Scammers love to bank on the good name of legitimate companies to gain the trust of their intended targets. Recently, it came to our attention that a cybercriminal is using fake websites for security products to spread malware. One of those websites was impersonating the Malwarebytes brand.

The download from the fake website was an information stealer with a filename that resembled that of the actual Malwarebytes installer.

Besides some common system information, this stealer goes after:

• Account tokens
• Steam tokens
• Saved card details
• System profiles
• Telegram logins
• List of running process names
• Installed browser lists and their version
• Credentials from the browser “User Data” folder, Local DB an autofill
• Cookies from the browser
• List of folders on the C drive

This is just one scam, but there are always others using our name to target people. We regularly see tech support scammers pretending to be Malwarebytes to defraud their victims.

Some scammers sell—sometimes illegal—copies of Malwarebytes for prices that are boldly exaggerated.

Others will try and phish you by sending you a confirmation mail of your subscription to Malwarebytes.

And sometimes when you search for Malwarebytes you will find imposters in between legitimate re-sellers. Some even use our logo.

In this case, Google warned us that there was danger up ahead.

The site itself was not as convincing as the advert, and some poking around in the source code told us the website was likely built by a Russian speaking individual.

How to avoid brand scams

It’s easy to see how people can fall for fake brand notices. Here are some things that can help you avoid scams that use our name:

• Download software directly from our sites if you are not sure of the legitimacy of the ones offered to you.
• Check that any emails that appear to come from Malwarebytes are sent from a malwarebytes.com address.
• If you have any questions or doubts as to the legitimacy of something, you can contact our Support team.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Group wants big tech social media firms to pay up to £40m a year to reimburse customers after years of shouldering cost of fraud

A leading City lobby group is calling on the next government to bring in scams legislation that forces big tech and social media companies to cough up up to £40m a year to reimburse customers and fight fraud on their platforms.

The demand came in a ‘financial services manifesto’ released by UK Finance, which represents banks, payments companies and other financial firms.

Continue reading...

💾

© Photograph: Canadian Press/REX/Shutterstock

💾

© Photograph: Canadian Press/REX/Shutterstock

People who fall for the scheme are told to pay the shipping fee before the piano is sent. If they do, that's the last they hear from the bad actors.

The post Scammers Build Fraud Campaigns Around Free Piano Offers appeared first on Security Boulevard.

Although fraudsters gave one of its account numbers, it was totally uninterested as I was not its customer

I am the treasurer of a small charity, and recently received an email that appeared to come from the chair asking me to send a £780 payment to a supplier.

I immediately realised that it was a scam – it wasn’t written in his style, and, when I looked closely, it hadn’t come from his email address. I replied asking what it was for, and then kept the dialogue going.

Continue reading...

💾

© Photograph: Timon Schneider/Alamy

💾

© Photograph: Timon Schneider/Alamy

Scammers impersonating Microsoft, Publishers Clearing House, Amazon and Apple are at the top of the FTC’s “who’s who” list. Based on consumer reports and complaints to the agency, hundreds of millions of dollars were stolen by bad actors pretending to be brands.

The post ‘Microsoft’ Scammers Steal the Most, the FTC Says appeared first on Security Boulevard.

Recent reports claim that the Microsoft Threat Intelligence team stated that a cybercriminal group, identified as Storm-1811, has been exploiting Microsoft’s Quick Assist tool in a series of social engineering attacks. This group is known for deploying the Black Basta ransomware attack. On May 15, 2024, Microsoft released details about how this financially motivated group […]

The post Black Basta Ransomware Attack: Microsoft Quick Assist Flaw appeared first on TuxCare.

The post Black Basta Ransomware Attack: Microsoft Quick Assist Flaw appeared first on Security Boulevard.

Bitdefender has launched the AI scam detector, Scamio, on WhatsApp in Australia. This innovative integration empowered Australians to utilize WhatsApp as a platform for efficiently verifying online scams and fraud instances. Bitdefender Scamio aims to address rising concerns surrounding online scams by providing a highly accessible and user-friendly tool directly within WhatsApp. Users could interact with the chatbot by submitting questionable content and conversationally describing the context. 

