What is ransomware-as-a-service and how is it evolving?

Posted: October 27, 2022 by Bill Cozens

Diving into how RaaS works, why it poses a unique threat to businesses, and how small- and medium-sized businesses (SMBs) can prepare for the next generation of RaaS attacks.

Ransomware attacks are becoming more frequent and costlier—breaches caused by ransomware grew 41 percent in the last year, with the average cost of a destructive attack rising to $5.12 million. What’s more, a good chunk of the cyber criminals doing these attacks operate on a ransomware-as-a-service (RaaS) model.

RaaS is not much different, in theory, from the software-as-a-service (SaaS) business model, where cloud providers “rent out” their technology to you on a subscription basis—just swap out ‘cloud providers’ with ‘ransomware gangs’ and ‘technology’ with ransomware (and the related crimes involved).

In this post, we’ll talk more about how RaaS works, why it poses a unique threat to businesses, and how small- and medium-sized businesses (SMBs) can prepare for the next generation of RaaS attacks.

How does ransomware-as-a-service work?
How ransomware-as-a-service changed the game
Why ransomware-as-a-service attacks are so dangerous
Is ransomware here to stay? The evolution of RaaS attacks
How SMBs can protect themselves against next-gen RaaS
The perfect one-two combo for fighting RaaS

How does ransomware-as-a-service work?

Don’t get it twisted: RaaS gangs aren’t your run-of-the-mill hackers looking to score a few hundred bucks. We’re talking big, sophisticated businesses with up to a hundred employees—LockBit, BlackBasta, and AvosLocker are just a few of the RaaS gangs we cover in our monthly ransomware review.

“This is run as a business,” says Mark Stockley, Security Evangelist at Malwarebytes. “You've got developers, you've got managers, you've got maybe a couple of levels of people doing the negotiations, things like that. And these gangs have made hundreds of millions of dollars each year in the last few years.”

RaaS gangs like LockBit make money by selling “RaaS kits” and other services to groups called affiliates who actually launch the ransomware attacks. In other words, affiliates don’t need crazy technical skills or knowledge to carry out attacks. By working closely with “Initial Access Brokers” (IABs), some RaaS gangs can even offer affiliates direct access into a company's network.

How ransomware-as-a-service changed the game

Let’s jump back to the year 2015. These were the "good ol’ days" where ransomware attacks were automated and carried out on a much smaller scale.

Here’s how it went: somebody would send you an email with an attachment, you double-clicked on it, and ransomware ran on your machine. You’d be locked out of your machine and would have to pay about $300 in Bitcoin to get it unlocked. Attackers would send out loads of these emails, lots of people would get encrypted, and lots of people would pay them a few hundred bucks. That was the business model in a nutshell. 

But then ransomware gangs sniffed out a golden opportunity. 

Rather than attacking individual endpoints for chump change, they realized they could target organizations for big money. Gangs switched from automated campaigns to human-operated ones, where the attack is controlled by an operator. In human-operated attacks, attackers try hard to wedge themselves into a network so that they can move laterally throughout an organization. 

At the forefront of this evolution from automated ransomware to human-operated ransomware attacks are ransomware-as-a-service gangs—and their new business model seems to be paying off: in 2021, ransomware gangs made at least $350 million in ransom payments.

Why ransomware-as-a-service attacks are so dangerous

The fact that RaaS attacks are human-operated means that ransomware attacks are more targeted than they used to be—and targeted attacks are far more dangerous than un-targeted ones. 

In targeted attacks, attackers spend more time, resources, and effort to infiltrate a business’s network and steal information. Such attacks often take advantage of well-known security weaknesses to gain access, with attackers spending days to even months burrowing themselves in your network.

The human-operated element of RaaS attacks also means that RaaS affiliates can control precisely when to launch an attack—including during times where organizations are more vulnerable, such as on holidays or weekends.

“Famously, RaaS affiliates love long weekends,” Stockley said. “They want to run the ransomware when you're not going to notice to give themselves however much time they need in order for the encryption to complete. So they like to do it at nighttime, they love to do it during holidays.”

“You’re dealing with a person,” Stockley continued. “It's not about software running trying to figure everything out; it’s a person trying to figure everything out. And they're trying to figure out what's the best way to attack you.”

Is ransomware here to stay? The evolution of RaaS attacks

One of the biggest innovations in the RaaS space in recent years has been the use of double extortion schemes, where attackers steal data before encryption and threaten to leak it if the ransom isn’t paid. 

Companies have gotten more aware of ransomware and better prepared in terms of things like backups, for example. But if affiliates have already broken into your environment, they can simply use stolen data as extra leverage, leaking bits of it to get your attention, to speed up negotiations, or prove what kind of access they have.   

All of the RaaS gangs these days do double extortion, leaking data on dedicated leak websites on the dark web. Many RaaS programs even feature a suite of extortion support offerings, including leak site hosting. Not only is this trend growing, but there’s chatter about whether or not stand-alone data leaking is the next stage in evolution for RaaS. 

“There are now gangs that only do data leaking, and they don't bother doing the encryption at all,” Stockley said. “Because it's sufficiently successful. And you don't have to worry about software, you don't have to worry about software being detected, you don’t have to worry about it running.”

A LockBit data leak site. Source.

In other words, the evolution from “ransomware-focused” RaaS to “leaking-focused” RaaS means that businesses need to rethink the nature of the problem: It’s not about ransomware per se, it’s about an intruder on your network. The really dangerous thing is turning out to be the access, not the ransomware software itself. 

How SMBs can protect themselves against next-gen RaaS

Preparing for RaaS attacks isn’t any different from preparing for ransomware attacks in general, and advice isn’t going to vary all that much across different sized businesses or industries. Because next-gen RaaS is so focused on intrusion, however, SMBs have their own unique challenges in combating it. 

Monitoring a network 24/7 for signs of a RaaS intrusion is tough work, period, let alone for organizations with shoestring budgets and barely any security staff. Consider the fact that, when a threat actor breaches a target network, they don’t attack right away. The median time between system compromise and detection is 21 days.

By that time, it’s often too late. Data has been harvested or ransomware has been deployed. In fact, 23 percent of intrusions lead to ransomware, 29 percent to data theft, and 30 percent to exploit activity—when adversaries use vulnerabilities to initiate further intrusions.

Even with tools such as EDR, SIEM, and XDR, sifting through alerts and recognizing Indicators of Compromise (IOCs) is the work of seasoned cyber threat hunters—talent that SMBs just can’t afford. That’s why investing in Managed Detection and Response (MDR) is hugely beneficial for SMBs looking to get a leg-up against RaaS attacks. 

“Obviously, the most cost effective thing is to not let people in in the first place. And this is why things like patching, two-factor authentication, and multi-vector Endpoint Protection (EP) are so important,” Stockley said. “But at the point where they've broken in, then you want to detect them before they do anything bad. That’s where MDR comes in.”

The perfect one-two combo for fighting RaaS 

Human-operated, targeted, and easy to execute, RaaS attacks are a dangerous evolution in the history of ransomware. 

Double-extortion tactics, where attackers threaten to leak stolen data to the dark web, are another important evolutionary stage of RaaS campaigns today—to the point where ransomware itself might become obsolete in the future. As a result, SMBs should focus their anti-RaaS efforts on intruder detection with MDR, in addition to implementing ransomware prevention and resilience best practices.

More resources

Get the eBook: Is MDR right for my business?
Top 5 ransomware detection techniques: Pros and cons of each
Cyber threat hunting for SMBs: How MDR can help
A threat hunter talks about what he’s learned in his 16+ year cybersecurity career

ABOUT THE AUTHOR

Bill Cozens, Content Writer

Bill Cozens is a content writer for the Malwarebytes business blog, where he writes about industry challenges and how best to address them.
<$@ Register TagPrefix=\"uc\" TagName=\"widget211394_242885\" Src=\"~/widgets/blog/blog-footer-links.ascx\" $>\n<$@ Register TagPrefix=\"uc\" TagName=\"widget236482_242885\" Src=\"~/widgets/blog/blog-footer-code.ascx\" $>\n", "custom_t_title":"What is ransomware-as-a-service and how is it evolving?", "custom_s_title":"What is ransomware-as-a-service and how is it evolving?", "custom_t_short_description":"Diving into how RaaS works, why it poses a unique threat to businesses, and how small-and-medium-sized (SMBs) businesses can prepare for the next generation of RaaS attacks.\n\n", "custom_s_podcast_data":"", "custom_t_tags_text":"", "custom_s_tags_text":"", "custom_t_content":"

Ransomware attacks are becoming more frequent and costlier—breaches caused by ransomware grew 41 percent in the last year, the average cost of a destructive attack rising to $5.12 milllion. What’s more, a good chunk of the cyber criminals doing these attacks operate on a ransomware-as-a-service (RaaS) model.

\n

RaaS is not much different, in theory, from the software-as-a-service (SaaS) business model, where cloud providers “rent out” their technology to you on a subscription basis—just swap out ‘cloud providers’ with ‘ransomware gangs’ and ‘technology’ with ransomware (and the related crimes involved). 

\n

In this post, we’ll talk more about how RaaS works, why it poses a unique threat to businesses, and how small-and-medium-sized (SMBs) businesses can prepare for the next generation of RaaS attacks.

\n

How does ransomware-as-a-service work?

\n

How ransomware-as-a-service changed the game

\n

Why ransomware-as-a-service attacks are so dangerous

\n

Is ransomware here to stay? The evolution of RaaS attacks

\n

How SMBs can protect themselves against next-gen RaaS

\n

The perfect one-two combo for fighting RaaS

\n

\"\"

\n

How does ransomware-as-a-service work?

\n

Don’t get it twisted: RaaS gangs aren’t your run-of-the-mill hackers looking to score a few hundred bucks. We’re talking big, sophisticated businesses with up to a hundred employees—LockBit, BlackBasta, and AvosLocker are just a few of the RaaS gangs we cover in our monthly ransomware review.

\n

“This is run as a business,” says Mark Stockley, Security Evangelist at Malwarebytes. “You've got developers, you've got managers, you've got maybe a couple of levels of people doing the negotiations, things like that. And these gangs have made hundreds of millions of dollars each year in the last few years.”

\n

RaaS gangs like LockBit make money by selling “RaaS kits” and other services to groups called affiliates who actually launch the ransomware attacks. In other words, affiliates don’t need crazy technical skills or knowledge to carry out attacks. By working closely with “Initial Access Brokers” (IABs), some RaaS gangs can even offer affiliates direct access into a company's network.

\n

How ransomware-as-a-service changed the game

\n

Let’s jump back to the year 2015. These were the \"good ol’ days\" where ransomware attacks were automated and carried out on a much smaller scale. 

\n

Here’s how it went: somebody would send you an email with an attachment, you double-clicked on it, and ransomware ran on your machine. You’d be locked out of your machine and would have to pay about $300 in Bitcoin to get it unlocked. Attackers would send out loads of these emails, lots of people would get encrypted, and lots of people would pay them a few hundred bucks. That was the business model in a nutshell. 

\n

But then ransomware gangs sniffed out a golden opportunity. 

\n

Rather than attacking individual endpoints for chump change, they realized they could target organizations for big money. Gangs switched from automated campaigns to human-operated ones, where the attack is controlled by an operator. In human-operated attacks, attackers try hard to wedge themselves into a network so that they can move laterally throughout an organization. 

\n

At the forefront of this evolution from automated ransomware to human-operated ransomware attacks are ransomware-as-a-service gangs—and their new business model seems to be paying off: in 2021, ransomware gangs made at least $350 million in ransom payments.

\n

Why ransomware-as-a-service attacks are so dangerous

\n

The fact that RaaS attacks are human-operated means that ransomware attacks are more targeted than they used to be—and targeted attacks are far more dangerous than un-targeted ones. 

