Jérôme Segura
LightNews LightNews
banner
Jérôme Segura
@jeromesegura.com
120 followers 91 following 67 posts
Security researcher with a special interest for web threats.
Posts Media Videos Starter Packs
Jérôme Segura @jeromesegura.com · 3h
Specifically those related to web-bot-auth (Signature, Signature-Input and Signature-Agent).
1
Jérôme Segura @jeromesegura.com · 5h
Did you notice the lack of the Signature headers in Atlas?
1
Jérôme Segura @jeromesegura.com · Apr 30
Also, this seems like a small feature but much appreciated:
1 3
Reposted by Jérôme Segura
hi.ls
Max Hils @hi.ls · Apr 29
mitmproxy 12 is out! 🚀 It’s now possible to modify the prettified representation of binary protocols. Editing Protobufs is now as easy as editing YAML, no .proto schema needed. 🙌

mitmproxy.org/posts/releas...
Mitmproxy 12: Interactive Contentviews
mitmproxy.org
1 7 8
Reposted by Jérôme Segura
malware-traffic-analysis.net
Brad @malware-traffic-analysis.net · Apr 22
2025-04-22 (Tuesday): Always fun to find the fake CAPTCHA pages with the "ClickFix" style instructions trying to convince viewers to infect their computers with malware. Saw #StealC from an infection today. Indicators at github.com/malware-traf...
Step 1: Search for bsc-dataseed.binance[.]org on URLscan (urlscan.io). You can sign up for a URLscan account for free. The search results should contain pages from legitimate sites that have been compromised for this campaign. Step 2: Try one of the sites you found on the URLscan search in a web browser. It should return a fake CAPTCHA page, with a box to check/click. You have to click the box twice. It then shows instructions on how to copy and run script that's been injected into the viewer's clipboard. Note: Make sure you do this in a controlled lab environment on a Windows host specifically used for testing malware. Don't try this on your regular Windows computer! Step 3: Run the script to infect a Windows host. To emphasize once again, this should be done in a controlled lab environment. This image shows network traffic from an infection filtered in Wireshark and it shows C2 traffic from the StealC infection.
2 1
Jérôme Segura @jeromesegura.com · Apr 12
Crooks doing quality control the hard way 😂

console.log("!!!WORKING!!!")

#skimming #ecommerce
2
Reposted by Jérôme Segura
ericlawrence.com
EricLaw 🎻 @ericlawrence.com · Apr 8
“Attack techniques so stupid, they can’t possibly succeed… except they do!”,

The Unwitting Accomplice
textslashplain.com/2024/06/04/a...
Attack Techniques: Trojaned Clipboard
Today in “Attack techniques so stupid, they can’t possibly succeed… except they do!” — the trojan clipboard technique. The attacking website convinces the victim user …
textslashplain.com
2 6
Reposted by Jérôme Segura
ericlawrence.com
EricLaw 🎻 @ericlawrence.com · Apr 7
Understanding (and debugging) SmartScreen/Network Protection

textslashplain.com/2025/04/07/u...
Understanding SmartScreen and Network Protection
The vast majority of cyberthreats arrive via one of two related sources: That means that combining network-level sensors and throttles with threat intelligence (which sites deliver attacks), securi…
textslashplain.com
1 8 15
Jérôme Segura @jeromesegura.com · Apr 1
OSS...
Reposted by Jérôme Segura
squiblydoo.bsky.social
Squiblydoo @squiblydoo.bsky.social · Apr 1
Fake PuTTy, signed "Eptins Enterprises Llp"

Sets scheduled task "Security Updater" and checks into IP address: 185.196.10.127

Triage: tria.ge/250401-wnbad...

www.virustotal.com/gui/file/7ca...

@jeromesegura.com
1
Jérôme Segura @jeromesegura.com · Mar 27
I moved to mitmproxy, but I do miss certain features from Fiddler Classic. I've been working on an add-on that brings some of those back: github.com/jeromesegura...
GitHub - jeromesegura/fiddleitm: Your Swiss Army knife to analyze malicious web traffic based on mitmproxy.
Your Swiss Army knife to analyze malicious web traffic based on mitmproxy. - jeromesegura/fiddleitm
github.com
2
Jérôme Segura @jeromesegura.com · Mar 27
Yes!

