Incidents

GoogleBlock

A few days ago the Inquirer published a interesting little article talking about how Google hadn’t returned the search results he wanted, but instead told him his computer might be infected with a malicious program. And today one of our clients got caught the same way – the ubiquitous search engine was displaying the same error message to lots of the company’s staff.

I’m interested in why this happened. It’s not very difficult to find a possible answer: a lot of spammers use Google to find the emails of potential victims and automate this task by using little scripts which may be run from infected machines. So Google can implement a temporary block which is lifted when the user correctly responds to Google’s captcha by entering the letters and numbers shown, proving that s/he is not a spambot.

We’ve managed to reproduce the suspicious behaviour that can get a human user getting locked out of Google. And once the user’s been locked out, his/ her IP address get’s denylisted. This can be a problem if the user is coming in via a proxy server – it will be the proxy that will be seen as the attacker, and the proxy that gets blocked. Which means that all the users coming in via the same proxy will also be subject to the same restrictions, until someone correctly solves the captcha. It would of course be helpful if the Google warning clearly stated that it could be the proxy, rather than the user’s computer, which is suspected of being a bot. We’ve suggested this to Google, and we’ll let you know their response.

Of course, it might not be a false alarm at all – there might be an infected computer on your network, and Google raising the red flag could be the first sign of infection. But even though Google’s search capability may be awesome, a dedicated antivirus program is still going to be the most reliable way of catching malicious programs.

GoogleBlock

Your email address will not be published.

 

Reports

The SessionManager IIS backdoor

In early 2022, we investigated an IIS backdoor called SessionManager. It has been used against NGOs, government, military and industrial organizations in Africa, South America, Asia, Europe, Russia and the Middle East.

APT ToddyCat

ToddyCat is a relatively new APT actor responsible for multiple sets of attacks against high-profile entities in Europe and Asia. Its main distinctive signs are two formerly unknown tools that we call ‘Samurai backdoor’ and ‘Ninja Trojan’.

WinDealer dealing on the side

We have discovered that malware dubbed WinDealer, spread by Chinese-speaking APT actor LuoYu, has an ability to perform intrusions through a man-on-the-side attack.

APT trends report Q1 2022

This is our latest summary of advanced persistent threat (APT) activity, focusing on events that we observed during Q1 2022.

Subscribe to our weekly e-mails

The hottest research right in your inbox