\n

In targeted attacks, attackers spend more time, resources, and effort to infiltrate a businesses network and steal information. Such attacks often take advantage of well-known security weaknesses to gain access, with attackers spending days to even months burrowing themselves in your network. 

\n

The human-operated element of RaaS attacks also means that RaaS affiliates can control precisely when to launch an attack—including during times where organizations are more vulnerable, such as on holidays or weekends.

\n

Famously, RaaS affiliates love long weekends,” Stockley said. “They want to run the ransomware when you're not going to notice to give themselves however much time they need in order for the encryption to complete. So they like to do it at nighttime, they love to do it during holidays.”

\n

“You’re dealing with a person,” Stockley continued. “It's not about software running trying to figure everything out; it’s a person trying to figure everything out. And they're trying to figure out what's the best way to attack you.”

\n

Is ransomware here to stay? The evolution of RaaS attacks

\n

One of the biggest innovations in the RaaS space in recent years has been the use of double extortion schemes, where attackers steal data before encryption and threaten to leak it if the ransom isn’t paid. 

\n

Companies have gotten more aware of ransomware and better prepared in terms of things like backups, for example. But if affiliates have already broken into your environment, they can simply use stolen data as extra leverage, leaking bits of it to get your attention, to speed up negotiations, or prove what kind of access they have.   

\n

All of the RaaS gangs these days do double extortion, leaking data on dedicated leak websites on the dark web. Many RaaS programs even feature a suite of extortion support offerings, including leak site hosting. Not only is this trend growing, but there’s chatter about whether or not stand-alone data leaking is the next stage in evolution for RaaS. 

\n

“There are now gangs that only do data leaking, and they don't bother doing the encryption at all,” Stockley said. “Because it's sufficiently successful. And you don't have to worry about software, you don't have to worry about software being detected, you don’t have to worry about it running.”

\n

\"\"A LockBit data leak site. Source.

\n

In other words, the evolution from “ransomware-focused” RaaS to “leaking-focused” RaaS means that businesses need to rethink the nature of the problem: It’s not about ransomware per se, it’s about an intruder on your network. The really dangerous thing is turning out to be the access, not the ransomware software itself. 

\n

How SMBs can protect themselves against next-gen RaaS

\n

Preparing for RaaS attacks isn’t any different from preparing for ransomware attacks in general, and advice isn’t going to vary all that much across different sized businesses or industries. Because next-gen RaaS is so focused on intrusion, however, SMBs have their own unique challenges in combating it. 

\n

Monitoring a network 24/7 for signs of a RaaS intrusion is tough work, period, let alone for organizations with shoe-string budgets and barely any security staff. Consider the fact that, when a threat actor breaches a target network, they don’t attack right away. The median number of days between system compromise and detection is 21 days.

\n

By that time, it’s often too late. Data has been harvested or ransomware has been deployed. In fact, 23 percent of intrusions lead to ransomware, 29 percent to data theft, and 30 percent to exploit activity—when adversaries use vulnerabilities to initiate further intrusions.

\n

Even with tools such as EDR, SIEM, and XDR, sifting through alerts and recognizing Indicators of Compromise (IOCs) is the work of seasoned cyber threat hunters—talent that SMBs just can’t afford. That’s why investing in Managed Detection and Response (MDR) is hugely beneficial for SMBs looking to get a leg-up against RaaS attacks. 

\n

“Obviously, the most cost effective thing is to not let people in in the first place. And this is why things like patching, two-factor authentication, and multi-vector Endpoint Protection (EP) are so important,” Stockley said. “But at the point where they've broken in, then you want to detect them before they do anything bad. That’s where MDR comes in.”

\n

The perfect one-two combo for fighting RaaS 

\n

Human-operated, targeted, and easy to execute, RaaS attacks are a dangerous evolution in the history of ransomware. 

\n

Double-extortion tactics, where attackers threaten to leak stolen data to the dark web, are another important evolutionary stage of RaaS campaigns today—to the point where ransomware itself might become obsolete in the future. As a result, SMBs should focus their anti-RaaS efforts on intruder detection with MDR, in addition to implementing ransomware prevention and resilience best practices.

\n

More resources

\n

Get the eBook: Is MDR right for my business?

\n

Top 5 ransomware detection techniques: Pros and cons of each

\n

Cyber threat hunting for SMBs: How MDR can help

\n

A threat hunter talks about what he’s learned in his 16+ year cybersecurity career

