News Items

A new study by researchers at Neustar International Security Council (NISC) surveyed 304 senior professionals across six EMEA and US markets. The researchers found that three in five (60%) of organizations would consider paying an extortion demand in the event of a ransomware attack. The research also revealed that one in five businesses would be prepared to spend 20% or more of their annual revenue to restore their systems in these situations. Many participants (80%) emphasized defending against ransomware attacks in light of current events, and more than two-thirds (69%) saw ransomware as a growing threat to their organization, making it the top concern across more than a dozen attack vectors. The participants were also asked for their views on the effectiveness of currently available security technologies in protecting against ransomware. Close to three-quarters (74%) stated they were either 'very' or 'somewhat' sufficient, while 26% viewed the technologies as 'somewhat' or 'very' insufficient.

Infosecurity reports: "60% of Businesses Would Consider Paying a Ransomware Demand"

Security experts from Nozomi Networks have warned of a critical IoT supply chain vulnerability that may affect millions of connected cameras globally, allowing attackers to hijack video streams. Nozomi Networks revealed the flaw in a popular software component from ThroughTek, which OEMs use to manufacture IP cameras, baby and pet monitoring cameras, and robotic and battery devices. CISA released its own security alert for the ThroughTek P2P SDK yesterday, giving it a critical CVSS score of 9.1. According to the advisory, it affects: versions 3.1.5 and older; SDK versions with nossl tag; and device firmware that does not use AuthKey for IOTC connection, uses the AVAPI module without enabling DTLS, or uses the P2PTunnel or RDT module. In this case, P2P refers to functionality that allows a client on a mobile or desktop app to access audio/video streams from a camera or device through the internet. Nozomi Networks claimed that the protocol used for transmission of those data streams lacks a secure key exchange, and it relies instead on an obfuscation scheme based on a fixed key. This means that unauthorized attackers could access it to reconstruct the audio/video stream, effectively enabling them to snoop on users remotely. The bug could also lead to unauthorized eavesdropping on camera video and audio, device spoofing, and device certificate hijacking. ThroughTek placed the blame firmly on developers who have incorrectly implemented its SDK or failed to update the offering. ThroughTex stated that version 3.3 was introduced in mid-2020 to fix this vulnerability and urged any customers to update the SDK version used in their products.

Infosecurity reports: "IoT Supply Chain Bug Hits Millions of Cameras"

The Cancer Centers of Southwest Oklahoma recently announced that it was involved in a data breach that may have leaked sensitive patient information. The data security incident occurred on April 28 through Elekta, a Swedish software company and business associate of the centers. The breach may have impacted over 40 other healthcare organizations. A forensic investigation confirmed the exposure of Social Security numbers, dates of birth, and medical treatment details. However, financial information was not involved in the breach. Elekta began working with leading cyber experts and law enforcement upon learning of the incident to conduct an investigation in order to understand how the breach happened, mitigate possible harm, and offer customers a solution that ensures cancer patients still receive proper radiotherapy treatments. The software company is also offering free access to identity monitoring, fraud consultation, and identity theft restoration services. This article continues to discuss the Elekta data breach, the response to the incident, other healthcare organizations that the breach has impacted, and other recent large-scale cyberattacks against organizations in the healthcare sector.

HealthITSecurity reports "Elekta Data Breach Leaks Patient Info at Oklahoma Cancer Center"

A significant advancement towards a user-friendly computing environment, in which the guarantee of security is as strong as a mathematical proof, has been made by a team of researchers at Carnegie Mellon University's CyLab. They revealed a new provably secure computing environment that can protect users' communication with devices like the keyboard, mouse, or display, even if malicious hackers compromise operating systems and other applications. This secure environment will make malicious activities such as sniffing users' keystrokes, capturing screen output, and stealing or modifying data stored on user-pluggable devices, impossible. The researchers presented an I/O separation model that explains what it means to protect the communications of isolated applications running on commonly compromised operating systems, including Windows, Linux, and macOS. According to the team, their I/O separation model is the first mathematically proven model to achieve communication separation for all kinds of I/O hardware and I/O kernels, which are the programs aiding interactions between software and hardware components. This type of secure environment has become more important than ever, as workers increasingly utilize Virtual Desktop Infrastructures (VDIs) to operate remote desktops. CyLab's Virgil Gligor, a professor of electrical and computer engineering (ECE) and a co-author of the work, says that business, government, and industry can benefit from this platform and its VDI application because of the shift to remote work and the need to protect sensitive applications from attacks. This article continues to discuss the capabilities, potential benefits, and applications of the new provably secure computing platform presented by CyLab researchers.

