The Audit - Presented by IT Audit Labs
Brought to you by IT Audit Labs. Trusted cyber security experts and their guests discuss common security threats, threat actor techniques and other industry topics. IT Audit Labs provides organizations with the leverage of a network of partners and specialists suited for your needs.
We are experts at assessing security risk and compliance, while providing administrative and technical controls to improve our clients’ data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security control assessments rank the level of maturity relative to the size of the organization.
Cracking Gmail and SEO Poisoning: Inside the Latest Cyber Threats
From Gmail 2FA bypass warnings to SEO poisoning campaigns, we’re diving into the latest cybersecurity headlines reshaping the industry.
We explore how attackers are using hyper-specific search terms—like the legality of Bengal cats—to deliver malware and manipulate search results. Plus, we discuss advancements in AI-powered behavioral analytics, from cutting down false alerts to streamlining incident response. With real-world insights and actionable tips, this episode is packed with must-know updates for IT professionals navigating today’s ever-evolving threat landscape.
In this episode, we'll discuss:
- Gmail session cookie theft and bypassing two-factor authentication.
- SEO poisoning campaigns delivering malware via niche search terms.
- AI-driven behavioral analytics improving incident response.
- Real-world social engineering and user behavior risks.
- Balancing usability and security with tools like passkeys.
Thanks for tuning into The Audit. Subscribe on Spotify, Apple Podcasts, or YouTube to stay informed on the latest in cybersecurity. Don’t forget to follow us on social media and share with your network!
Speaker 1: Coming at you live. Today you're listening to The Audit, presented by IT Audit Labs. My name is Joshua Schmidt, I'm your co-host and producer, and today we're joined by the usual cast, Nick Mellum and Eric Brown. How are you guys doing today?
Speaker 2: Doing good. You were mid-rant, though, here when we clicked the go-live button, so let's get back to that. Tell us more about that.
Speaker 1: So, yeah, how much time do you have? I was griping about, we'll just let the company go unnamed, but just the terrible service of cable companies in general. I guess we call them cable companies still, even though no one's buying their cable services. But, um, yeah, we call them ISPs, internet service providers.
Speaker 2: Yep, that's not the cable guy anymore. You guys remember that movie, The Cable Guy? It was one of my favorites.
Speaker 1: I upgraded to Quantum Fiber and, uh, yeah, the usual. Didn't show up on time. The guy didn't get there until, uh, you know, three days after he was supposed to show up, and then, you know, installed my modem in the wrong place after I showed him exactly where I wanted it. He put it in a different place and plugged it into the same outlet that I have my dehumidifier plugged into in the basement. Yeah, then a wire went down up the road, and then they completely, uh, left all of their crap out on the street in a tangled mess under the telephone pole, and it's been there for over a month.
Speaker 3: Haven't cleaned it up. Your internet wasn't down, though?
Speaker 1: My internet wasn't down. Okay, to be fair, I'm not quite sure whose it was at this point. Well, they're guilty by association either way. Yeah, probably, exactly. I called the power company, I called the, um, the cable providers, I called the city, and no one seems to be taking responsibility for it.
Speaker 2: So there's a good book, Josh, called Tubes, by Andrew Blum, and it explains essentially how interconnected the internet is. I believe he was a journalist for Wired, and one day he was having some internet connectivity issues, and he looks out at the end of his backyard and he sees the cable coming into the house, and maybe a squirrel running on the cable or something, and then he decided from there to track where that cable went, and then all of the downstream implications thereof, the ISPs and the super ISPs and where all of the cables go. So it's a quick read and a good read, and it's written from the perspective of a non-technologist. Well, that was your icebreaker of the day, I guess.
Speaker 1: No, no, I got a different icebreaker, so let's get to that. Favorite arcade or video game. You know I'm coming from the Nintendo generation. I don't know about you, Nick, you're a little younger than I am, but do you have a go-to game? What's the game you spent the most time on?
Speaker 3: I was wrestling with this for a little bit because I have a deep love for Donkey Kong, but I was actually going to say I probably spent the most time on, remind me, I can't remember one of the names, but one of them was Duck Hunt. Oh, awesome. But what was the one with the mailman, where you were riding the bike down and you were going off the jumps? You remember the mail boy, like the paper boy? Paperboy, yes, Paperboy. And Dotcom, I remember like Vampire League, and then like N64 came around.