Bitdefender’s Scamio is Now Available on WhatsApp in Australia

Bitdefender Scamio is an AI-driven chatbot that analyzes data and provides a verdict within seconds, along with recommendations for further action. Additionally, with this latest integration with WhatsApp, over 7.4M Australian users can use Scamio as their personal scam checker. [caption id="attachment_70308" align="alignnone" width="1200"] Source: Bitdefender[/caption] The integration of Bitdefender’s Scamio with WhatsApp was a strategic response to the increasing use of artificial intelligence by malicious actors. Scammers were exploiting popular messaging apps and online services to steal money, credentials, and personal data. By integrating Scamio into WhatsApp, Bitdefender aimed to disrupt these criminal activities by offering a sophisticated tool capable of keeping pace with online scam tactics. The enhanced accessibility provided by this feature aimed to provide an additional layer of security for Australians, who were disproportionately targeted by online fraudsters. Having Scamio available within WhatsApp streamlined the scam verification process for everyday users, reducing the time and effort required to identify potential scams.

How to use Bitdefender’s Scamio for Scam Detection?

In the USA and other countries, online scams remained a major concern, with the number of internet fraud reports rising in recent years. Phishing and online shopping scams were among the most common types reported. To combat this issue, governments intensified efforts to inform the public and assist in preventing internet fraud and scams. Scamio, Bitdefender's next-gen AI chatbot, combined artificial intelligence with exceptional threat-detection algorithms, machine learning, pattern recognition, and advanced data analysis techniques to identify even the most sophisticated scams. Accessible on any device without requiring installation, Scamio helped users quickly verify suspicious links, text messages, emails, and QR codes—all for free. To use this chatbot, users could access the web app or add it as a contact on WhatsApp or Facebook Messenger. Once logged in, users could describe scam details, copy and paste texts or links, or upload pictures or screenshots of deceptive messages. Scamio then analyzed the material and provided recommendations to ensure users didn't fall victim to cybercriminals. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The post Brand impersonation attacks: How to take responsibility for your customers appeared first on Click Armor.

The post Brand impersonation attacks: How to take responsibility for your customers appeared first on Security Boulevard.

A Georgia man was sentenced to 10 years in prison after being convicted of money laundering and conspiracy in connection with a digital fraud network that included business email compromise (BEC) attacks, romance scams, and healthcare benefits frauds, the U.S. Department of Justice announced. Malachi Mullings, 31, from Sandy Springs scammed over $4.5 million from his victims and laundered the proceeds through 20 bank accounts opened in the name of a shell company, The Mullings Group LLC. The scams relied on a variety of common techniques used in BEC scams and targeted elderly individuals of a health care benefit program, private companies and romance scam victims. “In one instance, Mullings laundered $310,000 that was fraudulently diverted from a state Medicaid program and had been intended as reimbursement for a hospital,” the Justice Department said. In another instance, Mullings was able to get $260,000 from a romance scam, which he used to buy a Ferrari. The sentencing of Mullings comes after he pleaded guilty in January 2023 to one count of conspiracy to commit money laundering and seven counts of various money laundering offenses. Mullings was first charged in February 2022, along with nine others from multiple states across the country. They were all charged in connection with multiple business email compromise, money laundering and wire fraud schemes that targeted Medicare, state Medicaid programs, private health insurers, and numerous other victims, which resulted in more than $11.1 million in total losses. “These defendants defrauded numerous individuals, companies, and federal programs, resulting in millions of dollars in financial losses to vital federal programs meant to provide assistance to those in need,” said U.S. Attorney Ryan Buchanan, at the time. “Millions of American citizens rely on Medicaid, Medicare, and other health care systems for their health care needs. These subjects utilized complex financial schemes, such as BECs and money laundering, to defraud and undermine health care systems across the United States,” said Luis Quesada, who at the time was Assistant Director of the FBI’s Criminal Investigative Division.

“Elder fraud and romance fraud schemes utilized by the subjects often target our most vulnerable citizens and the FBI is committed to pursuing justice for those who were victimized by these schemes.”

Together, the fraud schemes of these 10 scammers deceived five state Medicaid programs, two Medicare Administrative Contractors, and two private health insurers, who made payments to them and their co-conspirators instead of depositing the reimbursement payments into bank accounts belonging to the hospitals.