", "custom_t_content_clean":"Ransomware attacks are becoming more frequent and costlier—breaches caused by ransomware grew 41 percent in the last year, the average cost of a destructive attack rising to $5.12 milllion . What’s more, a good chunk of the cyber criminals doing these attacks operate on a ransomware-as-a-service (RaaS) model. \n\nRaaS is not much different, in theory, from the software-as-a-service (SaaS) business model, where cloud providers “rent out” their technology to you on a subscription basis—just swap out ‘cloud providers’ with ‘ransomware gangs’ and ‘technology’ with ransomware (and the related crimes involved). \n\nIn this post, we’ll talk more about how RaaS works, why it poses a unique threat to businesses, and how small-and-medium-sized (SMBs) businesses can prepare for the next generation of RaaS attacks. \n\nHow does ransomware-as-a-service work? \n\nHow ransomware-as-a-service changed the game \n\nWhy ransomware-as-a-service attacks are so dangerous \n\nIs ransomware here to stay? The evolution of RaaS attacks \n\nHow SMBs can protect themselves against next-gen RaaS \n\nThe perfect one-two combo for fighting RaaS \n\n\nHow does ransomware-as-a-service work? \n\nDon’t get it twisted: RaaS gangs aren’t your run-of-the-mill hackers looking to score a few hundred bucks. We’re talking big, sophisticated businesses with up to a hundred employees— LockBit, BlackBasta, and AvosLocker are just a few of the RaaS gangs we cover in our monthly ransomware review . \n\n“This is run as a business,” says Mark Stockley, Security Evangelist at Malwarebytes. “You've got developers, you've got managers, you've got maybe a couple of levels of people doing the negotiations, things like that. And these gangs have made hundreds of millions of dollars each year in the last few years.” \n\nRaaS gangs like LockBit make money by selling “ RaaS kits ” and other services to groups called affiliates who actually launch the ransomware attacks. 
In other words, affiliates don’t need crazy technical skills or knowledge to carry out attacks. By working closely with “ Initial Access Brokers ” (IABs), some RaaS gangs can even offer affiliates direct access into a company's network. \nHow ransomware-as-a-service changed the game \n\nLet’s jump back to the year 2015. These were the \"good ol’ days\" where ransomware attacks were automated and carried out on a much smaller scale. \n\nHere’s how it went: somebody would send you an email with an attachment, you double-clicked on it, and ransomware ran on your machine. You’d be locked out of your machine and would have to pay about $300 in Bitcoin to get it unlocked. Attackers would send out loads of these emails, lots of people would get encrypted, and lots of people would pay them a few hundred bucks. That was the business model in a nutshell. \n\nBut then ransomware gangs sniffed out a golden opportunity. \n\nRather than attacking individual endpoints for chump change , they realized they could target organizations for big money . Gangs switched from automated campaigns to human-operated ones, where the attack is controlled by an operator. In human-operated attacks, attackers try hard to wedge themselves into a network so that they can move laterally throughout an organization. \n\nAt the forefront of this evolution from automated ransomware to human-operated ransomware attacks are ransomware-as-a-service gangs—and their new business model seems to be paying off: in 2021, ransomware gangs made at least $350 million in ransom payments. \nWhy ransomware-as-a-service attacks are so dangerous \n\nThe fact that RaaS attacks are human-operated means that ransomware attacks are more targeted than they used to be—and targeted attacks are far more dangerous than un-targeted ones. \n\nIn targeted attacks, attackers spend more time, resources, and effort to infiltrate a businesses network and steal information. 
Such attacks often take advantage of well-known security weaknesses to gain access, with attackers spending days to even months burrowing themselves in your network. \n\nThe human-operated element of RaaS attacks also means that RaaS affiliates can control precisely when to launch an attack—including during times where organizations are more vulnerable, such as on holidays or weekends . \n\n“ Famously, RaaS affiliates love long weekends ,” Stockley said. “They want to run the ransomware when you're not going to notice to give themselves however much time they need in order for the encryption to complete. So they like to do it at nighttime, they love to do it during holidays .” \n\n“You’re dealing with a person,” Stockley continued. “It's not about software running trying to figure everything out; it’s a person trying to figure everything out. And they're trying to figure out what's the best way to attack you.” \nIs ransomware here to stay? The evolution of RaaS attacks \n\nOne of the biggest innovations in the RaaS space in recent years has been the use of double extortion schemes, where attackers steal data before encryption and threaten to leak it if the ransom isn’t paid. \n\nCompanies have gotten more aware of ransomware and better prepared in terms of things like backups, for example. But if affiliates have already broken into your environment, they can simply use stolen data as extra leverage, leaking bits of it to get your attention, to speed up negotiations, or prove what kind of access they have.   \n\nAll of the RaaS gangs these days do double extortion, leaking data on dedicated leak websites on the dark web. Many RaaS programs even feature a suite of extortion support offerings, including leak site hosting. Not only is this trend growing, but there’s chatter about whether or not stand-alone data leaking is the next stage in evolution for RaaS. 
\n\n“There are now gangs that only do data leaking, and they don't bother doing the encryption at all,” Stockley said. “Because it's sufficiently successful. And you don't have to worry about software, you don't have to worry about software being detected, you don’t have to worry about it running.” \n\nA LockBit data leak site. Source . \n\nIn other words, the evolution from “ransomware-focused” RaaS to “leaking-focused” RaaS means that businesses need to rethink the nature of the problem: It’s not about ransomware per se, it’s about an intruder on your network. The really dangerous thing is turning out to be the access, not the ransomware software itself. \nHow SMBs can protect themselves against next-gen RaaS \n\nPreparing for RaaS attacks isn’t any different from preparing for ransomware attacks in general, and advice isn’t going to vary all that much across different sized businesses or industries. Because next-gen RaaS is so focused on intrusion, however, SMBs have their own unique challenges in combating it. \n\nMonitoring a network 24/7 for signs of a RaaS intrusion is tough work , period, let alone for organizations with shoe-string budgets and barely any security staff. Consider the fact that, when a threat actor breaches a target network, they don’t attack right away. The median number of days between system compromise and detection is 21 days . \n\nBy that time, it’s often too late. Data has been harvested or ransomware has been deployed. In fact, 23 percent of intrusions lead to ransomware , 29 percent to data theft, and 30 percent to exploit activity—when adversaries use vulnerabilities to initiate further intrusions. \n\nEven with tools such as EDR, SIEM, and XDR, sifting through alerts and recognizing Indicators of Compromise (IOCs) is the work of seasoned cyber threat hunters —talent that SMBs just can’t afford. That’s why investing in Managed Detection and Response (MDR) is hugely beneficial for SMBs looking to get a leg-up against RaaS attacks. 
\n\n“Obviously, the most cost effective thing is to not let people in in the first place. And this is why things like patching, two-factor authentication, and multi-vector Endpoint Protection (EP) are so important,” Stockley said. “But at the point where they've broken in, then you want to detect them before they do anything bad. That’s where MDR comes in.” \nThe perfect one-two combo for fighting RaaS \n\nHuman-operated, targeted, and easy to execute, RaaS attacks are a dangerous evolution in the history of ransomware. \n\nDouble-extortion tactics, where attackers threaten to leak stolen data to the dark web, are another important evolutionary stage of RaaS campaigns today—to the point where ransomware itself might become obsolete in the future. As a result, SMBs should focus their anti-RaaS efforts on intruder detection with MDR , in addition to implementing ransomware prevention and resilience best practices . \nMore resources \n\nGet the eBook: Is MDR right for my business? \n\nTop 5 ransomware detection techniques: Pros and cons of each \n\nCyber threat hunting for SMBs: How MDR can help \n\nA threat hunter talks about what he’s learned in his 16+ year cybersecurity career", "custom_s_image_alt":"hacker-person", "custom_s_date":"October 27, 2022", "custom_s_date_gmt":"10/27/2022 6:45:00 PM", "custom_s_thumbnail_image":"/blog/business/2022/10/easset_upload_file24045_242885_e.jpg", "custom_s_key_image":"/blog/business/2022/10/easset_upload_file24045_242885_e.jpg", "custom_s_thumbnail_image_medium":"/blog/business/2022/10/asset_upload_file35972_242885.jpg", "custom_s_thumbnail_image_small":"/blog/business/2022/10/asset_upload_file11859_242885.jpg", "custom_s_thumbnail_optimized_138x72":"/blog/business/2022/10/asset_upload_file56166_242885.jpg", "custom_s_tthumbnail_optimized_272x121":"", "custom_s_thumbnail_optimized_518x271":"/blog/business/2022/10/asset_upload_file65096_242885.jpg", 
"custom_s_thumbnail_optimized_736x413":"/blog/business/2022/10/asset_upload_file81845_242885.jpg", "custom_ss_category_id":["54741"], "custom_ss_category_display":["Business"], "custom_ss_category_key":["business-2"], "custom_ss_category_link":["/blog/category/business"], "custom_ss_author_id":["225113"], "custom_ss_author_display":["Bill Cozens"], "custom_ss_author_link":["/blog/authors/wcozens"], "custom_s_disqus_postid":"242885", "custom_s_disqus_identifier":"242885", "custom_s_country":"us", "custom_s_language":"en", "custom_s_currency":"USD", "custom_s_timezone":"Eastern Standard Time", "custom_i_page_score":0, "title":"What is ransomware-as-a-service and how is it evolving?", "custom_s_url":"/blog/business/2022/10/what-is-ransomware-as-a-service-and-how-is-it-evolving", "content":"Business \n \n What is ransomware-as-a-service and how is it evolving? \n \n\n Posted: October 27, 2022 \n by Bill Cozens \n \n Diving into how RaaS works, why it poses a unique threat to businesses, and how small-and-medium-sized (SMBs) businesses can prepare for the next generation of RaaS attacks.\n\n\n \n \nRansomware attacks are becoming more frequent and costlier—breaches caused by ransomware grew 41 percent in the last year, the average cost of a destructive attack rising to $5.12 milllion . What’s more, a good chunk of the cyber criminals doing these attacks operate on a ransomware-as-a-service (RaaS) model. \n\nRaaS is not much different, in theory, from the software-as-a-service (SaaS) business model, where cloud providers “rent out” their technology to you on a subscription basis—just swap out ‘cloud providers’ with ‘ransomware gangs’ and ‘technology’ with ransomware (and the related crimes involved). \n\nIn this post, we’ll talk more about how RaaS works, why it poses a unique threat to businesses, and how small-and-medium-sized (SMBs) businesses can prepare for the next generation of RaaS attacks. \n\nHow does ransomware-as-a-service work? 
\n\nHow ransomware-as-a-service changed the game \n\nWhy ransomware-as-a-service attacks are so dangerous \n\nIs ransomware here to stay? The evolution of RaaS attacks \n\nHow SMBs can protect themselves against next-gen RaaS \n\nThe perfect one-two combo for fighting RaaS \n\n\nHow does ransomware-as-a-service work? \n\nDon’t get it twisted: RaaS gangs aren’t your run-of-the-mill hackers looking to score a few hundred bucks. We’re talking big, sophisticated businesses with up to a hundred employees—LockBit, BlackBasta, and AvosLocker are just a few of the RaaS gangs we cover in our monthly ransomware review. \n\n“This is run as a business,” says Mark Stockley, Security Evangelist at Malwarebytes. “You've got developers, you've got managers, you've got maybe a couple of levels of people doing the negotiations, things like that. And these gangs have made hundreds of millions of dollars each year in the last few years.” \n\nRaaS gangs like LockBit make money by selling “RaaS kits” and other services to groups called affiliates who actually launch the ransomware attacks. In other words, affiliates don’t need crazy technical skills or knowledge to carry out attacks. By working closely with “Initial Access Brokers” (IABs), some RaaS gangs can even offer affiliates direct access into a company's network. \nHow ransomware-as-a-service changed the game \n\nLet’s jump back to the year 2015. These were the \"good ol’ days\" where ransomware attacks were automated and carried out on a much smaller scale. \n\nHere’s how it went: somebody would send you an email with an attachment, you double-clicked on it, and ransomware ran on your machine. You’d be locked out of your machine and would have to pay about $300 in Bitcoin to get it unlocked. Attackers would send out loads of these emails, lots of people would get encrypted, and lots of people would pay them a few hundred bucks. That was the business model in a nutshell. 
\n\nBut then ransomware gangs sniffed out a golden opportunity. \n\nRather than attacking individual endpoints for chump change, they realized they could target organizations for big money. Gangs switched from automated campaigns to human-operated ones, where the attack is controlled by an operator. In human-operated attacks, attackers try hard to wedge themselves into a network so that they can move laterally throughout an organization. \n\nAt the forefront of this evolution from automated ransomware to human-operated ransomware attacks are ransomware-as-a-service gangs—and their new business model seems to be paying off: in 2021, ransomware gangs made at least $350 million in ransom payments. \nWhy ransomware-as-a-service attacks are so dangerous \n\nThe fact that RaaS attacks are human-operated means that ransomware attacks are more targeted than they used to be—and targeted attacks are far more dangerous than un-targeted ones. \n\nIn targeted attacks, attackers spend more time, resources, and effort to infiltrate a business's network and steal information. Such attacks often take advantage of well-known security weaknesses to gain access, with attackers spending days or even months burrowing themselves in your network. \n\nThe human-operated element of RaaS attacks also means that RaaS affiliates can control precisely when to launch an attack—including during times when organizations are more vulnerable, such as on holidays or weekends. \n\n“Famously, RaaS affiliates love long weekends,” Stockley said. “They want to run the ransomware when you're not going to notice to give themselves however much time they need in order for the encryption to complete. So they like to do it at nighttime, they love to do it during holidays.” \n\n“You’re dealing with a person,” Stockley continued. “It's not about software running trying to figure everything out; it’s a person trying to figure everything out. 
And they're trying to figure out what's the best way to attack you.” \nIs ransomware here to stay? The evolution of RaaS attacks \n\nOne of the biggest innovations in the RaaS space in recent years has been the use of double extortion schemes, where attackers steal data before encryption and threaten to leak it if the ransom isn’t paid. \n\nCompanies have gotten more aware of ransomware and better prepared in terms of things like backups, for example. But if affiliates have already broken into your environment, they can simply use stolen data as extra leverage, leaking bits of it to get your attention, to speed up negotiations, or prove what kind of access they have. \n\nAll of the RaaS gangs these days do double extortion, leaking data on dedicated leak websites on the dark web. Many RaaS programs even feature a suite of extortion support offerings, including leak site hosting. Not only is this trend growing, but there’s chatter about whether or not stand-alone data leaking is the next stage in evolution for RaaS. \n\n“There are now gangs that only do data leaking, and they don't bother doing the encryption at all,” Stockley said. “Because it's sufficiently successful. And you don't have to worry about software, you don't have to worry about software being detected, you don’t have to worry about it running.” \n\nA LockBit data leak site. Source. \n\nIn other words, the evolution from “ransomware-focused” RaaS to “leaking-focused” RaaS means that businesses need to rethink the nature of the problem: It’s not about ransomware per se, it’s about an intruder on your network. The really dangerous thing is turning out to be the access, not the ransomware software itself. \nHow SMBs can protect themselves against next-gen RaaS \n\nPreparing for RaaS attacks isn’t any different from preparing for ransomware attacks in general, and advice isn’t going to vary all that much across different sized businesses or industries. 
Because next-gen RaaS is so focused on intrusion, however, SMBs have their own unique challenges in combating it. \n\nMonitoring a network 24/7 for signs of a RaaS intrusion is tough work, period, let alone for organizations with shoestring budgets and barely any security staff. Consider the fact that, when a threat actor breaches a target network, they don’t attack right away. The median number of days between system compromise and detection is 21 days. \n\nBy that time, it’s often too late. Data has been harvested or ransomware has been deployed. In fact, 23 percent of intrusions lead to ransomware, 29 percent to data theft, and 30 percent to exploit activity—when adversaries use vulnerabilities to initiate further intrusions. \n\nEven with tools such as EDR, SIEM, and XDR, sifting through alerts and recognizing Indicators of Compromise (IOCs) is the work of seasoned cyber threat hunters—talent that SMBs just can’t afford. That’s why investing in Managed Detection and Response (MDR) is hugely beneficial for SMBs looking to get a leg up against RaaS attacks. \n\n“Obviously, the most cost effective thing is to not let people in in the first place. And this is why things like patching, two-factor authentication, and multi-vector Endpoint Protection (EP) are so important,” Stockley said. “But at the point where they've broken in, then you want to detect them before they do anything bad. That’s where MDR comes in.” \nThe perfect one-two combo for fighting RaaS \n\nHuman-operated, targeted, and easy to execute, RaaS attacks are a dangerous evolution in the history of ransomware. \n\nDouble-extortion tactics, where attackers threaten to leak stolen data to the dark web, are another important evolutionary stage of RaaS campaigns today—to the point where ransomware itself might become obsolete in the future. 
As a result, SMBs should focus their anti-RaaS efforts on intruder detection with MDR, in addition to implementing ransomware prevention and resilience best practices. \nMore resources \n\nGet the eBook: Is MDR right for my business? \n\nTop 5 ransomware detection techniques: Pros and cons of each \n\nCyber threat hunting for SMBs: How MDR can help \n\nA threat hunter talks about what he’s learned in his 16+ year cybersecurity career \n\nABOUT THE AUTHOR \n\nBill Cozens \n\nContent Writer \n\nBill Cozens is content writer for the Malwarebytes business blog, where he writes about industry challenges and how best to address them.", "custom_dt_date":"2022-10-27T18:45:00Z", "language":"en", "_version_":1747868174562361344, "score":0.49814332}, { "id":"241534", "url":"241534", "custom_s_template":"blog post", "metadata_title":"Dormant Colors browser hijackers could be used for more nefarious tasks, report says", "metadata_description":"", "metadata_keywords":"", "custom_s_lastpublished":"10/27/2022 5:38:18 PM", "custom_t_content_html":"<$@ Register TagPrefix=\"uc\" TagName=\"widget216983_241534\" Src=\"~/widgets/blog/blog-header-code.ascx\" $>\n<$@ Register TagPrefix=\"uc\" TagName=\"widget50434_241534\" Src=\"~/widgets/blog/blog-subnav.ascx\" $>\n

News

Dormant Colors browser hijackers could be used for more nefarious tasks, report says

Posted: by Malwarebytes Labs

Dormant Colors, a browser extension campaign, was spotted stealing browser data and hijacking search results and affiliation to thousands of sites.

Researchers from Guardio, a cybersecurity company specializing in web browser protection, recently revealed a campaign involving a trove of popular yet malicious extensions programmed to steal user searches, browsing data, and affiliation to thousands of targeted sites.


Nicknamed \"Dormant Colors,\" this campaign involves at least 30 variants of browser extensions for Chrome and Edge, once available in their respective stores (you can't find them there now). The campaign was named as such because all the extensions offer browser color customization options, and their \"maliciousness\" lies dormant until triggered by their creator.


The non-exhaustive list of 30 browser extensions belonging to the Dormant Colors campaign. Note these are extension names with their icons. (Source: Guardio)


According to researchers, the campaign starts with malvertising in the form of ads on web pages or redirects from offered video and download links. If a site visitor attempts to download what an ad offers or watch a video stream, they are redirected to a page informing them they need to download an extension first. Of course, an extension is never required. It's part of the campaign to make users believe an extension download is needed.


