Live Nation Entertainment has confirmed what everyone has been speculating on for the last week: Ticketmaster has suffered a data breach.

In a filing with the SEC, Live Nation said on May 20th it identified “unauthorized activity within a third-party cloud database environment containing Company data (primarily from its Ticketmaster L.L.C. subsidiary)” and launched an investigation.

The third party it refers to is likely Snowflake, a cloud company used by thousands of companies to store, manage, and analyze large volumes of data. Yesterday, May 31st, Snowflake said it had “recently observed and are investigating an increase in cyber threat activity” targeting some of its customers’ accounts. It didn’t mention which customers.

In the SEC filing, Live Nation also said:

On May 27, 2024, a criminal threat actor offered what it alleged to be Company user data for sale via the dark web. We are working to mitigate risk to our users and the Company, and have notified and are cooperating with law enforcement. As appropriate, we are also notifying regulatory authorities and users with respect to unauthorized access to personal information.

The user data likely refers to the sales ad for 560 million customers’ data that was posted online earlier this week by a group calling themselves ShinyHunters. The data was advertised for $500,000 and says it includes customer names, addresses, emails, credit card details, order information, and more.

Bleeping Computer says it spoke to ShinyHunters who said they already had interested buyers, and believed one of the buyers that approached them was Ticketmaster itself.

Ticketmaster says it has begun notifying its users of the breach. We are likely to hear more in the coming days, and will update you as we do.

For now, Ticketmaster users should keep an eye on their credit and bank accounts for an unauthorized transactions and follow our general data breach tips below.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Scan for your exposed personal data

While the Ticketmaster data is yet to be published in full, it’s likely you’ve had other personal information exposed online in previous data breaches. You can check what personal information of yours has been exposed with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

On May 29, 2024, the US Department of Justice (DOJ) announced it had dismantled what was likely the world’s largest botnet ever. This botnet, called “911 S5,” infected systems at over 19 million IP addresses across more than 190 countries. The main sources of income for the operators, who stole a billions of dollars across a decade, came from committing pandemic and unemployment fraud, and by selling access to child exploitation materials.

The botnet operator generated millions of dollars by offering cybercriminals access to these infected IP addresses. As part of this operation, a Chinese national, YunHe Wang, was arrested. Wang is reportedly the proprietor of the popular service.

Of the infected Windows devices, 613,841 IP addresses were located in the United States. The DOJ also called the botnet a residential proxy service. Residential proxy networks allow someone in control to rent out a residential IP address which then can be used as a relay for their internet communications. This allows them to hide their true location behind the residential proxy. Cybercriminals used this service to engage in cyberattacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations.

To set up this botnet, Wang and his associates provided users with free, illegitimate VPN applications that were created to connect to the 911 S5 service. Unaware of the proxy backdoor, once users downloaded and installed these VPN applications, they unknowingly became part of the 911 S5 botnet.

Sometimes the VPN applications were bundled with games and other software and installed without user consent.

For this reason, the FBI has published a public service announcement (PSA) to help users find out if they have been affected by this botnet.

Users can start by going over this list of malicious VPN applications associated with the 911 S5 botnet:

• MaskVPN
• DewVPN
• PaladinVPN
• ProxyGate
• ShieldVPN
• ShineVPN

If you have one of these VPN applications installed, sometimes you can find an uninstaller located under the Start menu option of the VPN application. If present, you can use that uninstall option.

If the application doesn’t present you with an uninstall option, then follow the steps below to attempt to uninstall the application:

• Click on the Start menu (Windows button) and type “Add or remove programs” to bring up the “Add and Remove Programs” menu.
• Search for the name of the malicious VPN application.
• Once you find the application in the list, click on the application name, and select the “Uninstall” option.

Once you have uninstalled the application, you will want to make sure it’s no longer active. To do that, open the Windows Task manager. Press Control+Alt+Delete on the keyboard and select the “Task Manager” option or right-click on the Start menu (Windows button) and select the “Task Manager” option.

In Task Manager look under the “Process” tab for the following processes:

• MaskVPN (mask_svc.exe)
• DewVPN (dew_svc.exe)
• PaladinVPN (pldsvc.exe)
• ProxyGate (proxygate.exe, cloud.exe)
• ShieldVPN (shieldsvc.exe)
• ShineVPN (shsvc.exe)

If found, select the service related to one of the identified malicious software applications running in the process tab and select the option “End task” to attempt to stop the process from running.

Or, download Malwarebytes Premium (there is a free trial) and run a scan.

Whether you’re using the free or paid version of the app, you can manually run a scan to check for threats on your device. 

1. Open the app.
2. On the main dashboard, click the Scan button.
3. A progress page appears while the scan runs.
4. After the scan finishes, it displays the Threat scan summary.
   • If the scan detected no threats: Click Done.
   • If the scan detected threats on your device: Review the threats found on your computer. From here, you can manually quarantine threats by selecting a detection and clicking Quarantine.
5. Click View Report or View Scan Report to see a history of prior scans. After viewing the threat report, close the scanner window.

If neither of these options, including the Malwarebytes scan, resolve the problem, the FBI has more elaborate instructions. You can also contact the Malwarebytes Support team to assist you.

---

We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

Scammers love to bank on the good name of legitimate companies to gain the trust of their intended targets. Recently, it came to our attention that a cybercriminal is using fake websites for security products to spread malware. One of those websites was impersonating the Malwarebytes brand.

The download from the fake website was an information stealer with a filename that resembled that of the actual Malwarebytes installer.

Besides some common system information, this stealer goes after:

• Account tokens
• Steam tokens
• Saved card details
• System profiles
• Telegram logins
• List of running process names
• Installed browser lists and their version
• Credentials from the browser “User Data” folder, Local DB an autofill
• Cookies from the browser
• List of folders on the C drive

This is just one scam, but there are always others using our name to target people. We regularly see tech support scammers pretending to be Malwarebytes to defraud their victims.

Some scammers sell—sometimes illegal—copies of Malwarebytes for prices that are boldly exaggerated.

Others will try and phish you by sending you a confirmation mail of your subscription to Malwarebytes.

And sometimes when you search for Malwarebytes you will find imposters in between legitimate re-sellers. Some even use our logo.

In this case, Google warned us that there was danger up ahead.

The site itself was not as convincing as the advert, and some poking around in the source code told us the website was likely built by a Russian speaking individual.

How to avoid brand scams

It’s easy to see how people can fall for fake brand notices. Here are some things that can help you avoid scams that use our name:

• Download software directly from our sites if you are not sure of the legitimacy of the ones offered to you.
• Check that any emails that appear to come from Malwarebytes are sent from a malwarebytes.com address.
• If you have any questions or doubts as to the legitimacy of something, you can contact our Support team.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Earlier this week, a cybercriminal group posted an alleged database up for sale online which, it says, contains customer and card details of 560 million Live Nation/Ticketmaster users.

The data was offered for sale on one forum under the name “Shiny Hunters”. ShinyHunters is the online handle for a group of notorious cybercriminals associated with numerous data breaches, including the recent AT&T breach.

The post says:

“Live Nation / Ticketmaster

Data includes

560 million customer full details (name, address, email, phone)

Ticket sales, event information, order details

CC detail – customer last 4 of card, expiration date

Customer fraud details

Much more

Price is $500k USD. One time sale.”

The same data set was offered for sale in an almost identical post on another forum by someone using the handle SpidermanData. This could be the same person or a member of the ShinyHunters group.

According to news outlet ABC, the Australian Department of Home Affairs said it is aware of a cyber incident impacting Ticketmaster customers and is “working with Ticketmaster to understand the incident.”

Some researchers expressed their doubts about the validity of the data set:

Thoughts on the alleged Ticketmaster Data Breach

TLDR: Alert not Alarmed

The Ticketmaster data breach claim has provided BreachForums with the quick attention they need to boost their user numbers and reputation.

The claim has possibly been over-stated to boost… pic.twitter.com/WJsFkBfQbw

— CyberKnow (@Cyberknow20) May 29, 2024

While others judged it looks legitimate based on conversations with involved individuals, and studying samples of the data set:

Today we spoke with multiple individuals privy to and involved in the alleged TicketMaster breach.

Sometime in April an unidentified Threat Group was able to get access to TicketMaster AWS instances by pivoting from a Managed Service Provider. The TicketMaster breach was not…

— vx-underground (@vxunderground) May 30, 2024

Whether or not the data is real remains to be seen. However, there’s no doubt that scammers will use this opportunity to make a quick profit.

Ticketmaster users will need to be on their guard. Read our tips below for some helpful advice on what to do in the event of a data breach.

You can also check what personal information of yours has already been exposed online with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

All parties involved have refrained from any further comments. We’ll keep you posted.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

On iOS and iPadOS, location services are typically turned on when you first set up your device. However, there may be reasons why you don’t want your device to be located, perhaps because you don’t want to be found but need to keep the device with you.

There are a few options to hide your location from prying eyes.

Please note: I will only mention iOS from here on, but the instructions are almost the same for iPadOS.

Turn off location services by app

Some apps will not work properly without location services, but it’s certainly worth checking which ones are actually using them.

• Go to Settings > Privacy & Security > Location Services.
• If Location Services is on, you will see a list of apps with permissions.

• Scroll down to select an app.
• Now you can tap the app and select an option of Never, Ask Next Time Or When I Share, While Using the App, or Always.
• From here, apps should provide an explanation of how they will use your location information. Some apps might offer only two options.

Turn location services off entirely

You can turn Location Services on or off at Settings > Privacy & Security > Location Services. Move the slider control to the left to turn Location Services off.

Note that turning Location Services of will also disable the Find My feature for the device.

Turn off Find My iPhone

Find My iPhone allows a user to track their devices. It allows you to locate the device from another device, make it play a sound if you are close, and even remotely erase your device if you suspect it has fallen in the wrong hands.

To disable Find My iPhone:

• Go to Settings
• Select your account name.
• Choose Find My
• Turn the feature off. You will need to enter your iCloud password.

An iPhone can still be tracked in some cases, even if it is in Airplane Mode. The only way tracking is not possible is to turn the iPhone off completely.  And even then, since iOS 15, iPhone models 11 and up will transmit their location even when powered off if the Find My Network is enabled in your settings.

To turn off Find My network:

• Go to Settings
• Select your account name.
• Choose Find My
• Turn Find My network off.

---

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Android devices come with location services. Some apps need access to location services to function properly. However, there may be reasons why you don’t want your device to be located, often because you don’t want to be found and the device is always with you.

Depending on who you are trying to hide your location from, there are several levels of hiding your location.

Disclaimer: the exact instructions for your make and model of Android device may look a bit different.

Turn off location for particular apps

There are apps active on most Android devices that could give away the location of the device. To check which apps have access to your device’s location:

• Swipe down from the top of the screen.
• Find the Location icon
• Touch and hold Location.
• Tap App location permissions.
• Under Allowed all the time, Allowed only while in use, and Not allowed, find the apps that can use your device’s location.
• To change the app’s permissions, tap it. Then, choose the location access for the app.
• If you see any apps that you don’t recognize, be sure to turn the permission off.

Turn off location entirely

Alternatively, you can turn Location off entirely:

• Swipe down from the top of the screen.
• Find the location icon
• If it’s highlighted, tap it to turn it off.
• You’ll see a warning that some apps may not function properly. Confirm by tapping Close.

Turn off Find My Device

Find My Device is a service which makes your device’s most recent location available to the first account activated on the device. Find My Device is included with most Android phones, and it’s automatically turned on once you add a Google account to your device.

How to turn off Find My Device:

• Open Settings.
• Tap (Biometrics &) Security.
• Tap Find My Device, then tap the switch to turn it off.