CyLab reports "A Big Step Towards Cybersecurity's Holy Grail"

NATO has warned it is prepared to treat cyberattacks in the same way as an armed attack against any of its allies and issue a military response against the perpetrators. In a communique issued by governments attending the meeting of the North Atlantic Council in Brussels yesterday, the military alliance revealed it had endorsed a Comprehensive Cyber Defence Policy, in which a decision will be taken to invoke Article 5 "on a case-by-case basis" following a cyberattack. Under Article 5 of the NATO treaty, first signed in 1949, when any NATO ally is the victim of an armed attack, it will be considered an attack on all alliance members, who will theoretically take any actions necessary to defend that ally. The announcement by NATO has come amid rising cyber threats to the alliance. NATO highlighted recent ransomware and other types of cyberattacks targeting their critical infrastructure and democratic institutions, which might have systemic effects and cause significant harm. NATO has stated that they consider cyber as a legitimate military domain on several occasions in recent years, and the new policy clarifies this stance.

Infosecurity reports: "NATO Warns it Will Consider a Military Response to Cyber-Attacks"

Utilities' vulnerability to application exploits goes from bad to worse in just weeks. The amount of time that utility networks spend exposed to a known application exploit has spiked over the past two months. A new report from WhiteHat Security measured the amount of time a sector remained vulnerable to a known application exploit out in the wild, a metric they call an industry's window of exposure (WoE). The researchers found the WoE for the utility sector climbed from 55 percent two months ago to 67 percent last month. The researchers stated that application specific attacks are equally prevalent, if not more likely, than ransomware. Application weakness is an easy backdoor for the installation of ransomware, especially given the high-impact nature of the ransomware in utilities. The spike in WoE for the utility sector is attributable to several factors. According to researchers, the first is a shift of clunky legacy systems into internet-facing applications. In essence, the legacy systems were never meant to be internet-facing, and now they are, the researchers stated.

Threatpost reports: "Utilities 'Concerningly' at Risk from Active Exploits"

Taking a look behind the Science of Security (Podcast)

Our very own Adam Tagert recently featured as a guest on the Cyberwire podcast's Research Saturday show where he discussed the Science of Security. Read more below and check out the podcast (linked here).

According to a new report by Fujitsu, more than half (54%) of senior executives have struggled to adapt security policies to changes in the threat landscape and working practices. Fujitsu conducted a survey in September 2020. The findings from the survey provide further evidence that many organizations are at higher risk of cyberattacks due to the shift to remote working during COVID-19, with cybercriminals taking advantage of the rising number of connections and devices to target corporate systems. The findings also indicated that current cybersecurity training techniques are not suited to the current situation. Close to two-thirds (61%) of employees surveyed said they believe their security training is ineffective, while around three-quarters (74%) of non-technical staff do not find it engaging enough. Additionally, 32% of participants thought their company's training courses were too long, and 35% said it was too boring or technical. The researchers stated that these feelings might be partly explained by many organizations having a standardized approach to cybersecurity training. More than half (60%) of senior executives surveyed for the study admitted that all employees in their business receive the same type of training irrespective of the type of function they perform. Senior executives also recognized a degree of apathy among their employees when it comes to cybersecurity, with 45% stating that most people in their organization believe this has nothing to do with them.

Infosecurity reports: "54% of Senior Executives Struggling to Keep up with Threat Landscape"

McDonald's was impacted by a data breach that affected customers and employees in South Korea and Taiwan and company operations in the United States. The breach, which was first reported Friday, was the result of a cyberattack. Hackers who broke into the computer system of McDonald's Corp. accessed only a small number of files before their intrusion was detected. During their period of unauthorized access, cybercriminals stole personal information belonging to delivery customers in Taiwan and South Korea. Information accessed and pilfered included customer emails, phone numbers, and addresses. Employee information stolen by the hackers included the names and contact information of McDonald's workers in Taiwan. No customer payment details were accessed or stolen in the attack. In the United States, hackers were able to access some business contact details for employees and franchisees. They also compromised restaurant data that included seating capacities and the size of play areas measured in square feet. McDonald's said no data belonging to US customers were affected and that the exposed employee information did not include any personal or sensitive data. McDonald's did not disclose exactly how many files were exposed or the number of people who were affected by the data breach. The data breach was detected by external consultants hired by McDonald's to investigate an incidence of unauthorized activity on an internal security system.

