Wednesday, December 21, 2022

FBI: Use ad blockers to protect against brand impersonation

Today the FBI just announced, cyber criminals (which are easily recognizable according to the news and many websites for their predilection to wearing hoodies even in the summer) "are using search engine advertisement services to impersonate brands and direct users to malicious sites that host ransomware and steal login credentials and other financial information." Well, there are two parts for that:

Search engine advertising services

We are talking here about Search Engine Optimization (SEO), where you do magic tricks to move your website as close to the top search results since most people will not look more than 2 search page results for something. There are thousands of companies who make money helping businesses with this, including courses, Ez-Button products, and services ("give your url, what do you think you do, and we will take care of the rest for a price). What they are mentioning here is weaponization of that, which has been known as SEO poisoning since 2020. An example of that is when it was used to distribute BATLOADER malware.

Brand Impersonation

This is a traditional phishing tactic and relies on techniques such as (not exhaustive list):

  • typosquatting, which creates a fake website whose domain sounds close enough (within a typo or two) to that of a well known website. They pray on people like me, who mistypes a lot: if the browser returns a page that looks like the one victims expect instead of an error page, they may never noticed they are in the wrong site. This kind of attack is old enough -- yet still quite effective -- to be metioned in the 1999 Anticybersquatting Consumer Protection Act (ACPA)
  • URL Shortening, which converts long descriptive links into short sometimes cute ones that provide you no idea of where they really came from. Good ad blockers will check these links against lists of known spammers and block them, as shown in the picture below where UBlock origin does not allow a shortened url identified by the Perter Lowe's list of known domains serving ad content, tracking users, spyware servers, and occasionally malware and other nasty purposes. being blocked by UBlock origin
  • IDN homograph attack, an attack where tsome of the characters in the url of a website are replaced by similar (think 1 vs l) characters, or those from a different alphabet that look the same in a HTML-formatted email. As a result this can be seen as a more sophisticated version of typosquatting.
This leads the victim to the website containing the malware (think ransomware), some way to steal the victim's login crendentials, or a combination of both.

Is this a new form of attack?


Are ad blockers enough to stop this kind of attack?

There are no magic pills. They can only do so much. I recommend stopping and checking the url for a search engine result that smells suspicious. Some of the attacks mentioned above -- typosquatting and homograph -- can even be stopped by pasting the url in a proper text editor (think Notepad for windows or vim in Linux) that will not try to import fonts, and then just looking at them. With that said, I do use UBlock Origin myself; the picture on the top of this article is mine.

Should I panic and flail my arms while running in circles?

You could; if you do, make a video of it.

Do you have links for those apps/extensions you mentioned?