Latest news with #DomainTools


Forbes
4 days ago
- General
- Forbes
Do Not Click On Any Of These Websites On Your PC
Do not click — ever.
[Image credit: Getty]

'If it looks like a duck,' starts the so-called Duck Test, then it's probably a duck. And sometimes, cybersecurity threats are just as simple to detect. So it is with the ClickFix attacks now running riot across PCs worldwide. Forget the lure. If a popup window or website asks you to copy and paste text into a prompt, then don't. It's an attack.

The latest warning comes from the investigators at DomainTools, with 'threat actors exploiting human trust' through 'Prove You Are Human' malware. This is ClickFix meets CAPTCHA, the fiddly little tests that ask you to pick out bikes or rearrange the pieces of a jigsaw puzzle. The copy and paste is presented as the human test.

DomainTools warns it has unearthed a 'malicious campaign that uses deceptive websites, including spoofed Gitcodes and fake Docusign verification pages, to trick users into running malicious PowerShell scripts on their Windows machines.' Those scripts 'download and execute multiple stages of additional scripts, ultimately leading to the installation of the NetSupport remote access trojan (RAT).'

With ClickFix, the dangerous script isn't copied and pasted by the victim; it's hosted elsewhere and retrieved by more innocuous text that is copied and pasted. This second stage 'also functioned as downloaders, making 3 or more web requests to retrieve and execute a third stage of scripts from other domains, which then retrieve and run a fourth stage resulting in NetSupport RAT running on the victim host.'

DomainTools being DomainTools, the team investigated and uncovered a broader malware ecosystem underpinning these attacks, with a raft of malicious domains registered for that purpose. This includes 'Docusign spoofed websites,' crafted to trick users into thinking a form or install page is legitimate.
[Image: New ClickFix ecosystem. DomainTools]

One such example was encoded with a cipher 'to avoid signature detections and obfuscation.' In this case, that's ROT13, 'in which a simple letter substitution replaces each letter with the 13th letter after it in the alphabet. Completing this operation twice effectively decodes the text.' The page presented back to the victim 'is designed to look like a Cloudflare 'Checking your browser' / CAPTCHA page, mixed with Docusign branding.' This leads to so-called Clipboard Poisoning, which secretly copies text to the clipboard without the user realizing. 'The user is instructed to (Win+R, Ctrl+V, Enter) or in other words, open their Window Run prompt, copy in the malicious script, and run it.'

Fortunately, all these ClickFix attacks do require you to open a prompt, paste in text and then hit Enter. The obfuscation might disguise the lead-up to the attack, but if you know never to paste and execute any such command regardless of the lure, you will be protected from these attacks. DomainTools says this latest attack 'capitalizes on user trust and familiarity with common online interactions, such as document verification and code sharing platforms.' But if you can't be tricked into the final act, you're fine.

In its latest report, Gen (the company behind Norton and Avast) warns 'the most dangerous attacks aren't always the ones that sneak in unnoticed — they are often the ones that make you open the door yourself. Scam-Yourself Attacks rely on well-crafted social engineering tactics, designed to trick users into infecting their own devices.' But again, while 'ClickFix and FakeCaptcha continue to evolve,' including 'interactive image-based CAPTCHAs mimicking the classical 'select all the traffic lights' puzzle,' the net result is the same. 'After selecting the image, the user is once again redirected to the common set of malicious steps which result in infecting the user's device.'

Here is a list of other websites to look out for (domains defanged with [.] as published):
0xpaste[.]
aitradingview[.]app
aitradingview[.]dev
batalia-dansului[.]xyz
battalia-dansului[.]
betamodetradingview[.]dev
betatradingview[.]app
betatradingview[.]dev
charts-beta[.]
codepaste[.]io
dans-lupta[.]xyz
dev-beta[.]com
devbetabeta[.]
devchart[.]ai
developer-ai[.]dev
developerbeta[.]dev
developer-beta[.]
developer-mode[.]dev
developer-package[.]dev
developer-update[.]dev
devmodebeta[.]
devmode-beta[.]dev
devtradingview[.]ai
devtradingview[.]net
dev-update[.]
docusign[.]sa[.]com
docusign[.]za[.]com
docusimg[.]sa[.]com
docusingl[.]
docusingle[.]sa[.]com
gitcodes[.]app
gitcodes[.]io
gitcodes[.]
gitcodes[.]org
gitpaste[.]com
givcodes[.]com
hubofnotion[.]
jeffsorsonblog[.]dev
loyalcompany[.]net
mhousecreative[.]com
modedev[.]
modedeveloper[.]ai
modedeveloper[.]com
modedevs[.]ai
nsocks[.]
pasteco[.]com
pastefy[.]com
pastefy[.]
pastefy[.]pro
tradingviewai[.]dev
tradingview-ai[.]dev
tradingviewbeta[.]
tradingview-beta[.]dev
tradingviewdev[.]com
tradingviewindicator[.]dev
tradingviewtool[.]
tradingviewtoolz[.]com
tradingviewtradingview[.]dev
updatebeta[.]app
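A list like the one above is only useful once it is turned into something a proxy, resolver or mail filter can actually check. The following is an added example (not DomainTools' or Forbes' code) that refangs a `[.]`-style list into a blocklist and matches hostnames and URLs against it, subdomains included. SAMPLE_DEFANGED is a constructed excerpt in the same notation; entries that were cut off before their TLD, as several in the published list are, are reported as incomplete rather than silently matched, because a bare label such as `gitcodes` would otherwise never match anything or, worse, would match the wrong thing if guessed.

```python
"""Turn a defanged domain list into a working blocklist and check
hostnames / URLs against it.

Added example, not DomainTools' or Forbes' code. SAMPLE_DEFANGED is a
constructed excerpt in the article's `[.]` notation; the truncated entry
(no TLD after the last `[.]`) mirrors the cut-off entries in the published
list and is reported instead of matched.
"""
import re
from urllib.parse import urlsplit

# Constructed sample in the defanged notation used by the article.
SAMPLE_DEFANGED = """
docusign[.]sa[.]com docusign[.]za[.]com gitcodes[.]io gitcodes[.]
pastefy[.]com tradingview-beta[.]dev hxxp://dev-beta[.]com/verify
"""

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def refang(token: str) -> str:
    """Undo common defanging ([.], (.), [dot], hxxp) and reduce a URL to its host."""
    t = token.strip().lower()
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[dot]", ".")):
        t = t.replace(defanged, real)
    t = re.sub(r"^hxxps?://", "http://", t)
    if "://" in t:
        t = urlsplit(t).hostname or ""
    return t


def parse_defanged_list(text: str):
    """Return (blocklist, incomplete): valid domains, and tokens that were cut off."""
    blocklist, incomplete = set(), []
    for token in text.split():
        host = refang(token)
        labels = host.split(".")
        # A trailing '.' or a single label means the TLD was lost in the report.
        if host.endswith(".") or len(labels) < 2 or not all(_LABEL.match(l) for l in labels):
            incomplete.append(token)
            continue
        blocklist.add(host)
    return blocklist, incomplete


def is_blocked(hostname: str, blocklist) -> bool:
    """True if hostname is a listed domain or a subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in blocklist)


def is_url_blocked(url: str, blocklist) -> bool:
    """Apply is_blocked to the host part of a URL."""
    return is_blocked(urlsplit(url).hostname or "", blocklist)


BLOCKLIST, INCOMPLETE = parse_defanged_list(SAMPLE_DEFANGED)

if __name__ == "__main__":
    print("blocklist:", sorted(BLOCKLIST))
    print("incomplete entries (need the full domain from the source):", INCOMPLETE)
    for u in ("https://docusign.sa.com/verify", "https://docusign.com/"):
        print(u, "->", "BLOCK" if is_url_blocked(u, BLOCKLIST) else "allow")
```

The suffix match deliberately requires a leading dot, so `notpastefy.com` does not match `pastefy.com`, and the check is on the parsed hostname rather than the raw URL, so a listed domain appearing only in a path or query string does not trigger a false positive.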
Yahoo
28-05-2025
- General
- Yahoo
Don't Fall For It: Fake Bitdefender Site Will Infect Your PC With Malware
A hacker is using interest in free antivirus software to spread a nasty malware infection to Windows PCs, according to security researchers. The malware is circulating through a fake Bitdefender website at bitdefender-download[.]co, which makes the domain appear legit. But in reality, the site will install three pieces of malware, warns the security provider DomainTools.

The fake site seems to spoof all the elements found on the official site for Bitdefender's free antivirus program for Windows. However, the download link on the malicious site will deliver a ZIP archive that contains the malicious attack, which includes the so-called "VenomRAT," a remote access Trojan that can secretly harvest passwords and record keystrokes. In addition, the attack will install the StormKitty and SilentTrinity malware programs, which can also steal passwords, including details for cryptocurrency wallets, and maintain long-term access to the PC. 'The implications of long-term access may include repeat compromise or selling access,' DomainTools added.

The security provider suspects the fake Bitdefender site was likely used in phishing attacks, since the malicious domain overlapped with internet infrastructure hosting other fake sites impersonating banks and IT services. A security researcher on X/Twitter initially spotted the fake Bitdefender site last week. In response, the antivirus company said: 'This website is not operated by Bitdefender or our partners, and we are working to have it taken offline. We do detect the file that it serves and also block access to the website.' Although the fake Bitdefender site remains up, Google's Chrome browser will flag the link to the free software as malicious, preventing users from downloading it.


Forbes
27-05-2025
- General
- Forbes
Microsoft Windows Warning—Do Not Install These Apps On Your PC
[Image: New warning as malware infects PCs]

A new warning has been issued for Microsoft users, after a raft of websites were caught installing dangerous apps onto Windows PCs. The attackers used websites that mimicked popular brands to trick users into installing apps that had been laced with malware designed to steal passwords and digital wallets. The warning comes courtesy of the security researchers at DomainTools, and there's a nasty sting in the tail with this one. Not only do victims put their passwords and wallets at risk, but the attackers have also been 'potentially selling access to their systems.'

It all starts with a 'Download for Windows' button on a fake website. DomainTools says these apps actually pushed three different malware loads on victims: 'VenomRAT sneaks in, StormKitty grabs your passwords and digital wallet info, and SilentTrinity ensures the attacker can stay hidden and maintain control.'

Copied brands include Bitdefender, ironically, as well as various banks, including Royal Bank of Canada, and Microsoft's sign-in page. Another reason to follow the Windows-maker's advice for its billion users, and ditch passwords for passkeys.
[Image: Fake Bitdefender website with 'Download for Windows' button.]

Of the three installs, it's VenomRAT that does the real damage. The researchers say they 'tracked down the attackers' command centers, identified other malware they likely used, and uncovered their web of fake download sites and phishing traps spoofing as banks and online services,' to map the infrastructure behind these attacks.

DomainTools says these attacks follow the recent trend for attackers to build malware from open-source components. 'This 'build-your-own-malware' approach makes these attacks more efficient, stealthy, and adaptable. While the open-source nature of these tools can help security experts spot them faster, the primary victims here are everyday internet users,' which means security hurdles are materially lower.

Three key rules will help keep you safer: If you're on a website and see an app you want to download, go to your usual, official app store and download from there. If you need to use a company's website, access it through a normal search or app, not through any links in texts or emails.


Forbes
25-05-2025
- Forbes
Never Use These 100 Websites With Google Chrome
You have been warned — check Chrome now.
[Image credit: Jaap Arriens/NurPhoto]

A serious new warning for Google Chrome users this week, with the release of a list of websites you must never use. There's a twist though. These websites hide behind major brands and trick you into installing dangerous malware. The tell is simple though — so while the list of websites is linked below, there's an easier way to stay safe.

With Chrome users already facing a critical update warning, DomainTools found more than 100 websites [listed here on Github] 'masquerading as legitimate services, productivity tools, ad and media creation or analysis assistants, VPNs, Crypto, banking and more.' Each website includes a Get Chrome Extension or Add to Chrome button. DomainTools warns that while the extensions correspond to ones on Google's Chrome Web Store (CWS), these 'typically have a dual functionality, in which they generally appear to function as intended, but also connect to malicious servers to send user data, receive commands, and execute arbitrary code.'

DomainTools has examples of fake DeepSeek, YouTube, Flight Radar, Calendly and VPN websites and extensions as lures. Extensions partially work, but are 'configured with excessive permissions to interact with every site the browser visits and retrieve and execute arbitrary code from a network of other actor controlled domains.'
[Image: Dangerous extensions. DomainTools]

Unsurprisingly, the hosting infrastructure is common across the campaign. While mimicking DeepSeek and YouTube is simple brand hijacking, fake VPN extensions as a means to attack Chrome users is beyond ironic. These VPN extensions 'connect to a malicious backend client [to] listen for commands.' When instructed, the extension 'uses to retrieve all browser cookies.' It can even inject scripts into open Chrome tabs to run its own malicious code.
[Image: Website lure and malicious extension. DomainTools]

DomainTools says these attacks have been more than a year in the making. 'This malicious actor has deployed over 100 fake websites and malicious Chrome extensions with dual functionalities. Analysis revealed these extensions can execute arbitrary code from attacker-controlled servers on all visited websites, enabling credential theft, session hijacking, ad injection, malicious redirects, traffic manipulation, and phishing via DOM manipulation. Some extensions were also observed attempting to steal all browser cookies, which may lead to account compromises.'

While the Chrome Web Store 'has removed multiple of the actor's malicious extensions after malware identification,' DomainTools warns 'the time lag in detection and removal pose a threat to users seeking productivity tools and browser enhancements.' To stay safe, check carefully before installing extensions. While that means using official stores, it also means checking names and reviews carefully and ensuring developers behind those extensions have been verified. Such add-on software is a well-proven vulnerability with Chrome, and 'vigilance is key to avoiding these threats.' Most of the API domains identified by DomainTools as being part of this attack have a .TOP top level domain. Yet another warning to see .TOP as high risk at all times.
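The permission profile DomainTools describes, broad access to every site combined with the ability to run scripts and read cookies, is visible in an extension's manifest before anything is installed. The following is an added example (not DomainTools' code) that audits a Chrome extension manifest for that combination. The two sample manifests and the risk rules are constructed for illustration; the permission names are the ones Chrome actually uses, but the descriptions attached to them are my own summaries.

```python
"""Audit a Chrome extension manifest for the pattern the report describes:
broad host access plus APIs that let the extension run code on, or read data
from, every site the browser visits.

Added example, not DomainTools' code. The two sample manifests and the
risk rules are constructed for illustration.
"""
import json
import re

# Match patterns whose host part is a bare wildcard, i.e. every site.
ALL_SITES = re.compile(r"^(?:<all_urls>|(?:\*|https?|file|ftp)://\*/.*)$")

# Permissions worth a second look, with assumed one-line descriptions.
SENSITIVE_APIS = {
    "cookies": "read and modify cookies on permitted hosts",
    "scripting": "inject and execute scripts in pages",
    "tabs": "enumerate and control open tabs",
    "webRequest": "observe network requests",
    "webRequestBlocking": "modify or block network requests",
    "declarativeNetRequest": "rewrite or redirect requests",
    "debugger": "attach the DevTools protocol to tabs",
    "nativeMessaging": "talk to native programs on the host",
}

# Constructed manifest resembling a dual-function "VPN" extension.
SAMPLE_SUSPICIOUS = json.dumps({
    "manifest_version": 3,
    "name": "Constructed VPN Helper (sample)",
    "permissions": ["cookies", "scripting", "storage", "tabs"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["content.js"]}],
})

# Constructed manifest for a narrowly scoped extension.
SAMPLE_BENIGN = json.dumps({
    "manifest_version": 3,
    "name": "Constructed Notes (sample)",
    "permissions": ["storage"],
    "host_permissions": ["https://api.example.com/*"],
})


def audit(manifest) -> dict:
    """Summarise host scope, sensitive APIs and an overall risk level."""
    m = json.loads(manifest) if isinstance(manifest, str) else manifest
    perms = m.get("permissions", [])
    # MV2 manifests put host patterns in "permissions"; MV3 uses "host_permissions".
    host_perms = m.get("host_permissions", []) + [
        p for p in perms if "://" in p or p == "<all_urls>"
    ]
    cs_matches = [
        pat for cs in m.get("content_scripts", []) for pat in cs.get("matches", [])
    ]
    broad_hosts = sorted({p for p in host_perms if ALL_SITES.match(p)})
    cs_everywhere = any(ALL_SITES.match(p) for p in cs_matches)
    sensitive = sorted(p for p in perms if p in SENSITIVE_APIS)

    # Code on every visited site: a content script matched everywhere, or the
    # scripting API combined with all-site host access.
    code_on_all_sites = cs_everywhere or (bool(broad_hosts) and "scripting" in sensitive)
    if code_on_all_sites:
        risk = "high"
    elif broad_hosts or sensitive:
        risk = "medium"
    else:
        risk = "low"

    return {
        "name": m.get("name", ""),
        "broad_hosts": broad_hosts,
        "content_scripts_on_all_sites": cs_everywhere,
        "sensitive_apis": sensitive,
        "notes": [f"{p}: {SENSITIVE_APIS[p]}" for p in sensitive],
        "risk": risk,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_SUSPICIOUS, SAMPLE_BENIGN):
        print(json.dumps(audit(sample), indent=2))
```

The manifest cannot show whether code is fetched from a remote server at run time; that requires looking at the extension's scripts and network behaviour. What it does show, cheaply and before installation, is whether the extension has asked for the reach that would make such behaviour possible on every site you visit.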


Forbes
16-05-2025
- Forbes
Hacking Disaster Warning—Delete All These Emails On Your PC
You have been warned — do not engage.

The FBI warns cybercriminals will 'exploit mass casualty events and disasters' as lures 'to commit fraud,' primarily through soliciting donations for fake charities or other good causes, preying on people's natural instincts to help. Beyond financial theft, these lures include links to steal credentials and to install malware on people's devices. This hacking of disasters and mass casualty events is just the tip of an ugly iceberg. A new investigation by the research team at DomainTools found that when 'viral media events capture global attention… a different group also takes notice: malicious actors looking to capitalize on the public's interest and urgency.'

I reported on this threat earlier this year, when Veriti warned 'as California grapples with devastating wildfires,' with entire communities affected, 'those disasters are serving as fertile ground for cybercriminals seeking to exploit chaos and uncertainty. Then as now, it's 'alarming trends in phishing scams linked to the ongoing disasters [that] With the Californian fires still raging, Veriti reported 'in just 72 hours, we identified multiple newly registered domains linked to the California fires.' This isn't rocket science — far from it. Those domains were as simple as can be, the likes of malibu-fire[.] Back then, Veriti said the fires 'underscore the dual tragedy of natural disasters and cyber exploitation. As hackers continue to refine their techniques, awareness and vigilance are critical in preventing against their attacks.'
[Image: Malicious website will steal your donations]

Now, DomainTools says 'for almost all events, we identified websites explicitly seeking to profit by being part of a legitimate donation foundation supporting the cause (e.g., for the LA Fire, the Ukraine War, and other tragedies like the Myanmar earthquakes).'

As cybercriminals hack disasters in this way, the FBI warns citizens to 'do your own research before you donate to anything [and] confirm the validity of any charitable opportunity.' This includes 'reviewing email headers and domain information to evaluate legitimacy. Emails from official organizations almost never will come from free email services. IP addresses can reveal if the information is originating from overseas.' Unsurprisingly, this is DomainTools's domain — no pun intended. 'The sheer volume of newly observed domains in 2024 was over 106 million,' it says. 'Approximately 289,000 daily creates a significant challenge for security teams.'

The bureau warns users to 'be suspicious of online communications claiming to be from individuals affected by the events and seeking immediate financial assistance. Recognize that pressure to "act fast" might be a sign of a scam. [And] do not send payments to unknown individuals or organizations asking for financial assistance.' As LA fires dominated the news cycle, California's Attorney General Rob Bonta warned 'we have people with big hearts who want to help, they want to donate, they want to support the victims... We also see scammers who are taking advantage of that goodness and that generosity and scamming and defrauding those individuals.'

This latest report from DomainTools — switching LA for Myanmar and elsewhere — just shows nothing has changed. If you have such emails on your PC, whatever your email platform, delete them as soon as they come in. It's exactly the same advice as with the plague of so-called smishing texts also sweeping from state to state.
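The FBI advice quoted above (look at the headers, be wary of free-mail senders, treat 'act fast' pressure as a signal) can be applied mechanically before a message reaches a person. The following is an added example (not the FBI's or DomainTools' code) that triages a raw email's headers along those lines. The free-mail list, the two sample messages, the urgency phrases and the scoring are constructed assumptions; the header parsing uses Python's standard `email` module.

```python
"""Header triage for donation-themed email, following the advice quoted in
the article: who does the message claim to be from, where does it actually
come from, where do replies go, and does the subject apply pressure?

Added example, not the FBI's or DomainTools' code. FREE_MAIL_DOMAINS, the
URGENCY phrases, the sample messages and the verdict thresholds are my
own assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed list of consumer free-mail providers.
FREE_MAIL_DOMAINS = {
    "gmail.com", "outlook.com", "hotmail.com", "yahoo.com",
    "proton.me", "protonmail.com", "icloud.com", "aol.com",
}

# Assumed pressure phrases, matched case-insensitively in the subject.
URGENCY = re.compile(r"\b(urgent|act fast|immediately|right now|final notice)\b", re.I)

# Constructed sample: a charity-branded solicitation from a free-mail box.
SAMPLE_SUSPICIOUS = """\
From: "Red Cross Disaster Relief" <relief.donations2025@gmail.com>
Reply-To: payments@wildfire-relief-fund.example
To: you@example.org
Subject: URGENT: Help wildfire victims today
Date: Mon, 12 May 2025 09:00:00 +0000

Please act fast and send your donation via the link below.
"""

# Constructed sample: routine mail from an organisation's own domain.
SAMPLE_BENIGN = """\
From: "Example Charity" <info@examplecharity.org>
To: you@example.org
Subject: Your monthly newsletter
Date: Mon, 12 May 2025 09:00:00 +0000

Here is what your support made possible this month.
"""


def _domain(addr_header: str) -> str:
    """Domain part of an address header, lower-cased ('' if absent)."""
    return parseaddr(addr_header)[1].rpartition("@")[2].lower()


def triage(raw: str) -> dict:
    """Return the sender/reply domains, a list of findings and a verdict."""
    msg = message_from_string(raw)
    from_name, _ = parseaddr(msg.get("From", ""))
    from_dom = _domain(msg.get("From", ""))
    reply_dom = _domain(msg.get("Reply-To", ""))
    findings = []

    if from_dom in FREE_MAIL_DOMAINS:
        findings.append(f"sender uses free-mail provider {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"replies go to a different domain ({reply_dom})")
    # Display name claims an organisation, but none of its words appear in the domain.
    name_words = re.findall(r"[a-z]{4,}", from_name.lower())
    if name_words and not any(w in from_dom for w in name_words):
        findings.append(f"display name '{from_name}' does not match sender domain {from_dom}")
    if URGENCY.search(msg.get("Subject", "")):
        findings.append("subject applies time pressure")

    if len(findings) >= 2:
        verdict = "suspicious"
    elif findings:
        verdict = "review"
    else:
        verdict = "ok"
    return {"from_domain": from_dom, "reply_to_domain": reply_dom,
            "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for sample in (SAMPLE_SUSPICIOUS, SAMPLE_BENIGN):
        result = triage(sample)
        print(result["verdict"], "-", result["from_domain"])
        for f in result["findings"]:
            print("  *", f)
```

None of these checks proves fraud on its own; a small charity can legitimately use a free-mail account. The point is that several weak signals stacking up on one message is exactly the profile the FBI advice describes, and stacking them is something a mail filter can do consistently where a person under emotional pressure may not.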