Infosecurity reports: "McDonald's Suffers Data Breach"

A new study by Symantec analyzed hundreds of thousands of Android and iOS apps released to Google Play and Apple's App Store between 2017 and 2021. The study's goal was to identify apps breaking the green padlock, which indicates a secure communication channel between the user's browser and the server, and apps that disable features such as App Transport Security (ATS) for iOS developed to improve privacy and data integrity. Findings from the study reveal that many mobile application developers are intentionally disabling secure HTTPS protections when sending data from a user's browser to the server, thus leaving sensitive data vulnerable to being intercepted and compromised by attackers. One reason for this seems to be to facilitate the delivery of advertisements through the apps. The study showed that 7 percent of iOS apps and 3.4 percent of Android apps deliberately break the green padlock. Symantec found that these apps are actively sending data to insecure network servers and disabling SSL validation. According to Symantec, the volume of iOS apps with these behaviors has not declined as more iOS apps (45,158 out of 593,208) were found exhibiting dangerous behavior in 2020 than in previous years. On the other hand, the volume of Android apps breaking the padlock has been decreasing, with a drop from 5 percent in 2017 to 2.4 percent currently. A total of 12,243 out of 249,640 Android apps were found to be vulnerable in 2017. There are currently 2,376 out of 99,170 Android apps that break the padlock. Apps breaking HTTPS protections spanned multiple categories, such as gaming and finances. This article continues to discuss key findings from Symantec's analysis of iOS and Android apps.

Dark Reading reports "Many Mobile Apps Intentionally Using Insecure Connections for Sending Data"

The U.S. division of the global meat company JBS made the decision to pay $11 million to the operators behind the ransomware attack launched against its facilities in order to prevent any potential risk for its customers. The company also revealed that the payment was made after the impacted meat processing plants were operational again. The cybersecurity firm Sophos reported that the average ransom amount paid by ransomware victims in 2020 was $170,404. The highest ransom paid in 2020 among the organizations surveyed by Sophos was $3.2 million, which was less than a third of what JBS paid. However, $11 million is not the highest ransom paid in 2021 so far, as CNA Financial, one of the largest insurance companies in the U.S., reportedly paid hackers $40 million after it was hit with a ransomware attack that blocked access to the company's network and stole its data. Many attackers know that they could gain much more by targeting large companies. The average ransom demand grew between $50 million and $70 million over the first half of 2021, with most victims having paid a fraction of the demanded ransom after negotiating the amount down. Victims have relied on their cyber insurance policy to pay for some, if not all, of the rest of the ransom. Successful payments still motivate attackers to demand large ransoms. This article further discusses why attackers are demanding more, why ransomware victims are paying, and how organizations can defend against more costly ransomware.

Security Intelligence reports "What's Behind Rising Ransomware Costs?"

Gaming giant Electronic Arts (EA) have discovered that hackers have stolen a wealth of data, including game source code and tools for several popular games. The hackers behind the attack have advertised a total of 780GB of data for sale on a dark web forum. Among the data stolen was the source code for the popular football game FIFA 21 and code for its matchmaking server, and source code and tools for the Frostbite engine, which powers several EA games, including Battlefield. Additionally, the attackers took proprietary EA frameworks and software development kits. EA stated that it appears that the hackers stole no personal data of customers in the breach and does not expect the attack to impact their games or their business. They also stated that players should not be at an increased risk of cyberattacks, phishing, or identity theft due to the attack. A principal security consultant at F-Secure explained that the most significant impact of the data theft could be that it offers valuable information for EA's competitors to exploit. The security consultant stated that the EA source code and tools have a surprisingly high value to any company that operates in the shadows and wants to get a leg up in competing with the bigger game development companies.