Elder Fraud Growing: FBI Data

Elder fraud complaints increased by 14% in 2023, according to a recently released report by the FBI’s Internet Crime Complaint Center (IC3). The associated losses reported by those over the age of 60 topped at $3.4 billion, an almost 11% increase in reported losses from 2022. While tech support scams were the most widely reported kind of elder fraud, personal data breaches, confidence and romance scams, non-payment or non-delivery scams, and investment scams rounded out the top five most common types of elder fraud reported to IC3 last year. [caption id="attachment_69765" align="aligncenter" width="1400"] Source: IC3[/caption] Investment scams were the costliest elder fraud in 2023 and cost victims more than $1.2 billion in losses last year. Tech support scams, business email compromise scams, confidence and romance scams, government impersonation scams, and personal data breaches, all respectively cost victims hundreds of millions of dollars in 2023. [caption id="attachment_69767" align="aligncenter" width="1400"] Source: IC3[/caption] On the state level, Florida ranked second in the country for the number of complaints and reported losses.

“It’s disturbing to hear the stories of financial hardship these schemes create,” said FBI Tampa Field Special Agent Rodney Crawford.

“Combatting the financial exploitation of those over 60 years of age continues to be a priority of the FBI,” said FBI Assistant Director Michael Nordwall, who leads the Bureau’s Criminal Investigative Division. “Along with our partners, we continually work to aid victims and to identify and investigate the individuals and criminal organizations that perpetrate these schemes and target the elderly.” The agency regards elderly fraud as a more insidious threat than the report shows. Many of these crimes likely go unreported, as “only about half” of the fraud scam complaints that get through to IC3 include IC3 data, the report said. Media Disclaimer: This article is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Insurer Allianz says scam by criminals on motorbikes and scooters increased by 6,000% last year

Motorists have been warned to be vigilant after a 60-fold increase in “crash for cash” fraud claims involving motorbike and scooter riders staging accidents so they can blame innocent drivers.

The insurer Allianz said its data showed that claims relating to this scam increased by 6,000% between January and December 2023 – a significant jump from the 50% increase the year before.

Continue reading...

💾

© Photograph: Christopher Thomond/The Guardian

💾

© Photograph: Christopher Thomond/The Guardian

‘Purchase scams’ often pegged to big events, warns UK Finance’s annual fraud report

The clamour to secure tickets for Taylor Swift’s sold-out UK shows is expected to fuel a summer fraud bonanza as figures showed a “staggering” £1.2bn was stolen from unwitting consumers in 2023.

Swift’s Eras tour, which arrives in the UK in June, and the Olympic Games, are contenders for biggest ticketing scam of the year. The warning, from industry group UK Finance, came as its annual fraud report revealed that the number of people succumbing to a “purchase scam” in 2023 soared.

Continue reading...

💾

© Photograph: Christine Olsson/TT/Reuters

💾

© Photograph: Christine Olsson/TT/Reuters

More and more websites and services are making multi-factor-authentication (MFA) mandatory, which makes it much harder for cybercriminals to access your accounts. That’s a great thing. But as security evolves, so do cybercriminals who are always looking for new ways to scam us.

A type of phishing we’re calling authentication-in-the-middle is showing up in online media. While these techniques, named after man-in-the-middle (MitM) attacks, have existed for a while, they appear to be gaining traction now.

It works like this: A user gets lured to a phishing site masquerading as a site they normally use, such as a bank, email or social media account. Once the user enters their login into the fake site, that information gets redirected by the cybercriminals to the actual site, without the user knowing.

The user is then prompted for their MFA step. They complete this, usually by entering a code or accepting a push notification, and this information is then relayed to the criminals, allowing them to login to the site.

Once the criminals are into an account, they can start changing settings like the account’s email address, phone number, and password, so the user can no longer log in, or they can simply clean out a bank account. This may help you understand why many platforms ask for your PIN or other authentication again when you try to change one of these important settings.

Victims are lured to phishing sites like these via links from social media or emails where it can be hard to identify the real link.  Phishing sites can even show up in sponsored search results, in the same way as we reported about tech support scams.