Once visitors confirm the download, one of the 30 extensions above is installed on the browser. The extension then redirects users to various pages that surreptitiously side-load malicious scripts, which instruct it to begin hijacking user searches and inserting affiliate links.


When hijacking user searches, the extension redirects search query results to display results from sites affiliated with the extension developers. Doing this gives them money from ad impressions and the sale of search data.


Another way that surreptitious extension developers wrongfully gain money is by redirecting users to the same page but with an affiliate link appended to the URL. For example, a user visits 365games.co.uk to buy video game merchandise. After the default page to this site finishes loading, the extension redirects the user to the same page but with an affiliate link included. The URL in the address bar would look something like this: 365games.co.uk/{affiliate-related string}.


Users visiting Amazon, AliExpress, and porn sites should expect to see affiliate redirections when hit with this campaign. 


It's worrying that the average internet user hardly notices this campaign's quick and easy money-making schemes because it has the potential to go beyond hijacking and URL sleight-of-hand. Guardio researchers say developers could program their extensions to direct users to phishing pages to steal credentials, especially those used to log in to work-related accounts. They could also write side-loaded code telling the extension to point users to a malware download site.


\"This campaign is still up and running, shifting domains, generating new extensions, and re-inventing more color and style-changing functions you can for sure manage without,\" said Guardio researchers in their full write-up. \"At the end of the day, it’s not only affiliation fees being collected on your back, this is your privacy as well as your internet experience being compromised here, in ways that can target organizations by harvesting credentials and hijacking accounts and financial data.\"

<$@ Register TagPrefix=\"uc\" TagName=\"widget211394_241534\" Src=\"~/widgets/blog/blog-footer-links.ascx\" $>\n<$@ Register TagPrefix=\"uc\" TagName=\"widget236482_241534\" Src=\"~/widgets/blog/blog-footer-code.ascx\" $>\n", "custom_t_title":"Dormant Colors browser hijackers could be used for more nefarious tasks, report says", "custom_s_title":"Dormant Colors browser hijackers could be used for more nefarious tasks, report says", "custom_t_short_description":"Dormant Colors, a browser extension campaign, was spotted stealing browser data and hijacking search results and affiliation to thousands of sites.", "custom_s_podcast_data":"", "custom_t_tags_text":"Dormant Colors, Guardio, browser hijacking, affiliate hijacking, search hijacking, malicious browser extension", "custom_s_tags_text":"Dormant Colors, Guardio, browser hijacking, affiliate hijacking, search hijacking, malicious browser extension", "custom_t_content":"

", "custom_s_image_alt":"a burst of colours", "custom_txt_tags":["Dormant Colors", " Guardio", " browser hijacking", " affiliate hijacking", " search hijacking", " malicious browser extension"], "custom_s_date":"October 27, 2022", "custom_s_date_gmt":"10/27/2022 5:30:00 PM", "custom_s_thumbnail_image":"/blog/news/2022/10/easset_upload_file31001_241534_e.jpg", "custom_s_key_image":"/blog/news/2022/10/easset_upload_file31001_241534_e.jpg", "custom_s_thumbnail_image_medium":"/blog/news/2022/10/asset_upload_file15137_241534.jpg", "custom_s_thumbnail_image_small":"/blog/news/2022/10/asset_upload_file92923_241534.jpg", "custom_s_thumbnail_optimized_138x72":"/blog/news/2022/10/asset_upload_file45745_241534.jpg", "custom_s_tthumbnail_optimized_272x121":"", "custom_s_thumbnail_optimized_518x271":"/blog/news/2022/10/asset_upload_file48879_241534.jpg", "custom_s_thumbnail_optimized_736x413":"/blog/news/2022/10/asset_upload_file78716_241534.jpg", "custom_ss_category_id":["215042"], "custom_ss_category_display":["News"], "custom_ss_category_key":["news"], "custom_ss_category_link":["/blog/category/news"], "custom_ss_author_id":["50773"], "custom_ss_author_display":["Malwarebytes Labs"], "custom_ss_author_link":["/blog/authors/malwarebyteslabs"], "custom_s_disqus_postid":"241534", "custom_s_disqus_identifier":"241534", "custom_s_country":"us", "custom_s_language":"en", "custom_s_currency":"USD", "custom_s_timezone":"Eastern Standard Time", "custom_i_page_score":0, "title":"Dormant Colors browser hijackers could be used for more nefarious tasks, report says", "custom_s_url":"/blog/news/2022/10/report-popular-yet-harmful-browser-hijackers-could-be-used-for-more-nefarious-tasks", "content":"News \n \n Dormant 
Colors browser hijackers could be used for more nefarious tasks, report says \n \n\n Posted: October 27, 2022 \n by Malwarebytes Labs \n \n Dormant Colors, a browser extension campaign, was spotted stealing browser data and hijacking search results and affiliation to thousands of sites. \n \n \nResearchers from Guardio, a cybersecurity company specializing in web browser protection, recently revealed a campaign involving a trove of popular yet malicious extensions programmed to steal user searches, browsing data, and affiliation to thousands of targeted sites. \n\nNicknamed \"Dormant Colors,\" this campaign involves at least 30 variants of browser extensions for Chrome and Edge, once available in their respective stores (you can't find them there now). The campaign was named as such because all the extensions offer browser color customization options, and their \"maliciousness\" lie dormant until triggered by their creator. \n\n\n\nThe inexhaustive list of 30 browser extensions belonging to the Dormant Colors campaign. Note these are extension names with their icons. (Source: Guardio ) \n\nAccording to researchers, the campaign starts with malvertising in the form of ads on web pages or redirects from offered video and download links. If a site visitor attempts to download what an ad offers or watch a video stream, they are redirected to a page informing them they need to download an extension first. Of course, an extension is never required. It's part of the campaign to make users believe an extension download is needed. \n\nOnce visitors confirm the download, one of the 30 extensions above is installed on the browser. The extension then redirects users to various pages that surreptitiously side-load malicious scripts, which instruct it to begin hijacking user searches and inserting affiliate links. \n\nWhen hijacking user searches, the extension redirects search query results to display results from sites affiliated with the extension developers. 
Doing this gives them money from ad impressions and the sale of search data. \n\nAnother way that surreptitious extension developers wrongfully gain money is by redirecting users to the same page but with an affiliate link appended to the URL. For example, a user visits 365games.co.uk  to buy video game merchandise. After the default page to this site finishes loading, the extension redirects the user to the same page but with an affiliate link included. The URL in the address bar would look something like this: 365games.co.uk/{affiliate-related string} . \n\nUsers visiting Amazon, AliExpress, and porn sites should expect to see affiliate redirections when hit with this campaign. \n\nIt's worrying that the average internet user hardly notices this campaign's quick and easy money-making schemes because it has the potential to go beyond hijacking and URL sleight-of-hand. Guardio researchers say developers could program their extensions to direct users to phishing pages to steal credentials, especially those used to log in to work-related accounts. They could also write side-loaded code telling the extension to point users to a malware download site. \n\n\"This campaign is still up and running, shifting domains, generating new extensions, and re-inventing more color and style-changing functions you can for sure manage without,\" said Guardio researchers in their full write-up . 
\"At the end of the day, it’s not only affiliation fees being collected on your back, this is your privacy as well as your internet experience being compromised here, in ways that can target organizations by harvesting credentials and hijacking accounts and financial data.\" \n \n \nSHARE THIS ARTICLE \n \n \n \n \n \n \n \nCOMMENTS \n \n \n \n \n \n \nRELATED ARTICLES \n \n \n \n \n \n \n \n \nABOUT THE AUTHOR \n \n \n \n \n\n Malwarebytes Labs", "custom_dt_date":"2022-10-27T17:30:00Z", "language":"en", "content_en":"News \n \n Dormant Colors browser hijackers could be used for more nefarious tasks, report says \n \n\n Posted: October 27, 2022 \n by Malwarebytes Labs \n \n Dormant Colors, a browser extension campaign, was spotted stealing browser data and hijacking search results and affiliation to thousands of sites. \n \n \nResearchers from Guardio, a cybersecurity company specializing in web browser protection, recently revealed a campaign involving a trove of popular yet malicious extensions programmed to steal user searches, browsing data, and affiliation to thousands of targeted sites. \n\nNicknamed \"Dormant Colors,\" this campaign involves at least 30 variants of browser extensions for Chrome and Edge, once available in their respective stores (you can't find them there now). The campaign was named as such because all the extensions offer browser color customization options, and their \"maliciousness\" lie dormant until triggered by their creator. \n\n\n\nThe inexhaustive list of 30 browser extensions belonging to the Dormant Colors campaign. Note these are extension names with their icons. (Source: Guardio ) \n\nAccording to researchers, the campaign starts with malvertising in the form of ads on web pages or redirects from offered video and download links. If a site visitor attempts to download what an ad offers or watch a video stream, they are redirected to a page informing them they need to download an extension first. 
Of course, an extension is never required. It's part of the campaign to make users believe an extension download is needed. \n\nOnce visitors confirm the download, one of the 30 extensions above is installed on the browser. The extension then redirects users to various pages that surreptitiously side-load malicious scripts, which instruct it to begin hijacking user searches and inserting affiliate links. \n\nWhen hijacking user searches, the extension redirects search query results to display results from sites affiliated with the extension developers. Doing this gives them money from ad impressions and the sale of search data. \n\nAnother way that surreptitious extension developers wrongfully gain money is by redirecting users to the same page but with an affiliate link appended to the URL. For example, a user visits 365games.co.uk  to buy video game merchandise. After the default page to this site finishes loading, the extension redirects the user to the same page but with an affiliate link included. The URL in the address bar would look something like this: 365games.co.uk/{affiliate-related string} . \n\nUsers visiting Amazon, AliExpress, and porn sites should expect to see affiliate redirections when hit with this campaign. \n\nIt's worrying that the average internet user hardly notices this campaign's quick and easy money-making schemes because it has the potential to go beyond hijacking and URL sleight-of-hand. Guardio researchers say developers could program their extensions to direct users to phishing pages to steal credentials, especially those used to log in to work-related accounts. They could also write side-loaded code telling the extension to point users to a malware download site. \n\n\"This campaign is still up and running, shifting domains, generating new extensions, and re-inventing more color and style-changing functions you can for sure manage without,\" said Guardio researchers in their full write-up . 
\"At the end of the day, it’s not only affiliation fees being collected on your back, this is your privacy as well as your internet experience being compromised here, in ways that can target organizations by harvesting credentials and hijacking accounts and financial data.\" \n \n \nSHARE THIS ARTICLE \n \n \n \n \n \n \n \nCOMMENTS \n \n \n \n \n \n \nRELATED ARTICLES \n \n \n \n \n \n \n \n \nABOUT THE AUTHOR \n \n \n \n \n\n Malwarebytes Labs", "_version_":1747863260586049536, "score":0.87376285}, { "id":"241531", "url":"241531", "custom_s_template":"blog post", "metadata_title":"Medibank customers' personal data compromised by cyber attack", "metadata_description":"Medibank confirmed that the threat actor behind the cyberattack had access to the data of at least 4 million customers", "metadata_keywords":"Medibank, health care data", "custom_s_lastpublished":"10/27/2022 5:27:32 PM", "custom_t_content_html":"<$@ Register TagPrefix=\"uc\" TagName=\"widget216983_241531\" Src=\"~/widgets/blog/blog-header-code.ascx\" $>\n<$@ Register TagPrefix=\"uc\" TagName=\"widget50434_241531\" Src=\"~/widgets/blog/blog-subnav.ascx\" $>\n
News

Medibank customers' personal data compromised by cyber attack

Posted: October 27, 2022 by Pieter Arntz

Australian health care insurance company Medibank confirmed that the threat actor behind the cyberattack on the company had access to the data of at least 4 million customers.