Turning off Find My Device may backfire if you ever truly need to find your device because you lost it. But if someone may have the login credentials for the Google account associated with the phone, you may want to turn it off.

The last resort is to turn your phone off.

Even in airplane mode, GPS on your phone is still working. As long as a phone isn’t turned off, it’s possible to track the location because the device sends signals to nearby cell towers. Even when it’s turned off, the service provider or internet provider can show the last location once it’s switched back on.

---

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Notorious data leak site BreachForums appears to be back online after it was seized by law enforcement a few weeks ago.

At least one of BreachForums domains and its dark web site are live again. However, questions have been raised over whether it is a genuine attempt to revive the forums once again or set up as a lure by law enforcement to entrap more data dealers and cybercriminals.

The administrator of the new forum posts under the handle ShinyHunters, which is a name associated with the AT&T breach and others, and believed to be the main administrator of the previous BreachForums.

Yesterday, ShinyHunters posted a new dataset for sale that allegedly stems from Live Nation/Ticketmaster.

“Live Nation / Ticketmaster

Data includes

560 million customer full details (name, address, email, phone)

Ticket sales, event information, order details

CC detail – customer last 4 of card, expiration date

Customer fraud details

Much more

Price is $500k USD. One time sale.”

But, an avatar and a handle are easily copied, and there are a few things that raised our spidey-senses that something is up.

First, the data set was offered for sale on another dark web forum by a user going by SpidermanData with the exact same text.

Second, this data set seems way too big for its nature. Live Nation and Ticketmaster are big enough to be considered a monopolist, but 560 million users seems like a stretch.

After looking at the shared evidence, security researcher CyberKnow tweeted:

“While there is some new data in the shared evidence there is also old customer information, making it possibly this is a series of data jammed together.”

Third, a new feature is that visitors need to register before they can see any content. Why would the administrators change that?

And, last but not least, would the FBI let the cybercriminals regain control over the domains that easily? That would be quite embarrassing.

So, we dare conclude that this dataset’s goal is to generate some attention and act as a lure to let old forum users know that BreachForums is alive and kicking. But who is running the show, is the question that we hope to answer soon.

Stay tuned for updates on this developing story.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check if your data has been breached

Our Digital Footprint portal allows you to quickly and easily check if your personal information has been exposed online. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

The idea behind the software is simple. When the spying party installs the stalkerware, they grant permission to record what happens on the targeted Android or Windows device. The observer can then log in on an online portal and activate recording, at which point a screen capture is taken on the target’s device.

What goes around comes around, you might say. As you may have read many times before on our blog, some spyware companies have a surprisingly low standard of security .

In 2021, we reported that “employee and child-monitoring” software vendor pcTattletale hadn’t been very careful about securing the screenshots it sneakily took from its victims’ phones. A security researcher found an issue while using a trial version of pcTattleTale, noticing that the company uploaded the screenshots to an unsecured online database (meaning anyone could view the screenshots as they weren’t protected by any form of authentication—such as a user name and password).

Last week another security researcher, Eric Daigle, found the company appears to have learned nothing from its previous security issue. Daigle found that pcTattletale’s Application Programming Interface (API) allows any attacker to access the most recent screen capture recorded from any device on which the spyware is installed. Despite repeated warnings from Daigle and others, no improvements were made.

Then, yet another researcher found yet another bug in pcTattletale which allowed them to gain full access to the backend infrastructure. This allowed them to deface the website and steal the AWS credentials which turned out to be the same for all devices. Amazon has now locked pcTattletale’s entire AWS infrastructure.

After a quick sweep, stalkerware researcher, Maia Crimew stated:

“pcTattletale currently holds over 17 terabytes of victim device screenshots (upwards of 300 million of them from over 10 thousand devices), with some of them dating back to 2018.”

According to 2023 research from Malwarebytes, 62 percent of people in the United States and Canada admitted to monitoring their romantic partners online in one form or another, from looking through a spouse’s or significant other’s text messages, to tracking their location, to rifling through their search history, to even installing monitoring software onto their devices.

Given the low security of the apps available to home users, this is extremely concerning. Installing monitoring software is not just a huge invasion of privacy, there is a big chance that it will backfire.

Removing stalkerware

Malwarebytes, as one of the founding members of the Coalition Against Stalkerware, makes it a priority to detect and remove stalkerware-type apps from your device. It is good to keep in mind however that by removing the stalkerware-type app you will alert the person spying on you that you know the app is there.

Because the apps install under a different name and hide themselves from the user, it can be hard to find and remove them. That is where Malwarebytes can help you.

1. Open your Malwarebytes dashboard
2. Tap Scan now
3. It may take a few minutes to scan your device.

 If malware is detected you can act on it in the following ways:

• Uninstall. The threat will be deleted from your device.
• Ignore Always. The file detection will be added to the Allow List, and excluded from future scans. Legitimate files are sometimes detected as malware. We recommend reviewing scan results and adding files to Ignore Always that you know are safe and want to keep.
• Ignore Once: A file has been detected as a threat, but you are not sure whether to add it to your Allow List or delete. This option will ignore the detection this time only. It will be detected as malware on your next scan.

On Windows machines Malwarebytes detects pcTattleTale as PUP.Optional.PCTattletale.

---

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Last week on Malwarebytes Labs:

• How AI will change your credit card behind the scenes
• Criminal record database of millions of Americans dumped online
• Microsoft AI “Recall” feature records everything, secures far less
• How to remove a user from a shared Android device
• How to remove a user from a shared Mac
• How to remove a user from a shared Windows device
• Your vacation, reservations, and online dates, now chosen by AI: Lock and Code S05E11
• What is real-time protection and why do you need it?
• Financial institutions ordered to notify customers after a breach, have an incident response plan

Last week on ThreatDown:

• Patch now! Critical vulnerability in Veeam’s Backup Enterprise Manager
• Carbon Black and Broadcom: Acquisition, Symantec, and what’s next
• “Linguistic Lumberjack” vulnerability impacts all major cloud providers
• Threat actors ride the hype for newly released Arc browser
• Update now! GitHub patches critical vulnerability in Enterprise Server
• How to get CIPA compliant with Web Content Filtering
• Gootloader walkthrough

Stay safe!

---

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Many companies are starting to implement Artificial Intelligence (AI) within their services. Whenever there are large amounts of data involved, AI offers a way to turn that pile of data into actionable insights.

And there’s a big chance that our data are somewhere in that pile, whether they can be traced back to us or not. In this blog we’ll look at the different ways in which credit card companies are planning to use AI.

Two of the major credit card companies, MasterCard and Visa, made announcements this month on how they will use AI in the near future.

Mastercard announced the introduction of generative AI for earlier detection of credit card fraud.

Johan Gerber, executive vice president of security and cyber innovation at Mastercard, said:

“Generative AI is going to allow to figure out where did you perhaps get your credentials compromised, how do we identify how it possibly happened, and how do we very quickly remedy that situation not only for you, but the other customers who don’t know they are compromised yet.”

Generative AI models learn the patterns and structure of their input training data and then generate new data with similar characteristics.

There’s an enormous amount of stolen credit and debit card details available on various marketplaces, some of which aren’t even on the dark web. These details come from many different data breaches, and they can go unnoticed for extended periods of time. Analyzing the data and spotting patterns in the abuse can help the credit card company identify and inform affected customers before the criminals actually use the card.

VISA, on the other hand, said it will use AI to tailor a better shopping experience. This, it says, will allow it to share more information about customers’ preferences based on their shopping history with retailers.

VISA will require consumer consent for sharing the required information. According to VISA CEO Ryan McInerney, consumers will have the option, through their bank app, to revoke access to their information.

And last but not least, American Express Global Business Travel revealed in February that it started an AI initiative to improve efficiency. As one of the early results it reported it has reduced customer call times by about a minute.

All in all, credit card companies are gathering data to predict our behavior. They are not the only ones, for sure, but they do have access to some information that most people are not prone to share freely, our finances.

Sure, less time spent being held up by that slightly less annoying chatbot, or a warning about a compromised credit card before the abuse happens, that sounds great. But an online store guessing what I am likely to purchase isn’t something I’m so keen on—about the same level of spooky as targeted ads.

Does increased efficiency outweigh the cost of handing over our data? What we’d like to see are improved security AND ease of use. Let us know how you feel in the comments below.

---

We don’t just talk about credit cards—we help monitor them

Cybersecurity risks should never spread beyond a headline. Keep an eye on your finances with identity and credit monitoring.

A cybercriminal going by the names of EquationCorp and USDoD has released an enormous database containing the criminal records of millions of Americans. The database is said to contain 70 million rows of data.

The leaked database is said to include full names, dates of birth, known aliases, addresses, arrest and conviction dates, sentences, and much more. Dates reportedly range from 2020 to 2024.

The exact source of the database is as yet unknown.

USDoD is a high-profile player in this field, closely associated with “Pompompurin”, the operator of the first iteration of data leak site BreachForums. USDoD is said to have plans to set up a successor to the second iteration of BreachForums which was recently seized by law enforcement. Releasing this database may be USDoD’s way to round up some interested users.

USDoD is also believed to be involved in a breach at TransUnion, the data of which was (partly) dumped in September, 2023.

Needless to say, having the criminal information leaked could have a tremendous impact, not only for the listed individuals but also for the justice system. We’ll keep you updated.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

If you want to find out how much of your own data has been exposed online, including your criminal record data, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll give you a free report, along with tips on what to do next.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Developing an AI-powered threat to security, privacy, and identity is certainly a choice, but it’s one that Microsoft was willing to make this week at its “Build” developer conference.

On Monday, the computing giant unveiled a new line of PCs that integrate Artificial Intelligence (AI) technology to promise faster speeds, enhanced productivity, and a powerful data collection and search tool that screenshots a device’s activity—including password entry—every few seconds.

This is “Recall,” a much-advertised feature within what Microsoft is calling its “Copilot+ PCs,” a reference to the AI assistant and companion which the company released in late 2023. With Recall on the new Copilot+ PCs, users no longer need to manage and remember their own browsing and chat activity. Instead, by regularly taking and storing screenshots of a user’s activity, the Copilot+ PCs can comb through that visual data to deliver answers to natural language questions, such as “Find the site with the white sneakers,” and “blue pantsuit with a sequin lace from abuelita.”

As any regularly updated repository of device activity poses an enormous security threat—imagine hackers getting access to a Recall database and looking for, say, Social Security Numbers, bank account info, and addresses—Microsoft has said that all Recall screenshots are encrypted and stored locally on a device.

But, in terms of security, that’s about all users will get, as Recall will not detect and obscure passwords, shy away from recording pornographic material, or turn a blind eye to sensitive information.

According to Microsoft:

“Note that Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers. That data may be in snapshots that are stored on your device, especially when sites do not follow standard internet protocols like cloaking password entry.”

The consequences of such a system could be enormous.

With Recall, a CEO’s personal laptop could become an even more enticing target for hackers equipped with infostealers, a journalist’s protected sources could be within closer grasp of an oppressive government that isn’t afraid to target dissidents with malware, and entire identities could be abused and impersonated by a separate device user.

In fact, Recall seems to only work best in a one-device-per-person world. Though Microsoft explained that its Copilot+ PCs will only record Recall snapshots to specific device accounts, plenty of people share devices and accounts. For the domestic abuse survivor who is forced to share an account with their abuser, for the victim of theft who—like many people—used a weak device passcode that can easily be cracked, and for the teenager who questions their identity on the family computer, Recall could be more of a burden than a benefit.

For Malwarebytes General Manager of Consumer Business Unit Mark Beare, Recall raises yet another issue:

“I worry that we are heading to a social media 2.0 like world.”