How to protect yourself from authentication-in-the-middle attacks

• Keep your wits about you. Being aware of how scammers work is the first step to avoiding them. Don’t assume sponsored search results are legit, and trust that if something seems suspicious then it probably is.
• Use security software. Many security programs block known phishing sites, although domains are often short-lived and get rotated quickly. Malwarebytes Browser Guard can help protect you.
• Use a password manager. Password managers will not auto-fill a password to a fake site, even if it looks like the real deal to you.
• Consider passkeys. Multi-factor authentication is still super-important to enable, and will protect you from many types of attacks, so please continue to use it. However, authentication-in-the-middle attacks only work with certain types of MFA, and passkeys won’t allow the cybercriminals to login to your account in this way. Many services have already begun using passkeys and they’re no doubt here to stay.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Chinese crooks are running a global network of more than 75,000 fake online shops to steal credit card data and process fraudulent payments.

The post Massive Online Shopping Scam Racks Up 850,000 Victims appeared first on Security Boulevard.

Ticket scams are very common and apparently hard to stop. When there are not nearly enough tickets for some concerts to accommodate all the fans that desperately want to be there, it makes for ideal hunting grounds for scammers.

With a ticket scam, you pay for a ticket and you either don’t receive anything or what you get doesn’t get you into the venue.

As reported by the BBC, Lloyds Bank estimates that fans have lost an estimated £1m ($1.25 m) in ticket scams ahead of the UK leg of Taylor Swift’s Eras tour. Roughly 90% of these scams were said to have started on Facebook.

Many of these operations work with compromised Facebook accounts and make both the buyer and the owner of the abused account feel bad. These account owners are complaining about the response, or lack thereof, they are getting from Meta (Facebook’s parent company) about their attempts to report the account takeovers.

Victims feel powerless as they see some of their friends and family fall for the ticket scam.

“After I reported it, there were still scams going on for at least two or three weeks afterwards.”

We saw the same last year when “Swifties” from the US filed reports about scammers taking advantage of fans, some of whom lost as much as $2,500 after paying for tickets that didn’t exist or never arrived. The Better Business Bureau reportedly received almost 200 complaints nationally related to the Swift tour, with complaints ranging from refund struggles to outright scams.

Now that the tour has European cities on the schedule the same is happening all over again.

And mind you, it’s not just concerts. Any event that is sold out through the regular, legitimate channels and works with transferable tickets is an opportunity for scammers. Recently we saw a scam working from sponsored search results for the Van Gogh Museum in Amsterdam. People that clicked on the ad were redirected to a fake phishing site where they were asked to fill out their credit card details.

Consider that to be a reminder that it’s easy for scammers to set up a fake website that looks genuine. Some even use a name or website url that is similar to the legitimate website. If you’re unsure or it sounds too good to be true, leave the website immediately.

Equally important to keep in mind is the power of AI which has taken the creation of a photograph of—fake—tickets to a level that it’s child’s play.

How to avoid ticket scams

No matter how desperate you are to visit a particular event, please be careful. When it’s sold out and someone offers you tickets, there are a few precautions you should take.

• Research the ticket seller. Anybody can set up a fake ticket website, and sponsored ads showing at the top of search engines can be rife with bogus sellers. You may also run into issues buying tickets from sites like eBay. Should you decide to use sites other than well-known entities like Ticketmaster, check for reviews of the seller.
• Are the tickets transferable? For some events the tickets are non-transferable which makes it, at least, unwise to try and buy tickets from someone who has decided they “don’t need or want them” after all. You may end up with tickets that you can’t use.
• Use a credit card if possible. You’ll almost certainly have more protection than if you pay using your debit card, or cash. We definitely recommend that you avoid using cash. If someone decides to rip you off, that money is gone forever.
• A “secure” website isn’t all it seems. While sites that use HTTPS (the padlock) ensure your communication is secure, this does not guarantee the site is legitimate. Anyone can set up a HTTPs website, including scammers.
• It’s ticket inspector time. One of the best ways to know for sure that your ticket is genuine is to actually look at it. Is the date and time correct? The location? Are the seat numbers what you were expecting to see? It may well be worth calling the event organizers or the event location and confirming that all is as it should be. Some events will give examples of what a genuine ticket should look like on the official website.
• Use a blocklist. Software like Malwarebytes Browser Guard will block known phishing and scam sites.