Australian health care insurance company Medibank confirmed that the threat actor behind a cyberattack on the company had access to the data of at least 4 million customers.

Although Medibank at first said that there was “no evidence that customer data has been accessed,” a week later their investigation shows that the threat actor had access to all Medibank customers’ personal data and significant amounts of health claims data.

Stolen data

The cybercrime investigation shows that the criminal had access to:

  • All ahm customers’ personal data and significant amounts of health claims data
  • All international student customers’ personal data and significant amounts of health claims data
  • All Medibank customers’ personal data and significant amounts of health claims data

This does not necessarily mean that all these data have been stolen, but Medibank has been contacted by the threat actor claiming to have stolen 200GB of data. They provided a sample of records for 100 policy records which are believed to come from the ahm and international student systems.

The provided data sample includes first names and surnames, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers and some claims data. It also includes the location of where a customer received medical services, and codes relating to their diagnosis and procedures.

The claim that the attackers have stolen other information, including data related to credit card security, has not yet been verified.

Not just current customers

Medibank has promised it will commence making direct contact with the affected customers to inform them of this latest development, and to provide support and guidance on what to do next. There may be some surprises, because not all affected people are current customers. Australian law required Medibank to hold onto past customers' data, which was why former clients could be caught out by this breach. Relevant laws in the country require the company to keep the health information of adults for at least seven years and for individuals younger than 18 until that individual is at least 25 years old.

What to do?

Medibank and ahm customers can contact Medibank by phone (for ahm customers 13 42 46 and for Medibank customers 13 23 31) or visit the information page on the website for any updates.

Until the investigation has verified the full extent of the stolen data, it is hard to establish whether your data have been stolen. So far it has been confirmed that international students have been affected, of which there are many, since private health insurance is a requirement when they start a study in Australia.

Medibank provides a comprehensive support package for customers who have had their data stolen, which includes:

  • Financial support for customers who are in a uniquely vulnerable position as a result of this crime. They will be supported on an individual basis.
  • Free identity monitoring services for customers who have had their primary ID compromised
  • Reimbursement of fees for re-issue of identity documents that have been fully compromised in this crime

And they are offering all customers access to:

  • Specialist identity protection advice and resources from IDCARE
  • Medibank's mental health and wellbeing support line

This and any new information can be found on Medibank’s webpage about the cybersecurity incident.

As always, when personal data have been stolen it is advisable to deploy some extra vigilance when it comes to phishing attempts that could very well use some of the stolen information to gain credibility.

ABOUT THE AUTHOR

Pieter Arntz
Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.
<$@ Register TagPrefix=\"uc\" TagName=\"widget211394_241531\" Src=\"~/widgets/blog/blog-footer-links.ascx\" $>\n<$@ Register TagPrefix=\"uc\" TagName=\"widget236482_241531\" Src=\"~/widgets/blog/blog-footer-code.ascx\" $>\n", "custom_t_title":"Medibank customers' personal data compromised by cyber attack", "custom_s_title":"Medibank customers' personal data compromised by cyber attack", "custom_t_short_description":"Australian health care insurance company Medibank confirmed that the threat actor behind the cyberattack on the company had access to the data of at least 4 million customers", "custom_s_podcast_data":"", "custom_t_tags_text":"Medibank, data breach", "custom_s_tags_text":"Medibank, data breach", "custom_t_content":"


", "custom_t_content_clean":"Australian health care insurance company Medibank confirmed that the threat actor behind a cyberattack on the company had access to the data of at least 4 million customers. \n\nAlthough Medibank at first said that there was “no evidence that customer data has been accessed,” a week later their investigation shows that the threat actor had access to all Medibank customers’ personal data and significant amounts of health claims data. \nStolen data \n\nThe cybercrime investigation shows that the criminal had access to: \n\nAll ahm customers’ personal data and significant amounts of health claims data \nAll international student customers’ personal data and significant amounts of health claims data \nAll Medibank customers’ personal data and significant amounts of health claims data \n\n\nThis does not necessarily mean that all these data have been stolen, but Medibank has been contacted by the threat actor claiming to have stolen 200GB of data. They provided a sample of records for 100 policy records which are believed to come from the ahm and international student systems. \n\nThe provided data sample includes first names and surnames, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers and some claims data. It also includes the location of where a customer received medical services, and codes relating to their diagnosis and procedures. \n\nThe claim that the attackers have stolen other information, including data related to credit card security, has not yet been verified. \nNot just current customers \n\nMedibank has promised it will commence making direct contact with the affected customers to inform them of this latest development, and to provide support and guidance on what to do next. There may be some surprises, because not all affected people are current customers. Australian law required Medibank to hold onto past customers' data, which was why former clients could be caught out by this breach. 
Relevant laws in the country require the company to keep the health information of adults for at least seven years and for individuals younger than 18 until that individual is at least 25 years old. \nWhat to do? \n\nMedibank and ahm customers can contact Medibank by phone (for ahm customers 13 42 46 and for Medibank customers 13 23 31) or visit the information page  on the website for any updates. \n\nUntil the investigation has verified the full extent of the stolen data, it is hard to establish whether your data have been stolen. So far it has been confirmed international students have been affected. Of which there are many, since private health insurance is a requirement when they start a study in Australia. \n\nMedibank provides comprehensive support package for customers who have had their data stolen which includes: \n\nFinancial support for customers who are in a uniquely vulnerable position as a result of this crime. They will be supported on an individual basis. \nFree identity monitoring services for customers who have had their primary ID compromised \nReimbursement of fees for re-issue of identity documents that have been fully compromised in this crime \n\n\nAnd they are offering all customers access to: \n\nSpecialist identity protection advice and resources from IDCARE \nMedibank's mental health and wellbeing support line \n\n\nThis and any new information can be found on Medibank’s webpage about the cybersecurity incident . 
\n\nAs always, when personal data have been stolen it is advisable to deploy some extra vigilance when it comes to phishing attempts that could very well use some of the stolen information to gain credibility.", "custom_s_image_alt":"medibank logo", "custom_txt_tags":["Medibank", " data breach"], "custom_s_date":"October 27, 2022", "custom_s_date_gmt":"10/27/2022 5:15:00 PM", "custom_s_thumbnail_image":"/blog/news/2022/10/easset_upload_file66182_241531_e.png", "custom_s_key_image":"/blog/news/2022/10/easset_upload_file66182_241531_e.png", "custom_s_thumbnail_image_medium":"/blog/news/2022/10/asset_upload_file52779_241531.png", "custom_s_thumbnail_image_small":"/blog/news/2022/10/asset_upload_file44742_241531.png", "custom_s_thumbnail_optimized_138x72":"/blog/news/2022/10/asset_upload_file58479_241531.png", "custom_s_tthumbnail_optimized_272x121":"", "custom_s_thumbnail_optimized_518x271":"/blog/news/2022/10/asset_upload_file93017_241531.png", "custom_s_thumbnail_optimized_736x413":"/blog/news/2022/10/asset_upload_file87108_241531.png", "custom_ss_category_id":["215042"], "custom_ss_category_display":["News"], "custom_ss_category_key":["news"], "custom_ss_category_link":["/blog/category/news"], "custom_ss_author_id":["50768"], "custom_ss_author_display":["Pieter Arntz"], "custom_ss_author_link":["/blog/authors/metallicamvp"], "custom_s_disqus_postid":"241531", "custom_s_disqus_identifier":"241531", "custom_s_country":"us", "custom_s_language":"en", "custom_s_currency":"USD", "custom_s_timezone":"Eastern Standard Time", "custom_i_page_score":0, "title":"Medibank customers' personal data compromised by cyber attack", "custom_s_url":"/blog/news/2022/10/medibank-customers-personal-data-compromised-by-cyber-attack", "content":"News \n \n Medibank customers' personal data compromised by cyber attack \n \n\n Posted: October 27, 2022 \n by Pieter Arntz \n \n Australian health care insurance company Medibank confirmed that the threat actor behind the cyberattack on the 
company had access to the data of at least 4 million customers \n \n \nAustralian health care insurance company Medibank confirmed that the threat actor behind a cyberattack on the company had access to the data of at least 4 million customers. \n\nAlthough Medibank at first said that there was “no evidence that customer data has been accessed,” a week later their investigation shows that the threat actor had access to all Medibank customers’ personal data and significant amounts of health claims data. \nStolen data \n\nThe cybercrime investigation shows that the criminal had access to: \n\nAll ahm customers’ personal data and significant amounts of health claims data \nAll international student customers’ personal data and significant amounts of health claims data \nAll Medibank customers’ personal data and significant amounts of health claims data \n\n\nThis does not necessarily mean that all these data have been stolen, but Medibank has been contacted by the threat actor claiming to have stolen 200GB of data. They provided a sample of records for 100 policy records which are believed to come from the ahm and international student systems. \n\nThe provided data sample includes first names and surnames, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers and some claims data. It also includes the location of where a customer received medical services, and codes relating to their diagnosis and procedures. \n\nThe claim that the attackers have stolen other information, including data related to credit card security, has not yet been verified. \nNot just current customers \n\nMedibank has promised it will commence making direct contact with the affected customers to inform them of this latest development, and to provide support and guidance on what to do next. There may be some surprises, because not all affected people are current customers. 
Australian law required Medibank to hold onto past customers' data, which was why former clients could be caught out by this breach. Relevant laws in the country require the company to keep the health information of adults for at least seven years and for individuals younger than 18 until that individual is at least 25 years old. \nWhat to do? \n\nMedibank and ahm customers can contact Medibank by phone (for ahm customers 13 42 46 and for Medibank customers 13 23 31) or visit the information page  on the website for any updates. \n\nUntil the investigation has verified the full extent of the stolen data, it is hard to establish whether your data have been stolen. So far it has been confirmed international students have been affected. Of which there are many, since private health insurance is a requirement when they start a study in Australia. \n\nMedibank provides comprehensive support package for customers who have had their data stolen which includes: \n\nFinancial support for customers who are in a uniquely vulnerable position as a result of this crime. They will be supported on an individual basis. \nFree identity monitoring services for customers who have had their primary ID compromised \nReimbursement of fees for re-issue of identity documents that have been fully compromised in this crime \n\n\nAnd they are offering all customers access to: \n\nSpecialist identity protection advice and resources from IDCARE \nMedibank's mental health and wellbeing support line \n\n\nThis and any new information can be found on Medibank’s webpage about the cybersecurity incident . \n\nAs always, when personal data have been stolen it is advisable to deploy some extra vigilance when it comes to phishing attempts that could very well use some of the stolen information to gain credibility. 
\n \n \nSHARE THIS ARTICLE \n \n \n \n \n \n \n \nCOMMENTS \n \n \n \n \n \n \nRELATED ARTICLES \n \n \n \n \n \n \n \n \nABOUT THE AUTHOR \n \n \n \n \n\n Pieter Arntz \n \n \n\n Malware Intelligence Researcher \n \n \nWas a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.", "custom_dt_date":"2022-10-27T17:15:00Z", "language":"en", "content_en":"News \n \n Medibank customers' personal data compromised by cyber attack \n \n\n Posted: October 27, 2022 \n by Pieter Arntz \n \n Australian health care insurance company Medibank confirmed that the threat actor behind the cyberattack on the company had access to the data of at least 4 million customers \n \n \nAustralian health care insurance company Medibank confirmed that the threat actor behind a cyberattack on the company had access to the data of at least 4 million customers. \n\nAlthough Medibank at first said that there was “no evidence that customer data has been accessed,” a week later their investigation shows that the threat actor had access to all Medibank customers’ personal data and significant amounts of health claims data. \nStolen data \n\nThe cybercrime investigation shows that the criminal had access to: \n\nAll ahm customers’ personal data and significant amounts of health claims data \nAll international student customers’ personal data and significant amounts of health claims data \nAll Medibank customers’ personal data and significant amounts of health claims data \n\n\nThis does not necessarily mean that all these data have been stolen, but Medibank has been contacted by the threat actor claiming to have stolen 200GB of data. They provided a sample of records for 100 policy records which are believed to come from the ahm and international student systems. \n\nThe provided data sample includes first names and surnames, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers and some claims data. 
It also includes the location of where a customer received medical services, and codes relating to their diagnosis and procedures. \n\nThe claim that the attackers have stolen other information, including data related to credit card security, has not yet been verified. \nNot just current customers \n\nMedibank has promised it will commence making direct contact with the affected customers to inform them of this latest development, and to provide support and guidance on what to do next. There may be some surprises, because not all affected people are current customers. Australian law required Medibank to hold onto past customers' data, which was why former clients could be caught out by this breach. Relevant laws in the country require the company to keep the health information of adults for at least seven years and for individuals younger than 18 until that individual is at least 25 years old. \nWhat to do? \n\nMedibank and ahm customers can contact Medibank by phone (for ahm customers 13 42 46 and for Medibank customers 13 23 31) or visit the information page  on the website for any updates. \n\nUntil the investigation has verified the full extent of the stolen data, it is hard to establish whether your data have been stolen. So far it has been confirmed international students have been affected. Of which there are many, since private health insurance is a requirement when they start a study in Australia. \n\nMedibank provides comprehensive support package for customers who have had their data stolen which includes: \n\nFinancial support for customers who are in a uniquely vulnerable position as a result of this crime. They will be supported on an individual basis. 
\nFree identity monitoring services for customers who have had their primary ID compromised \nReimbursement of fees for re-issue of identity documents that have been fully compromised in this crime \n\n\nAnd they are offering all customers access to: \n\nSpecialist identity protection advice and resources from IDCARE \nMedibank's mental health and wellbeing support line \n\n\nThis and any new information can be found on Medibank’s webpage about the cybersecurity incident . \n\nAs always, when personal data have been stolen it is advisable to deploy some extra vigilance when it comes to phishing attempts that could very well use some of the stolen information to gain credibility. \n \n \nSHARE THIS ARTICLE \n \n \n \n \n \n \n \nCOMMENTS \n \n \n \n \n \n \nRELATED ARTICLES \n \n \n \n \n \n \n \n \nABOUT THE AUTHOR \n \n \n \n \n\n Pieter Arntz \n \n \n\n Malware Intelligence Researcher \n \n \nWas a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.", "_version_":1747862583895916544, "score":1.6307532}, { "id":"241532", "url":"241532", "custom_s_template":"blog post", "metadata_title":"Maintenance Mode aims to keep phone data private during repairs", "metadata_description":"", "metadata_keywords":"", "custom_s_lastpublished":"10/27/2022 5:13:54 PM", "custom_t_content_html":"<$@ Register TagPrefix=\"uc\" TagName=\"widget216983_241532\" Src=\"~/widgets/blog/blog-header-code.ascx\" $>\n<$@ Register TagPrefix=\"uc\" TagName=\"widget50434_241532\" Src=\"~/widgets/blog/blog-subnav.ascx\" $>\n
\n
\n \n \n
\n
\n
\n
\n \n