Infosecurity reports:"Gaming Giant EA Suffers Major Data Breach"

Researchers with NordLocker have discovered a 1.2-terabyte batch of data containing 26 million sets of login credentials, 1.1 million unique email addresses, over 2 billion browser cookies, and 6.6 million files. The massive trove of sensitive data also included more than 1 million images and over 650,000 Word and PDF files. This data was extracted by malware, which the researchers have not yet identified. According to the researchers, the malware took a screenshot after it infected a computer and took a picture using the computer's webcam. The data was also stolen from messaging, email, gaming, and file-sharing apps. They found that the data was collected from over 3 million PCs between 2018 and 2020. This collection of data could be used to perform ransomware attacks, conduct espionage, and more. This article continues to discuss the sensitive information contained by the 1.2-terabyte database, the extraction of the data using malware, and the malicious activities that attackers could perform with this data.

Ars Technica reports "Mystery Malware Steals 26M Passwords from Millions of PCs"

One of the challenges associated with smart home systems is that they are always on and listening. This raises privacy concerns because such systems could be streaming all of a user's audio back to some servers that could be used for anything, including malicious activities. A team of U-M researchers wanted to develop ways to use the functionality of smart speakers without private conversations being recorded. They have developed a device called PrivacyMic that can be used to inform a smart home or listen for the signal that would activate a smart speaker without eavesdropping on audible sound. Ultrasonic sound at frequencies higher than the range of human hearing is the key element of PrivacyMic. Computer monitors, running dishwashers, and finger snaps generate ultrasonic sounds with a frequency of 20 kilohertz or higher. Humans cannot hear them, but PrivacyMic, along with dogs and cats, can. The PrivacyMic system combines the ultrasonic information surrounding us to identify when its services are needed as well as sense what is happening around it. According to the researchers, PrivacyMic can identify household and office activities at an accuracy rate higher than 95 percent. There are many situations in which users want their home automation system or smart speaker to understand what is happening in their home but do not want their conversations to be recorded. The researchers found that it is possible to have a system that can understand what is happening while ensuring that it will not record audible information. PrivacyMic can filter out audible information on the device, making it more secure than encryption or other security measures that take actions to protect audio data after it has been recorded or limit who has access to it. These measures could leave sensitive information vulnerable to hackers, but PrivacyMic ensures that the information does not exist. This article continues to discuss how PrivacyMic offers another layer of privacy for users.

The University of Michigan reports "'PrivacyMic': For a Smart Speaker That Doesn't Eavesdrop"

The ransomware attack against Colonial Pipeline, which led to a rise in gas prices, panic buying, and localized fuel shortages, brought further attention to how dangerous the disruption of the petrochemical pipeline industry could be. It appears that another pipeline-focused business suffered a ransomware attack around the same time when the Colonial Pipeline cyberattack occurred. A group called Xing Team posted 70 GB of files stolen from LineStar Integrity Services, a company based in Houston that sells auditing, compliance, maintenance, and technology services to pipeline customers. The data includes 73,500 emails, accounting files, contracts, nearly 19 GB of software code, 10 GB of human resources files that consist of employee driver's licenses, Social Security cards, and more. While this breach did not disrupt infrastructure like the Colonial Pipeline incident, security researchers warn that the exposure of this data could give hackers a roadmap to target more pipelines. There is concern that the data could include information about the software architecture or physical equipment used by LineStar's pipeline customers. Xing Team has used the rebranded version of Mount Locker ransomware to encrypt victims' files. The group has also used the tactic of threatening to leak unencrypted data to pressure victims into paying. This article continues to discuss the ransomware attack on LineStar, the company's response to the incident, and how this attack could enable follow-on targeting of other pipelines.

Wired reports "Ransomware Struck Another Pipeline Firm--and 70 GB of Data Leaked"

The email security company Agari has shared the results from a study on the anatomy of compromised email accounts. The threat intelligence brief titled "Anatomy of a Compromised Account" delves into the use of credential phishing sites by threat actors to gather passwords as well as what the actors do with them post-compromise. The Agari Cyber Intelligence Division (ACID) conducted a six-month investigation, seeding over 8,000 phishing sites that imitate Microsoft Account, Microsoft Office 365, and Adobe Document Cloud login screens. In order to gain a better insight into the lifecycle of a compromised account, the team linked individual phishing attacks to specific actors and their post-compromise actions following the successful submission of credentials. The investigation found that threat actors manually accessed 91 percent of all accounts within the first week. Half of the compromised accounts were accessed by threat actors within the first 12 hours. Automated account validation techniques were applied by 23 percent of phishing sites. Threat actors were found to be located in 44 countries, with 47 percent being in Nigeria. When the attackers successfully gained access to the compromised accounts, their goal of identifying those who have access to a company's financial information or payment system so that they could effectively send vendor email compromise scams, became clear. The attackers also used the compromised accounts to send malicious emails and register for additional software that can help run their scams. This article continues to discuss Agari's key findings surrounding how cybercriminals access and use compromised accounts.

