[{"data":1,"prerenderedAt":2453},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":108,"navbar-resource-highlight":182,"blog/analysing-a-sophisticated-google-malvertising-attack":226},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"ga0kpxjhh76",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":6,"query":41,"data":42,"variations":97,"lastUpdated":98,"firstPublished":99,"testRatio":23,"createdBy":100,"lastUpdatedBy":101,"folders":102,"meta":103,"rev":107},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":93},"ewrererw","testrfesssssssssss",[46,73,81],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Meet Push's browser security experts at BlackHat 2026.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>Book a meeting →\u003C/p>","https://pushsecurity.com/events/blackhat-2026-meeting",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"@type":47,"@version":48,"id":74,"component":75,"responsiveStyles":79},"builder-a2e1f4b9f30b464bb814d7f5de5b0aa7",{"name":76,"options":77,"isRSC":62},"Custom Code",{"code":78,"scriptsClientOnly":6},"\u003Cstyle>\n  .top-banner.bg-web-orange{background:rgb(114, 79, 255);}\n\u003C/style>\n",{"large":80},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":82,"@type":47,"tagName":83,"properties":84,"responsiveStyles":88},"builder-pixel-o503s4fpvk","img",{"src":85,"aria-hidden":86,"alt":29,"role":87,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":89},{"height":68,"width":68,"display":90,"opacity":68,"overflow":91,"pointerEvents":92},"block","hidden","none",{"deviceSize":94,"location":95},"large",{"path":29,"query":96},{},{},1783541846936,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"kind":104,"lastPreviewUrl":105,"hasLinks":6,"breakpoints":106,"hasErrors":6,"hasAutosaves":6},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"kyujw1aptq",[109,145],{"createdDate":110,"id":111,"name":112,"modelId":113,"published":13,"stageModifiedSincePublish":6,"query":114,"data":115,"variations":138,"lastUpdated":139,"firstPublished":140,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":141,"meta":142,"rev":144},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":116,"type":117,"testimonialLink":118,"testimonial":119},{},"testimonial","/customer-stories/inductive-automation",{"@type":120,"id":121,"model":117,"value":122},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":123,"folders":124,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":128,"variations":132,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":135,"rev":137},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":129,"jobTitle":130,"quote":126,"image":131},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":136,"hasAutosaves":34},{"small":32,"medium":33},"e8bsg4qrgtu",{},1776247404986,1776247404973,[],{"breakpoints":143,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"g9lqcuxphw7",{"createdDate":146,"id":147,"name":148,"modelId":113,"published":13,"meta":149,"stageModifiedSincePublish":6,"query":151,"data":152,"variations":178,"lastUpdated":179,"firstPublished":180,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":181,"rev":144},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":150,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":153,"link":172,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":155},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":156,"folders":157,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":160,"variations":166,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":169,"rev":171},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":170,"hasAutosaves":34},{"small":32,"medium":33},"ulhc0im1hfo",{"text":173,"url":174},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[183,205],{"createdDate":184,"id":185,"name":148,"modelId":186,"published":13,"meta":187,"stageModifiedSincePublish":6,"query":189,"data":190,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":203,"rev":204},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":188,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":191,"link":199,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":192},{"query":193,"folders":194,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":195,"variations":196,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":197,"rev":171},[],[],{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":198,"hasAutosaves":34},{"small":32,"medium":33},{"text":173,"url":174},{},1776256937553,1776256937540,[],"xggsv10v1q9",{"createdDate":206,"id":207,"name":208,"modelId":186,"published":13,"stageModifiedSincePublish":6,"query":209,"data":210,"variations":220,"lastUpdated":221,"firstPublished":222,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":223,"meta":224,"rev":204},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":211,"type":117,"testimonial":212,"testimonialLink":118},{},{"@type":120,"id":121,"model":117,"value":213},{"query":214,"folders":215,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":216,"variations":217,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":218,"rev":137},[],[],{"author":129,"jobTitle":130,"quote":126,"image":131},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":219,"hasAutosaves":34},{"small":32,"medium":33},{},1776256974140,1776256974130,[],{"breakpoints":225,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"id":227,"title":228,"authorsCollection":229,"content":237,"extension":832,"faqItemsCollection":833,"faqTitle":62,"featured":6,"hashTags":62,"meta":835,"metaTitle":836,"ogImage":62,"publishedDate":837,"relatedBlogPostsCollection":838,"slug":2429,"stem":2430,"subtitle":62,"summary":2431,"synopsis":2442,"sys":2443,"tagsCollection":2446,"__hash__":2452},"blog/blog/analysing-a-sophisticated-google-malvertising-attack.json","Analysing a sophisticated Google malvertising attack impersonating TradingView",{"items":230},[231],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":235},"Dan Green","Dan","Threat Research",{"url":236},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"json":238,"links":699},{"data":239,"content":240,"nodeType":698},{},[241,250,257,264,271,280,284,294,301,307,314,320,326,333,339,346,352,359,365,368,376,398,407,427,447,453,461,481,487,493,500,503,511,530,536,543,546,554,574,581,616,619,627,646,653,686,692],{"data":242,"content":243,"nodeType":249},{},[244],{"data":245,"marks":246,"value":247,"nodeType":248},{},[],"We recently detected and blocked a particularly well-crafted malvertising attack targeting one of our customers. ","text","paragraph",{"data":251,"content":252,"nodeType":249},{},[253],{"data":254,"marks":255,"value":256,"nodeType":248},{},[],"The employee had searched for “tradingview” on Google and been served a malicious ad impersonating the real site, which they had clicked. ",{"data":258,"content":259,"nodeType":249},{},[260],{"data":261,"marks":262,"value":263,"nodeType":248},{},[],"As well as being a highly convincing clone of the real site, this attack demonstrated a number of creative detection evasion techniques designed to prevent security tools, analysts, and web scraping bots from flagging it as malicious. ",{"data":265,"content":266,"nodeType":249},{},[267],{"data":268,"marks":269,"value":270,"nodeType":248},{},[],"You can see a narrated clickthrough of the end-to-end attack in the video below. ",{"data":272,"content":278,"nodeType":279},{"target":273},{"sys":274},{"id":275,"type":276,"linkType":277},"V8NYoNBZBSZXSNBo2AfUZ","Link","Entry",[],"embedded-entry-block",{"data":281,"content":282,"nodeType":283},{},[],"hr",{"data":285,"content":286,"nodeType":293},{},[287],{"data":288,"marks":289,"value":292,"nodeType":248},{},[290],{"type":291},"bold","Attack breakdown","heading-1",{"data":295,"content":296,"nodeType":249},{},[297],{"data":298,"marks":299,"value":300,"nodeType":248},{},[],"When the victim clicked the malicious ad, they were initially directed to tradingview-charts-compare.primevoro[.]com, but then immediately redirected to a second site. In effect, the victim would never see this initial page — it is simply used as a benign site that only forwards the victim on if certain parameters are supplied from the initial Google ad link. ",{"data":302,"content":306,"nodeType":279},{"target":303},{"sys":304},{"id":305,"type":276,"linkType":277},"1v5dADDY2y9EAwCZ7ZnWVi",[],{"data":308,"content":309,"nodeType":249},{},[310],{"data":311,"marks":312,"value":313,"nodeType":248},{},[],"The first site that the victim would see is visually identical to the real TradingView site, at tradingplatforms[.]app. ",{"data":315,"content":319,"nodeType":279},{"target":316},{"sys":317},{"id":318,"type":276,"linkType":277},"iHIbILX30HMnqM4NXx86G",[],{"data":321,"content":325,"nodeType":279},{"target":322},{"sys":323},{"id":324,"type":276,"linkType":277},"2nK9Y4ZFejHtbWT2GcVNM1",[],{"data":327,"content":328,"nodeType":249},{},[329],{"data":330,"marks":331,"value":332,"nodeType":248},{},[],"Upon clicking the login button, they are taken to another convincingly designed page, where the victim is prompted to sign in with Google. ",{"data":334,"content":338,"nodeType":279},{"target":335},{"sys":336},{"id":337,"type":276,"linkType":277},"6il7lhKUz5VIgQW9shl9oc",[],{"data":340,"content":341,"nodeType":249},{},[342],{"data":343,"marks":344,"value":345,"nodeType":248},{},[],"Upon clicking the sign in with Google button, the victim is finally taken to the reverse proxy Attacker-in-the-Middle phishing page targeting Google. If the victim logs in, their credentials and live session is stolen by the attacker. ",{"data":347,"content":351,"nodeType":279},{"target":348},{"sys":349},{"id":350,"type":276,"linkType":277},"3LSrYN6X2qnBiMBoPi1Qse",[],{"data":353,"content":354,"nodeType":249},{},[355],{"data":356,"marks":357,"value":358,"nodeType":248},{},[],"You