This blog post was written based on research carried out by Jérôme Segura.

A campaign using sponsored search results is targeting home users and taking them to tech support scams.

Sponsored search results are the ones that are listed at the top of search results and are labelled “Sponsored”. They’re often ads that are taken out by brands who want to get people to click through to their website. In the case of malicious sponsored ads, scammers tend to outbid the brands in order to be listed as the first search result.

The criminals that buy the ads will go as far as displaying the official brand’s website within the ad snippet, making it hard for an unsuspecting visitor to notice a difference.

Who would, for example, be able to spot that the below ad for CNN is not legitimate. You’ll have to click on the three dots (in front of where we added malicious ad) and look at the advertiser information to see that it’s not the legitimate owner of the brand.

Only then it becomes apparent that the real advertiser is not CNN, but instead a company called Yojoy Network Technology Co., Limited.

Below, you can see another fake advertisement by the same advertiser, this time impersonating Amazon.

In our example, the scammers failed to use the correct CNN or Amazon icons, but in other cases (like another recent discovery by Jerome Segura), scammers have even used the correct icon.

The systems of the people that click one of these links are likely to assessed on what the most profitable follow-up is (using a method called fingerprinting). For systems running Windows, we found visitors are redirected to tech support scam websites such as this one.

Tech Support Scam site telling the visitor to call 1-844-476-5780

You undoubtedly know the type. Endless pop-ups, soundbites, and prompts telling the visitor that they should urgently call the displayed number to free their system of alleged malware.

These tech support scammers will impersonate legitimate software companies (i.e. Microsoft) and charge their victims hundreds or even thousands of dollars for completely bogus malware removal.

Getting help if you have been scammed

Getting scammed is one of the worst feelings to experience. In many ways, you may feel like you have been violated and angry to have let your guard down. Perhaps you are even shocked and scared, and don’t really know what to do now. The following tips will hopefully provide you with some guidance.

If you’ve already let the scammers in

• Revoke any remote access the scammer has (if you are unsure, restart your computer). That should cut the remote session and kick them out of your computer.
• Scan your computer for malware. The miscreants may have installed password stealers or other Trojans to capture your keystrokes. Use a program such as Malwarebytes to quickly identify and remove threats.
• Change all your passwords. (Windows password, email, banking, etc.)

If you’ve already paid

• Contact your financial institution/credit card company to reverse the charges and keep an eye out for future unwanted charges.
• If you gave them personal information such as date of birth, Social Security Number, full address, name, and maiden name, you may want to look at some form of identity theft protection.

---

Reporting the scam

File a report

• In the US: File a complaint (FTC)
• In Canada: Contact law enforcement
• In the UK: Report fraud | Report a cold call
• In Australia: Report a scam

Shut down their remote software account

• Write down the TeamViewer ID (9-digit code) and send it to TeamViewer’s support. They can later use the information you provide to block people/companies.
• LogMeIn: Report abuse

Spread the word

You can raise awareness by letting your friends, family, and other acquaintances know what happened to you. Although sharing your experience of falling victim to these scams may be embarrassing, educating other people will help someone caught in a similar situation and deter further scam attempts.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Scammers tricked a company into believing they were dealing with a BBC presenter. They faked her voice, and accepted money intended for her.

The FBI has warned of fraudsters targeting users of dating websites and apps with “free” online verification service schemes that turn out to be very costly.

Instead of being free, as advertised, the verification schemes involve steep monthly subscription fees, and will steal personal information on the side.

The scammers collect the information entered by victims at registrations and use it to commit further fraudulent activity such as identity theft or selling the information on the dark web. The stolen information may include email addresses, phone numbers, and even credit card information.

The scam works like this: The scammer initiates contact on a dating website or app, but then quickly asks the victim to move the conversation to a more private, encrypted platform.

Once there, the scammer will recommend a verification link that supposedly provides protection against predators like sex offenders and serial killers. This verification website asks the victim to provide their name, phone number, email address, and credit card number to complete the process.