\n \"Man\n

\n

\n News\n

\n

Maintenance Mode aims to keep phone data private during repairs

\n

\n Posted: \n by Christopher Boyd\n

\n
We take a look at a new mode developed by Samsung which aims to keep data safe during a repair.
\n
\n

One of the biggest data-related headaches you’ll face with a mobile device is what to do in the event of a repair. When you have to send your phone in for a fix, what happens to your data? In many cases, the repair technicians will simply scrub the phone by default unless you ask them not to. In cases of the latter, though, how do you keep everything safe? You have no guarantee that the technician won’t sneak a peek at files, folders, passwords, logins, your browsing history…you name it, it’s on there.

\n

A timeless problem, and one often met with a resigned sigh, a backup, and a pre-repair phone wipe “just in case”. It’s a reasonable concern. Even if it is very unlikely that the person doing the fixing is remotely interested in your day-to-day life, you’re still placing your personal data and private information in the hands of a complete stranger.

\n

New solutions are being applied to this incredibly common, yet oddly invisible tech problem in the form of Samsung’s new “maintenance mode.”

\n

From repair to maintenance

\n

You may have heard of this new mode by another name. Back in July when word first spread, it was known as repair mode. Anyone digging into the Battery and Device Care options would see a new option to make all of your personal info, apps, and files invisible to the tech looking at the phone. At the time, this option was only available on specific models and also only in South Korea. Similarly, it was assumed this new option would roll out to other regions and devices.

\n

Sure enough, this has proven to be the case and we now have a slow global rollout of this new privacy retaining addition. We also have a name change, in the form of Maintenance Mode, and some more details as to how it operates.

\n

How does Maintenance Mode work?

\n

When activated, \"Maintenance Mode\" essentially creates a temporary, disposable user account on the phone. Access to everything on there previously is restricted for as long as someone else has hold of your device. From the new mode’s splash screen:

\n

\"In maintenance mode, your personal data including pictures, messages, and accounts, can’t be accessed and only preinstalled apps can be used. You’ll need to unlock your phone to turn off maintenance mode. When you do, everything will go back to the way it was when maintenance mode was first turned on. Changes made while maintenance mode is on, such as downloaded data or settings changes, aren’t saved. Back up your data.\"

\n

This last line is good advice. You should always back your data up anyway before handing over your phone, just in case it can’t be fixed. It’s also likely that some people may mistake Maintenance Mode for an additional way of backing up data as opposed to “just” shielding it from prying eyes, so this messaging is entirely worth it.

\n

To use or not to use

\n

Regardless of new tech features for your device, you should always weigh the pros and cons of handing something over with personal details on it, versus just backing up and wiping. New and cool privacy features tend to take a bit of a tech grilling as more people see what they can and can’t do with them. If you’re worried about someone figuring out a way to exploit maintenance mode, for example, you may want to just wait a while and see if anything untoward happens first. Again, while this is probably a minor risk for most people, awful people do awful things with your private data if they feel like they can get away with it.

\n

For everyone else, this might be a new phone addition which goes some way to easing a data deletion headache. It’s definitely no fun to reinstall and reauthorize a whole mobile ecosystem when you get your device back. Perhaps this tips the fatigue odds a little bit back in your favor.

ABOUT THE AUTHOR

\n
\n author\n
\n

\n Christopher Boyd\n \n
\n Lead Malware Intelligence Analyst\n

\n

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.

\n
\n
\n
\n \n \n
\n
\n
\n
\n
<$@ Register TagPrefix=\"uc\" TagName=\"widget211394_241532\" Src=\"~/widgets/blog/blog-footer-links.ascx\" $>\n<$@ Register TagPrefix=\"uc\" TagName=\"widget236482_241532\" Src=\"~/widgets/blog/blog-footer-code.ascx\" $>\n", "custom_t_title":"Maintenance Mode aims to keep phone data private during repairs", "custom_s_title":"Maintenance Mode aims to keep phone data private during repairs", "custom_t_short_description":"We take a look at a new mode developed by Samsung which aims to keep data safe during a repair.", "custom_s_podcast_data":"", "custom_t_tags_text":"Samsung, mobile, cellphone, device, maintenance mode, privacy, security, data, snooping, repairs, fix", "custom_s_tags_text":"Samsung, mobile, cellphone, device, maintenance mode, privacy, security, data, snooping, repairs, fix", "custom_t_content":"

One of the biggest data-related headaches you’ll face with a mobile device is what to do in the event of a repair. When you have to send your phone in for a fix, what happens to your data? In many cases, the repair technicians will simply scrub the phone by default unless you ask them not to. In cases of the latter, though, how do you keep everything safe? You have no guarantee that the technician won’t sneak a peek at files, folders, passwords, logins, your browsing history…you name it, it’s on there.

\n

A timeless problem, and one often met with a resigned sigh, a backup, and a pre-repair phone wipe “just in case”. It’s a reasonable concern. Even if it is very unlikely that the person doing the fixing is remotely interested in your day-to-day life, you’re still placing your personal data and private information in the hands of a complete stranger.

\n

New solutions are being applied to this incredibly common, yet oddly invisible tech problem in the form of Samsung’s new “maintenance mode.”

\n

From repair to maintenance

\n

You may have heard of this new mode by another name. Back in July when word first spread, it was known as repair mode. Anyone digging into the Battery and Device Care options would see a new option to make all of your personal info, apps, and files invisible to the tech looking at the phone. At the time, this option was only available on specific models and also only in South Korea. Similarly, it was assumed this new option would roll out to other regions and devices.

\n

Sure enough, this has proven to be the case and we now have a slow global rollout of this new privacy retaining addition. We also have a name change, in the form of Maintenance Mode, and some more details as to how it operates.

\n

How does Maintenance Mode work?

\n

When activated, \"Maintenance Mode\" essentially creates a temporary, disposable user account on the phone. Access to everything on there previously is restricted for as long as someone else has hold of your device. From the new mode’s splash screen:

\n

\"In maintenance mode, your personal data including pictures, messages, and accounts, can’t be accessed and only preinstalled apps can be used. You’ll need to unlock your phone to turn off maintenance mode. When you do, everything will go back to the way it was when maintenance mode was first turned on. Changes made while maintenance mode is on, such as downloaded data or settings changes, aren’t saved. Back up your data.\"

\n

This last line is good advice. You should always back your data up anyway before handing over your phone, just in case it can’t be fixed. It’s also likely that some people may mistake Maintenance Mode for an additional way of backing up data as opposed to “just” shielding it from prying eyes, so this messaging is entirely worth it.

\n

To use or not to use

\n

Regardless of new tech features for your device, you should always weigh the pros and cons of handing something over with personal details on it, versus just backing up and wiping. New and cool privacy features tend to take a bit of a tech grilling as more people see what they can and can’t do with them. If you’re worried about someone figuring out a way to exploit maintenance mode, for example, you may want to just wait a while and see if anything untoward happens first. Again, while this is probably a minor risk for most people, awful people do awful things with your private data if they feel like they can get away with it.

\n

For everyone else, this might be a new phone addition which goes some way to easing a data deletion headache. It’s definitely no fun to reinstall and reauthorize a whole mobile ecosystem when you get your device back. Perhaps this tips the fatigue odds a little bit back in your favor.