can see the timeline of URLs accessed in the chain captured in Push’s timeline feature, below. When we investigated, the phishing page had no user reports on urlscan. ",{"data":360,"content":364,"nodeType":279},{"target":361},{"sys":362},{"id":363,"type":276,"linkType":277},"5spFXtWBhTtB4LO3cYHv8Z",[],{"data":366,"content":367,"nodeType":283},{},[],{"data":369,"content":370,"nodeType":293},{},[371],{"data":372,"marks":373,"value":375,"nodeType":248},{},[374],{"type":291},"How did this attack evade standard detections?",{"data":377,"content":378,"nodeType":249},{},[379,383,394],{"data":380,"marks":381,"value":382,"nodeType":248},{},[],"It’s increasingly common for malicious sites to fly under the radar because of the effective use of ",{"data":384,"content":386,"nodeType":393},{"uri":385},"https://phishing-techniques.pushsecurity.com/",[387],{"data":388,"marks":389,"value":392,"nodeType":248},{},[390],{"type":391},"underline","detection evasion techniques","hyperlink",{"data":395,"marks":396,"value":397,"nodeType":248},{},[],", designed to defeat traditional security tools and web-scraping security bots. ",{"data":399,"content":400,"nodeType":406},{},[401],{"data":402,"marks":403,"value":405,"nodeType":248},{},[404],{"type":291},"Malvertising completely bypasses email-based controls","heading-2",{"data":408,"content":409,"nodeType":249},{},[410,414,423],{"data":411,"marks":412,"value":413,"nodeType":248},{},[],"By delivering the lure via ",{"data":415,"content":417,"nodeType":393},{"uri":416},"https://phishing-techniques.pushsecurity.com/techniques/malvertising/",[418],{"data":419,"marks":420,"value":422,"nodeType":248},{},[421],{"type":391},"malvertising",{"data":424,"marks":425,"value":426,"nodeType":248},{},[],", the attacker was able to completely bypass the most common phishing detection surface — email. ",{"data":428,"content":429,"nodeType":249},{},[430,434,443],{"data":431,"marks":432,"value":433,"nodeType":248},{},[],"Malvertising via channels like Google Search is an effective way to launch “watering hole” style attacks, casting a wide net to harvest credentials and account access that can be re-sold to other criminals for a fee, or leveraged by partners in the cybercriminal ecosystem as part of major cyber breaches (such as the recent attacks by the “",{"data":435,"content":437,"nodeType":393},{"uri":436},"https://pushsecurity.com/blog/scattered-lapsus-hunters/",[438],{"data":439,"marks":440,"value":442,"nodeType":248},{},[441],{"type":391},"Scattered Lapsus$ Hunters",{"data":444,"marks":445,"value":446,"nodeType":248},{},[],"” criminal collective, all of which began with identity-based initial access). For this reason, credentials and account access are an increasingly profitable commodity for cyber criminals. ",{"data":448,"content":452,"nodeType":279},{"target":449},{"sys":450},{"id":451,"type":276,"linkType":277},"7cq2IbGHIFH2UhkjIrwxGd",[],{"data":454,"content":455,"nodeType":406},{},[456],{"data":457,"marks":458,"value":460,"nodeType":248},{},[459],{"type":291},"Conditional loading parameters prevented the site being flagged as known-bad",{"data":462,"content":463,"nodeType":249},{},[464,468,477],{"data":465,"marks":466,"value":467,"nodeType":248},{},[],"The attacker used clever ",{"data":469,"content":471,"nodeType":393},{"uri":470},"https://phishing-techniques.pushsecurity.com/techniques/conditional-loading/",[472],{"data":473,"marks":474,"value":476,"nodeType":248},{},[475],{"type":391},"conditional loading",{"data":478,"marks":479,"value":480,"nodeType":248},{},[]," techniques to prevent the page being accessed unless the correct steps were followed. This means that security analysts attempting to load one of the pages in isolation would either be served with a benign page, or be blocked from accessing the page in order to analyse it for malicious content.  ",{"data":482,"content":486,"nodeType":279},{"target":483},{"sys":484},{"id":485,"type":276,"linkType":277},"2vjZTsrjuILnt5UjNx9Nce",[],{"data":488,"content":492,"nodeType":279},{"target":489},{"sys":490},{"id":491,"type":276,"linkType":277},"3pOLIA4beNZ9tU87YLlhT0",[],{"data":494,"content":495,"nodeType":249},{},[496],{"data":497,"marks":498,"value":499,"nodeType":248},{},[],"Further, the attacker tightly scoped the initial malvertising lure to prevent unwanted visitors. Google Ads can be targeted to searches coming from specific geographic locations, tailored to specific email domain matches, or specific device types (e.g. desktop, mobile, etc.). If you know where your target organization is located, you can tailor the ad to that location. ",{"data":501,"content":502,"nodeType":283},{},[],{"data":504,"content":505,"nodeType":293},{},[506],{"data":507,"marks":508,"value":510,"nodeType":248},{},[509],{"type":291},"Further observations",{"data":512,"content":513,"nodeType":249},{},[514,517,526],{"data":515,"marks":516,"value":29,"nodeType":248},{},[],{"data":518,"content":520,"nodeType":393},{"uri":519},"https://www.bleepingcomputer.com/news/security/google-ads-for-fake-homebrew-logmein-sites-push-infostealers/",[521],{"data":522,"marks":523,"value":525,"nodeType":248},{},[524],{"type":391},"According to security researchers",{"data":527,"marks":528,"value":529,"nodeType":248},{},[],", attackers have been recently observed running ClickFix malvertising campaigns over Google Search that also impersonated TradingView. These attacks attempted to deliver malware to Mac users, harvesting sensitive information stored in the browser, cryptocurrency credentials, and exfiltrating to the command and control server.",{"data":531,"content":535,"nodeType":279},{"target":532},{"sys":533},{"id":534,"type":276,"linkType":277},"VeLfUptGY8ygKHroPxTby",[],{"data":537,"content":538,"nodeType":249},{},[539],{"data":540,"marks":541,"value":542,"nodeType":248},{},[],"Attackers have been known to target investment and cryptocurrency accounts, particularly those aligned with North Korean state-sponsored operations. This is both targeting individual users as well as business accounts used in operating exchanges themselves, such as in the massive Bybit hack earlier this year. ",{"data":544,"content":545,"nodeType":283},{},[],{"data":547,"content":548,"nodeType":293},{},[549],{"data":550,"marks":551,"value":553,"nodeType":248},{},[552],{"type":291},"IoCs",{"data":555,"content":556,"nodeType":249},{},[557,561,570],{"data":558,"marks":559,"value":560,"nodeType":248},{},[],"Short-lived IoCs are of limited value when tackling modern phishing attacks due to the rate at which attackers are able to ",{"data":562,"content":564,"nodeType":393},{"uri":563},"https://phishing-techniques.pushsecurity.com/techniques/domain-rotation-redirection/",[565],{"data":566,"marks":567,"value":569,"nodeType":248},{},[568],{"type":391},"quickly spin up and rotate the sites used",{"data":571,"marks":572,"value":573,"nodeType":248},{},[]," in the attack chain, often dynamically serving different URLs to site visitors. ",{"data":575,"content":576,"nodeType":249},{},[577],{"data":578,"marks":579,"value":580,"nodeType":248},{},[],"That said, the domains observed in this chain were:",{"data":582,"content":583,"nodeType":615},{},[584,595,605],{"data":585,"content":586,"nodeType":594},{},[587],{"data":588,"content":589,"nodeType":249},{},[590],{"data":591,"marks":592,"value":593,"nodeType":248},{},[],"hxxps://tradingview-charts-compare.primevoro.com","list-item",{"data":596,"content":597,"nodeType":594},{},[598],{"data":599,"content":600,"nodeType":249},{},[601],{"data":602,"marks":603,"value":604,"nodeType":248},{},[],"hxxps://tradingplatforms.app",{"data":606,"content":607,"nodeType":594},{},[608],{"data":609,"content":610,"nodeType":249},{},[611],{"data":612,"marks":613,"value":614,"nodeType":248},{},[],"hxxps://accounts.aeonnailspa.com","unordered-list",{"data":617,"content":618,"nodeType":283},{},[],{"data":620,"content":621,"nodeType":293},{},[622],{"data":623,"marks":624,"value":626,"nodeType":248},{},[625],{"type":291},"How Push stopped the attack",{"data":628,"content":629,"nodeType":249},{},[630,634,642],{"data":631,"marks":632,"value":633,"nodeType":248},{},[],"Push doesn’t detect the redirect tricks or rely on outdated domain TI feeds. The reason we detect these attacks (which make it through all the other layers of phishing protection) is that Push sees what your users see. It doesn’t matter what ",{"data":635,"content":636,"nodeType":393},{"uri":385},[637],{"data":638,"marks":639,"value":641,"nodeType":248},{},[640],{"type":391},"delivery channel or camouflage methods are used",{"data":643,"marks":644,"value":645,"nodeType":248},{},[],", Push shuts the attack down in real time, as the user loads the malicious page in their web browser.",{"data":647,"content":648,"nodeType":249},{},[649],{"data":650,"marks":651,"value":652,"nodeType":248},{},[],"This isn’t all we do: Push’s browser-based security platform provides comprehensive detection and response capabilities against the leading cause of breaches. Push blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, malicious OAuth grants, ClickFix, and session hijacking. You don’t need to wait until it all goes wrong — you can also use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your identity attack surface.",{"data":654,"content":655,"nodeType":249},{},[656,660,669,673,682],{"data":657,"marks":658,"value":659,"nodeType":248},{},[],"To learn more about Push, ",{"data":661,"content":663,"nodeType":393},{"uri":662},"https://pushsecurity.com/resources/product-brochure",[664],{"data":665,"marks":666,"value":668,"nodeType":248},{},[667],{"type":391},"check