When users first raced to upload massive quantities of sensitive, personal data onto social media platforms more than 10 years ago, they couldn’t predict how that data would be scrutinized in the future, or how it would be scoured and weaponized by cybercriminals, Beare said.

“With AI there will be a strong pull to put your full self into a model (so it knows you),” Beare said. “I don’t think it’s easy to understand all the negative aspects of what can happen from doing that and how bad actors can benefit.”

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Some of our loyal readers may remember my little mishap when I was able to track my wife by accident after inadvertently adding myself to her phone as a user.

For exactly that reason we want to warn against sharing devices and at least show you how to remove other people’s accounts from your device.

The steps may be slightly different depending on your Android version, device type, and vendor, but most users should be able to follow these steps.

For the primary user:

• Open Settings
• Tap System > Multiple users.

If you can’t find this setting, try searching your Settings app for users.

• Tap the name of the user you want to remove.
• Tap Delete user > Delete. If successful, the user will be removed from the list.
• If you want to stay the only user, you can turn the Multiple users feature off.

If you’re not the primary user (you can’t delete the primary user):

• Under Multiple Users tap More (three stacked dots).
• Tap Delete [username] from this device. Important: You can’t undo this.
• The device will switch to the owner’s profile.

Note: Android devices allow two types of additional users:

• Secondary user: This is any user added to the device other than the system user. Secondary users can be removed (either by themselves or by an admin user) and cannot impact other users on a device. These users can run in the background and continue to have network connectivity.
• Guest user: Temporary secondary user. Guest users have an explicit option to quickly delete the guest user when its usefulness is over. There can be only one guest user at a time.

Another privacy issue can be caused by having additional accounts on the device. Accounts are contained within a user but are not linked to a particular user. The tracking issue I discussed was caused by adding one of my Google accounts to my wife’s phone.

To remove unwanted accounts:

• Under Settings, tap on Accounts and Backups
• Then tap on Manage Accounts
• Select the account you want to remove and you will see the option to do that.

If you’re having trouble finding any of these settings on your specific Android device, reach out through the comments and when we can, we’ll add as many specific instructions as possible to the post.

There will be times when you need to remove a user from a device. In this article we’ll show you how to remove a user from a Mac.

For a better understanding it’s good to understand the difference between an actual user of the device and a “sharing only user.” On a Mac, you can use Sharing Only User settings to create a user that has access to your files and folders over the network. You can also use these settings to limit their access to your shared information and system.

Both have very similar ways of removal:

• Apple menu > System Settings
• Click Users & Groups in the sidebar. (You may need to scroll down.)
• Click the Info button next to the user or group you want to delete, then click Delete User or Delete Group. Note: If a user is logged in to this Mac now, you can’t select them.

This will delete sharing users immediately. For other users you’ll have to decide what you want to do with their Home folder first. You can delete it, keep it, or save it in a disk image.

• To save it in a disk image, select Save the home folder in a disk image, then click Delete User. This archives all the user’s documents and information so the user can be restored later if needed. The disk image is saved in /Users/Deleted Users/.
• To leave the user’s home folder as is, select Don’t change the home folder, then click Delete User. The user’s documents and information are saved and the user can be restored later if needed. The Home folder remains in /Users/.
• To remove the user’s home folder from the computer: Select Delete the home folder, then click Delete User. The user’s folder will be deleted.

If you don’t delete a user’s home folder, you can restore the user and the contents of the home folder. (A sharing-only user doesn’t have a home folder.)

---

Did you know there’s a Malwarebytes for Mac? Give it a try!

There will be times when you need to remove a user from a device. In this article we’ll show you how to remove a user from Windows 10 or 11.

On Windows you can create a local user account (an offline account) for anyone who will frequently use your PC. But the best option in most cases, is for everyone who uses your PC to have a Microsoft account. With a Microsoft account, you can access your apps, files, and Microsoft services across your devices.

Should you want to remove an additional user account from Windows 10 or 11, you can:

• Select Start > Settings > Accounts > Family & other users. 
• Under Other users, select the flyout for the account you want to remove.
• Next to Account and data, select Remove. Note: this will not delete their Microsoft account, it will just remove their sign-in info from your Windows device.

Please note that Windows devices can have more than one administrator account. A user with an administrator account can access everything on the system, and any malware they encounter can use the administrator permissions to potentially infect or damage any files on the system. Only grant that level of access when absolutely necessary and to people you trust.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

This week on the Lock and Code podcast…

The irrigation of the internet is coming.

For decades, we’ve accessed the internet much like how we, so long ago, accessed water—by traveling to it. We connected (quite literally), we logged on, and we zipped to addresses and sites to read, learn, shop, and scroll. 

Over the years, the internet was accessible from increasingly more devices, like smartphones, smartwatches, and even smart fridges. But still, it had to be accessed, like a well dug into the ground to pull up the water below.

Moving forward, that could all change.

This year, several companies debuted their vision of a future that incorporates Artificial Intelligence to deliver the internet directly to you, with less searching, less typing, and less decision fatigue. 

For the startup Humane, that vision includes the use of the company’s AI-powered, voice-operated wearable pin that clips to your clothes. By simply speaking to the AI pin, users can text a friend, discover the nutritional facts about food that sits directly in front of them, and even compare the prices of an item found in stores with the price online.

For a separate startup, Rabbit, that vision similarly relies on a small, attractive smart-concierge gadget, the R1. With the bright-orange slab designed in coordination by the company Teenage Engineering, users can hail an Uber to take them to the airport, play an album on Spotify, and put in a delivery order for dinner.

Away from physical devices, The Browser Company of New York is also experimenting with AI in its own web browser, Arc. In February, the company debuted its endeavor to create a “browser that browses for you” with a snazzy video that showed off Arc’s AI capabilities to create unique, individualized web pages in response to questions about recipes, dinner reservations, and more.

But all these small-scale projects, announced in the first month or so of 2024, had to make room a few months later for big-money interest from the first ever internet conglomerate of the world—Google. At the company’s annual Google I/O conference on May 14, VP and Head of Google Search Liz Reid pitched the audience on an AI-powered version of search in which “Google will do the Googling for you.”

Now, Reid said, even complex, multi-part questions can be answered directly within Google, with no need to click a website, evaluate its accuracy, or flip through its many pages to find the relevant information within.

This, it appears, could be the next phase of the internet… and our host David Ruiz has a lot to say about it.

Today, on the Lock and Code podcast, we bring back Director of Content Anna Brading and Cybersecurity Evangelist Mark Stockley to discuss AI-powered concierges, the value of human choice when so many small decisions could be taken away by AI, and, as explained by Stockley, whether the appeal of AI is not in finding the “best” vacation, recipe, or dinner reservation, but rather the best of anything for its user.

“It’s not there to tell you what the best chocolate chip cookie in the world is for everyone. It’s there to help you figure out what the best chocolate chip cookie is for you, on a Monday evening, when the weather’s hot, and you’re hungry.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

---

Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

The constant barrage of cyber threats can be overwhelming for all of us. And, as those threats evolve and attackers find new ways to compromise us, we need a way to keep on top of everything nasty that’s thrown our way. 

Malwarebytes’ free version tackles and reactively resolves threats already on your system, but the real-time protection you get with Malwarebytes Premium Security goes one step further and actively monitors your computer’s files, processes, and system memory in real time to block threats before they have a chance to do any damage. You don’t need to worry about what happens after your initial scan, because real-time protection is actively waiting to combat new threats and keep you safe. 

Imagine your computer is like a castle, and you want to protect your people from potential invaders. Having real-time protection is like having guards stationed all around your castle, constantly watching for signs of trouble and stopping them in their path before they can cause harm. 

Here’s how guarding that castle looks like in cybersecurity terms: 

1. Proactive and continuous monitoring

We monitor your files, processes, and system memory, your incoming and outgoing data, and the behavior of applications on your system. All in real time. 

2. Dynamic detection

Unlike traditional approaches that rely heavily on detecting malware that is already known to exist, Malwarebytes employs dynamic detection techniques, such as heuristic analysis, behavior monitoring, and machine learning to detect and block threats based on their behavior and characteristics, even if the threats have never been seen before.  

3. Multi-layered defense

Malwarebytes real-time protection offers a multi-layered approach to security, combining various technologies to provide comprehensive protection against a variety of threats. This includes protection against viruses, ransomware, potentially unwanted programs (PUPs), spyware, trojans, exploits, and other forms of malware.  

4. Rapid response 

When Malwarebytes detects suspicious activity or potential threats, it responds quickly. Malwarebytes quarantines or removes malicious files, protects you from harmful websites, and blocks unauthorized access to your system.  

5. Minimal impact 

Malwarebytes runs quietly in the background and protects you without hogging your device’s resources.  

6. Regular updates to malware detection database 

To ensure our program is equipped to detect and block the latest threats, we continuously update our database and algorithms.  

In short, real-time protection serves as a proactive defense layer against constantly evolving cyber threats. Having this layer improves your cybersecurity and gives you peace of mind in this increasingly digital world.  

Don’t just take our word for it: Malwarebytes Premium Security was awarded “Product of the Year” in a recent AVLab test. 

Keep yourself protected and upgrade to Malwarebytes Premium Security.  

The Securities and Exchange Commission (SEC) has announced rules around breaches for certain financial institutions—registered broker-dealers, investment companies, investment advisers, and transfer agents— that require them to have written incident response policies and procedures that can be used in the event of a breach.

The requirement is an adoption of amendments to Regulation S-P, which was enacted in 2000 to safeguard the financial information of consumers, requiring financial institutions to tell customers about how they use their personal information.

But things have changed drastically since 2000. Even in the four years between 2018 and 2022, complaints about identity theft more than doubled, per the FBI’s Internet Crime Complaint Center.

SEC Chair Gary Gensler said:

“Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially. These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data. “

Under these amendments, covered firms will be required to notify customers of breaches that might put their personal data at risk. This will give these customers the chance to prepare themselves for the negative consequences of a breach.

Covered organizations have to provide notice to victims as soon as possible and no later than 30 days after becoming aware of an incident involving the leak of customer information. Organizations must include details about the incident, the data leaked and what victims can do to protect themselves. As Gensler puts it:

“The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify.”

The amendments will become effective 60 days after publication in the Federal Register. Larger entities will have 18 months after the date of publication in the Federal Register to comply with the amendments, and smaller entities will have 24 months after the date of publication in the Federal Register to comply.

Has your data been exposed?

If you want to find out how much of your data has been exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Last week on Malwarebytes Labs:

• Deleted iPhone photos show up again after iOS update
• Scammers can easily phish your multi-factor authentication codes. Here’s how to avoid it
• Notorious data leak site BreachForums seized by law enforcement
• Apple and Google join forces to stop unwanted tracking
• Update Chrome now! Google releases emergency security patch
• Why car location tracking needs an overhaul

Last week on ThreatDown:

• Wi-Fi design flaw makes networks vulnerable to hijacking
• Black Basta ransomware affiliates use Quick Assist to target users
• Update now! Microsoft’s May Patch Tuesday includes two actively exploited vulnerabilities
• F5 fixes two remotely exploitable vulnerabilities in BIG-IP Next Central Manager
• A peek inside a malvertising campaign

Stay safe!

---

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

iPhone owners are reporting that photos they’d deleted are now back on their phones, after updating to iOS 17.5.

With so many users reporting similar oddities, it would seem something went wrong, or at least different than to be expected. Here are some examples from Reddit:

“When in conversation with my partner, I went to send a picture and saw that the latest pictures were nsfw material we’d made years ago”

“I have four pics from 2010 that keep reappearing as the latest pics uploaded to iCloud. I have deleted them repeatedly.”

