I have been preaching the value of reputation security for years. For those that don’t know what it is, it is a way to validate the credit score so to speak of a resource before allowing a connection. If a user attempts to access a “banking” website, reputation security would first validate if the source could or could not be a bank. If the website has been online for a few hours, hosted from go daddy, associated with a domain owner of malicious websites, then its obviously not a bank and should be blocked. I have posted details about reputation security HERE. For those in the education space, this isn’t a violation of freedom of speech since its only blocking malicious websites and providing referenceable information why the source was blocked. I suggest all businesses use this capability whenever possible.
The HackerNews posted about a new malvertising campaign that targets Google ads. The goal is to trick the victim to click an ad so they are redirected to a malicious website that links to various malware files hosted from Dropbox or Onedrive. The details of how this campaign works can be found on the post HERE.
![](https://www.thesecurityblogger.com/wp-content/uploads/2022/12/image.png)
What is the best defense? Defense in depth is always the best option meaning a combination of endpoint detection and response, web filtering, system hardening, etc. etc. however reputation security should be the FIRST line of defense. The Attacker redirection should be identified as a risk based on factors surrounding how long it has been up, where its located, who the domain owner is and other identifiers.
Most modern security vendors offer reputation security as a filtering or blocking feature (Proofpoint email, microsoft email, cisco email, cisco NGFW, Fortinet Firewalls, Palo Alto Firewalls, etc. etc). I highly suggestion you test to see if your organization is using it by going to ihaveabadreputation.com. If you see a block page, that is a good thing. If you see a ghost saying you would have been owned, you lack reputation security and should look to enable it. If your block page is coming from a gateway security tool such as a next gen firewall, that is good, but a better option would also look to enable it at the host level. This way when a host is not behind the NGFW, they are still protected. The following image is an example of Microsoft Defender SmartScreen blocking this test website.