", "custom_t_content_clean":"One of the biggest data related headaches you’ll face with a mobile device is what do to in the event of a repair. When you have to send your phone in for a fix, what happens to your data? In many cases, the repair technicians will simply scrub the phone by default unless you ask them not to. In cases of the latter, though, how do you keep everything safe? You have no guarantee that the technician won’t sneak a peek at files, folders, passwords, logins, your browsing history…you name it, it’s on there. \n\nA timeless problem, and one often met with a resigned sigh, a backup, and a pre-repair phone wipe “just in case”. It’s a reasonable concern. Even if it is very unlikely that the person doing the fixing is remotely interested in your day-to-day life, you’re still trusting your personal data and private information in the hands of a complete stranger. \n\nNew solutions are being applied to this incredibly common, yet oddly invisible tech problem in the form of Samsung’s new “maintenance mode.” \nFrom repair to maintenance \n\nYou may have heard of this new mode by another name. Back in July when word first spread, it was known as repair mode . Anyone digging into the Battery and Device Care options would see a new option to make all of your personal info, apps, and files invisible to the tech looking at the phone. At the time, this option was only available on specific models and also only in South Korea. Similarly, it was assumed this new option would roll out to other regions and devices. \n\nSure enough, this has proven to be the case and we now have a slow global rollout of this new privacy retaining addition. We also have a name change, in the form of Maintenance Mode, and some more details as to how it operates. \nHow does Maintenance Mode work? \n\nWhen activated, \"Maintenance Mode\" essentially creates a temporary, disposable user account on the phone. 
Access to everything on there previously is restricted for as long as someone else has hold of your device. From the new mode’s splash screen: \n\n\"In maintenance mode, your personal data including pictures, messages, and accounts, can’t be accessed and only preinstalled apps can be used. You’ll need to unlock your phone to turn off maintenance mode. When you do, everything will go back to the way it was when maintenance mode was first turned on. Changes made while maintenance mode is on, such as downloaded data or settings changes, aren’t saved. Back up your data.\" \n\nThis last line is good advice. You should always back your data up anyway before handing over your phone, just in case it can’t be fixed. It’s also likely that some people may mistake Maintenance Mode as an additional way of backing up data as opposed to “just” shielding it from prying eyes, so this messaging is entirely worth it. \nTo use or not to use \n\nRegardless of new tech features for your device, you should always weigh the pros and cons of handing something over with personal details on it, versus just backing up and wiping. New and cool privacy features tend to take a bit of a tech grilling as more people see what they can and can’t do with them. If you’re worried about someone figuring out a way to exploit maintenance mode, for example, you may want to just wait a while and see if anything untoward happens first. Again, while this is probably a minor risk for most people, awful people do awful things with your private data if they feel like they can get away with it. \n\nFor everyone else, this might be a new phone addition which goes some way to easing a data deletion headache. It’s definitely no fun to reinstall and reauthorize a whole mobile ecosystem when you get your device back. 
Perhaps this tips the fatigue odds a little bit back in your favor.", "custom_s_image_alt":"Man fixing smartphone", "custom_txt_tags":["Samsung", " mobile", " cellphone", " device", " maintenance mode", " privacy", " security", " data", " snooping", " repairs", " fix"], "custom_s_date":"October 27, 2022", "custom_s_date_gmt":"10/27/2022 5:00:00 PM", "custom_s_thumbnail_image":"/blog/news/2022/10/easset_upload_file14032_241532_e.jpg", "custom_s_key_image":"/blog/news/2022/10/easset_upload_file14032_241532_e.jpg", "custom_s_thumbnail_image_medium":"/blog/news/2022/10/asset_upload_file40922_241532.jpg", "custom_s_thumbnail_image_small":"/blog/news/2022/10/asset_upload_file30269_241532.jpg", "custom_s_thumbnail_optimized_138x72":"/blog/news/2022/10/asset_upload_file94245_241532.jpg", "custom_s_tthumbnail_optimized_272x121":"", "custom_s_thumbnail_optimized_518x271":"/blog/news/2022/10/asset_upload_file75558_241532.jpg", "custom_s_thumbnail_optimized_736x413":"/blog/news/2022/10/asset_upload_file74892_241532.jpg", "custom_ss_category_id":["215042"], "custom_ss_category_display":["News"], "custom_ss_category_key":["news"], "custom_ss_category_link":["/blog/category/news"], "custom_ss_author_id":["50774"], "custom_ss_author_display":["Christopher Boyd"], "custom_ss_author_link":["/blog/authors/cboyd"], "custom_s_disqus_postid":"241532", "custom_s_disqus_identifier":"241532", "custom_s_country":"us", "custom_s_language":"en", "custom_s_currency":"USD", "custom_s_timezone":"Eastern Standard Time", "custom_i_page_score":0, "title":"Maintenance Mode aims to keep phone data private during repairs", "custom_s_url":"/blog/news/2022/10/maintenance-mode-aims-to-keep-phone-data-private-during-repairs", "content":"News \n \n Maintenance Mode aims to keep phone data private during repairs \n \n\n Posted: October 27, 2022 \n by Christopher Boyd \n \n We take a look at a new mode developed by Samsung which aims to keep data safe during a repair. 
\n \n \nOne of the biggest data related headaches you’ll face with a mobile device is what do to in the event of a repair. When you have to send your phone in for a fix, what happens to your data? In many cases, the repair technicians will simply scrub the phone by default unless you ask them not to. In cases of the latter, though, how do you keep everything safe? You have no guarantee that the technician won’t sneak a peek at files, folders, passwords, logins, your browsing history…you name it, it’s on there. \n\nA timeless problem, and one often met with a resigned sigh, a backup, and a pre-repair phone wipe “just in case”. It’s a reasonable concern. Even if it is very unlikely that the person doing the fixing is remotely interested in your day-to-day life, you’re still trusting your personal data and private information in the hands of a complete stranger. \n\nNew solutions are being applied to this incredibly common, yet oddly invisible tech problem in the form of Samsung’s new “maintenance mode.” \nFrom repair to maintenance \n\nYou may have heard of this new mode by another name. Back in July when word first spread, it was known as repair mode . Anyone digging into the Battery and Device Care options would see a new option to make all of your personal info, apps, and files invisible to the tech looking at the phone. At the time, this option was only available on specific models and also only in South Korea. Similarly, it was assumed this new option would roll out to other regions and devices. \n\nSure enough, this has proven to be the case and we now have a slow global rollout of this new privacy retaining addition. We also have a name change, in the form of Maintenance Mode, and some more details as to how it operates. \nHow does Maintenance Mode work? \n\nWhen activated, \"Maintenance Mode\" essentially creates a temporary, disposable user account on the phone. 
Access to everything on there previously is restricted for as long as someone else has hold of your device. From the new mode’s splash screen: \n\n\"In maintenance mode, your personal data including pictures, messages, and accounts, can’t be accessed and only preinstalled apps can be used. You’ll need to unlock your phone to turn off maintenance mode. When you do, everything will go back to the way it was when maintenance mode was first turned on. Changes made while maintenance mode is on, such as downloaded data or settings changes, aren’t saved. Back up your data.\" \n\nThis last line is good advice. You should always back your data up anyway before handing over your phone, just in case it can’t be fixed. It’s also likely that some people may mistake Maintenance Mode as an additional way of backing up data as opposed to “just” shielding it from prying eyes, so this messaging is entirely worth it. \nTo use or not to use \n\nRegardless of new tech features for your device, you should always weigh the pros and cons of handing something over with personal details on it, versus just backing up and wiping. New and cool privacy features tend to take a bit of a tech grilling as more people see what they can and can’t do with them. If you’re worried about someone figuring out a way to exploit maintenance mode, for example, you may want to just wait a while and see if anything untoward happens first. Again, while this is probably a minor risk for most people, awful people do awful things with your private data if they feel like they can get away with it. \n\nFor everyone else, this might be a new phone addition which goes some way to easing a data deletion headache. It’s definitely no fun to reinstall and reauthorize a whole mobile ecosystem when you get your device back. Perhaps this tips the fatigue odds a little bit back in your favor. 
\n \n \nSHARE THIS ARTICLE \n \n \n \n \n \n \n \nCOMMENTS \n \n \n \n \n \n \nRELATED ARTICLES \n \n \n \n \n \n \n \n \nABOUT THE AUTHOR \n \n \n \n \n\n Christopher Boyd \n \n \n\n Lead Malware Intelligence Analyst \n \n \nFormer Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.", "custom_dt_date":"2022-10-27T17:00:00Z", "language":"en", "content_en":"News \n \n Maintenance Mode aims to keep phone data private during repairs \n \n\n Posted: October 27, 2022 \n by Christopher Boyd \n \n We take a look at a new mode developed by Samsung which aims to keep data safe during a repair. \n \n \nOne of the biggest data related headaches you’ll face with a mobile device is what do to in the event of a repair. When you have to send your phone in for a fix, what happens to your data? In many cases, the repair technicians will simply scrub the phone by default unless you ask them not to. In cases of the latter, though, how do you keep everything safe? You have no guarantee that the technician won’t sneak a peek at files, folders, passwords, logins, your browsing history…you name it, it’s on there. \n\nA timeless problem, and one often met with a resigned sigh, a backup, and a pre-repair phone wipe “just in case”. It’s a reasonable concern. Even if it is very unlikely that the person doing the fixing is remotely interested in your day-to-day life, you’re still trusting your personal data and private information in the hands of a complete stranger. \n\nNew solutions are being applied to this incredibly common, yet oddly invisible tech problem in the form of Samsung’s new “maintenance mode.” \nFrom repair to maintenance \n\nYou may have heard of this new mode by another name. Back in July when word first spread, it was known as repair mode . 
Anyone digging into the Battery and Device Care options would see a new option to make all of your personal info, apps, and files invisible to the tech looking at the phone. At the time, this option was only available on specific models and also only in South Korea. Similarly, it was assumed this new option would roll out to other regions and devices. \n\nSure enough, this has proven to be the case and we now have a slow global rollout of this new privacy retaining addition. We also have a name change, in the form of Maintenance Mode, and some more details as to how it operates. \nHow does Maintenance Mode work? \n\nWhen activated, \"Maintenance Mode\" essentially creates a temporary, disposable user account on the phone. Access to everything on there previously is restricted for as long as someone else has hold of your device. From the new mode’s splash screen: \n\n\"In maintenance mode, your personal data including pictures, messages, and accounts, can’t be accessed and only preinstalled apps can be used. You’ll need to unlock your phone to turn off maintenance mode. When you do, everything will go back to the way it was when maintenance mode was first turned on. Changes made while maintenance mode is on, such as downloaded data or settings changes, aren’t saved. Back up your data.\" \n\nThis last line is good advice. You should always back your data up anyway before handing over your phone, just in case it can’t be fixed. It’s also likely that some people may mistake Maintenance Mode as an additional way of backing up data as opposed to “just” shielding it from prying eyes, so this messaging is entirely worth it. \nTo use or not to use \n\nRegardless of new tech features for your device, you should always weigh the pros and cons of handing something over with personal details on it, versus just backing up and wiping. New and cool privacy features tend to take a bit of a tech grilling as more people see what they can and can’t do with them. 
If you’re worried about someone figuring out a way to exploit maintenance mode, for example, you may want to just wait a while and see if anything untoward happens first. Again, while this is probably a minor risk for most people, awful people do awful things with your private data if they feel like they can get away with it. \n\nFor everyone else, this might be a new phone addition which goes some way to easing a data deletion headache. It’s definitely no fun to reinstall and reauthorize a whole mobile ecosystem when you get your device back. Perhaps this tips the fatigue odds a little bit back in your favor. \n \n \nSHARE THIS ARTICLE \n \n \n \n \n \n \n \nCOMMENTS \n \n \n \n \n \n \nRELATED ARTICLES \n \n \n \n \n \n \n \n \nABOUT THE AUTHOR \n \n \n \n \n\n Christopher Boyd \n \n \n\n Lead Malware Intelligence Analyst \n \n \nFormer Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.", "_version_":1747861727922356224, "score":0.7054538}, { "id":"241506", "url":"241506", "custom_s_template":"blog post", "metadata_title":"New streaming ad technology plays hide-and-seek with gamers", "metadata_description":"", "metadata_keywords":"", "custom_s_lastpublished":"10/27/2022 4:38:36 PM", "custom_t_content_html":"<$@ Register TagPrefix=\"uc\" TagName=\"widget216983_241506\" Src=\"~/widgets/blog/blog-header-code.ascx\" $>\n<$@ Register TagPrefix=\"uc\" TagName=\"widget50434_241506\" Src=\"~/widgets/blog/blog-subnav.ascx\" $>\n
\n
\n \n \n
\n
\n
\n
\n \n

\n \"Streaming\n

\n

\n News\n

\n

New streaming ad technology plays hide-and-seek with gamers

\n

\n Posted: \n by Christopher Boyd\n

\n
We take a look at a new form of ad tech for Twitch streaming viewers, but not players. How does it work? Can it even be successful?
\n
\n

A new form of digital advertising is looking to make its way to you courtesy of video gaming. However, there’s a rather peculiar twist involved. These ads won’t appear in front of you while playing; in fact, they’re designed to trigger when someone else is in-game. The most baffling twist of all? Those people triggering the ads won’t see them either!

\n

How does this work? Let’s take a look at how advertising has been used in an Amazon gaming title previously, and see how that could create a frosty reception for any new ad technology.