“Same thing happened to me. Six photos from different times, all I have deleted. Some I had deleted in 2023.”

When you delete a photo from an iPhone or iPad, it goes into a “Recently deleted” album for up to 30 days to make it easy to recover if the photo is accidentally deleted. However, the above examples vastly exceed this timeframe, and it’s unclear exactly what’s happened here.

When you delete a file, actually all that happens is you remove the pointer that tells you where exactly the file is located. This makes it hard to find, but not impossible. Until the system uses the location of the deleted file and replaces it with other data, the file can be retrieved.

Apple’s last update for iOS 17.5 and iPadOS 17.5 came out on Monday with a warning to update your iPhone as soon as possible. That’s because iOS 17.5 fixes 15 security vulnerabilities, some of which are serious. Please don’t let this article stop you from installing the update, but it’s good to be prepared for some unexpected behavior.

At the time of writing, Apple hasn’t commented on the issue.

Update May 21

Apple issued a fix in iOS and iPadOS 17.5.1. This update “addresses a rare issue where photos that experienced database corruption could reappear in the Photos library even if they were deleted.” It must be a first time that a “database corruption” leads to the return of deleted data. All I’ve ever known them to do was misplace data that was still needed.

We’ll keep you posted if we find out more.

---

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

More and more websites and services are making multi-factor-authentication (MFA) mandatory, which makes it much harder for cybercriminals to access your accounts. That’s a great thing. But as security evolves, so do cybercriminals who are always looking for new ways to scam us.

A type of phishing we’re calling authentication-in-the-middle is showing up in online media. While these techniques, named after man-in-the-middle (MitM) attacks, have existed for a while, they appear to be gaining traction now.

It works like this: A user gets lured to a phishing site masquerading as a site they normally use, such as a bank, email or social media account. Once the user enters their login into the fake site, that information gets redirected by the cybercriminals to the actual site, without the user knowing.

The user is then prompted for their MFA step. They complete this, usually by entering a code or accepting a push notification, and this information is then relayed to the criminals, allowing them to login to the site.

Once the criminals are into an account, they can start changing settings like the account’s email address, phone number, and password, so the user can no longer log in, or they can simply clean out a bank account. This may help you understand why many platforms ask for your PIN or other authentication again when you try to change one of these important settings.

Victims are lured to phishing sites like these via links from social media or emails where it can be hard to identify the real link.  Phishing sites can even show up in sponsored search results, in the same way as we reported about tech support scams.

How to protect yourself from authentication-in-the-middle attacks

• Keep your wits about you. Being aware of how scammers work is the first step to avoiding them. Don’t assume sponsored search results are legit, and trust that if something seems suspicious then it probably is.
• Use security software. Many security programs block known phishing sites, although domains are often short-lived and get rotated quickly. Malwarebytes Browser Guard can help protect you.
• Use a password manager. Password managers will not auto-fill a password to a fake site, even if it looks like the real deal to you.
• Consider passkeys. Multi-factor authentication is still super-important to enable, and will protect you from many types of attacks, so please continue to use it. However, authentication-in-the-middle attacks only work with certain types of MFA, and passkeys won’t allow the cybercriminals to login to your account in this way. Many services have already begun using passkeys and they’re no doubt here to stay.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

BreachForums—probably the largest dark web marketplace for stolen data to be leaked and sold—has been seized by law enforcement.

Now, both the regular and the TOR domain of BreachForums are plastered with a message telling visitors the site is now under control of the FBI.

The FBI said BreachForums and its predecessor Raidforums was:

“…operating as a clear-net marketplace for cybercriminals to buy, sell, and trade contraband, including stolen access devices, means of identification, hacking tools, breached databases, and other illegal services.”

Raidforums ran from early 2015 until February 2022. The first iteration of BreachForums was then set up in March 2022 and ran until March 2023, when US law enforcement arrested the alleged operator, “Pompompurin”, in New York.

A new administrator then rose to the occasion and said they were working on a plan to get the forum through the problems caused by that arrest. But on March 21, 2023, the new administrator announced the decision to shut BreachForums down.

Another forum administrator going by the account name “Baphomet” then took over.

According to BleepingComputer, the FBI has also seized the site’s Telegram channel, with law enforcement sending messages to the channel on behalf of the forum’s operator “Baphomet”.

BreachForums was in use just last week for a big name breach when a cybercriminal put up for sale breached customer data taken from Dell between 2017-2024.

We’ll keep you posted on any new developments.

Has your data been exposed?

If you want to find out how much of your data has been exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Apple and Google have announced an industry specification for Bluetooth tracking devices which help alert users to unwanted tracking.

The specification, called Detecting Unwanted Location Trackers, will make it possible to alert users across both iOS and Android if a device is unknowingly being used to track them.

The alert would be pushed to the users device and would say “[Item] Found Moving With You.”

In many cases “[Item]” might well actually be an AirTag.

AirTags’ intended use is to let you easily track things like your keys, wallet, purse, backpack, luggage, and more. You can simply set it up with your iPhone, iPad, or iPod touch, attach it somewhere, and the AirTag will show up in your Find My app. However, AirTags have long been associated with this unwanted tracking, which is something Apple apparently did not foresee and has been working on to make this type of abuse harder.

Apple’s first step to discourage unwanted tracking was the “Tracking Notifications” option in the Find My app. This feature is available on iOS or iPadOS 14.5 or later.

Android introduced a similar “unknown tracker alert” to find trackers placed near you or in your belongings without your knowledge or consent.

With the new capability that both tech giants have pushed, users will now get the alert, regardless of the platform the device is paired with. If a user gets such an alert on their device, it means that someone else’s Bluetooth tracker is moving with them.

Android and iPhone users can view the tracker’s identifier, have the tracker play a sound to help locate it, and access instructions to disable it. Bluetooth tag manufacturers including Chipolo, eufy, Jio, Motorola, and Pebblebee have all said that future tags will be compatible.

Apple and Google will continue to work with the Internet Engineering Task Force via the Detecting Unwanted Location Trackers working group to develop the official standard for this technology.

---

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Google has released an emergency security update for its Chrome browser. The update includes a patch released four days earlier for a vulnerability which Google say is already being exploited.

The easiest way to update Chrome is to allow it to update automatically, but you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.

Click Settings > About Chrome. If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete, and for you to be safe from those vulnerabilities.

Technical details on the vulnerabilities

If you have already updated to version 124.0.6367.201/.202 for Mac and Windows or 124.0.6367.201 for Linux, this will provide protection against the first vulnerability. The patch Google issued four days ago covered this actively exploited vulnerability.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The actively exploited CVE patched in this update is:

CVE-2024-4671 a use after free in Visuals in Google Chrome prior to 124.0.6367.201 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

Use after free (UAF) is a type of vulnerability that is the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. In this case, by exploiting the vulnerability, the attacker can escape the sandbox that should contain any threats to the browser.

Exploitation is possible by getting the target to open a specific, specially crafted webpage, so the vulnerability is suitable for exploitation as a drive-by attack.

CVE-2024-4761: An out of bounds write in V8 in Google Chrome prior to 124.0.6367.207 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.

An out-of-bounds write or read flaw makes it possible to manipulate parts of the memory which are allocated to more critical functions. This could allow an attacker to write code to a part of the memory where it will be executed with permissions that the program and user should not have.

V8 is Google’s open-source high-performance JavaScript and WebAssembly engine and is part of the Chromium project. Among others it runs the JavaScript code included in webpages.

Again, exploitation is possible by getting the target to open a specific, especially crafted webpage, which makes the vulnerability suitable for exploitation as a drive-by attack.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Across America, survivors of domestic abuse and stalking are facing a unique location tracking crisis born out of policy failure, unclear corporate responsibility, and potentially risky behaviors around digital sharing that are now common in relationships.

No, we’re not talking about stalkerware. Or hidden Apple AirTags. We’re talking about cars.

Modern cars are the latest consumer “device” to undergo an internet-crazed overhaul, as manufacturers increasingly stuff their automobiles with the types of features you’d expect from a smartphone, not a mode of transportation.

There are cars with WiFi, cars with wireless charging, cars with cameras that not only help while you reverse out of a driveway, but which can detect whether you’re drowsy while on a long haul. Many cars now also come with connected apps that allow you to, through your smartphone, remotely start your vehicle, schedule maintenance, and check your tire pressure.

But one feature in particular, which has legitimate uses in responding to stolen and lost vehicles, is being abused: Location tracking.

It’s time car companies do something about it.  

In December, The New York Times revealed the story of a married woman whose husband was abusing the location tracking capabilities of her Mercedes-Benz sedan to harass her. The woman tried every avenue she could to distance herself from her husband. After her husband became physically violent in an argument, she filed a domestic abuse report. Once she fled their home, she got a restraining order. She ignored his calls and texts.

But still her husband could follow her whereabouts by tracking her car—a level of access that Mercedes representatives reportedly could not turn off, as he was considered the rightful owner of the vehicle (according to The New York Times, the husband’s higher credit score convinced the married couple to have the car purchased in his name alone).

As reporter Kashmir Hill wrote of the impasse:

“Even though she was making the payments, had a restraining order against her husband and had been granted sole use of the car during divorce proceedings, Mercedes representatives told her that her husband was the customer so he would be able to keep his access. There was no button she could press to take away the app’s connection to the vehicle.”

This was far from an isolated incident.

In 2023, Reuters reported that a San Francisco woman sued her husband in 2020 for allegations of “assault and sexual battery.” But some months later, the woman’s allegations of domestic abuse grew into allegations of negligence—this time, against the carmaker Tesla.

Tesla, the woman claimed in legal filings, failed to turn off her husband’s access to the location tracking capabilities in their shared Model X SUV, despite the fact that she had obtained a restraining order against her husband, and that she was a named co-owner of the vehicle.

When The New York Times retrieved filings from the San Francisco lawsuit above, attorneys for Tesla argued that the automaker could not realistically play a role in this matter:

“Virtually every major automobile manufacturer offers a mobile app with similar functions for their customers,” the lawyers wrote. “It is illogical and impractical to expect Tesla to monitor every vehicle owner’s mobile app for misuse.”

Tesla was eventually removed from the lawsuit.

In the Reuters story, reporters also spoke with a separate woman who made similar allegations that her ex-husband had tracked her location by using the Tesla app associated with her vehicle. Because the separate woman was a “primary” account owner, she was able to remove the car’s access to the internet, Reuters reported.

A better path

Location tracking—and the abuse that can come with it—is a much-discussed topic for Malwarebytes Labs. But the type of location tracking abuse that is happening with shared cars is different because of the value that cars hold in situations of domestic abuse.

A car is an opportunity to physically leave an abusive partner. A car is a chance to start anew in a different, undisclosed location. In harrowing moments, cars have also served as temporary shelter for those without housing.

So when a survivor’s car is tracked by their abuser, it isn’t just a matter of their location and privacy being invaded, it is a matter of a refuge being robbed.

In speaking with the news outlet CalMatters, Yenni Rivera, who works on domestic violence cases, explained the stressful circumstances of exactly this dynamic.

“I hear the story over and over from survivors about being located by their vehicle and having it taken,” Rivera told CalMatters. “It just puts you in a worst case situation because it really triggers you thinking, ‘Should I go back and give in?’ and many do. And that’s why many end up being murdered in their own home. The law should make it easier to leave safely and protected.”

Though the state of California is considering legislative solutions to this problem, national lawmaking is slow.

Instead, we believe that the companies that have the power to do something act on that power. Much like how Malwarebytes and other cybersecurity vendors banded together to launch the Coalition Against Stalkerware, automakers should work together to help users.