Alternatively, have you thought about existing OSS that you could fork/contribute to?
1
Jérôme Segura @jeromesegura.com · Mar 24
If you manage #wordpress sites using #managewp, watch out for this #phishing campaign via #googleads.

-> menagewp[.]com (ad URL and redirect)

-> orion[.]manaqewp[.]com (phishing page)
1 1
Reposted by Jérôme Segura
helpnetsecurity.com
Help Net Security @helpnetsecurity.com · Mar 21
Malicious ads target Semrush users to steal Google account credentials

📖 Read more: www.helpnetsecurity.com/2025/03/21/m...

#cybersecurity #cybersecuritynews #accountcredentials #SEO @malwarebytes.com @jeromesegura.com @semrushofficial.bsky.social
Malicious ads target Semrush users to steal Google account credentials - Help Net Security
Cyber crooks are exploiting users' interest in Semrush, a popular SEO and market research SaaS platform, to steal Google account credentials.
www.helpnetsecurity.com
2 1
Jérôme Segura @jeromesegura.com · Mar 11
Scammers are happily abusing multiple platforms at once thanks to lack of controls.

Who's going to protect users here? Google? Facebook?
1 2
Jérôme Segura @jeromesegura.com · Feb 28
PayPal’s “no-code checkout” abused by scammers

www.malwarebytes.com/blog/scams/2...

#malvertising #techsupportscams
3
Jérôme Segura @jeromesegura.com · Feb 20
SecTopRAT bundled in Chrome installer distributed via Google Ads

📖
www.malwarebytes.com/blog/news/20...

⚠️
sites[.]google[.]com/view/gfbtechd/
chrome[.]browser[.]com[.]de/GoogleChrome.exe

#malvertising #SecTopRAT
2
Jérôme Segura @jeromesegura.com · Feb 8
If you are a developer and use #homebrew, beware of this fraudulent ad on Google.

⚠️
Fake site: brewsh[.]org
Malicious curl command: hxxps[://]raw[.]brewsh[.]org/Homebrew/install/HEAD/install[.]sh
Atomic Stealer (AMOS): www.virustotal.com/gui/file/389...
⚠️

#malvertising #atomicstealer
Jérôme Segura @jeromesegura.com · Jan 31
ClickFix vs. traditional download in new DarkGate campaign

www.malwarebytes.com/blog/news/20...

#ClickFix #malvertising
ClickFix vs. traditional download in new DarkGate campaign
Social engineering methods are being put to the test to distribute malware.
www.malwarebytes.com
1
Jérôme Segura @jeromesegura.com · Jan 30
Microsoft advertisers phished via malicious Google ads

www.malwarebytes.com/blog/news/20...

#malvertising #googleads #microsoft #bing
Microsoft advertisers phished via malicious Google ads
Just days after we uncovered a campaign targeting Google Ads accounts, a similar attack has surfaced, this time aimed at Microsoft...
www.malwarebytes.com
Jérôme Segura @jeromesegura.com · Jan 15
Imagine for a moment that Google allowed a sponsored link to a phishing site for Google ads...

www.malwarebytes.com/blog/news/20...

#GoogleSearch #GoogleAds #malvertising #phishing
The great Google Ads heist: criminals ransack advertiser accounts via fake Google ads
An ongoing malvertising campaign steals Google advertiser accounts via fraudulent ads for Google Ads itself.
www.malwarebytes.com
1 1
Jérôme Segura @jeromesegura.com · Dec 28
Malicious Google ad for Virtuals Protocol

⚠️ virtnals[.]com

#malvertising
Jérôme Segura @jeromesegura.com · Dec 27
Malicious Google ad for Aerodrome Finance

⚠️ aeroclrome[.]finance

#malvertising
1
Jérôme Segura @jeromesegura.com · Dec 22
Malicious Google ad for #Freecad

⚠️
freecad3dmodeling[.]com
freecad3d-download[.]com
hxxps[://]3d-digitals[.]org/downloads/guthub/FreeCAD_Setup_2[.]0[.]74_win_x64[.]zip

#malvertising
2
Jérôme Segura @jeromesegura.com · Dec 19
‘Fix It’ social-engineering scheme impersonates several brands

www.malwarebytes.com/blog/news/20...
2