out our latest product overview",{"data":670,"marks":671,"value":672,"nodeType":248},{},[]," or ",{"data":674,"content":676,"nodeType":393},{"uri":675},"https://pushsecurity.com/demo",[677],{"data":678,"marks":679,"value":681,"nodeType":248},{},[680],{"type":391},"book some time with one of our team for a live demo",{"data":683,"marks":684,"value":685,"nodeType":248},{},[],".",{"data":687,"content":691,"nodeType":279},{"target":688},{"sys":689},{"id":690,"type":276,"linkType":277},"6QzB0BlVC5mstXwXHvy2c3",[],{"data":693,"content":694,"nodeType":249},{},[695],{"data":696,"marks":697,"value":29,"nodeType":248},{},[],"document",{"entries":700},{"hyperlink":701,"inline":702,"block":703},[],[],[704,710,718,723,729,734,739,746,807,811,817,824],{"sys":705,"__typename":706,"title":707,"arcadeDemoUrl":708,"playText":709},{"id":275},"ArcadeDemo","TradingView Malvertising Attack Walkthrough","https://demo.arcade.software/EIVP2emVADsDxut9CZjO?embed","2 mins",{"sys":711,"__typename":712,"title":713,"caption":713,"layoutMode":62,"file":714},{"id":305},"Image","Initial landing page used as a redirect. This looks similar to many vibe coded sites used by attackers as part of their malvertising and phishing link chains. ",{"url":715,"width":716,"height":717},"https://images.ctfassets.net/y1cdw1ablpvd/2hBe7jYE9VEuAeICiV0yfU/642f74f4212c238e06090c256c9408bf/image5.png",1999,1204,{"sys":719,"__typename":712,"title":720,"caption":720,"layoutMode":62,"file":721},{"id":318},"Cloned TradingView site.",{"url":722,"width":716,"height":717},"https://images.ctfassets.net/y1cdw1ablpvd/71PIYOQpNCGqP35OOeOg44/0823d6231bc3ab492da47436e985025e/image7.png",{"sys":724,"__typename":712,"title":725,"caption":725,"layoutMode":62,"file":726},{"id":324},"The cloned TradingView site is almost identical to the real site.",{"url":727,"width":716,"height":728},"https://images.ctfassets.net/y1cdw1ablpvd/5MLctABFj0A38eIBtaZCAg/b420ac0c7e9b04f55f1b76a80627b373/image8.png",613,{"sys":730,"__typename":712,"title":731,"caption":731,"layoutMode":62,"file":732},{"id":337},"Convincing page prompting the victim to sign in with Google. ",{"url":733,"width":716,"height":717},"https://images.ctfassets.net/y1cdw1ablpvd/1hBfWMM1qhV7rKbwuieCB8/5ce3047801ac23b777fd6ae5ff03d7f4/image4.png",{"sys":735,"__typename":712,"title":736,"caption":736,"layoutMode":62,"file":737},{"id":350},"Attacker-in-the-Middle phishing page targeting Google. ",{"url":738,"width":716,"height":717},"https://images.ctfassets.net/y1cdw1ablpvd/192mknDIa1Cr7uVyjW0msk/ba0c0f272cac424e50ff0ad5a3eeb84e/image3.png",{"sys":740,"__typename":712,"title":741,"caption":741,"layoutMode":62,"file":742},{"id":363},"Push’s timeline of URLs and user actions throughout the phishing attack chain.",{"url":743,"width":744,"height":745},"https://images.ctfassets.net/y1cdw1ablpvd/1JoNJ3qxJgcpXZ4gBI5NeS/f52878e53e7b647e8258f6991b8bfb1d/image6.png",1820,1130,{"sys":747,"__typename":748,"content":749,"name":806,"title":62},{"id":451},"InsightTextBlockComponent",{"json":750},{"data":751,"content":752,"nodeType":698},{},[753,786],{"data":754,"content":755,"nodeType":249},{},[756,760,769,773,782],{"data":757,"marks":758,"value":759,"nodeType":248},{},[],"We’ve noticed a significant ",{"data":761,"content":763,"nodeType":393},{"uri":762},"https://pushsecurity.com/blog/analysing-a-malvertising-attack-targeting-business-google-accounts/",[764],{"data":765,"marks":766,"value":768,"nodeType":248},{},[767],{"type":391},"increase in malvertising attacks",{"data":770,"marks":771,"value":772,"nodeType":248},{},[]," for the delivery of phishing links, malware downloads, and ClickFix-style attacks (",{"data":774,"content":776,"nodeType":393},{"uri":775},"https://pushsecurity.com/blog/the-most-advanced-clickfix-yet/",[777],{"data":778,"marks":779,"value":781,"nodeType":248},{},[780],{"type":391},"4 in 5 ClickFix attacks intercepted by Push were delivered via Google Search",{"data":783,"marks":784,"value":785,"nodeType":248},{},[],").",{"data":787,"content":788,"nodeType":249},{},[789,793,802],{"data":790,"marks":791,"value":792,"nodeType":248},{},[],"At the same time, ",{"data":794,"content":796,"nodeType":393},{"uri":795},"https://pushsecurity.com/blog/uncovering-a-calendly-themed-phishing-campaign/",[797],{"data":798,"marks":799,"value":801,"nodeType":248},{},[800],{"type":391},"attacks targeting ad management accounts",{"data":803,"marks":804,"value":805,"nodeType":248},{},[]," used to propagate malicious ads are also on the rise, indicating that this is an area of focus for attackers.","Google malvertising blog insight box 1",{"sys":808,"__typename":712,"title":809,"caption":809,"layoutMode":62,"file":810},{"id":485},"Loading the initial URL directly serves up a benign website rather than redirecting to the next stage in the phishing chain.",{"url":715,"width":716,"height":717},{"sys":812,"__typename":712,"title":813,"caption":813,"layoutMode":62,"file":814},{"id":491},"Attempting to manually load the second site in the phishing chain results in access being denied, where conditional loading parameters are missing.",{"url":815,"width":716,"height":816},"https://images.ctfassets.net/y1cdw1ablpvd/16FOwZxxctoxktnsj9y0Rk/35de320ebb1163758bfa899020766b88/image2.png",1095,{"sys":818,"__typename":712,"title":819,"caption":819,"layoutMode":62,"file":820},{"id":534},"TradingView ClickFix lure reported by Bleeping Computer.",{"url":821,"width":822,"height":823},"https://images.ctfassets.net/y1cdw1ablpvd/5aQwcuSaJTqHma3pOPoijI/14515ddb907526c8d2867275f3f4e164/image1.png",688,525,{"sys":825,"__typename":826,"type":827,"ctaText":828,"buttonLabel":829,"buttonColour":830,"buttonUrl":831},{"id":690},"CtaWidget","Custom","Learn how phishing evolved in 2025, showcasing the most sophisticated attacks and key trends uncovered by Push researchers","Register Now","sunny orange","https://pushsecurity.com/webinar/phishing-2025-review","json",{"items":834},[],{},"Analysing a sophisticated Google malvertising attack","2025-12-08T00:00:00.000Z",{"items":839},[840,1235,1834],{"__typename":841,"sys":842,"content":844,"title":1217,"synopsis":1218,"hashTags":62,"publishedDate":1219,"slug":1220,"tagsCollection":1221,"authorsCollection":1231},"BlogPosts",{"id":843},"72lLmy0CXnOp3LWOdcUguX",{"json":845},{"data":846,"content":847,"nodeType":698},{},[848,855,862,868,875,908,915,921,928,934,940,946,952,958,961,969,976,983,990,998,1004,1023,1030,1047,1052,1055,1062,1069,1142,1149,1152,1159,1166,1173,1180,1206,1211],{"data":849,"content":850,"nodeType":293},{},[851],{"data":852,"marks":853,"value":292,"nodeType":248},{},[854],{"type":291},{"data":856,"content":857,"nodeType":249},{},[858],{"data":859,"marks":860,"value":861,"nodeType":248},{},[],"We recently detected and blocked a malvertising attack impacting one of our customer’s employees. The employee had searched for “Google ads” in Google Search to log into their Google Ads Manager account.  ",{"data":863,"content":867,"nodeType":279},{"target":864},{"sys":865},{"id":866,"type":276,"linkType":277},"40RyyKZC0R07wLU1OZBmH",[],{"data":869,"content":870,"nodeType":249},{},[871],{"data":872,"marks":873,"value":874,"nodeType":248},{},[],"The user:",{"data":876,"content":877,"nodeType":615},{},[878,888,898],{"data":879,"content":880,"nodeType":594},{},[881],{"data":882,"content":883,"nodeType":249},{},[884],{"data":885,"marks":886,"value":887,"nodeType":248},{},[],"Searched for “Google ads” in Google Search",{"data":889,"content":890,"nodeType":594},{},[891],{"data":892,"content":893,"nodeType":249},{},[894],{"data":895,"marks":896,"value":897,"nodeType":248},{},[],"Click the ad for hxxps://ads-adsword1.odoo.com/…",{"data":899,"content":900,"nodeType":594},{},[901],{"data":902,"content":903,"nodeType":249},{},[904],{"data":905,"marks":906,"value":907,"nodeType":248},{},[],"Was redirected to hxxps://sing-operador2.click/accounts/v3/login/ where the phishing form was blocked. ",{"data":909,"content":910,"nodeType":249},{},[911],{"data":912,"marks":913,"value":914,"nodeType":248},{},[],"When we came to investigate this detection further, we found that the site had already been taken down.  ",{"data":916,"content":920,"nodeType":279},{"target":917},{"sys":918},{"id":919,"type":276,"linkType":277},"6eAIVxgaEDQ9krKZvu8zyI",[],{"data":922,"content":923,"nodeType":249},{},[924],{"data":925,"marks":926,"value":927,"nodeType":248},{},[],"However, we were able to replicate the user’s activity to find other examples that show clear signs of being linked to the same campaign — both hosted on Odoo, with one also using Kartra as a redirect.",{"data":929,"content":933,"nodeType":279},{"target":930},{"sys":931},{"id":932,"type":276,"linkType":277},"1wGu0slZcKBNIUhuNk5SZN",[],{"data":935,"content":939,"nodeType":279},{"target":936},{"sys":937},{"id":938,"type":276,"linkType":277},"5SqaaD4vDzvdkzVX8ypxvB",[],{"data":941,"content":945,"nodeType":279},{"target":942},{"sys":943},{"id":944,"type":276,"linkType":277},"7IT185wut2jTtQy1lC9F5t",[],{"data":947,"content":951,"nodeType":279},{"target":948},{"sys":949},{"id":950,"type":276,"linkType":277},"78WkGo9ZTio1fYvfP7W68",[],{"data":953,"content":957,"nodeType":279},{"target":954},{"sys":955},{"id":956,"type":276,"linkType":277},"5CWMR1gxq3Uao4HGGhRLKE",[],{"data":959,"content":960,"nodeType":283},{},[],{"data":962,"content":963,"nodeType":293},{},[964],{"data":965,"marks":966,"value":968,"nodeType":248},{},[967],{"type":291},"Why malvertising & Google ads?",{"data":970,"content":971,"nodeType":249},{},[972],{"data":973,"marks":974,"value":975,"nodeType":248},{},[],"Malvertising attacks delivered over channels like Google Search are a great way to catch