Fortunately, an option may already exist.

When the Alliance for Automobile Innovation warned that consumer data collection requests could be weaponized by abusers who want to comb through the car location data of their partners and exes, the automaker General Motors already had a protection built in.

According to Reuters, the roadside assistance service OnStar, which is owned by General Motors, allows any car driver—be they a vehicle’s owner or not—to hide location data from other people who use the same vehicle. Rivian, a new electric carmaker, is reportedly working on a similar feature, said senior vice president of software development Wassym Bensaid in speaking with Reuters.

Though Reuters reported that Rivian had not heard of their company’s technology being leveraged in a situation of domestic abuse, Wassym believed that “users should have a right to control where that information goes.”

We agree.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Last week on Malwarebytes Labs:

• Dell notifies customers about data breach
• DocGo patient health data stolen in cyberattack
• Desperate Taylor Swift fans defrauded by ticket scams
• Tracing what went wrong in 2012 for today’s teens, with Dr. Jean Twenge: Lock and Code S04E10

Last week on ThreatDown:

• Ransomware review: May 2024
• FakeBat threat profile
• Law enforcement places new teasers on LockBit leak site and reveals sanctions

Stay safe!

Dell is warning its customers about a data breach after a cybercriminal offered a 49 million-record database of information about Dell customers on a cybercrime forum.

A cybercriminal called Menelik posted the following message on the “Breach Forums” site:

“The data includes 49 million customer and other information of systems purchased from Dell between 2017-2024.

It is up to date information registered at Dell servers.

Feel free to contact me to discuss use cases and opportunities.

I am the only person who has the data.”

According to Menelik the data includes:

• The full name of the buyer or company name
• Address including postal code and country
• Unique seven digit service tag of the system
• Shipping date of the system
• Warranty plan
• Serial number
• Dell customer number
• Dell order number

Most of the affected systems were sold in the US, China, India, Australia, and Canada.

Users on Reddit reported getting an email from Dell which was apparently sent to customers whose information was accessed during this incident:

“At this time, our investigation indicates limited types of customer information was accessed, including:

• Name
• Physical address
• Dell hardware and order information, including service tag, item description, date of order and related warranty information.

The information involved does not include financial or payment information, email address, telephone number or any highly sensitive customer information.”

Although Dell might be trying to play down the seriousness of the situation by claiming that there is not a significant risk to its customers given the type of information involved, it is reassuring that there were no email addresses included. Email addresses are a unique identifier that can allow data brokers to merge and enrich their databases.

So, this is another big data breach that leaves us with more questions than answers. We have to be careful that we don’t shrug these data breaches away with comments like “they already know everything there is to know.”

This kind of information is exactly what scammers need in order to impersonate Dell support.

Protecting yourself from a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

If you want to find out how much of your data has been exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

Medical health care provider DocGo has disclosed in a form 8-K that it experienced a cybersecurity incident involving some of the company’s systems. As part of the investigation of the incident, the company says it has determined that the attacker accessed and acquired data, including certain protected health information.

DocGo is a healthcare provider that offers mobile health services, ambulance services, and remote monitoring for patients in 30 US states, and across the United Kingdom. On its company website it touts over 7,000,000 patient interactions.

In the same form, DocGo says the breach concerns a limited number of healthcare records within the company’s US-based ambulance transportation business, and that no other business lines have been involved.

DocGo says it is actively reaching out to those individuals who had their data compromised in the attack.  

So far, we have no indication what the nature of the cyberattack was, but it is almost standard procedure nowadays for ransomware groups to use stolen data as extra leverage to get the victim to pay the ransom.

Protecting yourself from a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

Ticket scams are very common and apparently hard to stop. When there are not nearly enough tickets for some concerts to accommodate all the fans that desperately want to be there, it makes for ideal hunting grounds for scammers.

With a ticket scam, you pay for a ticket and you either don’t receive anything or what you get doesn’t get you into the venue.

As reported by the BBC, Lloyds Bank estimates that fans have lost an estimated £1m ($1.25 m) in ticket scams ahead of the UK leg of Taylor Swift’s Eras tour. Roughly 90% of these scams were said to have started on Facebook.

Many of these operations work with compromised Facebook accounts and make both the buyer and the owner of the abused account feel bad. These account owners are complaining about the response, or lack thereof, they are getting from Meta (Facebook’s parent company) about their attempts to report the account takeovers.

Victims feel powerless as they see some of their friends and family fall for the ticket scam.

“After I reported it, there were still scams going on for at least two or three weeks afterwards.”

We saw the same last year when “Swifties” from the US filed reports about scammers taking advantage of fans, some of whom lost as much as $2,500 after paying for tickets that didn’t exist or never arrived. The Better Business Bureau reportedly received almost 200 complaints nationally related to the Swift tour, with complaints ranging from refund struggles to outright scams.

Now that the tour has European cities on the schedule the same is happening all over again.

And mind you, it’s not just concerts. Any event that is sold out through the regular, legitimate channels and works with transferable tickets is an opportunity for scammers. Recently we saw a scam working from sponsored search results for the Van Gogh Museum in Amsterdam. People that clicked on the ad were redirected to a fake phishing site where they were asked to fill out their credit card details.

Consider that to be a reminder that it’s easy for scammers to set up a fake website that looks genuine. Some even use a name or website url that is similar to the legitimate website. If you’re unsure or it sounds too good to be true, leave the website immediately.

Equally important to keep in mind is the power of AI which has taken the creation of a photograph of—fake—tickets to a level that it’s child’s play.

How to avoid ticket scams

No matter how desperate you are to visit a particular event, please be careful. When it’s sold out and someone offers you tickets, there are a few precautions you should take.

• Research the ticket seller. Anybody can set up a fake ticket website, and sponsored ads showing at the top of search engines can be rife with bogus sellers. You may also run into issues buying tickets from sites like eBay. Should you decide to use sites other than well-known entities like Ticketmaster, check for reviews of the seller.
• Are the tickets transferable? For some events the tickets are non-transferable which makes it, at least, unwise to try and buy tickets from someone who has decided they “don’t need or want them” after all. You may end up with tickets that you can’t use.
• Use a credit card if possible. You’ll almost certainly have more protection than if you pay using your debit card, or cash. We definitely recommend that you avoid using cash. If someone decides to rip you off, that money is gone forever.
• A “secure” website isn’t all it seems. While sites that use HTTPS (the padlock) ensure your communication is secure, this does not guarantee the site is legitimate. Anyone can set up a HTTPs website, including scammers.
• It’s ticket inspector time. One of the best ways to know for sure that your ticket is genuine is to actually look at it. Is the date and time correct? The location? Are the seat numbers what you were expecting to see? It may well be worth calling the event organizers or the event location and confirming that all is as it should be. Some events will give examples of what a genuine ticket should look like on the official website.
• Use a blocklist. Software like Malwarebytes Browser Guard will block known phishing and scam sites.

This week on the Lock and Code podcast…

You’ve likely felt it: The dull pull downwards of a smartphone scroll. The “five more minutes” just before bed. The sleep still there after waking. The edges of your calm slowly fraying.

After more than a decade of our most recent technological experiment, in turns out that having the entirety of the internet in the palm of your hands could be … not so great. Obviously, the effects of this are compounded by the fact that the internet that was built after the invention of the smartphone is a very different internet than the one before—supercharged with algorithms that get you to click more, watch more, buy more, and rest so much less.

But for one group, in particular, across the world, the impact of smartphones and constant social media may be causing an unprecedented mental health crisis: Young people.

According to the American College Health Association, the percentage of undergraduates in the US—so, mainly young adults in college—who were diagnosed with anxiety increased 134% since 2010. In the same time period for the same group, there was in increase in diagnoses of depression by 106%, ADHD by 72%, bipolar by 57%, and anorexia by 100%.

That’s not all. According to a US National Survey on Drug Use and Health, the prevalence of anxiety in America increased for every age group except those over 50, again, since 2010. Those aged 35 – 49 experienced a 52% increase, those aged 26 – 34 experienced a 103% increase, and those aged 18 – 25 experienced a 139% increase.

This data, and much more, was cited by the social psychologist and author Jonathan Haidt, in debuting his latest book, “The Anxious Generation: How the Great Rewiring of Childhood Is Causing an Epidemic of Mental Illness.” In the book, Haidt examines what he believes is a mental health crisis unique amongst today’s youth, and he proposes that much of the crisis has been brought about by a change in childhood—away from a “play-based” childhood and into a “phone-based” one.

This shift, Haidt argues, is largely to blame for the increased rates of anxiety, depression, suicidality, and more.

And rather than just naming the problem, Haidt also proposes five solutions to turn things around:

• Give children far more time playing with other children. 
• Look for more ways to embed children in stable real-world communities.  
• Don’t give a smartphone as the first phone.
• Don’t give a smartphone until high school.  
• Delay the opening of accounts on nearly all social media platforms until the beginning of high school (at least).

But while Haidt’s proposals may feel right—his book has spent five weeks on the New York Times Best Seller list—some psychologists disagree.

Writing for the outlet Platformer, reporter Zoe Schiffer spoke with multiple behavioral psychologists who alleged that Haidt’s book cherry-picks survey data, ignores mental health crises amongst adults, and over-simplifies a complex problem with a blunt solution.  

Today, on the Lock and Code podcast with host David Ruiz, we speak with Dr. Jean Twenge to get more clarity on the situation: Is there a mental health crisis amongst today’s teens? Is it unique to their generation? And can it really be traced to the use of smartphones and social media?

According to Dr. Twenge, the answer to all those questions is, pretty much, “Yes.” But, she said, there’s still some hope to be found.

“This is where the argument around smartphones and social media being behind the adolescent mental health crisis actually has, kind of paradoxically, some optimism to it. Because if that’s the cause, that means we can do something about it.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

---

Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Last week on Malwarebytes Labs:

• You get a passkey, you get a passkey, everyone should get a passkey
• Dropbox Sign customer data accessed in breach
• Watch out for tech support scams lurking in sponsored search results
• Psychotherapy practice hacker gets jail time after extorting patients, publishing personal therapy notes online
• Wireless carriers fined $200 million after illegally sharing customer location data
• Malwarebytes Premium Security earns “Product of the Year” from AVLab
• FBI warns online daters to avoid “free” online verification schemes that prove costly
• Kaiser health insurance leaked patient data to advertisers

Last week on ThreatDown:

• ThreatDown earns “Product of the Year” from AVLab
• Gitlab zero-click vulnerability under active exploitation
• Nitrogen threat profile
• London Drugs closes retail stores after ransomware attack
• CISA pilot has sent 2,000 alerts to organizations at risk of ransomware
• LockBit Black threat profile
• The anatomy of a Medusa ransomware attack: ThreatDown MDR team investigates
• Medusa ransomware: What organizations need to know
• Corporate users targeted via malicious ads and modals

Stay safe!

---

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Microsoft is rolling out passkey support for all consumer accounts.

Passkeys are a very secure replacement for passwords that can’t be cracked, guessed or phished, and let you log in easily, without having to type a password every time.

After enabling them in Windows 11 last year, Microsoft account owners can now generate passkeys across multiple platforms including Windows, Android, and iOS. You can create passkeys for your Microsoft account, and you can choose your face, fingerprint, PIN, or a security key to secure it.

How to set up a passkey

To create a passkey for your Microsoft account, follow these steps on the device where you’d like to create a passkey:

• Sign in to your Microsoft account.
• Navigate to Security  > Advanced Security Options.

• Click on Get started.
• Choose Add a new way to sign in or verify.

Note: Under certain circumstances, somewhere along the way you may end up in this screen which basically offers you the same choices in a prompt.