GlobeNewswire reports "Scammers Access 50% of Compromised Accounts Within 12 Hours According to New Research"

A collaboration between Quantum Communications Hub researchers based at Heriot-Watt University and their German colleagues has brought the world a step closer towards ultimately secure conference calls. Their work has enabled a quantum-secured conversation to happen between four parties at the same time. This advancement is timely, given the rise in remote collaborative work, including conference calls, during the COVID-19 pandemic. This increase in remote collaborative work has come with a significant escalation of the launch of cyberattacks on popular teleconferencing platforms. The advancement in quantum-secured communications could enable unhackable security measures for conference calls, supported by quantum physics principles. The system demonstrated by the team employs entanglement, an essential property of quantum physics. Entanglement is a quantum physics property that provides correlations between two or more quantum systems, even when they are separated by large distances. By harnessing multi-party entanglement, the team was able to share cryptographic keys between four parties simultaneously, using a process called Quantum Conference Key Agreement. This allowed the team to overcome the limitations associated with traditional Quantum Key Distribution (QKD) that only allow the sharing of keys between two users. The defeat of these limitations enabled the first quantum conference call in which an image of a Cheshire cat was shared between four parties separated by up to 50 kilometers of optical fiber. This article continues to discuss the advancement that could lead to quantum-secured conference calls.

Heriot-Watt University reports "Quantum Holds the Key to Secure Conference Calls"

A new study conducted by researchers at University College London (UCL) in the UK explores the security risks associated with wearable devices and children's IoT connected toys. The study found that there is a lack of security for such devices, especially those designed to be used by children. Smart toys were found to be lacking the most basic cybersecurity precautions, leaving them open to abuse by hackers. Security researchers have discovered that the exploitation of flaws in some smart watches' apps could allow hackers to gain access to a child's historical route data, monitor their geolocation in real-time, as well as directly speak to the child via the watch without the communication being reported to the parent's app. Some connected toys have hidden cameras and microphones that could be hacked to secretly record a child's room. The researchers say that the safety of trackers and toys can be improved by standardizing minimum security requirements that manufacturers must meet. These standards should include the removal of factory default passwords on devices. Manufacturers should publish a vulnerability disclosure to help users better understand the security risks associated with the devices. Regular software updates should also be made in response to vulnerabilities uncovered by researchers. This article continues to discuss the potential exploitation and impact of security flaws in smart toys and trackers and how to improve the safety of such devices.

The Conversation reports "It's Far Too Easy for Abusers to Exploit Smart Toys and Trackers"

The world's largest meat processing company JBS was hit with a ransomware attack that affected some servers supporting its North American and Australian IT systems. JBS facilities in Australia, the U.S., and Canada experienced disruptions. In response to the attack, JBS USA took impacted systems offline, reported the incident to law enforcement, and started working with an external incident response team on remediation efforts. This incident has caused some meat plants to shut down, employees to be sent home, and livestock to be sent back to farmers. According to the White House principal deputy press secretary Karine Jean-Pierre, the ransomware attack was launched by a criminal organization likely linked to Russia. Katie Nickels, director of intelligence at the security firm Red Canary says that this ransomware attack against JBS serves as another reminder that ransomware is a serious threat that affects not only the cybersecurity community but also the average person. Following the cyberattack against the Colonial Pipeline that led to gas shortages and higher prices in the U.S., the JBS incident highlights the fragility of supply chains, whether they involve food, gasoline, or other essential products. Cybersecurity practitioners alone cannot combat ransomware. Policymakers must be involved in taking action against such attacks. This article continues to discuss the impact of and response to the JBS cyberattack, as well as the growing escalation of ransomware attacks and efforts to address this threat.