Speaker 3: Then it was Donkey Kong. So you didn't get into, like, the computer games, like Myst or Diablo or anything like that? A tiny bit. I'm not a gamer, I wouldn't classify myself as that.
Speaker 1: I dabbled. Growing up in the northern climes, there wasn't a whole lot to do, but I did get thoroughly into Myst for a while, if you guys remember Myst. I don't. But it was hella confusing, especially pre-internet, because it's such a puzzle game where, you know, you're going through this kind of 3D world. Yeah, M-Y-S-T.
Speaker 3:T Cause I thought you said NIST like national Institute of standards.
Speaker 1: See, I'm dating myself now. Eric, back me up on this, man?
Speaker 2: I'm right there with you. Yeah, I think for me, I was young at the time. But if you remember this, this is the opening line of the game: "West of House. You are standing in an open field west of a white house, with a boarded front door." So the opening line is Zork. And then it's a text-based game, it's an open mailbox and so on and so forth, and you go through and you play the game by just inputting text at the command prompt. So that just kind of, I don't know, I was young at the time, but it really opened me up to how fun computer games could be, or can be, or are. And from there it just progressed into more games. And then in college and right after college, the MMORPGs, the massively multiplayer online role-playing games.
Speaker 2: Like World of Warcraft and things like that? Yeah, I got in a little bit before World of Warcraft. Certainly a lot of World of Warcraft time, but before that, um, Dark Age of Camelot. So my buddies and I spent quite a bit of time, uh, in that game. That was such a time sink. I didn't get into that.
Speaker 1: I actually kind of lost a buddy in high school. He played so much that it just overtook his life, World of Warcraft. Yeah, we need to have an intervention for that guy. Uh, it was a little bit too much.
Speaker 2: I thought he was alone on that. I don't think he was. Yeah, and then you had what was colloquially known as the Chinese farmers in those games. You guys know what I'm talking about there? Yeah, I know about farming.
Speaker 1: Yeah, it's where you just do repetitive actions to gain coins or, like, stats or something, right?
Speaker 2: And then they would be sold for fiat coin, right? You'd sell, you know, a hundred thousand whatever, gold bullion, game gold bullion, on eBay for, you know, what was it, like a hundred dollars or whatever. It's the original crypto.
Speaker 1: Yeah, speaking of crypto, have you guys been paying attention to what's been going on? Wow, dude, crazy. Yeah, I had to get in a little bit. I had a little FOMO. I had to throw a couple of jelly beans on there late at night on Coinbase. Nice.
Speaker 3: You got actual Bitcoin or something else?
Speaker 1: I had Bitcoin before, but I bought some XRP, just going in, and then going back into Doge again. I'm a glutton for punishment.
Speaker 3: I got fleeced on Doge last time. I actually did okay on Doge last time, but, uh, the other one was, I think, Shib, Shiba coin. Yeah, but I think, isn't it just, I believe they call those Shib coins. Yep, there's, uh, over...
Speaker 2: There's probably over 10,000 coins out there now.
Speaker 3: Well, it sounds like, again, wasn't Tesla taking Dogecoin at one point?
Speaker 2: I know Elon talked about it a lot. I don't know if they were.
Speaker 1: Yeah, I think there were rumors. Yeah, but we'll have to see what happens. It looks like it's going to be a wild crypto ride. What a time to be alive. Yeah, I had to get in.
Speaker 3: I didn't want the fear of missing out to take over.
Speaker 1: So hopefully you don't get fleeced again. No, I just gotta, just gotta HODL, as they say. So, um, yeah, speaking of current events, we're jumping into a news episode today. We're going live here. We will be recording this podcast as well, and then publishing it with all of our audio on Spotify, video on YouTube again, and Apple Podcasts, among many others. So we're going to jump into it today.