• To create a passkey: Select Face, fingerprint, PIN, or security key.
• Follow the instructions on your device.
• During this process, you can choose to save the passkey to different devices like your Android, iPad, or iPhone, or a hardware key.
• You’ll be presented with a QR code to scan with the selected device.
• On the selected device you’ll be asked to authenticate.
• When the procedure is successful, you’ll be asked to provide a name for the passkey. A good choice is to use a name that gives away the location where you stored the passkey.

• After confirming the name you’ll see this confirmation.

Removing a passkey

Should you have second thoughts and want to remove a passkey, follow these steps:

• Visit the Advanced Security Options.
• From the list under Ways to prove who you are, select the passkey you’d like to remove.
• Choose Remove.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Dropbox is reporting a recent “security incident” in which an attacker gained unauthorized access to the Dropbox Sign (formerly HelloSign) production environment. During this access, the attacker had access to Dropbox Sign customer information.

Dropbox Sign is a platform that allows customers to digitally sign, edit, and track documents. The accessed customer information includes email addresses, usernames, phone numbers, and hashed passwords, in addition to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication. The access is limited to Dropbox Sign customers and does not affect users of other Dropbox services because the environments are largely separate.

“We believe that this incident was isolated to Dropbox Sign infrastructure and did not impact any other Dropbox products.”

Even if you never created a Dropbox Sign account but received or signed a document through Dropbox Sign, your email addresses and names were exposed. In a government (K-8) filing about the incident, Dropbox says it found no evidence of unauthorized access to the contents of customers’ accounts (i.e. their documents or agreements), or their payment information. 

The attacker compromised a back-end service account that acted as an automated system configuration tool for the Dropbox Sign environment. The attacker used the privileges of the service account for the production environment to gain access to the customer database.

To limit the aftermath of the incident, Dropbox’s security team reset users’ passwords, logged users out of any devices they had connected to Dropbox Sign, and is coordinating the rotation of all API keys and OAuth tokens.

For customers with API access to Dropbox Sign, the company said new API keys will need to be generated and warned that certain functionality will be restricted while they deal with the breach.

Dropbox says it has reported this event to data protection regulators and law enforcement.

Recommendations

Dropbox expired affected passwords and logged users out of any devices they had connected to Dropbox Sign for further protection. The next time these users log in to their Sign account, they’ll be sent an email to reset the password. Dropbox recommends users do this as soon as possible.

If you’re an API customer, to ensure the security of your account, you’ll need to rotate your API key by generating a new one, configuring it with your application, and deleting your current one. Here is how you can easily create a new key.

API customers should be aware that names and email addresses for those who received or signed a document through Dropbox Sign, even if they never created an account, were exposed. So, this may impact their customers.

Customers who use an authenticator app for multi-factor authentication should reset it. Please delete your existing entry and then reset it. If you use SMS you do not need to take any action.

If you reused your Dropbox Sign password on any other services, we strongly recommend that you change your password on those accounts and use multi-factor authentication when available.

Protecting yourself from a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify any contacts using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

This blog post was written based on research carried out by Jérôme Segura.

A campaign using sponsored search results is targeting home users and taking them to tech support scams.

Sponsored search results are the ones that are listed at the top of search results and are labelled “Sponsored”. They’re often ads that are taken out by brands who want to get people to click through to their website. In the case of malicious sponsored ads, scammers tend to outbid the brands in order to be listed as the first search result.

The criminals that buy the ads will go as far as displaying the official brand’s website within the ad snippet, making it hard for an unsuspecting visitor to notice a difference.

Who would, for example, be able to spot that the below ad for CNN is not legitimate. You’ll have to click on the three dots (in front of where we added malicious ad) and look at the advertiser information to see that it’s not the legitimate owner of the brand.

Only then it becomes apparent that the real advertiser is not CNN, but instead a company called Yojoy Network Technology Co., Limited.

Below, you can see another fake advertisement by the same advertiser, this time impersonating Amazon.

In our example, the scammers failed to use the correct CNN or Amazon icons, but in other cases (like another recent discovery by Jerome Segura), scammers have even used the correct icon.

The systems of the people that click one of these links are likely to assessed on what the most profitable follow-up is (using a method called fingerprinting). For systems running Windows, we found visitors are redirected to tech support scam websites such as this one.

Tech Support Scam site telling the visitor to call 1-844-476-5780

You undoubtedly know the type. Endless pop-ups, soundbites, and prompts telling the visitor that they should urgently call the displayed number to free their system of alleged malware.

These tech support scammers will impersonate legitimate software companies (i.e. Microsoft) and charge their victims hundreds or even thousands of dollars for completely bogus malware removal.

Getting help if you have been scammed

Getting scammed is one of the worst feelings to experience. In many ways, you may feel like you have been violated and angry to have let your guard down. Perhaps you are even shocked and scared, and don’t really know what to do now. The following tips will hopefully provide you with some guidance.

If you’ve already let the scammers in

• Revoke any remote access the scammer has (if you are unsure, restart your computer). That should cut the remote session and kick them out of your computer.
• Scan your computer for malware. The miscreants may have installed password stealers or other Trojans to capture your keystrokes. Use a program such as Malwarebytes to quickly identify and remove threats.
• Change all your passwords. (Windows password, email, banking, etc.)

If you’ve already paid

• Contact your financial institution/credit card company to reverse the charges and keep an eye out for future unwanted charges.
• If you gave them personal information such as date of birth, Social Security Number, full address, name, and maiden name, you may want to look at some form of identity theft protection.

---

Reporting the scam

File a report

• In the US: File a complaint (FTC)
• In Canada: Contact law enforcement
• In the UK: Report fraud | Report a cold call
• In Australia: Report a scam

Shut down their remote software account

• Write down the TeamViewer ID (9-digit code) and send it to TeamViewer’s support. They can later use the information you provide to block people/companies.
• LogMeIn: Report abuse

Spread the word

You can raise awareness by letting your friends, family, and other acquaintances know what happened to you. Although sharing your experience of falling victim to these scams may be embarrassing, educating other people will help someone caught in a similar situation and deter further scam attempts.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

On October 30, 2020, I started a article with the words:

“Hell is too nice a place for these people.”

The subject of this outrage focused on the cybercriminals behind an attack on Finnish psychotherapy practice Vastaamo. Because it was a psychotherapy practice, the records contained extremely sensitive and confidential information about some of the most vulnerable people.

Sadly, the attacker did not stop at extorting the clinic but also sent extortion messages to the patients, asking them to pay around $240 to prevent their data from being published online. And that was a first, as far as we know—not just demanding a ransom from the breached organization, but also from all those that were unlucky enough to have their data on record there.

The attacker demanded a €400,000 ($425,000) ransom from the company. When it refused to pay, he emailed thousands of patients asking for €200 and threatening to publish their therapy notes and personal details on the dark web if they didn’t pay. He ended up publishing it anyway.

As a result of this cyberattack and the extortion attempts:

• Vastaamo’s board fired the CEO because they held him responsible for knowing about the breaches and of the shortcomings in the psychotherapy provider’s data security systems.
• Vastaamo’s owner, who bought the practice a few months after the second breach but was not informed about it, began legal proceedings related to its purchase.
• Vastaamo had to shut its doors because it could not meet its financial obligations.
• The Finnish government contemplated expanding the options for individuals to change their social security number in certain circumstances, such as the aftermath of a hacking incident.
• At least one suicide has been linked to the case.

Now the attacker has been convicted. 26-year-old Julius Kivimäki has been sentenced to six years and three months in prison. Kivimäki, known online as Zeekill, was one of the leading members of several groups of teenage cybercriminals which caused chaos between 2009-2015. One of those groups was the infamous Lizard Squad.

At the age of 17, Kivimäki was convicted of more than 50,000 computer hacks and sentenced to a two-year prison sentence, which was suspended because he was 15 and 16 when he carried out the crimes in 2012 and 2013.

Despite the conviction, the Vastaamo case is not over as civil court cases are now likely to begin to seek compensation for the victims of the hack.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

After four years of investigation, the Federal Communications Commission (FCC) has concluded that four of the major wireless carriers in the US violated the law in sharing access to customers’ location data.

The FCC fined AT&T, Sprint, T-Mobile, and Verizon a total of almost $200 million for “illegally sharing access to customers’ location information without consent and without taking reasonable measures to protect that information against unauthorized disclosure.”

The fines are divided up into $12 million for Sprint, $80 million for T-Mobile (which has now merged with Sprint), more than $57 million for AT&T, and an almost $47 million for Verizon.

From the press release it becomes apparent that the FCC considers real-time location data some of the most sensitive data in a carrier’s possession. Each of the four major carriers was found to be selling its customers’ location information to “aggregators,” who then resold access to such information to third-party location-based service providers.

The investigation by the FCC was set in motion by public reports like the ones in the New York Times, Vice.com, and a letter from Sen. Ron Wyden to the FCC. All pointed out that anyone could get location information about almost any US phone if they were willing to pay an unauthorized source.

The FCC press release specifically mentions a location-finding service operated by Securus, a provider of communications services to correctional facilities, as a source that provided the possibility to track people’s location.

The US law, including section 222 of the Communications Act, requires carriers to take reasonable measures to protect certain customer information, including location information.

The wireless carriers attempted to offload their obligation to obtain customer consent onto the downstream recipients of the location information. The end result was a failure in which no valid customer consent was obtained. And even though the carriers were aware of this, they continued to sell access to location information without taking reasonable measures to protect it from unauthorized access.

As reported by Krebs on Security, one of the data aggregation firms, LocationSmart, had a free, unsecured demo of its service online that anyone could abuse to find the near-exact location of virtually any mobile phone in North America.

Spokespersons of Verizon and AT&T both indicated to BleepingComputer that they felt as if they were taking the blame for another company’s failure to obtain consent.

T-Mobile said in a statement to CNN that it discontinued the location data-sharing program over five years ago. The company wanted to make sure first that critical services like roadside assistance, fraud protection, and emergency response would not suffer any negative consequences if it did.

All three companies indicated they will appeal the order. We’ll keep you posted on any new developments.

---

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

After blocking 100% of “in-the-wild” malware samples that were deployed in multiple, consecutive third-party tests conducted by the AVLab Cybersecurity Foundation, Malwarebytes Premium Security has earned “Product of the Year.”

The recognition cements Malwarebytes Premium Security’s perfect record of repeatable, trusted, and proven protection for users. It also comes alongside an additional AVLab certification for “Top Remediation Time.”

The latest results are part of AVLab’s regular “Advanced In-The-Wild Malware Test.”

For the March 2024 evaluation, AVLab tested 459 unique malware samples against 13 cybersecurity products. Malwarebytes Premium Security detected 459/459 malware samples, with a remediation time of 20 seconds—a full 13 seconds faster than the industry average.

ThreatDown, powered by Malwarebytes, also participated in AVLab’s March evaluation, where it similarly blocked 100% of malware samples with a remediation time of 17 seconds.

Three cybersecurity vendors failed to block 100% of the malware samples deployed: Bitdefender, ESET, and Panda.

AVLab’s evaluations, which are performed every other month by a team of cybersecurity and information security experts, are constructed to test and compare cybersecurity vendors against the latest malware that is currently being used by adversaries and threat actors. To ensure that the organization’s evaluations reflect current cyberthreats, each round of testing follows three steps:

1. Collecting and verifying in-the-wild malware: AVLab regularly collects malware samples from malicious and active URLs, testing the malware samples to understand their impact to networks and endpoints.
2. Simulating a real-world scenario in testing: To recreate how a real-life cyberattack would occur, AVLab uses the Firefox web browser to engage with the known, malicious URLs collected in the step prior. In the most recent test, AVLab emphasized the potential for these URLs to be sent over instant messaging platforms, including Discord and Telegram.
3. Incident recovery time assessment: With the various cybersecurity products installed, AVLab measures whether the evaluated product detects a malware sample, when it detects a sample, and how long it took to detect that sample. The last metric is referred to as “Remediation Time.”