victims unawares while also evading typically email-based anti-phishing controls. ",{"data":977,"content":978,"nodeType":249},{},[979],{"data":980,"marks":981,"value":982,"nodeType":248},{},[],"The flipside of this is that malvertising attacks are less likely to be targeted than phishing delivered directly to the victim via a direct message (i.e. email, social media DM, instant messenger app, SMS, etc.). This appears to be true in this case: we were served the ad from a UK location despite the initial ad targeting an EU-based company. ",{"data":984,"content":985,"nodeType":249},{},[986],{"data":987,"marks":988,"value":989,"nodeType":248},{},[],"However, that isn’t to say that malvertising attacks can’t be targeted. For example, Google Ads can be targeted to searches coming from specific geographic locations, tailored to specific email domain matches, or specific device types (e.g. desktop, mobile, etc.). If you know where your target organization is located, you can tailor the ad to that location. Even more precise ad targeting can be achieved on social media platforms. ",{"data":991,"content":992,"nodeType":249},{},[993],{"data":994,"marks":995,"value":997,"nodeType":248},{},[996],{"type":291},"In this case, it appears that the attacker was specifically targeting Google Ad Manager accounts. ",{"data":999,"content":1003,"nodeType":279},{"target":1000},{"sys":1001},{"id":1002,"type":276,"linkType":277},"5JA7xWPghOBln49SfkvefW",[],{"data":1005,"content":1006,"nodeType":249},{},[1007,1011,1019],{"data":1008,"marks":1009,"value":1010,"nodeType":248},{},[],"With malvertising on the rise as an increasingly popular attack vector for the delivery of AITM phishing, malware downloads, and ",{"data":1012,"content":1013,"nodeType":393},{"uri":775},[1014],{"data":1015,"marks":1016,"value":1018,"nodeType":248},{},[1017],{"type":391},"ClickFix",{"data":1020,"marks":1021,"value":1022,"nodeType":248},{},[]," (4 in 5 ClickFix attacks intercepted by Push were delivered via Google Search), it makes sense that attackers are looking to increase their web of accounts from which to launch malicious ads. ",{"data":1024,"content":1025,"nodeType":249},{},[1026],{"data":1027,"marks":1028,"value":1029,"nodeType":248},{},[],"Particularly for organizations that are running large numbers of ads with pre-allocated budget/cards for their ad account, or organizations performing ad management/marketing services on behalf of other organizations, it’s easy to see how attackers can take over these accounts and spin up malicious ads. ",{"data":1031,"content":1032,"nodeType":249},{},[1033,1037,1044],{"data":1034,"marks":1035,"value":1036,"nodeType":248},{},[],"Malvertising via Google Search is an effective way to launch “watering hole” style attacks, casting a wide net to harvest credentials and account access that can be re-sold to other criminals for a fee, or leveraged by partners in the cybercriminal ecosystem as part of major cyber breaches (such as the recent attacks by the “",{"data":1038,"content":1039,"nodeType":393},{"uri":436},[1040],{"data":1041,"marks":1042,"value":442,"nodeType":248},{},[1043],{"type":391},{"data":1045,"marks":1046,"value":446,"nodeType":248},{},[],{"data":1048,"content":1051,"nodeType":279},{"target":1049},{"sys":1050},{"id":690,"type":276,"linkType":277},[],{"data":1053,"content":1054,"nodeType":283},{},[],{"data":1056,"content":1057,"nodeType":293},{},[1058],{"data":1059,"marks":1060,"value":553,"nodeType":248},{},[1061],{"type":291},{"data":1063,"content":1064,"nodeType":249},{},[1065],{"data":1066,"marks":1067,"value":1068,"nodeType":248},{},[],"The following domains were involved in the attacks:",{"data":1070,"content":1071,"nodeType":615},{},[1072,1082,1092,1102,1112,1122,1132],{"data":1073,"content":1074,"nodeType":594},{},[1075],{"data":1076,"content":1077,"nodeType":249},{},[1078],{"data":1079,"marks":1080,"value":1081,"nodeType":248},{},[],"hxxps://ads-adsword1.odoo.com",{"data":1083,"content":1084,"nodeType":594},{},[1085],{"data":1086,"content":1087,"nodeType":249},{},[1088],{"data":1089,"marks":1090,"value":1091,"nodeType":248},{},[],"hxxps://sing-operador2.click/accounts/v3/login",{"data":1093,"content":1094,"nodeType":594},{},[1095],{"data":1096,"content":1097,"nodeType":249},{},[1098],{"data":1099,"marks":1100,"value":1101,"nodeType":248},{},[],"hxxps://adsgooglie.odoo.com/",{"data":1103,"content":1104,"nodeType":594},{},[1105],{"data":1106,"content":1107,"nodeType":249},{},[1108],{"data":1109,"marks":1110,"value":1111,"nodeType":248},{},[],"hxxps://word4only.online/",{"data":1113,"content":1114,"nodeType":594},{},[1115],{"data":1116,"content":1117,"nodeType":249},{},[1118],{"data":1119,"marks":1120,"value":1121,"nodeType":248},{},[],"hxxps://adsloginacess.kartra.com/page/oeN7",{"data":1123,"content":1124,"nodeType":594},{},[1125],{"data":1126,"content":1127,"nodeType":249},{},[1128],{"data":1129,"marks":1130,"value":1131,"nodeType":248},{},[],"hxxps://ads-o.odoo.com",{"data":1133,"content":1134,"nodeType":594},{},[1135],{"data":1136,"content":1137,"nodeType":249},{},[1138],{"data":1139,"marks":1140,"value":1141,"nodeType":248},{},[],"hxxps://operador8-ads.lat/accounts/v3/login/",{"data":1143,"content":1144,"nodeType":249},{},[1145],{"data":1146,"marks":1147,"value":1148,"nodeType":248},{},[],"However, with the rate at which these domains were spun up and subsequently taken down (by the attacker or the site hosting the links) IoC-based detections for campaigns such as this are of limited value. ",{"data":1150,"content":1151,"nodeType":283},{},[],{"data":1153,"content":1154,"nodeType":293},{},[1155],{"data":1156,"marks":1157,"value":626,"nodeType":248},{},[1158],{"type":291},{"data":1160,"content":1161,"nodeType":249},{},[1162],{"data":1163,"marks":1164,"value":1165,"nodeType":248},{},[],"Regardless of the delivery channel, all roads lead to a web page accessed in the victim’s browser — where Push is waiting to detect and block the attack. ",{"data":1167,"content":1168,"nodeType":249},{},[1169],{"data":1170,"marks":1171,"value":1172,"nodeType":248},{},[],"By seeing what your users see, and getting an unfiltered, real-time view of the page as it loads, Push is able to pinpoint malicious content, code, and behaviors and shut the attack down before it happens. Whether it's entering credentials onto a phishing page, approving a malicious OAuth grant, installing a risky browser extension, or insecurely accessing an app with a weak password and no MFA, Push detects the action and responds in real-time.",{"data":1174,"content":1175,"nodeType":249},{},[1176],{"data":1177,"marks":1178,"value":1179,"nodeType":248},{},[],"Push blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, malicious OAuth grants, ClickFix, and session hijacking. You don’t need to wait until it all goes wrong either — you can use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your identity attack surface.",{"data":1181,"content":1182,"nodeType":249},{},[1183,1186,1193,1196,1203],{"data":1184,"marks":1185,"value":659,"nodeType":248},{},[],{"data":1187,"content":1188,"nodeType":393},{"uri":662},[1189],{"data":1190,"marks":1191,"value":668,"nodeType":248},{},[1192],{"type":391},{"data":1194,"marks":1195,"value":672,"nodeType":248},{},[],{"data":1197,"content":1198,"nodeType":393},{"uri":675},[1199],{"data":1200,"marks":1201,"value":681,"nodeType":248},{},[1202],{"type":391},{"data":1204,"marks":1205,"value":685,"nodeType":248},{},[],{"data":1207,"content":1210,"nodeType":279},{"target":1208},{"sys":1209},{"id":690,"type":276,"linkType":277},[],{"data":1212,"content":1213,"nodeType":249},{},[1214],{"data":1215,"marks":1216,"value":29,"nodeType":248},{},[],"Analysing a malvertising attack targeting business Google accounts intercepted by Push","Analysing a malvertising attack targeting Google business accounts that was intercepted by Push. ","2025-12-02T00:00:00.000Z","analysing-a-malvertising-attack-targeting-business-google-accounts",{"items":1222},[1223,1227],{"sys":1224,"name":1226},{"id":1225},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"sys":1228,"name":1230},{"id":1229},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"items":1232},[1233],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":1234},{"url":236},{"__typename":841,"sys":1236,"content":1238,"title":1817,"synopsis":1818,"hashTags":62,"publishedDate":1219,"slug":1819,"tagsCollection":1820,"authorsCollection":1826},{"id":1237},"6Zosy4SU0LpjlaSWX75peb",{"json":1239},{"data":1240,"content":1241,"nodeType":698},{},[1242,1249,1256,1263,1269,1276,1279,1287,1294,1301,1308,1314,1321,1327,1334,1340,1347,1353,1384,1391,1397,1404,1410,1417,1423,1430,1473,1476,1484,1491,1498,1505,1511,1514,1522,1529,1549,1555,1561,1567,1574,1580,1586,1606,1609,1617,1636,1642,1649,1665,1673,1680,1687,1693,1711,1719,1726,1732,1735,1742,1749,1755,1758,1766,1773,1780,1806,1811],{"data":1243,"content":1244,"nodeType":249},{},[1245],{"data":1246,"marks":1247,"value":1248,"nodeType":248},{},[],"We recently investigated a sophisticated phishing campaign targeting Google Workspace and Facebook Business accounts with Calendly-themed phishing lures, based around a fake job opportunity. ",{"data":1250,"content":1251,"nodeType":249},{},[1252],{"data":1253,"marks":1254,"value":1255,"nodeType":248},{},[],"We were first alerted to the campaign when a Push customer was hit with a highly targeted email-based attack, where the attacker used an Attacker-in-the-Middle (AiTM) phishing toolkit to target the customer’s Google Workspace account. ",{"data":1257,"content":1258,"nodeType":249},{},[1259],{"data":1260,"marks":1261,"value":1262,"nodeType":248},{},[],"In this case, Google was the customer’s primary enterprise IdP account, used to access native Google suite apps as well as SSO to downstream apps — effectively, the front door to their business IT stack. Despite this, the attacker’s MO was specifically the takeover of accounts used for the management of digital ads. ",{"data":1264,"content":1268,"nodeType":279},{"target":1265},{"sys":1266},{"id":1267,"type":276,"linkType":277},"5oivBCf1Fqvnq0GNCSko8f",[],{"data":1270,"content":1271,"nodeType":249},{},[1272],{"data":1273,"marks":1274,"value":1275,"nodeType":248},{},[],"In this blog post, we break down the various TTPs used by the attacker across the campaign, and consider why ad management platforms are being specifically targeted.  ",{"data":1277,"content":1278,"nodeType":283},{},[],{"data":1280,"content":1281,"nodeType":293},{},[1282],{"data":1283,"marks":1284,"value":1286,"nodeType":248},{},[1285],{"type":291},"Variant 1: Targeting Google Workspace with a sophisticated email phish ",{"data":1288,"content":1289,"nodeType":249},{},[1290],{"data":1291,"marks":1292,"value":1293,"nodeType":248},{},[],"The first phishing variant we analyzed began with a multi-stage phishing email lure, framed as a job opportunity for LVMH (Louis Vuitton Moët Hennessy), which oversees more than 75 brands across sectors like fashion, cosmetics, watches, and spirits. The specific delivery address is impersonating “Inside LVMH”, the talent acquisition and training arm of LVMH.  ",{"data":1295,"content":1296,"nodeType":249},{},[1297],{"data":1298,"marks":1299,"value":1300,"nodeType":248},{},[],"This lure is notable for multiple reasons. It is highly targeted, well-written, populated with information from the victim, and coming from what appears to be a legitimate employee of LVMH. Even if the victim was initially suspicious, searching for the recruiter’s name would appear to confirm their identity.  ",{"data":1302,"content":1303,"nodeType":249},{},[1304],{"data":1305,"marks":1306,"value":1307,"nodeType":248},{},[],"It is possible, even likely, that this interaction was operated using AI, using information scraped from the internet — but in any case, the outcome achieved is highly convincing. ",{"data":1309,"content":1313,"nodeType":279},{"target":1310},{"sys":1311},{"id":1312,"type":276,"linkType":277},"46BYpquURERbkhWc6C2Lpc",[],{"data":1315,"content":1316,"nodeType":249},{},[1317],{"data":1318,"marks":1319,"value":1320,"nodeType":248},{},[],"Only after the victim has responded to an initial email was the phishing link delivered under the guise of a Calendly link to book time for a call. ",{"data":1322,"content":1326,"nodeType":279},{"target":1323},{"sys":1324},{"id":1325,"type":276,"linkType":277},"37GBkfXGEdWvdQbMq65sad",[],{"data":1328,"content":1329,"nodeType":249},{},[1330],{"data":1331,"marks":1332,"value":1333,"nodeType":248},{},[],"Clicking the link takes the victim to an authentic-looking page impersonating a Calendly landing page.",{"data":1335,"content":1339,"nodeType":279},{"target":1336},{"sys":1337},{"id":1338,"type":276,"linkType":277},"1DwOPzK7mxsoJlEBp8cMpr",[],{"data":1341,"content":1342,"nodeType":249},{},[1343],{"data":1344,"marks":1345,"value":1346,"nodeType":248},{},[],"After completing the CAPTCHA check and selecting \"Continue with Google” the victim is redirected to an AiTM phishing page designed to capture Google Workspace credentials, with specific branding impersonating Calendly — making this visually distinct from most common Google-themed phishing pages. ",{"data":1348,"content":1352,"nodeType":279},{"target":1349},{"sys":1350},{"id":1351,"type":276,"linkType":277},"u1SY1uUX23sxfBYLpyaKb",[],{"data":1354,"content":1355,"nodeType":249},{},[1356,1360,1368,1372,1380],{"data":1357,"marks":1358,"value":1359,"nodeType":248},{},[],"This page uses ",{"data":1361,"content":1362,"nodeType":393},{"uri":470},[1363],{"data":1364,"marks":1365,"value":1367,"nodeType":248},{},[1366],{"type":391},"specific targeting parameters",{"data":1369,"marks":1370,"value":1371,"nodeType":248},{},[]," to ensure that only the intended recipient is able to access the page’s malicious functionality — a well-known ",{"data":1373,"content":1374,"nodeType":393},{"uri":385},[1375],{"data":1376,"marks":1377,"value":1379,"nodeType":248},{},[1378],{"type":391},"detection evasion technique",{"data":1381,"marks":1382,"value":1383,"nodeType":248},{},[]," to prevent security analysts from being able to fully analyse the page (as malicious elements are not rendered until this check is completed). ",{"data":1385,"content":1386,"nodeType":249},{},[1387],{"data":1388,"marks":1389,"value":1390,"nodeType":248},{},[],"As you can see in the example below, attempts to use any email other than the intended victim’s email domain are blocked.   ",{"data":1392,"content":1396,"nodeType":279},{"target":1393},{"sys":1394},{"id":1395,"type":276,"linkType":277},"5m8LvVYjXz0zrITgTWqxio",[],{"data":1398,"content":1399,"nodeType":249},{},[1400],{"data":1401,"marks":1402,"value":1403,"nodeType":248},{},[],"Only entering an allowed email domain loads the password entry field. ",{"data":1405,"content":1409,"nodeType":279},{"target":1406},{"sys":1407},{"id":1408,"type":276,"linkType":277},"6KFRJSsgk2pB6x67kWdpws",[],{"data":1411,"content":1412,"nodeType":249},{},[1413],{"data":1414,"marks":1415,"value":1416,"nodeType":248},{},[],"We identified a number of pages that appear to be part of the same campaign. All these pages have the same visual style, Calendly-themed lure targeting Google Workspace accounts, and appear to match real employees of the respective companies being impersonated. ",{"data":1418,"content":1422,"nodeType":279},{"target":1419},{"sys":1420},{"id":1421,"type":276,"linkType":277},"zMkN1U5QlvIEcfOGmhBBf",[],{"data":1424,"content":1425,"nodeType":249},{},[1426],{"data":1427,"marks":1428,"value":1429,"nodeType":248},{},[],"The different pages include:",{"data":1431,"content":1432,"nodeType":615},{},[1433,1443,1453,1463],{"data":1434,"content":1435,"nodeType":594},{},[1436],{"data":1437,"content":1438,"nodeType":249},{},[1439],{"data":1440,"marks":1441,"value":1442,"nodeType":248},{},[],"A different visual match for the LVMH page.",{"data":1444,"content":1445,"nodeType":594},{},[1446],{"data":1447,"content":1448,"nodeType":249},{},[1449],{"data":1450,"marks":1451,"value":1452,"nodeType":248},{},[],"A Lego recruitment themed page.",{"data":1454,"content":1455,"nodeType":594},{},[1456],{"data":1457,"content":1458,"nodeType":249},{},[1459],{"data":1460,"marks":1461,"value":1462,"nodeType":248},{},[],"A Mastercard HR themed page.",{"data":1464,"content":1465,"nodeType":594},{},[1466],{"data":1467,"content":1468,"nodeType":249},{},[1469],{"data":1470,"marks":1471,"value":1472,"nodeType":248},{},[],"An Uber recruitment themed page.",{"data":1474,"content":1475,"nodeType":283},{},[],{"data":1477,"content":1478,"nodeType":293},{},[1479],{"data":1480,"marks":1481,"value":1483,"nodeType":248},{},[1482],{"type":291},"Variant 2: Targeting Facebook Business accounts",{"data":1485,"content":1486,"nodeType":249},{},[1487],{"data":1488,"marks":1489,"value":1490,"nodeType":248},{},[],"Upon further investigation, we found links to a second phishing page style that appears to be part of a longer campaign targeting Facebook accounts, dating back more than two years. ",{"data":1492,"content":1493,"nodeType":249},{},[1494],{"data":1495,"marks":1496,"value":1497,"nodeType":248},{},[],"In total, we identified 31 unique URLs associated with the same campaign, many of which were recycled over time to impersonate different brands. ",{"data":1499,"content":1500,"nodeType":249},{},[1501],{"data":1502,"marks":1503,"value":1504,"nodeType":248},{},[],"Since most of these pages appeared to be older (and no longer live) they could not be analysed further, beyond giving an indication of how the phishing campaign has evolved over time. ",{"data":1506,"content":1510,"nodeType":279},{"target":1507},{"sys":1508},{"id":1509,"type":276,"linkType":277},"5PFRI9XtNVdkpYiRoIYpF",[],{"data":1512,"content":1513,"nodeType":283},{},[],{"data":1515,"content":1516,"nodeType":293},{},[1517],{"data":1518,"marks":1519,"value":1521,"nodeType":248},{},[1520],{"type":291},"Variant 3: Targeting both Google and Facebook accounts",{"data":1523,"content":1524,"nodeType":249},{},[1525],{"data":1526,"marks":1527,"value":1528,"nodeType":248},{},[],"We also discovered a third, more recent variant targeting both Google and Facebook accounts with Calendly-styled pages.",{"data":1530,"content":1531,"nodeType":249},{},[1532,1536,1545],{"data":1533,"marks":1534,"value":1535,"nodeType":248},{},[],"This variant looks to leverage a Browser-in-the-Browser style pop-up window similar to the ",{"data":1537,"content":1539,"nodeType":393},{"uri":1538},"https://pushsecurity.com/blog/analyzing-the-latest-sneaky2fa-phishing-page/",[1540],{"data":1541,"marks":1542,"value":1544,"nodeType":248},{},[1543],{"type":391},"Sneaky2FA attacks we reported on recently",{"data":1546,"marks":1547,"value":1548,"nodeType":248},{},[],". BITB allows the attacker to mask the phishing page URL by presenting a fake URL set by the attacker, inside a pop-up login window. ",{"data":1550,"content":1554,"nodeType":279},{"target":1551},{"sys":1552},{"id":1553,"type":276,"linkType":277},"7w4cmyqPvhxAFrokaK9CE1",[],{"data":1556,"content":1560,"nodeType":279},{"target":1557},{"sys":1558},{"id":1559,"type":276,"linkType":277},"6FUSNecz0BXLxJxoJTsALD",[],{"data":1562,"content":1566,"nodeType":279},{"target":1563},{"sys":1564},{"id":1565,"type":276,"linkType":277},"2zwFDrgsLuxi4Xv2q0nPFK",[],{"data":1568,"content":1569,"nodeType":249},{},[1570],{"data":1571,"marks":1572,"value":1573,"nodeType":248},{},[],"The attacker