CyberWire Daily – Research Saturday
Episode: The scareware rabbit hole
Date: March 7, 2026
Guest: Marcel Lee, Cybersecurity Consultant and Researcher
Host: Dave Bittner (identified as B)
Overview
In this Research Saturday episode, host Dave Bittner and cybersecurity consultant Marcel Lee dive into a recent mobile scareware incident that Marcel stumbled upon. The conversation unpacks how seemingly innocuous web pop-ups can evolve into significant research opportunities, revealing wider security challenges in mobile device ecosystems. Marcel details her process investigating a scareware campaign, including the use of free open-source intelligence (OSINT) tools, the pitfalls of app store trust, the role of behavioral analysis in threat intelligence, and pragmatic advice for newcomers. The tone is approachable, insightful, and grounded in real-world experience.
Key Discussion Points & Insights
The Phishing Pop-Up Incident
- Marcel’s Initial Encounter (01:23)
- Marcel randomly received a scareware warning pop-up on her phone suggesting infection from adult sites and prompting the installation of an “antivirus” app.
- Rather than panicking, she saw it as a research opportunity:
“I love it when this kind of stuff pops up... to me it's a research opportunity.” (02:22, Marcel)
- Marcel notes she already uses legitimate antivirus software, highlighting both her personal practices and how most people do not.
- Personal Anecdotes (03:33)
- Dave shares a similar story about his late father receiving bogus warnings, illustrating scareware's broad and sometimes comical reach.
Starting the Investigation
- OSINT Approach Using Free Tools (04:04–06:26)
- Marcel began her inquiry with domain info, using tools like Censys, VirusTotal, and Domain Stack—all free accounts.
- She stresses that even without enterprise tools, much can be accomplished:
“...there is a lot that you could do with free tools. It's just a nice thing about cyber security, I think.” (04:58, Marcel)
- Triangulation and verification across sources are key—don’t rely on a single tool.
Device Fingerprinting and Malicious Redirection
- URL Analysis and Device Data (06:26–08:35)
- The malicious URLs used device fingerprinting to tailor their scareware message, a technique akin to ad fraud campaigns.
- Oftentimes, such fingerprinting is poorly implemented, but sophisticated actors can make targeting more convincing.
“They want to gear what they're delivering to the user accordingly... it still has all the same components. So campaign IDs, the country, the operating system, just all the data that it captures about the device.” (07:29, Marcel)
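The landing URLs Marcel describes carry the device data the campaign collected (campaign ID, country, operating system) as query parameters. The following triage helper is an added example, not code from the episode or from Marcel's blog: it pulls those fields out of constructed sample URLs and groups sightings by campaign ID across hosts, which is one way to see the "indicators expire, behaviors last" point in data, since the domains rotate while the campaign structure stays the same. The parameter names and aliases (cid, geo, os, dev and their variants) and the sample hostnames are assumptions; real campaigns use their own spellings.

```python
"""Triage helper for scareware landing URLs (added example, not from the episode).

Extracts fingerprint-style query parameters (campaign, country, OS, device)
from landing URLs and groups sightings by campaign ID across hosts.
Parameter names and sample URLs below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlparse

# Assumed aliases for each fingerprint field; real campaigns vary widely.
FIELD_ALIASES = {
    "campaign": ("cid", "campaign", "campaign_id", "c"),
    "country": ("geo", "country", "cc"),
    "os": ("os", "platform", "device_os"),
    "device": ("dev", "device", "model"),
}

# Constructed sample sightings: two hosts, two campaign IDs, one benign URL.
SAMPLE_URLS = [
    "https://alert-check.example/land?cid=7731&geo=US&os=android&dev=Pixel&lang=en",
    "https://secure-scan.example/land?Campaign_ID=7731&cc=US&platform=android&model=Galaxy",
    "https://example.org/about",
    "https://alert-check.example/land?cid=9902&geo=DE&os=ios",
]


@dataclass
class Fingerprint:
    host: str
    campaign: Optional[str]
    country: Optional[str]
    os: Optional[str]
    device: Optional[str]

    def field_count(self) -> int:
        """Number of fingerprint fields actually present in the URL."""
        return sum(v is not None for v in (self.campaign, self.country, self.os, self.device))


def extract_fingerprint(url: str) -> Fingerprint:
    """Pull fingerprint-style parameters out of a URL's query string."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query, keep_blank_values=True)
    # Lower-case keys so Cid / cid / CID collapse to one lookup.
    lowered = {k.lower(): v for k, v in query.items()}

    def pick(field: str) -> Optional[str]:
        for alias in FIELD_ALIASES[field]:
            values = lowered.get(alias)
            if values and values[0]:
                return values[0]
        return None

    return Fingerprint(
        host=parsed.hostname or "",
        campaign=pick("campaign"),
        country=pick("country"),
        os=pick("os"),
        device=pick("device"),
    )


def is_fingerprinting(url: str, min_fields: int = 2) -> bool:
    """Heuristic: a landing URL carrying two or more device fields is worth a closer look."""
    return extract_fingerprint(url).field_count() >= min_fields


def campaigns_by_host(urls: Iterable[str]) -> Dict[str, List[str]]:
    """Map each campaign ID to the sorted list of hosts it was seen on."""
    seen = defaultdict(set)
    for url in urls:
        fp = extract_fingerprint(url)
        if fp.campaign is not None:
            seen[fp.campaign].add(fp.host)
    return {campaign: sorted(hosts) for campaign, hosts in seen.items()}


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(is_fingerprinting(url), extract_fingerprint(url))
    # Same campaign ID showing up on two different hosts is the behaviour to track.
    print(campaigns_by_host(SAMPLE_URLS))
```

Running the block on the constructed samples flags the three landing URLs and not the benign one, and shows campaign 7731 on both hosts even though the two URLs spell their parameters differently.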
The "Antivirus" Apps – Legitimacy and Risks
- Analyzing the Targeted Apps (08:40–11:38)
- The scareware directs users to specific apps: "Antivirus Protector" and "Antivirus Cybergate."
- Marcel reviews developer contact information and flags use of generic email addresses as red flags.
- High app ratings/downloads can be faked via click farms, misleading users into trusting sketchy apps.
App Store Trust Issues
- Limitations in App Store Security (14:30–15:42)
- App store presence doesn’t guarantee safety—especially on Google Play where security checks focus on formalities like privacy policies rather than code review.
“...as far as I know, I don't think anybody at Google is over there, you know, running the apps and seeing what they do just to, you know, to make sure that they're copacetic.” (15:22, Marcel)
Potential Motivations of Malicious Apps
- Malware vs. Ad Fraud (15:53–16:50)
- Scareware apps may be aimed at stealing user data or facilitating ad fraud, both of which are lucrative to threat actors.
“The whole ad fraud ecosystem is very, very deep... you can actually make a fair bit of money with just fake clicks and so on and so forth.” (16:20, Marcel)
Threat Actor Behavior – The Value of TTPs
- Indicators vs. Behaviors (16:50–18:16)
- Marcel emphasizes the forensic maxim:
“Indicators expire, but behaviors last.” (17:01, Dave quoting Marcel)
- Domains and IPs change easily; behaviors and tactics (“the way the threat actor actually conducts their business”) are harder to mask.
- She praises the MITRE ATT&CK framework for mapping threat actor behaviors.
Using Attack Mapping Proactively
- Applications of Behavioral Intelligence (18:16–21:16)
- TTP mapping helps inform red teams, incident response, security awareness, GRC, and SOC tools.
- Sharing real-world stories in awareness training fosters relatable and impactful education:
“This blog, for example, could be used as a case study for an awareness program to let users know about what happens if I get some pop up like this and what should I do?” (19:33, Marcel)
Compromised Legitimate Websites
- Unwitting Hosts (21:16–22:02)
- Often, compromised websites serve as the launchpad for malvertising without owners’ knowledge.
- Many site owners lack the technical acumen—or resources—to detect breaches.
Empowering Beginners with Free Tools
- Building Your Security Toolbox (22:02–24:12)
- Newcomers can accomplish meaningful research using widely available free tools—what matters is the knowledge of where and how to use them.
- Marcel shares that she maintains a GitHub repo with useful OSINT tools and encourages joining events/meetups for tool recommendations and networking:
“It's really useful to keep track of handy sites that you find.” (22:53, Marcel)
Integrating AI into Security Research
- AI as a Research Assistant (24:12–25:11)
- Marcel leverages AI for parsing URLs and other tedious tasks, freeing her up for deeper investigative work:
“AI to me is an assistant. So something that I could probably do, but my time is better spent maybe actually doing the research and writing the blog...” (24:43, Marcel)
Final Lessons Learned
- Continuous Learning and New Tools (25:11–26:47)
- Marcel discovered new favorite tools (e.g., Censys, URLScan) and recognized the need to revisit her app analysis skillset.
- Encourages ongoing skill development and resource sharing.
Notable Quotes and Memorable Moments
- “I love it when this kind of stuff pops up... to me it's a research opportunity.” — Marcel Lee (02:22)
- “There is a lot that you could do with free tools. It's just a nice thing about cyber security, I think.” — Marcel Lee (04:58)
- “Indicators expire, but behaviors last.” — Dave Bittner quoting Marcel Lee (17:01)
- “This blog... could be used as a case study for an awareness program to let users know about what happens if I get some pop up like this and what should I do?” — Marcel Lee (19:33)
- “AI to me is an assistant... my time is better spent maybe actually doing the research and writing the blog...” — Marcel Lee (24:43)
Timestamps for Key Segments
- Scareware Encounter and Reaction: 01:23 – 03:33
- Starting the OSINT Investigation: 04:04 – 06:26
- Device Fingerprinting & URL Analysis: 06:26 – 08:35
- Examining Fake Antivirus Apps: 08:40 – 11:38
- App Store Security Flaws: 14:30 – 15:42
- Malicious Apps Motives: 15:53 – 16:50
- Indicators vs. Behaviors – MITRE ATT&CK: 16:50 – 18:16
- Applications of TTP Mapping: 18:16 – 21:16
- Compromised Legit Site Observations: 21:16 – 22:02
- Empowering with Free Tools / Toolbox Advice: 22:02 – 24:12
- Use of AI in Research: 24:12 – 25:11
- Lessons Learned & Continuous Learning: 25:11 – 26:47
Takeaways
- Scareware is a common, evolving threat that can be a valuable real-world case study for awareness and research.
- Free OSINT tools can yield significant intelligence; you do not need enterprise-grade licenses to contribute to cyber defense.
- App store apps are not inherently trustworthy—users must scrutinize developer credentials and beware of artificially inflated ratings.
- Behavioral indicators (TTPs) are more robust than simple technical indicators for tracking and anticipating threats.
- Ongoing learning, tool-sharing, and embracing new research aids (like AI) empowers both new and seasoned security practitioners.