Malwarebytes is proud to receive “Product of the Year” and “Top Remediation Time” from AVLab, and is thankful to the third-party tester for its important work in the industry.

The FBI has warned of fraudsters targeting users of dating websites and apps with “free” online verification service schemes that turn out to be very costly.

Instead of being free, as advertised, the verification schemes involve steep monthly subscription fees, and will steal personal information on the side.

The scammers collect the information entered by victims at registrations and use it to commit further fraudulent activity such as identity theft or selling the information on the dark web. The stolen information may include email addresses, phone numbers, and even credit card information.

The scam works like this: The scammer initiates contact on a dating website or app, but then quickly asks the victim to move the conversation to a more private, encrypted platform.

Once there, the scammer will recommend a verification link that supposedly provides protection against predators like sex offenders and serial killers. This verification website asks the victim to provide their name, phone number, email address, and credit card number to complete the process.

After completing the registration, the victim is redirected to a shady dating site that charges hefty monthly fees to the victim’s credit card. These charges show up on the credit card statement as a company the victim has never heard of.

The personal information the victim gives the scammers is useful because it allows them to defraud the victims even more. Whether the scammers are the same ones, or others who have bought the information on the dark web makes no difference to the victims.

Avoid falling victim

There are some pointers that may help you to fall victim to scammers such as these:

• Stay on the platform of your choice. If someone contacts you and wants to continue the conversation elsewhere, that should be a red flag. We saw the same when we discussed scams on Airbnb: It is in the scammers’ interest that the fraud takes place on a platform under their control, where they can’t be as easily tracked.
• Don’t click on links, downloads or attachments sent to you by strangers. Even if you have been in contact with someone for some time on the internet, they are still strangers. Sometimes they will get to the point fast, but in pig butchering scams for example, the contact can be ongoing for quite a while.
• If you are contacted by someone and they come across as untrustworthy or suspicious, report them to the platform’s administrators. You may prevent others from falling victim to the scammers.
• Don’t provide someone you have just met with personal details and information.
• Monitor your credit card statements and bank accounts for irregularities and contact your bank if you see payments you don’t recognise.
• Avoid websites that use scare tactics to trick you into registering for a service. At least do a background check to find out if they are legitimate and live up to their promises.
• Consider identity monitoring. This alerts you if your personal information is found being traded illegally online, and helps you recover after.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection

Health insurance giant Kaiser has announced it will notify millions of patients about a data breach after sharing patients’ data with advertisers.

Kaiser said that an investigation led to the discovery that “certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors.”

In the required notice with the US government, Kaiser lists 13.4 million affected individuals. Among these third-party ad vendors are Google, Microsoft, and X. Kaiser said it subsequently removed the tracking code from its websites and mobile apps.

A tracking pixel is a piece of code that website owners can place on their website. The pixel collects data that helps businesses track people and target adverts at them. That’s nice for the advertisers, but the information gathered by these pixels tells them a lot about your browsing behavior, and a lot about you.

This kind of data leak normally happens when a website includes sensitive information in its URLs (web addresses). The URLs you visit are shared with the company that provides the tracking pixel, so if the URL contains sensitive information it will end up in the hands of the tracking company. The good news is that while it’s easy for websites to leak information like this, there is no suggestion that tracking pixel operators are aware of it, or acting on it, and it would probably be hugely impractical for them to do so.

The leaked data includes member names and IP addresses, as well as information that could indicate if members were signed into a Kaiser Permanente account or service, how they interacted with it, how they navigated through the website and mobile applications, and what search terms they used in the health encyclopedia.

A spokesperson said that Kaiser intends to begin notifying the affected current and former members and patients who accessed its websites and mobile apps in May.

Not so long ago, we reported how mental health company Cerebral failed to protect sensitive personal data, and ended up having to pay $7 million. Also due to tracking pixels, so this is a recurring problem we are likely to see lots more of. Research done by TheMarkup in June of 2022 showed that Meta’s pixel could be found on the websites of 33 of the top 100 hospitals in America.

Check your digital footprint

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

Last week on Malwarebytes Labs:

• Ring agrees to pay $5.6 million after cameras were used to spy on customers
• TikTok comes one step closer to a US ban
• Google ad for Facebook redirects to scam
• “Substantial proportion” of Americans may have had health and personal data stolen in Change Healthcare breach
• Picking fights and gaining rights, with Justin Brookman: Lock and Code S05E09
• Billions of scraped Discord messages up for sale

Last week on ThreatDown:

• MITRE breached through Ivanti Connect Secure vulnerabilities
• Microsoft warns about actively abused vulnerability in Windows Print Spooler service
• 5 key benefits of the ConnectWise Asio and ThreatDown Integration for MSPs
• Update now! CrushFTP vulnerability allows data theft and possibly server compromise
• Patch now! Cactus exploits Qlik Sense to deliver ransomware
• Decoy Microsoft Word document delivers malware through a RAT

Stay safe!

---

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Amazon’s Ring has settled with the Federal Trade Commission (FTC) over charges that the company allowed employees and contractors to access customers’ private videos, and failed to implement security protections which enabled hackers to take control of customers’ accounts, cameras, and videos.

The FTC is now sending refunds totaling more than $5.6 million to US consumers as a result of the settlement.

Ring LLC, which was purchased by Amazon in February 2018, sells internet-connected, home security cameras and video doorbells.

However, in a shocking lapse of security protection, it turned out that every single person working for Amazon Ring, whether they were an employee or a contractor, was able to access every single customer video, even when it wasn’t necessary for their jobs.

But that wasn’t the only issue. In May 2023, the FTC stated that:

“Ring deceived its customers by failing to restrict employees’ and contractors’ access to its customers’ videos, using its customer videos to train algorithms without consent, and failing to implement security safeguards. These practices led to egregious violations of users’ privacy.”

The FTC gave the example of one employee who, over several months, viewed thousands of video recordings belonging to female users of Ring cameras that were pointed at intimate spaces in their homes such as their bathrooms or bedrooms. This didn’t stop until another employee discovered the misconduct.

The FTC is now sending 117,044 PayPal payments to US customers who had certain types of Ring devices, such as indoor cameras, during periods when the FTC alleges unauthorized users may have had access to customer videos. Customers should redeem their PayPal payment within 30 days.

“The FTC identified eligible Ring customers based on data provided by the company,” the agency told BleepingComputer, clarifying that Ring users “were eligible for a payment if their account was vulnerable because of privacy and security problems alleged in the complaint.”

Consumers who have questions about their payment should contact the refund administrator, Rust Consulting, Inc., at 1-833-637-4884, or visit the FTC website to view frequently asked questions about the refund process.

Beware of scammers

As always, you can expect scammers to take advantage of this news. So, it’s important to know that the FTC never asks people to pay money or provide account information to get a refund.

A payment or claim form sent as part of an FTC settlement will include an explanation of, and details about, the case. The case will be listed at ftc.gov/refunds, along with the name of the company issuing payments and a phone number for questions.

The FTC only works with four private companies to handle the refund process:

• Analytics Consulting, LLC
• Epiq Systems
• JND Legal Administration
• Rust Consulting, Inc.

Before sending any PayPal payment, the FTC will send an email from the subscribe@subscribe.ftc.gov address to issue a payment recipient. Once payments have been issued, PayPal will send an email telling recipients about their refund.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection

The US Senate has approved a bill that would effectively ban TikTok from the US unless Chinese owner ByteDance gives up its share of the immensely popular app.

Social video platform TikTok has experienced explosive growth since it first appeared in 2017, and is now said to have well over 1.5 billion users, with an estimated 170 million of them in the US.

Essentially, the bill says that TikTok has to find a new owner that is not based in a foreign adversarial country within the next 180 days or face a ban until it does comply. President Biden has committed to sign it into law as soon as it reaches his desk.

Since 2020, several governments and organizations have banned, or considered banning, TikTok from their staff’s devices, but a complete ban of an internet app would be a first in the US.

For a long time now, TikTok has been battling to convince politicians that it operates independently of ByteDance, which allegedly has deep ties to the Chinese Communist Party (CCP). For example, TikTok has repeatedly claimed the Chinese government has never demanded access to US data and that TikTok would not comply if it did.

While ByteDance denies any direct links to the Chinese Communist Party, a former executive at TikTok’s parent company claimed in court documents that the CCP had access to TikTok data, despite US storage of the data. The allegations came up in a wrongful dismissal lawsuit filed in May of 2023 in the San Francisco Superior Court.

The Electronic Frontier Foundation (EFF), an international non-profit digital rights group based in the US, says it opposes this bill, mainly because it is afraid that TikTok will not be the last app to face this type of ban.

TikTok also encouraged its users and creators to express their opposition to the bill. Last week, the social media company said the bill would:

“Trample the free speech rights of 170 million Americans, devastate seven million businesses, and shutter a platform that contributes $24 billion to the US economy, annually.”

Chinese officials reportedly said the government would “firmly oppose” any forced sale of TikTok because it would “seriously undermine the confidence of investors from various countries, including China, to invest in the United States.”

Check your digital footprint

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

Today, we are looking at a malicious ad campaign targeting Facebook users via Google search. It is well-known that tech support scammers attract new victims by buying ads for certain keywords related to their audience.

What is perhaps less known is how it is even possible to impersonate top brands and get away with it. We will try to respond to the ‘how they do it’ and the ‘why is Google allowing this’ questions.

Such malvertising attacks are not new and the damage they cause to consumers is growing every day. There is no one way to stop all of them, but public reporting will hopefully drive the point home that this needs to be addressed just like other types of fraud or malware.

We have reported the malicious advertiser to Google, but at the time of publishing this campaign was still on.

Malicious ad campaign for Facebook

Justin Poliachik did what many people would do, he opened up a Google search, typed facebook and clicked on the top result. In the video below, he summarizes what happened next:

@j_poli

Never trust a Promoted Link from Google

♬ original sound – Justin Poli

Thanks to Justin for the shoutout to our blog and explaining what went down! Not sure if Justin was joking, but we don’t believe AI is going to fix malvertising, at least not for the next little while. Instead, we are going to look into more details about one particular technique. In our view, this is actually where the abuse happens the most, and where things could be improved.

Two paths make cloaking

As we said, Google seems to have a problem with brand impersonation that may not be easy to solve. We have reported such cases several times before with pretty much the same techniques.

How can Google differentiate a legitimate affiliate from a malicious actor? There are a number of data points about the advertiser via their account: user profile, payment method, budget, etc. We are not privy to those details, but they can certainly help when it comes to fraud.

More importantly, there is the ad itself: vanity URL, display text, tracking template, final URL. What happens when you click on the ad? Are you actually redirected to the URL claimed in the ad? This is a feature that appears to be so easy to abuse, and yet remains unfixed.

In the video below, we walk you through the classic tale of cloaking:

Cloaking is an old technique and in many ways can be used for legitimate purposes. After all, one needs to be able to detect real humans and not bots or crawlers for their hard-earned ad dollars budget.

Threat actors have long identified such services as very helpful tools for their malicious campaigns. True, they, like others don’t want robots, but they also don’t want Google’s scanners or security researchers to expose their malicious schemes.

Under the hood

This part is a little more technical, but integral in understanding how malvertising works. As mentioned in the video above, cloaking allows to deliver two different experiences. Genuine humans can be detected from a number of factors: IP address, browser fingerprinting, etc.