After completing the registration, the victim is redirected to a shady dating site that charges hefty monthly fees to the victim’s credit card. These charges show up on the credit card statement as a company the victim has never heard of.

The personal information the victim gives the scammers is useful because it allows them to defraud the victims even more. Whether the scammers are the same ones, or others who have bought the information on the dark web makes no difference to the victims.

Avoid falling victim

There are some pointers that may help you to fall victim to scammers such as these:

• Stay on the platform of your choice. If someone contacts you and wants to continue the conversation elsewhere, that should be a red flag. We saw the same when we discussed scams on Airbnb: It is in the scammers’ interest that the fraud takes place on a platform under their control, where they can’t be as easily tracked.
• Don’t click on links, downloads or attachments sent to you by strangers. Even if you have been in contact with someone for some time on the internet, they are still strangers. Sometimes they will get to the point fast, but in pig butchering scams for example, the contact can be ongoing for quite a while.
• If you are contacted by someone and they come across as untrustworthy or suspicious, report them to the platform’s administrators. You may prevent others from falling victim to the scammers.
• Don’t provide someone you have just met with personal details and information.
• Monitor your credit card statements and bank accounts for irregularities and contact your bank if you see payments you don’t recognise.
• Avoid websites that use scare tactics to trick you into registering for a service. At least do a background check to find out if they are legitimate and live up to their promises.
• Consider identity monitoring. This alerts you if your personal information is found being traded illegally online, and helps you recover after.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection

Today, we are looking at a malicious ad campaign targeting Facebook users via Google search. It is well-known that tech support scammers attract new victims by buying ads for certain keywords related to their audience.

What is perhaps less known is how it is even possible to impersonate top brands and get away with it. We will try to respond to the ‘how they do it’ and the ‘why is Google allowing this’ questions.

Such malvertising attacks are not new and the damage they cause to consumers is growing every day. There is no one way to stop all of them, but public reporting will hopefully drive the point home that this needs to be addressed just like other types of fraud or malware.

We have reported the malicious advertiser to Google, but at the time of publishing this campaign was still on.

Malicious ad campaign for Facebook

Justin Poliachik did what many people would do, he opened up a Google search, typed facebook and clicked on the top result. In the video below, he summarizes what happened next:

@j_poli

Never trust a Promoted Link from Google

♬ original sound – Justin Poli

Thanks to Justin for the shoutout to our blog and explaining what went down! Not sure if Justin was joking, but we don’t believe AI is going to fix malvertising, at least not for the next little while. Instead, we are going to look into more details about one particular technique. In our view, this is actually where the abuse happens the most, and where things could be improved.

Two paths make cloaking

As we said, Google seems to have a problem with brand impersonation that may not be easy to solve. We have reported such cases several times before with pretty much the same techniques.

How can Google differentiate a legitimate affiliate from a malicious actor? There are a number of data points about the advertiser via their account: user profile, payment method, budget, etc. We are not privy to those details, but they can certainly help when it comes to fraud.

More importantly, there is the ad itself: vanity URL, display text, tracking template, final URL. What happens when you click on the ad? Are you actually redirected to the URL claimed in the ad? This is a feature that appears to be so easy to abuse, and yet remains unfixed.

In the video below, we walk you through the classic tale of cloaking:

Cloaking is an old technique and in many ways can be used for legitimate purposes. After all, one needs to be able to detect real humans and not bots or crawlers for their hard-earned ad dollars budget.

Threat actors have long identified such services as very helpful tools for their malicious campaigns. True, they, like others don’t want robots, but they also don’t want Google’s scanners or security researchers to expose their malicious schemes.

Under the hood

This part is a little more technical, but integral in understanding how malvertising works. As mentioned in the video above, cloaking allows to deliver two different experiences. Genuine humans can be detected from a number of factors: IP address, browser fingerprinting, etc.

A click tracking service can be used to analyze traffic, collect data, etc. All in all, such services are useful in and of themselves, but they can also easily be abused by bad actors. Within the Google ad ecosystem, advertisers will place their URL as a tracking template, and the rest will be handled outside of Google.