also implemented additional anti-analysis functionality, beyond the specific domain targeting we observed in the first page variant — the result of which meant the page IP blocked us from interacting with it further. ",{"data":1575,"content":1579,"nodeType":279},{"target":1576},{"sys":1577},{"id":1578,"type":276,"linkType":277},"3ZPdxi5cGZcn5hF1ISIUa7",[],{"data":1581,"content":1585,"nodeType":279},{"target":1582},{"sys":1583},{"id":1584,"type":276,"linkType":277},"3J5pmgNL9LevE1FdX4oksf",[],{"data":1587,"content":1588,"nodeType":249},{},[1589,1593,1602],{"data":1590,"marks":1591,"value":1592,"nodeType":248},{},[],"Often ",{"data":1594,"content":1596,"nodeType":393},{"uri":1595},"https://phishing-techniques.pushsecurity.com/techniques/anti-sandbox/",[1597],{"data":1598,"marks":1599,"value":1601,"nodeType":248},{},[1600],{"type":391},"accessing dev tools",{"data":1603,"marks":1604,"value":1605,"nodeType":248},{},[]," on a page is enough to trigger this, specifically targeting security analysts and web-crawling security bots/tools. ",{"data":1607,"content":1608,"nodeType":283},{},[],{"data":1610,"content":1611,"nodeType":293},{},[1612],{"data":1613,"marks":1614,"value":1616,"nodeType":248},{},[1615],{"type":291},"Why are attackers targeting business ad management accounts?",{"data":1618,"content":1619,"nodeType":249},{},[1620,1624,1632],{"data":1621,"marks":1622,"value":1623,"nodeType":248},{},[],"The campaign shows signs of being a long-running, targeted initiative focused on compromising accounts responsible for managing digital ads on behalf of businesses. The attackers have demonstrated that they are continuing to iterate on their TTPs, introducing new page styles with increased sophistication, and new ",{"data":1625,"content":1627,"nodeType":393},{"uri":1626},"https://phishing-techniques.pushsecurity.com/#techniques-table",[1628],{"data":1629,"marks":1630,"value":392,"nodeType":248},{},[1631],{"type":391},{"data":1633,"marks":1634,"value":1635,"nodeType":248},{},[]," to defeat security analysis tools.  ",{"data":1637,"content":1641,"nodeType":279},{"target":1638},{"sys":1639},{"id":1640,"type":276,"linkType":277},"m5GsTsDb55T70MU2m72B1",[],{"data":1643,"content":1644,"nodeType":249},{},[1645],{"data":1646,"marks":1647,"value":1648,"nodeType":248},{},[],"We also discovered that Google recently issued a security warning specifically for agency organizations managing ads for a number of businesses, urging them to create security alerts whenever a new account is added to a Manager Account (MCC) used to view and manage multiple Google Ads accounts from a single view. ",{"data":1650,"content":1651,"nodeType":249},{},[1652,1655,1662],{"data":1653,"marks":1654,"value":1010,"nodeType":248},{},[],{"data":1656,"content":1657,"nodeType":393},{"uri":775},[1658],{"data":1659,"marks":1660,"value":1018,"nodeType":248},{},[1661],{"type":391},{"data":1663,"marks":1664,"value":1022,"nodeType":248},{},[],{"data":1666,"content":1667,"nodeType":406},{},[1668],{"data":1669,"marks":1670,"value":1672,"nodeType":248},{},[1671],{"type":291},"Why are attackers turning to malvertising?",{"data":1674,"content":1675,"nodeType":249},{},[1676],{"data":1677,"marks":1678,"value":1679,"nodeType":248},{},[],"Malvertising attacks delivered over search engines (e.g. Google Search) and social media apps (Facebook, LinkedIn, etc.) are a great way to catch victims unawares while also evading typically email-based anti-phishing controls. ",{"data":1681,"content":1682,"nodeType":249},{},[1683],{"data":1684,"marks":1685,"value":1686,"nodeType":248},{},[],"The flipside of this is that malvertising attacks are less likely to be targeted than phishing delivered directly to the victim via a direct message (i.e. email, social media DM, instant messenger app, SMS, etc.). ",{"data":1688,"content":1689,"nodeType":249},{},[1690],{"data":1691,"marks":1692,"value":989,"nodeType":248},{},[],{"data":1694,"content":1695,"nodeType":249},{},[1696,1700,1707],{"data":1697,"marks":1698,"value":1699,"nodeType":248},{},[],"Malvertising is an effective way to launch “watering hole” style attacks, casting a wide net to harvest credentials and account access that can be re-sold to other criminals for a fee, or leveraged by partners in the cybercriminal ecosystem as part of major cyber breaches (such as the recent attacks by the “",{"data":1701,"content":1702,"nodeType":393},{"uri":436},[1703],{"data":1704,"marks":1705,"value":442,"nodeType":248},{},[1706],{"type":391},{"data":1708,"marks":1709,"value":1710,"nodeType":248},{},[],"” criminal collective, all of which began with identity-based initial access). For this reason, credentials and access are an increasingly profitable commodity for cyber criminals. ",{"data":1712,"content":1713,"nodeType":406},{},[1714],{"data":1715,"marks":1716,"value":1718,"nodeType":248},{},[1717],{"type":291},"Additional considerations",{"data":1720,"content":1721,"nodeType":249},{},[1722],{"data":1723,"marks":1724,"value":1725,"nodeType":248},{},[],"As previously mentioned, compromising a Google Workspace account (particularly where it is the primary enterprise cloud platform used by the organization) provides comprehensive access to business apps, data, and functionality that can be exploited by attackers — effectively, it’s the access point to modern business IT. There’s a good chance that attackers establishing a foothold in this way would look to leverage this access further, or at least sell on that access to a criminal group looking to take the attack further. ",{"data":1727,"content":1731,"nodeType":279},{"target":1728},{"sys":1729},{"id":1730,"type":276,"linkType":277},"7jnQqRk0JuqEtrQ3HXy3f8",[],{"data":1733,"content":1734,"nodeType":283},{},[],{"data":1736,"content":1737,"nodeType":293},{},[1738],{"data":1739,"marks":1740,"value":553,"nodeType":248},{},[1741],{"type":291},{"data":1743,"content":1744,"nodeType":249},{},[1745],{"data":1746,"marks":1747,"value":1748,"nodeType":248},{},[],"We have opted not to provide the domains associated with that campaign to preserve the privacy of the individuals being impersonated by the attacker. In many cases, their full name was included in the URL for the phishing page, while their name and profile picture (most likely scraped from LinkedIn) are also visible on the landing page. ",{"data":1750,"content":1751,"nodeType":249},{},[1752],{"data":1753,"marks":1754,"value":1148,"nodeType":248},{},[],{"data":1756,"content":1757,"nodeType":283},{},[],{"data":1759,"content":1760,"nodeType":293},{},[1761],{"data":1762,"marks":1763,"value":1765,"nodeType":248},{},[1764],{"type":291},"Learn more about Push",{"data":1767,"content":1768,"nodeType":249},{},[1769],{"data":1770,"marks":1771,"value":1772,"nodeType":248},{},[],"Push researchers are continuously analysing and developing new detections based on the latest phishing kits and TTPs which enables us to stay two steps ahead of attackers.",{"data":1774,"content":1775,"nodeType":249},{},[1776],{"data":1777,"marks":1778,"value":1779,"nodeType":248},{},[],"Push’s browser-based security platform provides comprehensive detection and response capabilities against attacks like AiTM phishing, credential stuffing, malicious browser extensions, malicious OAuth grants, ClickFix, and session hijacking. You don’t need to wait until it all goes wrong either — you can use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your attack surface.",{"data":1781,"content":1782,"nodeType":249},{},[1783,1786,1793,1796,1803],{"data":1784,"marks":1785,"value":659,"nodeType":248},{},[],{"data":1787,"content":1788,"nodeType":393},{"uri":662},[1789],{"data":1790,"marks":1791,"value":668,"nodeType":248},{},[1792],{"type":391},{"data":1794,"marks":1795,"value":672,"nodeType":248},{},[],{"data":1797,"content":1798,"nodeType":393},{"uri":675},[1799],{"data":1800,"marks":1801,"value":681,"nodeType":248},{},[1802],{"type":391},{"data":1804,"marks":1805,"value":685,"nodeType":248},{},[],{"data":1807,"content":1810,"nodeType":279},{"target":1808},{"sys":1809},{"id":690,"type":276,"linkType":277},[],{"data":1812,"content":1813,"nodeType":249},{},[1814],{"data":1815,"marks":1816,"value":29,"nodeType":248},{},[],"Uncovering a Calendly-themed phishing campaign targeting business ad manager accounts","Investigating a phishing campaign targeting Google Ads Manager MCC accounts to propagate malvertising lures. ","uncovering-a-calendly-themed-phishing-campaign",{"items":1821},[1822,1824],{"sys":1823,"name":1230},{"id":1229},{"sys":1825,"name":1226},{"id":1225},{"items":1827},[1828],{"fullName":1829,"firstName":1830,"jobTitle":1831,"profilePicture":1832},"Luke Jennings","Luke","Vice President, R&D",{"url":1833},"https://images.ctfassets.net/y1cdw1ablpvd/4Hosb4zKi1dA0PUyDLMe1h/27e09d894861f2196ba794037986fb08/T016S22KZ96-U02NVQM7ZD4-57761d542d83-512.jpeg",{"__typename":841,"sys":1835,"content":1837,"title":2415,"synopsis":2416,"hashTags":62,"publishedDate":2417,"slug":2418,"tagsCollection":2419,"authorsCollection":2425},{"id":1836},"7rVNBW6rYXnXMpI0JEwzgR",{"json":1838},{"nodeType":698,"data":1839,"content":1840},{},[1841,1848,1855,1867,1873,1880,1883,1891,1898,1904,1920,1927,1950,1957,1963,1966,1974,2006,2012,2032,2038,2057,2064,2070,2073,2081,2088,2108,2115,2135,2142,2148,2151,2159,2166,2199,2206,2213,2259,2278,2289,2296,2299,2307,2327,2334,2341,2347,2350,2358,2378,2404,2409],{"nodeType":249,"data":1842,"content":1843},{},[1844],{"nodeType":248,"value":1845,"marks":1846,"data":1847},"ClickFix attacks have skyrocketed in the last year. This social engineering attack has established itself as a key part of the modern attacker’s toolkit, tricking victims into running malicious code on their