A click tracking service can be used to analyze traffic, collect data, etc. All in all, such services are useful in and of themselves, but they can also easily be abused by bad actors. Within the Google ad ecosystem, advertisers will place their URL as a tracking template, and the rest will be handled outside of Google.

One thing that’s interesting is how scammers will abuse the click tracking service as well! All they have to do is redirect to another “legitimate” domain they control and from there decide on the final destination URL.

We can see in the image below that final redirect, which is either the scam page or the actual Facebook site:

Safeguarding your online experience

We have seen these malicious ads for years and years. It would be unfair to say that no action has ever been taken, but there is room for improvement. Individual reports from victims are not always actioned based on our experience and that of others. This is frustrating because it appears as if those individual experiences do not matter in the grander scheme of things.

Security vendors also struggle with these scams. Chasing infrastructure from one host to the next or having trouble blocking URLs that abuse legitimate providers is a real thing.

As a user you can protect yourself in various ways:

• Beware of sponsored results
• Block ads altogether
• Recognize scam pages as fake

If you want the piece of mind and have all this covered for you, download our Malwarebytes Browser Guard extension available for different browsers.

UnitedHealth Group has given an update on the February cyberattack on Change Healthcare, one of its subsidiaries. In the update, the company revealed the scale of the breach, saying:

“Based on initial targeted data sampling to date, the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America.”

UnitedHealth also announced support for affected people.

On Wednesday February 21, 2024, Change Healthcare experienced serious system outages due to the cyberattack. The incident led to widespread billing outages, as well as disruptions at pharmacies across the United States.

The attack on Change Healthcare, which processes about 50% of US medical claims, was one of the worst ransomware attacks against American healthcare and caused widespread disruption in payments to doctors and health facilities.

Despite the ongoing investigation, which expectedly will take several more months of detailed analysis, UnitedHealth said it had decided to immediately provide support. The company says it continues to monitor the regular web and the dark web for any published data.

The chief executive of UnitedHealth Group, Andrew Witty, is expected to testify in Congress in May about the matter. Meanwhile the company says it has made strong progress restoring services impacted by the event and is prioritizing the restoration of services that impact patient access to care or medication.

Affected people can visit a dedicated website at changecybersupport.com to get more information, or call 1-866-262-5342 to set up free credit monitoring and identity theft protection.

Protecting yourself from a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection

This week on the Lock and Code podcast…

Our Lock and Code host, David Ruiz, has a bit of an apology to make:

“Sorry for all the depressing episodes.”

When the Lock and Code podcast explored online harassment and abuse this year, our guest provided several guidelines and tips for individuals to lock down their accounts and remove their sensitive information from the internet, but larger problems remained. Content moderation is failing nearly everywhere, and data protection laws are unequal across the world.

When we told the true tale of a virtual kidnapping scam in Utah, though the teenaged victim at the center of the scam was eventually found, his family still lost nearly $80,000.

And when we asked Mozilla’s Privacy Not Included team about what types of information modern cars can collect about their owners, we were entirely blindsided by the policies from Nissan and Kia, which claimed the companies can collect data about their customers’ “sexual activity” and “sex life.”

(Let’s also not forget about that Roomba that took a photo of someone on a toilet and how that photo ended up on Facebook.)

In looking at these stories collectively, it can feel like the everyday consumer is hopelessly outmatched against modern companies. What good does it do to utilize personal cybersecurity best practices, when the companies we rely on can still leak our most sensitive information and suffer few consequences? What’s the point of using a privacy-forward browser to better obscure my online behavior from advertisers when the machinery that powers the internet finds new ways to surveil our every move?

These are entirely relatable, if fatalistic, feelings. But we are here to tell you that nihilism is not the answer.

Today, on the Lock and Code podcast, we speak with Justin Brookman, director of technology policy at Consumer Reports, about some of the most recent, major consumer wins in the tech world, what it took to achieve those wins, and what levers consumers can pull on today to have their voices heard.

Brookman also speaks candidly about the shifting priorities in today’s legislative landscape.

“One thing we did make the decision about is to focus less on Congress because, man, I’ll meet with those folks so we can work on bills, [and] there’ll be a big hearing, but they’ve just failed to do so much.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

---

Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Four billions public Discord messages are for sale on an internet scraping service called Spy.pet.

At first sight there doesn’t seem to be much that is illegal about it. The messages were publicly accessible and there are no laws against scraping data. However, it turns out the site did disregard some laws: more on that later.

To get this amount of data the platform gathered information from 14,201 servers about 627,914,396 users.

The way in which Spy.pet organized the information could turn out to be problematic for certain users. It built a database based on user profiles which contains all known aliases, pronouns, connected accounts (such as Steam and GitHub), Discord servers joined, and public messages.

The buyers don’t need to descend into the dark dungeons of the dark web to buy this information. It’s available for anyone on the regular web.

For a search of information about a specific user, all you need is their Discord User-ID and some cryptocurrency.

To look up profiles, you’ll first have to buy credits. A credit costs $0.01 and you’ll have to buy a minimum of 500 credits.

A new search for a profile will put you back 10 credits (7 for a cached profile).

Interestingly the platform also offers an enterprise version for which interested parties are invited to contact the administrator.

Breaking a few laws

Scraping data is a common practice nowadays, but there are a few rules that, when broken, will cost a lot more than a few dollars. Scraping and selling data about minors, especially without consent, is illegal in most parts of the world, including the US.

And when you are gathering data about European Union (EU) citizens, you’ll need to have a method in place for those citizens to have their information removed. Spy.pet does have a “Request Removal” button, but clicking it will show you an annoying snippet of a Spiderman movie where the news editor laughs at Peter Parker.

Discord told the Register it is probing Spy.pet to see if any action needs to be taken against the chat-harvesting service.

“Discord is committed to protecting the privacy and data of our users. We are currently investigating this matter. If we determine that violations of our Terms of Service and Community Guidelines have occurred, we will take appropriate steps to enforce our policies. We cannot provide further comments as this is an ongoing investigation.”

Check your digital footprint

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection

Last week on Malwarebytes Labs:

• Law enforcement reels in phishing-as-a-service whopper
• Mental health company Cerebral failed to protect sensitive personal data, must pay $7 million
• Cannabis investment scam JuicyFields ends in 9 arrests
• Should you share your location with your partner?
• Giant Tiger breach sees 2.8 million records leaked

Last week on ThreatDown:

• What makes some zero-day vulnerabilities more valuable than others?
• Turning back the clock on encryption: How to perform ransomware backups in one-click
• ThreatDown earns highest ratings across EDR and MDR categories in G2 Spring 2024 results
• K-12 district hit with $500k Medusa ransomware attack
• FakeBat campaign continues, now also targeting VMware users

Stay safe!

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

A major international law enforcement effort involving agencies from 19 countries has disrupted the notorious LabHost phishing-as-a-service platform.

Europol reports that the organization’s infrastructure has been compromised, its website shut down, and 37 suspects arrested, including four people in the UK linked to the running of the site, which also allegedly included the original developer of the service.

Europol’s announcement also hints that this isn’t the end of the story, and users of the platform should ready themselves for some uncomfortable encounters with law enforcement in the future. As Europol said in its release:

A vast amount of data gathered throughout the investigation is now in the possession of law enforcement. This data will be used to support ongoing international operational activities focused on targeting the malicious users of this phishing platform.

The UK’s Metropolitan Police (“The Met”), which spearheaded the operation, says it has already contacted the criminals who used the site:

Shortly after the platform was disrupted, 800 users received a message telling them we know who they are and what they’ve been doing. We’ve shown them we know how much they’ve paid to LabHost, how many different sites they’ve accessed and how many lines of data they’ve received. Many of these individuals will remain the focus of investigation over the coming weeks and months.

In a phishing attack, criminals use emails to trick users into entering details like passwords or credit card numbers into fake websites. The emails and websites typically mimic popular brands like UPS, Amazon, or Microsoft, and copy the format of emails sent by those companies, luring victims with things like fake security alerts.

Phishing-as-a-Service (PaaS) provides the tools and infrastructure criminals need to carry out phishing attacks on a subscription basis, so they don’t have to create and run it themselves. This lowers the barrier to entry for these kinds of crimes and puts sophisticated tools in the hands of people who wouldn’t otherwise have access to them.

LabHost was set up in 2021 and grew to become one of the largest PaaS vendors. Europol says that “with a monthly fee averaging $249, LabHost would offer a range of illicit services which were customizable and could be deployed with a few clicks.” Those services reportedly included a menu of over 170 fake websites for users to choose from, and a campaign management tool called “LabRat” that could capture two-factor (2FA) authentication codes.

The phishing platform is reported to have had 2,000 registered users and was used to create “more than 40,000 fraudulent sites.” The Met says that around 70,000 individual UK victims have been phished using the service, and that globally, it swallowed up 480,000 card numbers, 64,000 PIN numbers, and more than one million passwords.

Victims in the UK have been contacted by the Met to inform them that some of their data has been compromised. Ironically, thousands of victims being contacted in this way creates an opportunity for copycat phishing emails with Met branding. For that reason, the Met has been careful not to include any links in its communications and warns potential victims that:

…if you receive any contact from the Met with links in, this will be fraudulent so please do not engage with this.

If you’ve been contacted by the Metropolitan Police about the LabHost breach you can find some useful guidance and support on its LabHost Disruption page.

The Federal Trade Commission (FTC) has reached a settlement with online mental health services company Cerebral after the company was charged with failing to secure and protect sensitive health data.

Cerebral has agreed to an order that will restrict how the company can use or disclose sensitive consumer data, as well as require it to provide consumers with a simple way to cancel services.

After a data breach in 2023 Cerebral disclosed that it had been using invisible pixel trackers from Google, Meta (Facebook), TikTok, and other third parties on its online services since October 2019.

A tracking pixel is a piece of code that website owners can place on their website. The pixel collects data that helps businesses track people and target adverts at them. That’s nice for the advertisers, but the combined information of all these pixels potentially provides a company with an almost complete picture of your browsing behavior and a lot of information about you.

The FTC statement claims that by using these tracking pixels, which are invisible to the website visitor unless they look at the underlying code, Cerebral provided the sensitive information of nearly 3.2 million consumers to these third parties.

The complaint points out that to get consumers to sign up for Cerebral’s services and to provide detailed personal data, the company claimed to offer “safe, secure, and discreet” services, saying that users’ data would be kept confidential.

Also, according to the complaint, the company specifically claimed in many instances that it would not share users’ data for marketing purposes without obtaining people’s consent.

Many organizations are unclear about how much information the social media companies behind the tracking pixels can gather. In the Notice of HIPAA Privacy Breach Cerebral disclosed that the following data were potentially exposed:

• Full name
• Phone number
• Email address
• Date of birth
• IP address
• Cerebral client ID number
• Demographic information
• Self-assessment responses and associated health information
• Subscription plan type
• Appointment dates
• Treatment details and other clinical information
• Health insurance/pharmacy benefit information

Among other penalties, Cerebral has to refund $5.1 million to customers who were impacted by deceptive cancellation practices and pay a $10 million civil penalty, limited to $2 million due to Cerebral’s inability to pay the full amount.

The number of breaches concerning health information is shocking. As required by section 13402(e)(4) of the HITECH Act, the Secretary of the US Department of Health and Human Services Office for Civil Rights publishes a list of breaches that reveal unsecured protected health information affecting 500 or more individuals.

We have reported about similar cases that involved tracking pixels. Research done by TheMarkup in June of 2022 showed that Meta’s pixel showed up on the websites of 33 of the top 100 hospitals in America.

Protecting yourself from a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection