News from SWCRC



Threat Assessment and Cyber News

December 2023

In the run up to Christmas, businesses are even more at risk. Everyone is busy, or not as careful as they might be. And of course, adverts proliferate, enticing you to buy all sorts of things. For those of us who use Google and/or Facebook, be aware of how criminals are preying on the unwary.


We’d like to start with a couple of examples, so you know what to look out for. Criminals will often register rogue domains that use letters or symbols subtly different from the real ones. Last month, researchers from Malwarebytes spotted the following advert for the password manager KeePass. It’s fake, and it sits at the top of the listings because that position has been paid for. The only visible difference from the real site (which appears second) is the letter ‘k’ in the domain name: the one in the advert is slightly shorter because it isn’t the ASCII letter k at all, but a look-alike Unicode character with a small mark beneath it. You’d probably never notice; you’d click through, download the software, and find it doing all sorts of unwanted things.

[Image: the paid-for fake KeePass advert shown above the genuine result]

This works because domain names can only contain a limited set of ASCII characters, so any other characters are converted into that set using an encoding called ‘punycode’ (the encoded label starts with ‘xn--’) and then converted back into the look-alike characters when your browser displays them. There’s a good article on how it works here: https://fraudwatch.com/blog/what-is-punycode-phishing-part-1/#:~:text=Punycode%20Problems,replaced%20deceptively%20with%20Unicode%20characters


Some browsers show you the raw ‘xn--’ form, or warn, when a name is made of look-alike characters; others display the decoded characters and leave you to spot the difference. Which browser does what has changed since this trick was first demonstrated in 2017 (Chrome has shown the punycode form for this particular example since then, while Firefox still shows the decoded name by default), so test your own: paste xn--80ak6aa92e.com into your address bar. If it turns into something looking just like apple.com, your browser is displaying the decoded form. The letters in that name are in fact Cyrillic, not Latin.

Google Adverts - a warning


So there are two things here. Firstly, always beware of adverts: the genuine site that has earned its ranking, listed below the sponsored results, is always the safer bet.


Secondly, and this one is a bit more technical although probably a two-minute fix: if your address bar made that test name look like a legitimate apple site, do some search engine research on how to ‘enable IDN punycode’ in your browser (in Firefox it is the about:config setting network.IDN_show_punycode, set to true). Hidden look-alike characters will then be shown as the raw ‘xn--’ form, which you can recognise and spot as being wrong in your address bar.
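As an added example (not from this newsletter, and not Malwarebytes’ code), here is a small Python check that does by hand what the browser setting above does for you: it converts a domain between its punycode and Unicode forms, and flags labels whose letters merely look like ASCII, either because a character carries a hidden accent or cedilla, or because it comes from a different script. The Cyrillic-to-Latin look-alike table is a hand-picked subset assumed for illustration, not the full Unicode confusables list; the test names are the apple.com demonstration domain from the text and a KeePass look-alike using a k with cedilla (U+0137), which is an assumption about the character in the Malwarebytes case.

```python
import unicodedata

# Hand-picked Cyrillic letters that render almost identically to Latin ones.
# Assumption for illustration only: the real Unicode confusables list is far larger.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u04cf": "l", "\u0456": "i", "\u0458": "j",
    "\u0455": "s", "\u04bb": "h", "\u0501": "d",
}


def to_punycode(host: str) -> str:
    """ASCII form that DNS actually resolves ('xn--' labels for non-ASCII)."""
    return host.encode("idna").decode("ascii")


def to_unicode(host: str) -> str:
    """Display form a browser shows when it decodes 'xn--' labels."""
    return host.encode("ascii").decode("idna")


def scripts(label: str) -> set:
    """Scripts of the letters in a label (LATIN, CYRILLIC, ...), taken from
    the first word of each character's Unicode name."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}


def skeleton(label: str) -> str:
    """What the label *looks like*: drop accents and cedillas via NFKD, then
    swap known Cyrillic look-alikes for the Latin letters they resemble."""
    decomposed = unicodedata.normalize("NFKD", label)
    base = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in base)


def analyse(host: str) -> dict:
    """Return both spellings of a hostname plus warnings for look-alike labels."""
    host = host.strip().lower().rstrip(".")
    ascii_form = to_punycode(host)
    unicode_form = to_unicode(ascii_form)
    warnings = []
    for label in unicode_form.split("."):
        if label.isascii():
            continue  # plain ASCII label, nothing hidden
        looks_like = skeleton(label)
        if looks_like.isascii() and looks_like != label:
            warnings.append(f"{label!r} looks like {looks_like!r}")
        if len(scripts(label)) > 1:
            warnings.append(f"{label!r} mixes scripts {sorted(scripts(label))}")
    return {
        "ascii": ascii_form,
        "unicode": unicode_form,
        "idn": ascii_form != unicode_form,
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed inputs: the genuine name, the Cyrillic apple.com demo from the
    # text, an assumed k-with-cedilla KeePass look-alike, and a mixed-script name.
    for name in ("apple.com", "xn--80ak6aa92e.com", "\u0137eepass.info", "\u0430pple.com"):
        print(analyse(name))
```

The skeleton step is deliberately two-stage: NFKD plus stripping combining marks catches the KeePass-style accented Latin letter, while the look-alike table catches whole-script Cyrillic names such as the apple.com demonstration, which no normalisation will ever turn back into Latin. A real deployment would swap the small table for the full Unicode confusables data, but the shape of the check is the same.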


So, also on the subject of bad sites. We’re continuing to hear that adverts served against search terms like ‘legal’, ‘contract’, ‘law’ and ‘agreement’ are leading to malicious software. If you need to download templates, make sure you’re doing it from a reputable source.


And if you’re still intent on downloading something via an advert, make sure that the site description tallies with its headline. There’s an example below, again from Malwarebytes, where a coding tool promises to “make your big day perfect” and “build a happily ever after”. Hmmm.


What happened here was that a wedding company had their site compromised, so that it delivered a fake download of a popular application. Because the company had also subscribed to Google’s Dynamic Search Ads, adverts were generated automatically: Google pulled the description from the legitimate wedding site, but took the headline from the injected malicious page.


The issue is that there is no malicious redirection to a fake domain: the advert points at the company’s real, trusted domain, and the rogue advert is probably not something the cyber criminal even anticipated. In this instance, the user would click on the advert, land on a spoof page promising a software download, and (if they continued) end up with a machine so loaded with malware as to be unusable. https://www.malwarebytes.com/blog/threat-intelligence/2023/10/malvertising-via-dynamic-search-ads-delivers-malware-bonanza


[Image: the automatically generated advert pairing the wedding site’s description with the malicious download headline]

Facebook Adverts


This month Vade published its quarterly phishing and malware report, which we thought had some good examples to keep you on your toes. They suggest that Facebook scams are on the rise. The following one looks pretty compelling. As ever, never enter account details by following a link from an email. If you think there are problems with your account, go to the main site or app directly and sort things out from there. Scam emails often use a sense of urgency to get you to comply, and this is no exception.

[Image: fake Facebook account warning email]

The second scam email uses a QR code. Scanning it takes you straight to a website whose address you never see written down, and usually onto your phone, outside whatever protection your work computer has, which is why QR attacks have been on the rise. You might be used to scanning QR codes when setting up multi-factor authentication. Not like this, though, we hope. Both of these attacks will ask you for your account credentials. For more information, take a look at the full report here. https://www.vadesecure.com/en/blog/q3-2023-phishing-malware-report

[Image: phishing email carrying a QR code]

Gamers - a warning


If you are a small business, you might use your home computer for some of what you do. If so, we’d like to mention the report produced by Kaspersky this month on cyber security and gaming. If your work computer is also used by your kids, it makes for slightly scary reading: they detected 4,076,530 game-related desktop infection attempts over the past year, with Minecraft and Roblox accounting for 90% of cases.


If you’re a gamer yourself, you need to be aware of scam giveaways which require you to log in. In the example below, you’re invited to do so via your Facebook account, which means that your social media account is now also potentially lost. More detail at https://securelist.com/game-related-threat-report-2023/110960/

[Image: scam game giveaway page asking for a Facebook login]

Finance and HR


And lastly: a trusted national advisor has suggested that campaigns aimed at finance and HR staff have seen a dramatic increase in the last three months, often using information gleaned from social media sources (“I saw you at the conference the other day…”). If you’re a bigger organisation, it’s worth thinking about where you target your training, and whether your teams are just looking for email scams, or thinking more widely about how they might be approached.

Latest update from RCCU


The South West Police Regional Cyber Crime Unit’s October newsletter covers social engineering and supply chain attacks.



Contact Us

This email was sent by South West Cyber Resilience Centre. 

© 2023 South West Cyber Resilience Centre. 

Joint Emergency Services Building, Wimborne Road, Poole, Dorset, BH15 2BP 


Contact us: enquiries@swcrc.co.uk