Speaker 1: Our first article is about this new Gmail 2FA attack warning: "Stop the email hackers now," it says. We scroll down here a little bit. The Federal Bureau of Investigation published, on October 30th, a public alert relating to the theft of what are known as session cookies by cybercriminals in order to bypass 2FA account protections. The FBI Atlanta division's warning stated that hackers are gaining access to email accounts by stealing cookies from a victim's computer. Gmail, being the world's biggest free email service, with more than 2.5 billion active accounts according to Google, is naturally a prime target for these ongoing attacks. So, yeah, I had a couple of questions that I kind of prepared for this. For our non-gamers, non-computer nerds, what are cookies? I think I know what they are, but I'd love to have a pro explain it to me.
Speaker 2: Yeah, I think that, you know, if I was sitting around a Thanksgiving table, maybe a cookie is a way of collecting information about either the user or the compute resource and using that information to enable the user to have a potentially better browsing experience.
Speaker 1: So in this case, this is what the hackers are going after in order to gain credential information. It seems like using their cookies on their browser to then bypass the 2FA, rather, the two-factor authentication or multi-factor authentication.
Speaker 2: Yeah. Nick, so how would you explain that from a cookie perspective?
Speaker 3: Yeah. So what I was going to say is, I think what they're getting at here is they're probably trying to, you know, get these cookies and then reroute you to a fake login page, right? That would be my worry. We see it all the time. We do it in our, you know, events, social engineering, pen testing, whatnot.
Speaker 3: Uh, if you can reroute somebody to what looks like a legitimate Gmail page, in this case, um, you're able to, you know, harvest tons of credentials, um, without the, uh, you know, innocent party being aware. They think they're just logging into Gmail, you know, our folks, or whatever. That's what I get out of this one. But going back to the cookie thing, that's kind of exactly what Eric said. You know, it's just a way of, and I think we see it with, like, marketing, right? They're collecting those cookies and they pitch it as having a better experience browsing the web, right, seeing what you like to see, what you want to see, and then it's feeding that to you.
Speaker 1: One thing that helped me understand the cookie thing is that recommended Remember Me tab, where, instead of signing in each time, you can click Remember Me. So that would be leaving some sort of an identifier of your credentials so that you can bypass some security features. Correct? Are you clicking the Remember Me thing?
Speaker 3: Not anymore.
Speaker 1: Attaboy. I have in the past. You know, per the recommendations of the podcast here, I actually got a password manager working for me here, Bitwarden. I've actually talked a few other friends into getting it as well. The one thing I will say about that is it's really hard to use on your iPhone. Um, the browser extension is very clunky as far as I know, so maybe you guys can show me something, I don't know. But it's a pretty smooth, uh, experience on the computer, though.
Speaker 2: Yeah, on the mobile device I just copy and paste. You know, go into Bitwarden, copy, paste.
Speaker 1: I might have to try that out. And that gets into this boundary between usability and security that we often talk about. I know that. So how do you guys speak to an organization, or people working within an organization, to kind of convince them to take that one extra step, even if the usability becomes slightly more clunky, kind of like in the case of what I'm talking about on my iPhone with Bitwarden? You know, I know that's what I should be doing, but it makes my day a little bit more frustrating. So what's kind of the messaging around that when speaking to organizations?
Speaker 3: Yeah, I think it's become increasingly difficult because once you put, you know, an extra speed bump in front of an organization or an individual user, people are apprehensive to do that because, unless you're a professional in the space or you know a lot about it, it is making their day a little bit more difficult. It takes monotonous, easy tasks and it takes them a little longer. I think we found success in training. I know I've said that a lot, preaching the training and user-based education. What are they getting out of this? Why do they want to use it? Speak to it on their, I don't want to say their level, but something they might understand, like why we'd want to do this, protecting their credit, Facebook, whatever it may be.
Speaker 3: Some things that we're using at current organizations, where we're going to other technologies, are, like, YubiKey single sign-on methods, which even makes things a little bit more safe than 2FA, right? I mean, it's a form of it, but you would sign into this device. I think a lot of us are familiar with Yubico's YubiKey, like I just mentioned, and it allows you, I have a YubiKey right here, and it allows the users to plug this into their computer. If they've got single sign-on and applications allow single sign-on, it'll allow them to bypass that in the first place. So I kind of went off on a little bit of a tangent, but it's multi-vector authentication. But it actually, to me, makes multi-vector authentication a little bit easier because of that small device, and it, you know, takes the users out of the equation a little bit because it's making their life even easier, versus trying to have a conversation about why they should take an extra step.
Speaker 1: So is that like a passkey, then, Eric?
Speaker 3: It is. It is a physical passkey. Yep, I'm glad you brought that up. I think they talk about it in this article. Passkeys, you know, and there's a difference too, right? We talk about passphrases, right, passkeys. This is a physical passkey where, instead of using a password, once you would put this into your computer, machine, whatever you're using, desktop, you'd put in a six-digit PIN that you know, and that's how you get your multi-vector authentication.
Speaker 2: And the passkeys, you can use the physical one, the YubiKey, like Nick's talking about. Google's got passkey authentication where one side of that key is stored with a server, the other side is stored locally with you, and then you're essentially just comparing the two keys, like, does the key fit in the lock? And you're typically getting to that key through some form of biometric authentication, like maybe your fingerprint on the computer or, you know, a passphrase to get into, and essentially unlock the key on your side and then match it with the key on the server. Fortunately for the user, you don't have to know any of that. Just when you go through and set up that passkey with Google, that's what's happening behind the scenes.
Speaker 1: So, Eric, what is your messaging around getting people to take that extra step, whether it's organizationally or for personal information?
Speaker 2: Organizationally it's a little bit easier, because if you hired us to come in and help with information security, it's like, you know, there's a new sheriff in town, this is just how we're going to do it. So, you know, like it or don't, but this is the way it is, and organizations can set that policy, right, because people are coming there to perform a function, they're getting paid to perform that function, and the company is saying this is how we're going to operate, these are the standards that we're going to operate by to protect the greater good. It's much harder when there's not that function of employee and company in our personal lives. It sounds like you've had some good success in getting your friends to do it, and all too often, unfortunately, it is someone who has had a bad event occur to them. They've had information theft, they've had something happen to them, and now they want to get clean, and then they're certainly willing to take the steps that it takes.
Speaker 3: Yeah, that's absolutely true, and unfortunately sometimes it does take, let's say, a disaster for an organization to maybe wake up, or an individual to wake up, to see how important this is. We see it all the time with organizations not wanting to maybe spend the money on cybersecurity. Something big, something notable happens, there's a loss, whatever it is. You know, IT Audit Labs is getting a phone call and, you know, we're in there trying to help them remediate or, you know, make them whole again.
Speaker 2: And, you know, we've got some really cool tools on the corporate side, and they're similar, just less expensive, on the user side, where we can come in and we can essentially create the ability to lock all of the corporate accounts. So all of the usernames and passwords that are used to get into servers or network devices can essentially be locked and then require a checkout process to get the credential. That's relatively easy to set up. The hard part is getting the adoption, and using the tools and configuring the tools in a way where it's not overly cumbersome, because it's really easy to turn the tool on and walk away. But the usability side of that can be difficult if the tool is not set up and configured properly, or maybe you purchased a tool that might have been a little bit cheaper but it doesn't have the functionality to make it easy for the users to interact with.
Speaker 1: And stop clicking the Remember Me box.
Speaker 3: You tell them, Josh.
Speaker 1: That was new to me. So, you know, if there was one takeaway for me today, that would probably be it, just because that's seemingly an issue now that probably wasn't, you know, not that long ago. Cool, thanks for your advice on that, guys. We're going to head on to the next article.
Speaker 1: Nick had some insights on this one as we were getting prepared for today, but this article is, uh, from The Hacker News again. It's "5 Ways Behavioral Analytics is Revolutionizing Incident Response," and it kind of goes through, you know, how this whole AI tooling and the AI analysis of data has really kind of matured over the last handful of years and is kind of being useful now, whereas before it might have been a little more clunky, you know. It might have been flagging things that were maybe not any kind of a threat or kind of an anomaly. It was just kind of clunky. So it sounds like things have kind of changed.
Speaker 1: The article states: "Behavioral analytics, long associated with threat detection, is experiencing a renaissance. Once primarily used to identify suspicious activity, it's now being reimagined as a powerful post-detection technology that enhances incident response processes. By leveraging behavioral insights during alert triage and investigation, SOCs can transform their workflow to become more accurate, efficient and impactful. Fortunately, many new cybersecurity products like AI SOC analysts are able to incorporate these techniques into their investigation capabilities, thus allowing SOCs to utilize them in their response processes." It's a lot there, but maybe, Nick, you could break it down and speak to whether you've used any of these tools or if you've seen any of this crop up in your work.
Speaker 3: Yeah, I mean, I think most of us have seen it, right? We're seeing all these new tools come out with some sort of AI benefit, some way to make your job easier, and in a lot of ways it is. You know, I think something a lot of organizations have in common is probably bandwidth issues. You know, you need a lot more personnel than you may have, so a lot of your, I don't want to say junior employees, but people in your organization wear multiple hats. I think a downfall to this in the past was it was very noisy. You get a lot of false alerts and you end up chasing something that's, you know, not important, but it maybe looked important, or alarming, I should say, when it comes in, when the threat comes in, but it's, you know, totally benign and it has no inherent risk.
Speaker 3: But, you know, for me the big takeaway here is how do we save time, how do we fill positions, or, you know, manpower, you know, with tools, and I think it's starting to do that now. I think something that I connected to is, recently we had the presidential election, and, you know, we were all hands on deck for some of our clients, you know, watching network traffic and many other things, but most notably, you know, what's going on, what's coming in and out, from insider threats to everything, and, you know, not getting those false alarms is huge, especially when maybe you're overnight. You've got one or two guys on, gals on, you know, watching alerts. So I think that's a big one for me. And then also, Josh, if you scroll down a little bit further, they've kind of got that, they're spelling out one through five, but I think it was number three. Oh, number two as well.
Speaker 3: I was reading, and I was finding that to be very interesting and important, because a lot of times, let's say, we get an alert that somebody is working out of the country, right, and we can't get ahold of them, or, you know, the time change is so great, um, we're maybe getting an alert. Well, if we don't have to contact or wait for the user to contact us, you know, with these tools we can take immediate action to make sure there's no, uh, potential threat, or neutralize the threat right away. And then I think it was number four, if you would scroll down a tiny bit further.
Speaker 3: Uh, yeah, enhanced and deeper investigation, and this, to me, goes kind of back to the bandwidth issue, right? We don't like to abandon, you know, any searches before we can get as deep as possible, find the root cause. But a lot of times either it's a bandwidth issue or a know-how issue. And I think when we get these tools, you know, it allows us to maybe get to that root cause a lot faster, and then we're able to teach ourselves and our teammates, you know, maybe some new tactics on how to get there and how it actually happened, you know, and inherently making the organization that we're working for at the time, you know, much safer. But to me, out of all the articles, this one had the most to chew on, I think.
Speaker 1: That sounds great, like streamlining your job, making it a little more accurate. You know, I've definitely had my credit card shut off while traveling. You know, forget to notify the bank and all of a sudden you're in a different city and your credit card's not working. So what other examples might there be of detections that might go off or set off some red flags on these kinds of tools, that might alert professionals that there might be some malicious activity going on?
Speaker 2: You know, Josh, there's some... The tools are getting pretty good. But I go back to the end user, and it's that end user education piece, the behaviors that we have just ingrained to take shortcuts in life, right, to make things easier. The malicious actors are able to do that now at scale with AI. So we've got to be able to, at scale, respond to that. But just a couple of weeks ago, during the election cycle, I went in to do the pre-voting a couple of days early, where you go in, you get a ballot, an absentee ballot, and then you fill it out, you take it to an election judge, and then the election judge reviews it, looks you up in the system and gives you a ballot to vote. During that process I'm standing in front of the election judge, there were about three of them, and they're all helping different customers, and I look down. He's sitting there in front of me and I'm standing. I look down on his computer. Pink sticky note is the password of that election judge computer.
Speaker 1: Josh Bahr Jr, your favorite sticky notes. You've got an eagle eye for sticky notes, I must say, Eric.
Speaker 2: Well, this one was hot pink, Josh. I mean, you couldn't avoid it, right? And I've got to pull, I took a picture, I've got to pull the password up here.
Speaker 3: Social engineering at its finest.
Speaker 2: I mean, they're social engineering themselves, right? Absolutely social engineering themselves, right, like, absolutely. It's just egregious that, you know, there's no checks and balances. Nobody on either side of the person looked over and said, you know, what are you doing? To be an election official is very painful. I've got to find this thing now, but, uh, the password was something like, you know, maybe whatever the name of the building was, one.
Speaker 2: But so, going back to the tools, Josh, you know, from a security practitioner standpoint, I think, leveraging technology to where we can have the interactions with the users be transparent and then create a positive experience for that user when they do report something. So one of the examples there was, if the user is out of the country, if the user is connecting in from a location that's normally not their own, great things to trigger on. In email now, which is, of course, the number one threat vector, there's a lot of content coming in that's really well written, used to socially engineer the user into taking an action, and we've talked in the past about QR codes coming in. The user then scans the QR code with their phone and it breaks them out of the walled garden of the corporation.
Speaker 2: There are some cool tools now where, if that does happen to make it into their mailbox, and I'm a big advocate for not putting it in a quarantine folder, not marking it as potentially malicious, just deleting it, right?
Speaker 2: There's hardly anything, you're going to get an email that is so critically important that, if it looks suspicious, it probably is, and just getting it out of the user's box completely so that they can't interact with it. But the ones that do make it through, if the users do choose to report that, which hopefully they do, they report that, and then the system will take another look at it and allow the user to ask questions, like, well, why was this malicious, or why was this flagged, or whatever it was, right? So, you know, if the user reports it as suspicious, the system comes back and says, no, this is clean. The user can ask those questions, to say, oh well, this looks suspicious because of X, or why is this not a malicious email? Rather than opening a ticket and waiting to hear back from somebody, the user is getting this nearly instantaneous response, which I think is really good, and I think we're going to see more of that just across the board with AI and user behavior and analytics that is outside our normal routine.
Speaker 1: Yeah, and that's what the article got into. I think they're just finding, um, more algorithms or, for lack of a better word, more models of people's behavior, and using even more data points in those models, even like the way people interact with applications, for example, and just their tendencies and their workflow. I do wonder what this does for our privacy, even though it's kind of shot anyway. It feels like another gateway to giving away even more of our privacy. But perhaps, you know, it'll be, just like everything else, kind of a seesaw effect on balancing out, you know, the risk versus the reward there.
Speaker 2: There was a company in Eden Prairie, Minnesota, I believe, and I'm going back now 10 years. I forget the name of the company, but a former colleague worked there for a while. Small kind of startup, and their idea was they were going to, or they did, map how we type. So there was essentially an agent that would sit on the machine and map how you, as a user, type, and then that became the way that the machine would authenticate you. So rather than you logging in with either, you know, a fingerprint or password or facial, you know, whatever, and then, you know, you essentially go away and then a malicious actor could take over your computer, the likelihood that the malicious actor had the same typing patterns... And I think they were detecting, you know, the milliseconds of time between keystrokes, how long the key was pressed, all those sorts of things, which would create a digital character of, you know, how we type, and would authenticate us, and it was just continual authentication. Like every six seconds it was kind of running this check. So really cool in theory, and I think in limited-run practice it worked pretty well.
Speaker 2: I think some of the breakdowns were maybe if you had, like, an injury, but, you know, we're probably not getting that injured that often in our hands. Maybe Nick's getting his hands scratched by his cats or whatever, but I don't know if that impacts his typing, but you know what I mean, right? So I don't know what happened to that company. Now that we're talking about it, I want to look it up. Yeah, I got you, Nick, as a guitar player.
Speaker 3: I've had a stint.
Speaker 1: You got it? No, actually, I got it.
Speaker 3: Oh, I didn't even see it right now. Shoot. I've got to go. See you guys. Rawr, rawr.
Speaker 2: For those of you who don't know why it's a joke, Nick's got a lot of hairless cats. For some reason he keeps getting more.
Speaker 1:Yeah, Nick, you might want to pay attention to this article, buddy, because we got a new attack vector for Nick. It's getting really granular here.
Speaker 3:Did you have AI make this up before we came on?
Speaker 1:I actually found this. I had to kind of work it into the episode today.
Speaker 2:It's a good one, though, josh, because it really is talking about SEO poisoning, or searchGhoulish, which is an attack vector that and it's very similar to this search engine optimization compromise, but SoshGhoulish is spelled S-O-C-G-H-O-U-L-I-S-H.
