Clickbait Chaos: Hackers Exploit Google Ads in Sophisticated Malvertising Campaign

Malvertising, Google Ads Exploitation, Sophisticated Cyber Threats, Deceptive Advertising
The "Clickbait Chaos" campaign is a sophisticated malvertising scheme in which hackers exploit Google Ads to distribute malicious software. By mimicking legitimate ads, cybercriminals deceive users into clicking links that lead to malware-laden sites.

Indicators of Compromise


Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION


T1566 - Phishing


| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0015 | Application Log | Application Log Content | Monitor for third-party application logging, messaging, and/or other artifacts that may send phishing messages to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[17][18] URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link. Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers. Correlate these records with system events. |
| DS0022 | File | File Creation | Monitor for newly constructed files from phishing messages to gain access to victim systems. |
| DS0029 | Network Traffic | Network Traffic Content | Monitor and analyze SSL/TLS traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[17][18] |
| DS0029 | Network Traffic | Network Traffic Flow | Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. |

Observed Countries: 250