\n

The sliding doors of advertising banners

\n

This is a push to place more advertising, and sales opportunities, in front of the huge streaming audiences which exist in Twitch channels. Twitch is owned by Amazon and the retail giant is also responsible for a number of gaming titles. Any way to synergise advertising or marketing across multiple platforms is potentially going to be a big revenue generator.

\n

The biggest of these titles, Old World, is sometimes used for various types of advertising promotions and methods. Often, this is to the annoyance of the people playing the game who’d much rather all of this was done somewhere else. For example, just recently players were complaining about Rings of Power advert banners inside a part of the New World title/continue screen. Rings of Power is developed by Amazon, and the ad promotes it as being available on Prime Video. Both show and game are fantasy worlds, so thematically there’s a connection but that doesn’t seem to have impressed at least one player out there.

\n

Streaming the ads

\n

Twitch streaming is a huge business, with massive audiences and a number of increasingly rich streamers. Twitch has had various types of adverts for some time now, and here too, ads are a contentious subject. Viewers complain about what they feel are too many ads in a short space of time, and streamers worry that ads can end up making their channel annoying or even reducing subscriber count.

\n

A recent change to ad types and functionality made the ads “less annoying” overall. Even so, it seems more varied types of ad presentations were required to lower the risk of turning people away from streaming or watching altogether.

\n

Now you see it…now you don’t (but you might)

\n

Way back in 2005, dynamic ads were introduced to titles like The Matrix Online. Essentially these were empty billboards, and the ad network paired up with the game could display on-the-fly adverts, which meant current products could always be advertised in the game.

\n

A whole 17 years later, we have one of the first original advancements of this digital advertising concept, though it’s a bit of an odd one. It's Old World, once again being used as a sort of test zone for advertising demo purposes:

\n
\n

Experimental ads technology is being tested with Amazon Game Studios to virtually insert ads in-game that would only be visible to people watching the streamer. pic.twitter.com/uWGXGzPfcK #StreamerNews

\n— Zach Bussey (@zachbussey) October 24, 2022
\n\n

The advert, a wobbling bit of text on a wall way off to the left, is being generated by advertising tech which only displays the ad to the people watching the stream of the game being played. Nobody actually playing the game will be able to see it, a bit of ad tech wizardry that means only people who watch other people play videogames, specifically online (and not on a couch), will potentially see these ads.

\n

There isn’t a huge amount of information out there on this new experimental tech yet, but it bears a striking resemblance to Virtual Product Placement (VPP) tools used to change adverts in streamed shows and movies from Amazon and Peacock, referenced back in May. It may well be different technology, but it could have easily inspired similar thinking where gaming and game streaming products are concerned.

\n

A roll of the advertising dice

\n

The big question is how successful is this likely to be? Traditional in-game advertising relies on funnelling players into places where they’re guaranteed to see an ad. You can’t do much with your marketing and advertising strategies if nobody sees the adverts in the first place.

\n

As the player has no idea where the ads are, they may never venture anywhere near one of the new temporary adverts, raising the question of who this is actually for, or how overt the adverts will have to be made to account for the possibility of missing them. It’s likely these in-game ads can’t be clicked, so how will anyone determine which ads are successes or failures, especially given a “good” ad might never even make it to a screen?

\n

You should always have a choice with advertising

\n

However this is intended to work, we’ll probably have to wait a while longer to discover more concrete details. If you like streaming, whether as a player or a viewer, you are absolutely being marketed to regardless of which device or platform you use. Whether it’s pages of EULAs and data analytic opt-outs, or privacy policies filled with connected advertisers, informed decisions over your data are a good thing.

\n

You may be able to opt out of certain data retention policies, or block certain types of ads, but this likely won’t work everywhere. It’s up to you to decide which level of advertising, or product promotion, and even tracking or profiling you’re comfortable with and go from there. For anyone connected to Twitch streaming, the complaint about advertising seems to be more about fatigue and intrusiveness than anything related to privacy or data collection. Perhaps a “blink and you’ll miss it” ad style is just what the streaming doctor ordered.

ABOUT THE AUTHOR

\n
\n author\n
\n

\n Christopher Boyd\n \n
\n Lead Malware Intelligence Analyst\n

\n

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.

\n
\n
\n
\n \n \n
\n
\n
\n
\n
<$@ Register TagPrefix=\"uc\" TagName=\"widget211394_241506\" Src=\"~/widgets/blog/blog-footer-links.ascx\" $>\n<$@ Register TagPrefix=\"uc\" TagName=\"widget236482_241506\" Src=\"~/widgets/blog/blog-footer-code.ascx\" $>\n", "custom_t_title":"New streaming ad technology plays hide-and-seek with gamers", "custom_s_title":"New streaming ad technology plays hide-and-seek with gamers", "custom_t_short_description":"We take a look at new form of ad tech for Twitch streaming viewers, but not players. How does it work? Can it even be successful?", "custom_s_podcast_data":"", "custom_t_tags_text":"Amazon, Twitch, Prime, streaming, gamer, gaming, advert, advertising, in-game", "custom_s_tags_text":"Amazon, Twitch, Prime, streaming, gamer, gaming, advert, advertising, in-game", "custom_t_content":"

A new form of digital advertising is looking to make its way to you courtesy of video gaming. However, there’s a rather peculiar twist involved. These ads won’t appear in front of you while playing; in fact, they’re designed to trigger when someone else is in-game. The most baffling twist of all? Those people triggering the ads won’t see them either!

\n

How does this work? Let’s take a look at how advertising has been used in an Amazon gaming title previously, and see how that could create a frosty reception for any new ad technology.

\n

The sliding doors of advertising banners

\n

This is a push to place more advertising, and sales opportunities, in front of the huge streaming audiences which exist in Twitch channels. Twitch is owned by Amazon and the retail giant is also responsible for a number of gaming titles. Any way to synergise advertising or marketing across multiple platforms is potentially going to be a big revenue generator.

\n

The biggest of these titles, Old World, is sometimes used for various types of advertising promotions and methods. Often, this is to the annoyance of the people playing the game who’d much rather all of this was done somewhere else. For example, just recently players were complaining about Rings of Power advert banners inside a part of the New World title/continue screen. Rings of Power is developed by Amazon, and the ad promotes it as being available on Prime Video. Both show and game are fantasy worlds, so thematically there’s a connection but that doesn’t seem to have impressed at least one player out there.

Streaming the ads

Twitch streaming is a huge business, with massive audiences and a number of increasingly rich streamers. Twitch has had various types of adverts for some time now, and here too, ads are a contentious subject. Viewers complain about what they feel are too many ads in a short space of time, and streamers worry that ads can end up making your channel annoying or even reducing subscriber count.

A recent change to ad types and functionality made the ads “less annoying” overall. Even so, it seems more varied types of ad presentations were required to lower the risk of turning people away from streaming or watching altogether.

Now you see it…now you don’t (but you might)

Way back in 2005, dynamic ads were introduced to titles like The Matrix Online. Essentially these were empty billboards, and the ad network paired up with the game could display on-the-fly adverts, which meant current products could always be advertised in the game.

A whole 17 years later, we have one of the first original advancements of this digital advertising concept, though it’s a bit of an odd one. It's Old World, once again being used as a sort of test zone for advertising demo purposes:

Experimental ads technology is being tested with Amazon Game Studios to virtually insert ads in-game that would only be visible to people watching the streamer. pic.twitter.com/uWGXGzPfcK#StreamerNews

— Zach Bussey (@zachbussey) October 24, 2022

The advert, a wobbling bit of text on a wall way off to the left, is being generated by advertising tech which only displays the ad to the people watching the stream of the game being played. Nobody actually playing the game will be able to see it, a bit of ad tech wizardry that means only people who watch other people play videogames, specifically online (and not on a couch), will potentially see these ads.

There isn’t a huge amount of information out there yet on this new experimental tech, but it bears a striking resemblance to Virtual Product Placement (VPP) tools used to change adverts in streamed shows and movies from Amazon and Peacock, referenced back in May. It may well be different technology, but it could have easily inspired similar thinking where gaming and game streaming products are concerned.

A roll of the advertising dice

The big question is how successful is this likely to be? Traditional in-game advertising relies on funnelling players into places where they’re guaranteed to see an ad. You can’t do much with your marketing and advertising strategies if nobody sees the adverts in the first place.

As the player has no idea where the ads are, they may never venture anywhere near one of the new temporary adverts, raising the question of who this is actually for, or how overt the adverts will have to be made to account for the possibility of missing them. It’s likely these in-game ads can’t be clicked, so how will anyone determine which ads are successes or failures, especially given that a “good” ad might never even make it to a screen?

You should always have a choice with advertising

However this is intended to work, we’ll probably have to wait a while longer to discover more concrete details. If you like streaming, whether as a player or a viewer, you are absolutely being marketed to regardless of which device or platform you use. Whether it’s pages of EULAs and data analytic opt-outs, or privacy policies filled with connected advertisers, informed decisions over your data are a good thing.

You may be able to opt out of certain data retention policies, or block certain types of ads, but this likely won’t work everywhere. It’s up to you to decide which level of advertising, product promotion, and even tracking or profiling you’re comfortable with, and go from there. For those connected to Twitch streaming, the objection to advertising seems to be more about fatigue and intrusiveness than anything related to privacy or data collection. Perhaps a “blink and you’ll miss it” ad style is just what the streaming doctor ordered.

", "custom_s_image_alt":"Streaming gamer's chair and PC", "custom_txt_tags":["Amazon", " Twitch", " Prime", " streaming", " gamer", " gaming", " advert", " advertising", " in-game"], "custom_s_date":"October 27, 2022", "custom_s_date_gmt":"10/27/2022 4:30:00 PM", "custom_s_thumbnail_image":"/blog/news/2022/10/easset_upload_file76033_241506_e.jpg", "custom_s_key_image":"/blog/news/2022/10/easset_upload_file76033_241506_e.jpg", "custom_s_thumbnail_image_medium":"/blog/news/2022/10/asset_upload_file36181_241506.jpg", "custom_s_thumbnail_image_small":"/blog/news/2022/10/asset_upload_file81066_241506.jpg", "custom_s_thumbnail_optimized_138x72":"/blog/news/2022/10/asset_upload_file89964_241506.jpg", "custom_s_tthumbnail_optimized_272x121":"", "custom_s_thumbnail_optimized_518x271":"/blog/news/2022/10/asset_upload_file45596_241506.jpg", "custom_s_thumbnail_optimized_736x413":"/blog/news/2022/10/asset_upload_file14669_241506.jpg", "custom_ss_category_id":["215042"], "custom_ss_category_display":["News"], "custom_ss_category_key":["news"], "custom_ss_category_link":["/blog/category/news"], "custom_ss_author_id":["50774"], "custom_ss_author_display":["Christopher Boyd"], "custom_ss_author_link":["/blog/authors/cboyd"], "custom_s_disqus_postid":"241506", "custom_s_disqus_identifier":"241506", "custom_s_country":"us", "custom_s_language":"en", "custom_s_currency":"USD", "custom_s_timezone":"Eastern Standard Time", "custom_i_page_score":0, "title":"New streaming ad technology plays hide-and-seek with gamers", "custom_s_url":"/blog/news/2022/10/new-streaming-ad-technology-plays-hide-and-seek-with-gamers", "content":"News \n \n New streaming ad technology plays hide-and-seek with gamers \n \n\n Posted: October 27, 2022 \n by Christopher Boyd \n \n We take a look at a new form of ad tech for Twitch streaming viewers, but not players. How does it work? Can it even be successful? \n \n \nABOUT THE AUTHOR \n \n \n \n \n\n Christopher Boyd \n \n \n\n Lead Malware Intelligence Analyst \n \n \nFormer Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.", "custom_dt_date":"2022-10-27T16:30:00Z", "language":"en", "_version_":1747859506000297984, "score":0.92735314}] }})