Wired reports "Ransomware Hits a Food Supply Giant--and Underscores a Dire Threat"

Researchers from Positive Technologies have identified ten vulnerabilities in CODESYS automation software for Industrial Control Systems (ICS), some of which have been rated high and critical in severity. According to Vladimir Nazarov, Head of ICS Security at Positive Technologies, the exploitation of these vulnerabilities can lead to remote command execution on a Programmable Logic Controller (PLC), which may, in turn, disrupt technological processes, cause industrial accidents, and create significant economic losses. Attackers do not need a username or password to exploit the vulnerabilities. Having access to the industrial would suffice. The researchers say that the main root of the vulnerabilities is insufficient input data verification, which could be the cause of failed compliance with secure development recommendations. Companies are advised to follow recommendations provided in CODESYS official notices to eliminate the vulnerabilities. This article continues to discuss the severity, potential exploitation, and elimination of the vulnerabilities found in CODESYS ICS automation software.

Help Net Security reports "Critical Vulnerabilities Identified in CODESYS ICS Automation Software"

The COVID-19 pandemic has changed how and where corporate resources are accessed, which heightens the need for organizations to update their identity and authentication systems. According to a 2021 Gartner CIO survey, more than 60 percent of employees at CIOs' organizations can now work from home, thus changing the shape of the landscape for authenticating users. It is important to remember that the transition to cloud-based services and the automation supporting digital workloads have resulted in significant increases in virtual machines, mobile devices, applications, containers, Internet of Things (IoT) devices, and other non-human entities, all of which are trying to have their own access to enterprise resources apart from the end user's identity. The management of machine identities has made it more important for organizations to engineer identity authentication and trust verification in all of their digital interactions. However, there is a debate regarding the paths of the security technologies: Public Key Infrastructure (PKI) and techniques, such as FIDO2 and Microsoft Windows Hello for Business. A report developed by CyberScoop delves into the importance and advantages of each technology. The report concludes that each of the technologies will likely play essential roles in the authentication of who and what can access an organization's resources. Experts, quoted in the report, suggest that these security approaches must work together as IT environments continue to evolve. This article continues to discuss the impact of the transition to remote work on the authentication landscape, the management of machine identities, PKI, FIDO2, and efforts to combine these technologies to provide broader enterprise-wide security.

CyberScoop reports "Why Combining FIDO2 and PKI Provides Broader Enterprise-Wide Security"

CNA, a US insurance giant, paid $40 million ransom to recover its systems in March. This was one of the largest payments so far. The attack was carried out using Phoenix CryptoLocker believed to have been used by Evil Corp a Russian cybercrime Network. Since the pandemic there has been a large increase in the number of ransomware attacks and ask payments by hackers. To defend against ransomware attacks, companies should secure all modes of initial access used to infiltrate networks, maintain regular data backups, and develop and use an appropriate recovery.

The Hacker News report "Insurance Firm CNA Financial Reportedly Paid Hackers $40 Million in Ransom"

Google recently released details regarding its discovery of a new Rowhammer vulnerability. The vulnerability dubbed "Half-Double" improves upon the attack style used against DRAM memory, first reported in 2014, suggesting that the Rowhammer problem will likely not go away anytime soon. The Rowhammer attack involves rapidly and repeatedly accessing data in one memory row on a RAM chip to trigger bit flips and create an electrical charge that changes data stored in other addresses in a nearby memory row on a chip. The attacking memory rows are called the aggressors, while the rows where bit flips occur are called victim rows. Since the discovery of the first Rowhammer attack, researchers have shown many ways in which the technique can be used to change data stored on RAM cards, including DDR3 and DDR4 generations. The Rowhammer attack was initially limited to scenarios where a threat actor had physical access to the target, but researchers have proven that the attack could be executed over the web remotely and used to gain control over Linux virtual machines in the cloud. Google Project Zero (GPZ) researchers explained that the attack works because DRAM cells are becoming increasingly smaller and close together, making it more difficult to prevent the cells from interacting electrically with each other. According to Google, the Half-Double attack technique takes advantage of the worsening physics of some of the newer DRAM chips to alter memory contents. This article continues to discuss the original Rowhammer attack and how the Half-Double technique expands it.

ZDNet reports "Google Reveals a New Rowhammer Attack"

Hackers used fake ads on Google to trick users into downloading a malicious AnyDesk application. The ad campaign ranked higher in downloads than even the real AnyDesk ads. Researchers estimated that over 40% of users who clicked on the fake ad, downloaded and installed the malware, showing that this was a very successful strategy for the fraudsters. While Google does some automated and human reviews to block malvertising, experts advise it needs to do more to develop better screening to block malware in ads.

Threatpost reports "Targeted AnyDesk Ads on Google Served Up Weaponized App"