device.",[],{},{"nodeType":249,"data":1849,"content":1850},{},[1851],{"nodeType":248,"value":1852,"marks":1853,"data":1854},"As we showcased in our last webinar and at our threat briefing in London earlier this month, ClickFix is evolving fast, in terms of the web pages themselves, the delivery mechanisms by which they are sent to victims, and the nature of the payload and its execution.",[],{},{"nodeType":249,"data":1856,"content":1857},{},[1858,1862],{"nodeType":248,"value":1859,"marks":1860,"data":1861},"One particular example stood out to us in our research. ",[],{},{"nodeType":248,"value":1863,"marks":1864,"data":1866},"So, is this the most advanced ClickFix you’ve seen?",[1865],{"type":291},{},{"nodeType":279,"data":1868,"content":1872},{"target":1869},{"sys":1870},{"id":1871,"type":276,"linkType":277},"ID7VKJNOZk729P5zBOBjZ",[],{"nodeType":249,"data":1874,"content":1875},{},[1876],{"nodeType":248,"value":1877,"marks":1878,"data":1879},"Let’s break it down further.",[],{},{"nodeType":283,"data":1881,"content":1882},{},[],{"nodeType":293,"data":1884,"content":1885},{},[1886],{"nodeType":248,"value":1887,"marks":1888,"data":1890},"How ClickFix pages are evolving",[1889],{"type":291},{},{"nodeType":249,"data":1892,"content":1893},{},[1894],{"nodeType":248,"value":1895,"marks":1896,"data":1897},"The CloudFlare-based lure is a great example of how ClickFix pages themselves are evolving — and becoming increasingly convincing to users. ",[],{},{"nodeType":279,"data":1899,"content":1903},{"target":1900},{"sys":1901},{"id":1902,"type":276,"linkType":277},"4wJOgtofImjbsekyXMc5Ec",[],{"nodeType":249,"data":1905,"content":1906},{},[1907,1911,1916],{"nodeType":248,"value":1908,"marks":1909,"data":1910},"This is an incredibly slick example — ",[],{},{"nodeType":248,"value":1912,"marks":1913,"data":1915},"it almost looks like Cloudflare shipped a new kind of bot check service. ",[1914],{"type":291},{},{"nodeType":248,"value":1917,"marks":1918,"data":1919},"The embedded video, countdown timer, and counter for “users verified in the last hour” all serve to increase the sense of authenticity, and put extra pressure on the victim to complete the check. ",[],{},{"nodeType":249,"data":1921,"content":1922},{},[1923],{"nodeType":248,"value":1924,"marks":1925,"data":1926},"There are a couple of extra things happening under the hood here, too:",[],{},{"nodeType":615,"data":1928,"content":1929},{},[1930,1940],{"nodeType":594,"data":1931,"content":1932},{},[1933],{"nodeType":249,"data":1934,"content":1935},{},[1936],{"nodeType":248,"value":1937,"marks":1938,"data":1939},"The page is adapting to the device that you’re visiting from, serving up instructions specific to the user’s Mac (increasingly common as ClickFix expands to support different Operating Systems).",[],{},{"nodeType":594,"data":1941,"content":1942},{},[1943],{"nodeType":249,"data":1944,"content":1945},{},[1946],{"nodeType":248,"value":1947,"marks":1948,"data":1949},"The page is automatically copying the malicious code to the user’s clipboard via JavaScript (which we see in 9/10 cases).",[],{},{"nodeType":249,"data":1951,"content":1952},{},[1953],{"nodeType":248,"value":1954,"marks":1955,"data":1956},"For the past decade or more, user awareness has focused on stopping users from clicking links in suspicious emails, downloading risky files, and entering their username and password into random websites. It hasn’t focused on opening up a program and running a command — so it’s no surprise that this kind of highly convincing page is so effective at duping victims into following the instructions. ",[],{},{"nodeType":279,"data":1958,"content":1962},{"target":1959},{"sys":1960},{"id":1961,"type":276,"linkType":277},"LiVIyGxdAaUXUfvKjD6ON",[],{"nodeType":283,"data":1964,"content":1965},{},[],{"nodeType":293,"data":1967,"content":1968},{},[1969],{"nodeType":248,"value":1970,"marks":1971,"data":1973},"How ClickFix delivery methods are evolving",[1972],{"type":291},{},{"nodeType":249,"data":1975,"content":1976},{},[1977,1981,1989,1993,2002],{"nodeType":248,"value":1978,"marks":1979,"data":1980},"There’s also the fact that this page wasn’t accessed via email. The top delivery vector for ClickFix attacks that we’ve observed is, in fact, Google Search — in the form of ",[],{},{"nodeType":393,"data":1982,"content":1983},{"uri":416},[1984],{"nodeType":248,"value":1985,"marks":1986,"data":1988},"poisoned search results and malicious advertising (malvertising)",[1987],{"type":391},{},{"nodeType":248,"value":1990,"marks":1991,"data":1992},". Attackers are either taking over legitimate sites (there’s a ",[],{},{"nodeType":393,"data":1994,"content":1996},{"uri":1995},"https://www.bleepingcomputer.com/news/security/hackers-launch-mass-attacks-exploiting-outdated-wordpress-plugins/",[1997],{"nodeType":248,"value":1998,"marks":1999,"data":2001},"steady supply of website hosting and CMS vulnerabilities",[2000],{"type":391},{},{"nodeType":248,"value":2003,"marks":2004,"data":2005}," to take advantage of) or simply vibe-coding their own sites and optimizing them for various search terms. ",[],{},{"nodeType":279,"data":2007,"content":2011},{"target":2008},{"sys":2009},{"id":2010,"type":276,"linkType":277},"6N9EmH6AaN6Hr4xk6ozATR",[],{"nodeType":249,"data":2013,"content":2014},{},[2015,2019,2028],{"nodeType":248,"value":2016,"marks":2017,"data":2018},"And because most anti-phishing controls are implemented via email, by using ",[],{},{"nodeType":393,"data":2020,"content":2022},{"uri":2021},"https://pushsecurity.com/blog/why-attackers-are-moving-beyond-email-based-phishing?utm_source=thehackernews&utm_medium=sponsored-content&utm_term=article",[2023],{"nodeType":248,"value":2024,"marks":2025,"data":2027},"non-email delivery vectors, an entire layer of detection opportunity is cut out",[2026],{"type":391},{},{"nodeType":248,"value":2029,"marks":2030,"data":2031},". ",[],{},{"nodeType":279,"data":2033,"content":2037},{"target":2034},{"sys":2035},{"id":2036,"type":276,"linkType":277},"1CWsZlLFX9TS53J1uamOG8",[],{"nodeType":249,"data":2039,"content":2040},{},[2041,2045,2053],{"nodeType":248,"value":2042,"marks":2043,"data":2044},"But even when they are sent via email, ClickFix pages, like other modern phishing sites, are using a range of ",[],{},{"nodeType":393,"data":2046,"content":2048},{"uri":2047},"https://pushsecurity.com/blog/phishing-detection-evasion-launch?utm_source=thehackernews&utm_medium=sponsored-content&utm_term=article",[2049],{"nodeType":248,"value":392,"marks":2050,"data":2052},[2051],{"type":391},{},{"nodeType":248,"value":2054,"marks":2055,"data":2056}," that prevent them being flagged by security tools — from email scanners, to web-crawling security tools, to web proxies analyzing network traffic. Detection evasion mainly involves camouflaging and rotating domains to stay ahead of known-bad detections (i.e. blocklists), using bot protection to prevent analysis, and heavily obfuscating page content to stop detection signatures firing. ",[],{},{"nodeType":249,"data":2058,"content":2059},{},[2060],{"nodeType":248,"value":2061,"marks":2062,"data":2063},"Finally, because the code is copied inside the browser sandbox, typical security tools are unable to observe and flag this action as potentially malicious. This means that the last — and only — opportunity for organizations to stop ClickFix is on the endpoint, after the user has attempted to run the malicious code.",[],{},{"nodeType":279,"data":2065,"content":2069},{"target":2066},{"sys":2067},{"id":2068,"type":276,"linkType":277},"3HiqpIBWWMr5FMi3IBzXcc",[],{"nodeType":283,"data":2071,"content":2072},{},[],{"nodeType":293,"data":2074,"content":2075},{},[2076],{"nodeType":248,"value":2077,"marks":2078,"data":2080},"How ClickFix payloads are evolving",[2079],{"type":291},{},{"nodeType":249,"data":2082,"content":2083},{},[2084],{"nodeType":248,"value":2085,"marks":2086,"data":2087},"It’s not just the ClickFix page and delivery mechanisms that are evolving — the services where code is being run, and the type of payload, are also increasingly varied. ",[],{},{"nodeType":249,"data":2089,"content":2090},{},[2091,2095,2104],{"nodeType":248,"value":2092,"marks":2093,"data":2094},"While the main payloads observed by Push are mshta and PowerShell, ",[],{},{"nodeType":393,"data":2096,"content":2098},{"uri":2097},"https://mhaggis.github.io/ClickGrab/techniques.html",[2099],{"nodeType":248,"value":2100,"marks":2101,"data":2103},"attackers are abusing a wide range of LOLBINS",[2102],{"type":391},{},{"nodeType":248,"value":2105,"marks":2106,"data":2107}," targeting different services across Operating Systems.",[],{},{"nodeType":249,"data":2109,"content":2110},{},[2111],{"nodeType":248,"value":2112,"marks":2113,"data":2114},"While it is possible to disable the Win+R dialog box and limit the applications that can be run from the File Explorer address bar, it is not possible to similarly restrict users from interacting with other legitimate services to run malicious commands. ",[],{},{"nodeType":249,"data":2116,"content":2117},{},[2118,2122,2131],{"nodeType":248,"value":2119,"marks":2120,"data":2121},"Another recent example termed ",[],{},{"nodeType":393,"data":2123,"content":2125},{"uri":2124},"https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/",[2126],{"nodeType":248,"value":2127,"marks":2128,"data":2130},"cache smuggling",[2129],{"type":391},{},{"nodeType":248,"value":2132,"marks":2133,"data":2134}," was also identified by security researchers. This technique combines a ClickFix approach with JavaScript that caches a malicious file posing as a JPG. This means that the ClickFix command executes locally — effectively getting an entire zip file onto the local system without the PowerShell command needing to make any web requests.",[],{},{"nodeType":249,"data":2136,"content":2137},{},[2138],{"nodeType":248,"value":2139,"marks":2140,"data":2141},"Finally, it’s worth considering the future of ClickFix. The current attack path straddles browser and endpoint — what if it could take place entirely in the browser and evade EDR altogether? ",[],{},{"nodeType":279,"data":2143,"content":2147},{"target":2144},{"sys":2145},{"id":2146,"type":276,"linkType":277},"2rUDKawJnrmZVtxfNcSNha",[],{"nodeType":283,"data":2149,"content":2150},{},[],{"nodeType":293,"data":2152,"content":2153},{},[2154],{"nodeType":248,"value":2155,"marks":2156,"data":2158},"What’s the impact of ClickFix evolution?",[2157],{"type":291},{},{"nodeType":249,"data":2160,"content":2161},{},[2162],{"nodeType":248,"value":2163,"marks":2164,"data":2165},"To summarize:",[],{},{"nodeType":615,"data":2167,"content":2168},{},[2169,2179,2189],{"nodeType":594,"data":2170,"content":2171},{},[2172],{"nodeType":249,"data":2173,"content":2174},{},[2175],{"nodeType":248,"value":2176,"marks":2177,"data":2178},"ClickFix pages are becoming increasingly sophisticated, making it more likely that victims will fall for the social engineering.",[],{},{"nodeType":594,"data":2180,"content":2181},{},[2182],{"nodeType":249,"data":2183,"content":2184},{},[2185],{"nodeType":248,"value":2186,"marks":2187,"data":2188},"ClickFix delivery is evading traditional monitoring controls at the email layer to reach victims. ",[],{},{"nodeType":594,"data":2190,"content":2191},{},[2192],{"nodeType":249,"data":2193,"content":2194},{},[2195],{"nodeType":248,"value":2196,"marks":2197,"data":2198},"ClickFix payloads are becoming more varied and are finding new ways to evade security controls. ",[],{},{"nodeType":249,"data":2200,"content":2201},{},[2202],{"nodeType":248,"value":2203,"marks":2204,"data":2205},"This means that EDR-based interception of malware execution is the last — and only — real line of defense for most organizations, kicking in after the initial script has been run (typically acting as a stager for the real malware). ",[],{},{"nodeType":249,"data":2207,"content":2208},{},[2209],{"nodeType":248,"value":2210,"marks":2211,"data":2212},"Malware execution can and should be intercepted by EDR, but it’s not foolproof. ",[],{},{"nodeType":615,"data":2214,"content":2215},{},[2216,2239,2249],{"nodeType":594,"data":2217,"content":2218},{},[2219],{"nodeType":249,"data":2220,"content":2221},{},[2222,2226,2235],{"nodeType":248,"value":2223,"marks":2224,"data":2225},"Attackers are constantly ",[],{},{"nodeType":393,"data":2227,"content":2229},{"uri":2228},"https://www.infostealers.com/article/logins-zip-leverages-chromium-zero-day-stealthy-infostealer-builder-promises-99-credential-theft-in-under-12-seconds/",[2230],{"nodeType":248,"value":2231,"marks":2232,"data":2234},"developing new tools and capabilities",[2233],{"type":391},{},{"nodeType":248,"value":2236,"marks":2237,"data":2238}," to bypass EDR in the cat-and-mouse game between attackers and defenders.",[],{},{"nodeType":594,"data":2240,"content":2241},{},[2242],{"nodeType":249,"data":2243,"content":2244},{},[2245],{"nodeType":248,"value":2246,"marks":2247,"data":2248},"Because ClickFix attacks are user initiated, context might be missing that lead to the alert being misclassified. This can mean the difference between the level of priority alert that is raised, and whether or not it is automatically blocked.",[],{},{"nodeType":594,"data":2250,"content":2251},{},[2252],{"nodeType":249,"data":2253,"content":2254},{},[2255],{"nodeType":248,"value":2256,"marks":2257,"data":2258},"If you’re an organization that allows employees and contractors to use unmanaged BYOD devices, there’s a strong chance that there are gaps in your EDR coverage.",[],{},{"nodeType":249,"data":2260,"content":2261},{},[2262,2266,2274],{"nodeType":248,"value":2263,"marks":2264,"data":2265},"This is why attackers are doubling down. According to the ",[],{},{"nodeType":393,"data":2267,"content":2269},{"uri":2268},"https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf#page=1",[2270],{"nodeType":248,"value":2271,"marks":2272,"data":2273},"2025 Microsoft Digital Defense report",[],{},{"nodeType":248,"value":2275,"marks":2276,"data":2277},", ClickFix was the most common initial access method in the last year, accounting for 47% of attacks. That's a pretty significant stat.",[],{},{"nodeType":2279,"data":2280,"content":2281},"blockquote",{},[2282],{"nodeType":249,"data":2283,"content":2284},{},[2285],{"nodeType":248,"value":2286,"marks":2287,"data":2288},"47% of attacks started with ClickFix in the last year, according to Microsoft.",[],{},{"nodeType":249,"data":2290,"content":2291},{},[2292],{"nodeType":248,"value":2293,"marks":2294,"data":2295},"Ultimately, organizations are leaving themselves relying on a single line of defense — if the attack isn’t detected and blocked by EDR, it isn’t spotted at all. ",[],{},{"nodeType":283,"data":2297,"content":2298},{},[],{"nodeType":293,"data":2300,"content":2301},{},[2302],{"nodeType":248,"value":2303,"marks":2304,"data":2306},"Don’t gamble on a single point of failure ",[2305],{"type":291},{},{"nodeType":249,"data":2308,"content":2309},{},[2310,2314,2323],{"nodeType":248,"value":2311,"marks":2312,"data":2313},"Push Security’s latest feature, ",[],{},{"nodeType":393,"data":2315,"content":2317},{"uri":2316},"https://pushsecurity.com/blog/introducing-malicious-copy-paste-detection?utm_source=thehackernews&utm_medium=sponsored-content&utm_term=article",[2318],{"nodeType":248,"value":2319,"marks":2320,"data":2322},"malicious copy and paste detection",[2321],{"type":391},{},{"nodeType":248,"value":2324,"marks":2325,"data":2326},", tackles ClickFix-style attacks at the earliest opportunity through browser-based detection and blocking. This is a universally effective control that works regardless of the lure delivery channel, page style and structure, or the specifics of the malware type and execution.",[],{},{"nodeType":249,"data":2328,"content":2329},{},[2330],{"nodeType":248,"value":2331,"marks":2332,"data":2333},"Unlike heavy-handed DLP solutions that block copy-paste altogether, Push protects your employees without disrupting their user experience or hampering productivity.",[],{},{"nodeType":249,"data":2335,"content":2336},{},[2337],{"nodeType":248,"value":2338,"marks":2339,"data":2340},"By adding a new layer of protection in the browser, security teams can reduce the strain on their EDR and reduce the risk of host-based controls being bypassed through misconfiguration or attacker innovation. ",[],{},{"nodeType":279,"data":2342,"content":2346},{"target":2343},{"sys":2344},{"id":2345,"type":276,"linkType":277},"sALkMt8UbTZ2f34hKvGLj",[],{"nodeType":283,"data":2348,"content":2349},{},[],{"nodeType":293,"data":2351,"content":2352},{},[2353],{"nodeType":248,"value":2354,"marks":2355,"data":2357},"Learn more",[2356],{"type":291},{},{"nodeType":249,"data":2359,"content":2360},{},[2361,2365,2374],{"nodeType":248,"value":2362,"marks":2363,"data":2364},"If you want to learn more about ClickFix attacks and how they’re evolving, ",[],{},{"nodeType":393,"data":2366,"content":2368},{"uri":2367},"https://pushsecurity.com/resources/clickfix",[2369],{"nodeType":248,"value":2370,"marks":2371,"data":2373},"check out our latest webinar (now available on-demand!)",[2372],{"type":391},{},{"nodeType":248,"value":2375,"marks":2376,"data":2377}," where we dive into real-world ClickFix examples and demonstrate how ClickFix sites work under the hood. ",[],{},{"nodeType":249,"data":2379,"content":2380},{},[2381,2384,2391,2394,2401],{"nodeType":248,"value":659,"marks":2382,"data":2383},[],{},{"nodeType":393,"data":2385,"content":2386},{"uri":662},[2387],{"nodeType":248,"value":668,"marks":2388,"data":2390},[2389],{"type":391},{},{"nodeType":248,"value":672,"marks":2392,"data":2393},[],{},{"nodeType":393,"data":2395,"content":2396},{"uri":675},[2397],{"nodeType":248,"value":681,"marks":2398,"data":2400},[2399],{"type":391},{},{"nodeType":248,"value":685,"marks":2402,"data":2403},[],{},{"nodeType":279,"data":2405,"content":2408},{"target":2406},{"sys":2407},{"id":1961,"type":276,"linkType":277},[],{"nodeType":249,"data":2410,"content":2411},{},[2412],{"nodeType":248,"value":29,"marks":2413,"data":2414},[],{},"The most advanced ClickFix yet?","Breaking down the most sophisticated ClickFix page we’ve seen in the wild — and what it tells us about the future of malicious copy-and-paste attacks. ","2025-11-06T00:00:00.000Z","the-most-advanced-clickfix-yet",{"items":2420},[2421,2423],{"sys":2422,"name":1226},{"id":1225},{"sys":2424,"name":1230},{"id":1229},{"items":2426},[2427],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":2428},{"url":236},"analysing-a-sophisticated-google-malvertising-attack","blog/analysing-a-sophisticated-google-malvertising-attack",{"json":2432},{"data":2433,"content":2434,"nodeType":698},{},[2435],{"data":2436,"content":2437,"nodeType":249},{},[2438],{"data":2439,"marks":2440,"value":2441,"nodeType":248},{},[],"Push recently detected and blocked a malvertising attack impersonating TradingView, designed to hijack Google Workspace accounts via Attacker-in-the-Middle phishing. Here’s what you need to know. ","Push recently detected and blocked a malvertising attack impersonating TradingView designed to hijack Google Workspace accounts.",{"id":2444,"publishedAt":2445},"2obwh6WiK5IP0hnqsV4CZQ","2025-12-08T12:32:23.985Z",{"items":2447},[2448,2450],{"sys":2449,"name":1230},{"id":1229},{"sys":2451,"name":1226},{"id":1225},"5rmwW2FDUq7r0NTnAqSb3KrmLQiVdaZJ0NBHjSoWThU",1784196728919]