literature.cafe

517 readers
13 users here now

(and anyone else, really)

This is a general special interest lemmy instance focusing on lovers of all things pertaining to reading and writing and all of the people that enjoy it as well as fandoms and niches that exist within reading circles. We federate with other instances, with our local communities being focused primarily on the above.

If you want to federate a new community, go to lemmyverse.net and copy a link to a community and paste it into the search bar. Be patient!

Also, consider installing instance assistant to better navigate lemmy and find communities better! Find links to download them here: firefox, chrome, edge

Instance Rules

Keep it cozy. (No -isms, bigotry, gatekeeping, or general disrespect. Just be nice!)
Please, no visual porn. (Smut and discussion of smut is OK as long as it is tagged as NSFW.)
No spam.
Be mindful of other instance rules.
Keep self-promo to a minimum.
Tag AI generated content as such.
Please avoid piracy.

Server Info

Registration is open with human approval, just to make sure there's no bots afoot. Approval should take less than a day (and are sometimes near instant)

Please check your spam folder for an email from noreply@literature.cafe if you are having difficulty finding email confirmation.

Community creation is enabled. When creating new communities please be mindful of the instance focus.

If you have any issues or concerns, please message an admin

For those visiting from other instances, we have a community directory to make finding communities easier: !411@literature.cafe

We also have alternative lemmy UIs to use for those who want them.

A familiar UI - old.literature.cafe

Photon - ph.literature.cafe

Tesseract (photon fork with more multimedia focused features) - t.literature.cafe

Donations are greatly appreciated and go entirely to server costs but are not required.

founded 1 year ago

ADMINS

gabe

Arthur

admin

Google-hosted malvertising leads to fake Keepass site that looks genuine (arstechnica.com)

submitted 1 year ago by reddthat@reddthat.com to c/techsploits@reddthat.com

4 comments fedilink

Another win for us adblock users

Google-hosted malvertising leads to fake Keepass site that looks genuine (arstechnica.com)

submitted 1 year ago by Renneder@sh.itjust.works to c/becomeme@sh.itjust.works

2 comments fedilink

Google-hosted malvertising leads to fake Keepass site that looks genuine (arstechnica.com)

submitted 1 year ago by bot@lemmy.smeargle.fans to c/hackernews@lemmy.smeargle.fans

0 comments fedilink

HN Discussion

Google-hosted malvertising leads to fake Keepass site that looks genuine (arstechnica.com)

submitted 1 year ago by haxor@derp.foo to c/hackernews@derp.foo

3 comments fedilink

There is a discussion on Hacker News, but feel free to comment here as well.

177

Google-hosted malvertising leads to fake Keepass site that looks genuine (arstechnica.com)

submitted 1 year ago by ram@bookwormstory.social to c/technology@lemmy.ml

15 comments fedilink

archive

Google has been caught hosting a malicious ad so convincing that there’s a decent chance it has managed to trick some of the more security-savvy users who encountered it.

Looking at the ad, which masquerades as a pitch for the open-source password manager Keepass, there’s no way to know that it’s fake. It’s on Google, after all, which claims to vet the ads it carries. Making the ruse all the more convincing, clicking on it leads to ķeepass[.]info, which when viewed in an address bar appears to be the genuine Keepass site.

A closer link at the link, however, shows that the site is not the genuine one. In fact, ķeepass[.]info —at least when it appears in the address bar—is just an encoded way of denoting xn--eepass-vbb[.]info, which it turns out, is pushing a malware family tracked as FakeBat. Combining the ad on Google with a website with an almost identical URL creates a near perfect storm of deception.

“Users are first deceived via the Google ad that looks entirely legitimate and then again via a lookalike domain,” Jérôme Segura, head of threat intelligence at security provider Malwarebytes, wrote in a post Wednesday that revealed the scam.

Information available through Google’s Ad Transparency Center shows that the ads have been running since Saturday and last appeared on Wednesday. The ads were paid for by an outfit called Digital Eagle, which the transparency page says is an advertiser whose identity has been verified by Google.

Google representatives didn’t immediately respond to an email, which was sent after hours. In the past, the company has said it promptly removes fraudulent ads as soon as possible after they’re reported.

The sleight of hand that allowed the imposter site xn--eepass-vbb[.]info to appear as ķeepass[.]info is an encoding scheme known as punycode. It allows unicode characters to be represented in standard ASCII text. Looking carefully, it’s easy to spot the small comma-like figure immediately below the k. When it appears in an address bar, the figure is equally easy to miss, especially when the URL is backed by a valid TLS certificate, as is the case here.

The use of punycode-enhanced malware scams has a long history. Two years ago, scammers used Google ads to drive people to a site that looked almost identical to brave.com, but was, in fact, another malicious website pushing a fake, malicious version of the browser. The punycode technique first came to widespread attention in 2017, when a Web application developer created a proof-of-concept site that masqueraded as apple.com.

There’s no sure-fire way to detect either malicious Google ads or punycode encoded URLs. Posting ķeepass[.]info into all five major browsers leads to the imposter site. When in doubt, people can open a new browser tab and manually type the URL, but that’s not always feasible when they’re long. Another option is to inspect the TLS certificate to make sure it belongs to the site displayed in the address bar.