers using 0.0.0.0 as the attack vector.

It is unclear if browser extensions such as Port Authority for Firefox provide protection against this kind of attack.

What is your take on this new vulnerability? Seems that there is always something new, or shall I say old, that is affecting the security of browsers. (via Born)

Chrome

Keep on blocking in a free world: how to switch from Chrome to Firefox

Posted on by Martin Brinkmann

Google Chrome users who have extensions installed may soon have some or even all of their installed extensions disabled by Google.

While all browser extensions may be impacted, it is ad blockers and privacy extensions that are impacted the most.

One example: uBlock Origin, arguably the most loved and powerful content blocker available for browsers, will not be offered anymore for Chrome and all other Chromium-based browsers.

This means that you cannot install the browser extension anymore in Chrome, Microsoft Edge, Vivaldi, Opera, and myriads others.

One exemption: Brave Software revealed recently that it plans to continue support for uBlock Origin. This would be the one exemption at the time of writing.

The developer of uBlock Origin has created a lite-version of the extension. Called uBlock Origin Lite, it remains available for Chrome. Its functionality is reduced, however.

Furthermore, users of Chrome who use uBlock Origin need to download and install uBlock Origin Lite manually. A click on the “find alternative” button in Chrome

How to find out if you are impacted by the change

Chrome Extensions Support
Google Chrome highlights extensions that will soon no longer be compatible with the browser

Do the following to find out if extensions that you have installed in Chrome are impacted:

  • Load chrome://extensions/ in the browser’s address bar. You may also open the page manually by going to Menu > Extensions > Manage Extensions.
  • If you see “These extensions may soon no longer be supported” at the top, you are affected by the change.

Tip: you can check out a detailed guide about this here.

Google lists all incompatible extensions. Each features a “find alternative” button, which opens a special page on the Chrome Web Store that highlights extensions that continue to remain compatible with Chrome in the future.

For uBlock Origin, Google suggests the following options:

  • uBlock Origin Lite
  • Adblock Plus
  • Stands Adblocker
  • Ghostery Tracker & Adblocker

While all block ads, none offers the functionality of uBlock Origin.

What you can do about it

You have just a few options at this point:

  1. Keep on using Chrome until Google disables the extensions. You may then extend support for about a year using Enterprise policies.
  2. Keep on using Chrome and use a different browser extension that works for you, hoping that Google does not introduce any other changes in the future that may impact it.
  3. Switch to Brave Browser. This is a valid option only if you want to keep on using uBlock Origin, AdGuard, uMatrix, or NoScript.
  4. Switch to Firefox or a Firefox-based browser. The extensions, including uBlock Origin, remain available and maintained for Firefox.

The first option is valid for all Chromium-based browsers, but it is temporary only. Google will remove the Enterprise policy next year, and that marks the end of support in Chrome.

As you see, you have a few options only. While you could keep on using a Chromium-based browser, Brave Browser, it is unclear for how long Brave will support the four special extensions.

Admittedly, it is also unclear for how long Mozilla will support the old extensions system. If it sees an uptick in users, as some Chrome users may migrate to Firefox because of the changes Google implements, it could very well be for a long time.

Are you affected by the change? Do you have any extensions that you rely on that would make you switch browsers, if your current favorite would not support them anymore? Feel free to leave a comment down below.

Windows 11: Microsoft bundling controls for recommendations and offers

Posted on by Martin Brinkmann

One of the main points of criticism in regards to the ever increasing number of recommendations and offers in Microsoft’s Windows 11 operating system is that they cannot be managed from a central location.

If you want to turn them all off elegantly, you either have to go through various sections, or use a third-party application like WinAero Tweaker, or O&O’s ShutUp10++, or one of the many other tools that help users do that.

Recommendations & offers in Windows 11 Settings

Windows 11 Recommendations & Offers Setting
New group of Settings to control ads and promotions in Windows 11. Image source: Phantom of Earth

Microsoft is working on introducing a central location for recommendations and offers. While it is doubtful that this will cover all promotions that Microsoft throws at users nowadays, it at least merges related settings from various locations into a single group in the Settings app.

Discovered by Phantom of Earth and published on X, Recommendations & offers provides the following options at the time of writing:

  • Personalized offers — Get personalized tips, ads, and recommendations based on Windows activity.
  • Allow websites to access my language list.
  • Improve Start and search results — By tracking which apps get opened.
  • Show notifications in Settings.
  • Recommendations and offers in Settings — Allow Windows to show product recommendations and offers in Settings.
  • Advertising ID.

The new group is found under Settings > Privacy & Security. You do need to run the latest Beta of Windows 11 and may need to enable it by running the command .\vivetool /enable /id:49666228,48433719 from an elevated PowerShell prompt.