Speaker 2: Threat actors compromise a website, and it's typically maybe not a website that, you know, is run by a corporation with, you know, a dedicated security team.
Speaker 2: I know one of the examples was MADD, Mothers Against Drunk Driving. I think this was a while back.
Speaker 2: Their website was compromised with this malware, and what the malware does is, when the user connects to the website, then it pops up a message that will say, for example, "Your browser is out of date, you need to refresh your browser," and it will attempt to entice the user to click on that and then go through the process of injecting and installing the malware. So it's kind of a social environment, or if it's actually a live user coming in to visit that website, and if it's something coming through a virtual machine or a sandbox, then potentially it won't execute. But very similar to where we're going with this on the search engine optimization poisoning, where, same thing, websites are compromised and then users are socially engineered, so to speak, when they type in a search query that they're looking for. In this case it was around, I don't know, it was Bengal cats in Australia. That would send them to sites that contained a malicious zip file that would then, you know, potentially be downloaded.
Speaker 1: Yeah, we might have to come up with another name. You know, social engineering, it might have to be feline engineering. I'll leave that one to you, Nick. I see they have SEO poisoning up there. That's kind of interesting. But yeah, basically you summed it up, Eric. I'm just going to read this for the people that don't know. "In an unusual, specific campaign, users searching about the legality of Bengal cats in Australia are being targeted with the Gootloader malware. In this case, we found that Gootloader actors using search results for information about a particular cat in a particular geography being used to deliver the payload: Are Bengal cats legal in Australia?" Sophos researchers Trang Tang and Hikaru Koike, I think I'm saying that right, and Asha Castle and Gallagher said it in a report published last week. And Nick.
Speaker 1: Mellum, Nick Mellum. Yeah, so basically what you said, Eric, you know, really hyper-specific, which is why I did find this interesting, and it was bonus points for having the cat in there.
Speaker 3: But you guys nailed it this week.
Speaker 1: Not sure. Not sure about the legality of Bengal cats here in Minnesota. Maybe Nick could let us know, or I know Texas has got some looser laws.
Speaker 3: You know, whatever you want.
Speaker 1: Baby tiger king. Was it Tiger King down there? That was Florida, Flo. Oh, that, of course. So this one is actually going even further to say, um, there had been a newer attack where it was, um, making it less funny. I guess I can't remember exactly what the, uh, instance was. It was making a different type of a website.
Speaker 3: Um, I would be very interested to have an industry professional on this come on, because this would be something I'd be very curious about and learning more on. Are you an industry professional in this specific space also? Got it.
Speaker 1: But thank you very much, Eric. Yeah, here, here's the, here it is, what I was referring to. Um, they changed the SEO poisoning to "California law break room requirements," which is probably a lot more highly searched than, uh, the Bengal cats. I'm assuming the Californians need a little extra break time. They're looking for that break room, want to get the laws around that. But yeah, that seems to be like a higher-traffic kind of keyword SEO than the Bengal cats.
Speaker 2: Remember when you used to be able to smoke in the break room? No, I don't. That's going back years. Yeah, just the fact that you have a break room.
Speaker 1: We have a great break room at IT Audit Labs. I must, uh, call out the pinball machines. Eric, thank you for those fun times. Yeah, hey, I know we got to run today. Um, we got a little bit of a shorter episode, but, uh, that's all right, um, and we thank everyone for listening. Uh, you've been listening to The Audit, presented by IT Audit Labs. My name is Joshua Schmidt, co-host and producer. We're joined today by Nick Mellum and Eric Brown. Please like, share and subscribe and catch us again in two weeks. Thanks all. Thanks.
Speaker 2: You have been listening to The Audit, presented by IT Audit Labs. We are experts at assessing risk and compliance, while providing administrative and technical controls to improve our clients' data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact. Our security control assessments rank the level of maturity relative to the size of your organization. Thanks to our devoted listeners and followers, as well as our producer, Joshua J. Schmidt, and our audio video editor, Cameron Hill. You can stay up to date on the latest cybersecurity topics by giving us a like and a follow on our socials and subscribing to this podcast on Apple, Spotify or wherever you source your security content.