Closing Words

Clearly, this new group of Settings is still inferior to what tweaking apps offer. It may still expose more of these settings to users who do not use the tweakers or configure their systems using Registry tweaks or policies.

What is your take on this new group of settings? Move in the right direction? Feel free to leave a comment down below.

7-Eleven

Adding the number 7 to your password might make it stronger

Posted on by Martin Brinkmann

Most computer users should know by now that unique and stronger passwords are better. But what exactly means stronger? Most say that adding a mix of characters, including upper- and lower-case letters, numbers, and special characters will do the trick. Combine that with a decent length, say 16 or more characters, and your password should be hard to crack.

ProxyScrape, a service for scraping websites using proxies, says that using the number 7 in your password makes it stronger than any other number that you may pick.

Here is why: while many pick 7 as their preferred one-digit number, most computer users pick other numbers when they set passwords.

This is not a problem for users who use password generators, but those who pick passwords manually tend to prefer 0, 1, and 2 over other numbers.

Password Generator of KeePass
Password generation in the KeePass password manager

It happens that 7 is the last choice when it comes to numbers, according to ProxyScrape CEP Thibeau Maerevoet (via Betanews).

So, if you pick 7, or if your password generator picks it for you, then you throw a wrench into the tires of the brute forcing machine.

This is especially true for dictionary attacks. These use preset words and sometimes words with characters added to them. It is, for instance, common, to test words, and then the same array of words but with the character 1 added to them.

Similarly, dictionary attacks may replace the character I with 1, or E with 3.

Tip: find out if yo should save passwords in browsers.

This does not really affect users who use very strong auto-generated passwords. It does not really matter if a 20 character password that is randomly generated has a 7 in it or not. But passwords that users pick, like dallascowboys1, may have a better chance at surviving the first wave of attacks when you replace that 1 with a 7. Even better, put the 7 somewhere in the middle, say dall7ascowboys.

What is your take on the observation? Will you start adding 7s to your passwords in the future?

Advertising

How to disable Firefox’s built-in ad-tracking feature

Posted on by Martin Brinkmann

With the release of Firefox 128 came the integration of a new experimental feature that Mozilla calls Privacy-Preserving Attribution.

The feature is turned on by default, which means that users of the browser need to become active, if they want to disable it.

Mozilla published a support webpage that explains that Privacy-Preserving Attribution is.

Here is the main quote:

Mozilla is prototyping this feature in order to inform an emerging Web standard designed to help sites understand how their ads perform without collecting data about individual people. By offering sites a non-invasive alternative to cross-site tracking, we hope to achieve a significant reduction in this harmful practice across the web.

In other words: sites and advertisers may use the built-in feature for tracking.

Like Google Chrome’s Ad Privacy feature, it is using the term privacy loosely, some would say disingenuously.

Both systems change how users are tracked and call it an improvement to privacy. In the end, it still means that users are tracked. The fundamental difference is that users are no longer tracked on an individual level.

Mozilla says that its new system can only be used by a small number of sites in Firefox 128. The organization does not mention these sites.

How to disable Ad-Tracking in Firefox

Firefox Website Advertising Preferences

For privacy, disabling these features is better than keeping them enabled or enabling them.

Here is how you do that in Firefox:

  1. Select the Firefox Menu and then Settings when the menu opens.
  2. Switch to Privacy & Security on the main Settings page.
  3. Scroll down until you come to Website Advertising Preferences.
  4. Uncheck the box “Allow websites to perform privacy-preserving ad measurement”.

That is all there is to it.

Pro tip: The user preference dom.private-attribution.submission.enabled determines whether this feature is turned on or off. Set it to false to disable it.

Closing Words

It is not without irony that Mozilla’s implementation in Firefox is in fact worse from a user’s point of view than Google’s. Google is prompting users, using euphemistic words, about the ad tracking feature. Mozilla has just enabled the feature without prompting users about it.

Mozilla has recently bought an ad-tech startup called Anonym, which it says is working on privacy-preserving ad technology.

Are you a Firefox user? What is your take on this? Feel free to leave a comment down below!

Security

Should you save passwords in a browser?

Posted on by Martin Brinkmann

All modern web browsers include password management functionality. It makes sense on first glance to integrate the functionality; most users sign-in to services on the Internet regularly.

One of the main advantages of password managers in browsers is convenience. The browser recognizes new logins and prompts users to save the information. Similarly, it proposes to sign-in using saved data whenever a website is found in the password manager’s database.

It is handy and that is the reason why it is widely used.

Disadvantages exist as well:

  • Functionality is limited to a specific browser – Synchronization support may extend the reach, but it is still a limiting factor.
  • Automatic login functionality is limited to a browser – It cannot be used to sign-in to apps and other services that are not opened in the browser.
  • Protective features are limited — Usually to the device password or Pin.

Limited functionality

When you save a password in a browser, it is stored by it in a database on the local device.

If synchronization is enabled, the database will be synced across all devices on which the browser is installed and synchronization is enabled.

Still, it is limited to that browser. If you use multiple browsers, then you won’t be able to use the functionality there as well, unless you use import features.

The saving of passwords and automatic logins are also limited to the browser. If you need to log in to an application on the device, then you need to do so manually by copying the username and password from the browser’s password manager.

Security is limited

Security and protective features are another. Depending on the password manager, passwords may not be saved with a password. Some browsers support setting a primary password to protect the password database, but in many cases, it is not enabled by default.

Anyone with access to the PC may get access to the stored passwords of browsers. While that requires the account password for the PC in question, it may open up a can of worms in some cases.

The browser may prompt for a password or a pin when the password manager is opened and entries are inspected there. However, there is no such protection when visiting saved websites. Browsers like Chrome will fill out the passwords on the sites and sign-in users automatically.

It is even possible to show passwords in plain text by manipulating the HTML code of the website. This is not a problem if the account password is strong and you never leave the PC unattended.

Synchronization is convenient, but it moves the password database into the cloud. It is encrypted, but it adds another attack vector that would not exist if the database would be stored locally only.

How dedicated password managers compare

Here are the main differences:

  • A password is required to create a new password database — This means that it is protected by the device password and also the password the user selects during creation.
  • Additional protective features are available — This may include two-factor authentication for extra protection, customizing security features, such as the number of iterations.
  • Password managers run system-wide — You can use them to sign into apps or other services on the device, independent of any browser or program.
  • Self-hosting may be supported — Instead of relying on a server by a company, you can self-host the cloud space.
  • Open source and audits — Many browsers are not open source. Good password managers are audited regularly.

Some of the features depend on the password manager. My recommendation goes to Bitwarden and KeePass. There are numerous others that you can try.

Granted, password managers are not perfect. They cannot help you if you need to sign-in to a service on your Smart TV, but neither can browser password managers.

Closing Words

Using a password manager is highly recommended. If you use a browser password manager, make sure you configure extra security features, if needed. This may include setting up a primary password, enabling operating system protections, or using a strong device password or pin.

Standalone password managers offer more functionality. Good ones offer better security right away, more customization options, and a lot more that browser password managers do not support.

To answer the question of this article: a dedicated password manager is better in many regards, but it is still better using a browser password manager than none at all.

What about you? Do you use a password manager? If so, what is the program that you use currently and why?

Nord Security launches File Checker online tool

Posted on by Martin Brinkmann

Nord Security, maker of the popular VPN service NordVPN, has published a new online tool. File Checker is a free online security tool to check files for malware.

Online virus scanners are useful to check a small number of files for viruses and other unwanted code. Google-owned Virustotal is probably the uncrowned king of these types of tools.

Here is what you need to know about the new File Checker tool:

  • It is free to use on the NordVPN website; an account is not required.
  • File Checker works on any platform.
  • Recommended file size is 50 megabytes or less, but it works with larger files. There is a limit though, as it would not scan a 160 megabytes file.

File Checker is also integrated into NordVPN’s Threat Protection feature. I did not give the feature a recommendation back then as it installed a certificate on the system that gave it a high level of control.

Threat Protection back then supported the scanning of files, but limited this to files of a size of up to 20 megabytes.

File Checker

The website provides little information on the File Checker technology. Most of the information is basic, explaining that you can get viruses through infected phishing emails or that PDF files can contain viruses.

In fact, the only information about File Checker is that it was created by NordVPN.

File Checker was developed by NordVPN, a global leader in cybersecurity with over 10 years of experience. Our experts curate a massive real-time database of threats and use advanced technologies, including artificial intelligence and machine learning, to continuously improve File Checker.

Nord Security maintains a list of threats and uses technology, including AI and machine learning, to improve it. This does not tell us anything about how good or bad the product is.

File Checker does have a few disadvantages when compared to Virustotal:

  • You can only scan individual files that are on the local device already and links. Virustotal supports this and it includes a Search for finding already scanned files.
  • Virustotal furthermore displays information about the scanned file, including details, behavioral information, and also community comments.
  • File Checker uses a single service, Nord Security’s own, to scan files for malware. Virustotal checks dozens of antivirus engines, which provides a clearer picture.

Should you use the standalone File Checker tool?

While it is commendable that File Checker is free, it is held back by the fact that it relies on a single threat database. Virustotal is the better option, as it provides results from dozens of antivirus services.

Furthermore, it is integrated in NordVPN, which means that all customers may enable this to get automatic file checking. Still, most antivirus applications support this as well.

What about you? Do you use online file scanning services to check downloaded files before you open them on your devices?