One thing that’s interesting is how scammers will abuse the click tracking service as well! All they have to do is redirect to another “legitimate” domain they control and from there decide on the final destination URL.

We can see in the image below that final redirect, which is either the scam page or the actual Facebook site:

Safeguarding your online experience

We have seen these malicious ads for years and years. It would be unfair to say that no action has ever been taken, but there is room for improvement. Individual reports from victims are not always actioned based on our experience and that of others. This is frustrating because it appears as if those individual experiences do not matter in the grander scheme of things.

Security vendors also struggle with these scams. Chasing infrastructure from one host to the next or having trouble blocking URLs that abuse legitimate providers is a real thing.

As a user you can protect yourself in various ways:

• Beware of sponsored results
• Block ads altogether
• Recognize scam pages as fake

If you want the piece of mind and have all this covered for you, download our Malwarebytes Browser Guard extension available for different browsers.

Europol and its associates have arrested 9 people in conjunction with a cannabis investment scam known as “JuicyFields”.

The suspects used social media to lure investors to their website. There they found information about a “golden opportunity” to invest in the cultivation, harvesting and distribution of cannabis plants to be used for medicinal purposes.

Taken from the JuicyFields website:

Grow cannabis. It’s profitable! Become a potpreneur and benefit from the booming cannabis industry. Be among the first to join the movement.

The scheme looked like a crowdsourcing scheme with a minimal investment of € 50, and played on recent discussions in Europe to liberalize cannabis laws following the example of the United States and Canada. Many European countries such as the Netherlands, Austria, Germany, and Portugal have decriminalized possession of cannabis.

As we often see with these kinds of changes in regulatory frameworks, cybercriminals are the first to spot a window of opportunity and advertise with investment opportunities, promising a high return on low-risk investments.

From a JuicyFields whitepaper:

“21 states in the US have already legalised the adult use of marijuana for recreational purposes and this number continues to grow. Indeed, the U.S., Canada, and the soon-to-be regulated markets of the European Union are spearheading this revolution with unprecedented swiftness. However, the pent-up-demand for such regulationdoesn’t necessarily translate into effective deployment.”

To be one of the first investors in this growth market might have seemed just the thing to invest in for some. The scammers promised to connect investors with producers of medical cannabis. Europol stated:

“Upon the purchase of a cannabis plant, the platform assured investors – also referred to as e-growers – they could soon collect high profits from the sale of marijuana to authorized buyers. While the company pledged annual returns of 100 percent or more, they did not reveal exactly how they would accomplish this, let alone be able to guarantee it.”

The scheme was set up as a Ponzi scheme, which means the scammers paid early investors their return with the money they received from later adaptors.

So, for example, the first-time investor would deposit € 50 and receive a pay-out doubling their money soon after. Motivated by such quick financial gains, many investors would raise the stakes and invest hundreds, thousands, or in many cases even tens of thousands of euros. But that doesn’t mean the scammers forget to pocket the largest part themselves.

During the investigation and on action day, law enforcement seized or froze € 4,700,000 in bank accounts, € 1,515,000 in cryptocurrencies, € 106,000 in cash and € 2,600,000 in real estate assets, which amounts to roughly $ 9.5 Million in total. This came from 186,000 people who transferred funds into the scheme between early 2020 to July 2022.

One of the primary targets in this investigation was a Russian national residing in the Dominican Republic, suspected to be one of the main organizers of the fraudulent scheme.

Don’t fall for scams

Stick with safe investments, it’s easier said than done. But there are a few things you might want to avoid:

• Rushing into an investment. Scammers want you to act urgently, so you spend less time thinking.
• Skipping the fine print. Not knowing what it says in the fine print can turn out to be catastrophic.
• Acting on cold calls. Treat calls, texts, mails, and other advice out the blue with extreme caution.
• Judging a book by its cover. Investment scams are profitable and they can afford to look good.

Still not convinced? I have this piece of land on Venus, that I would be willing to part with for the right price. But you will need to act fast.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Pig butchering scams are big business. There are hundreds of millions of dollars involved every year. The numbers are not very precise because some see them as a special kind of romance scam, while others classify them as investment fraud.

The victims in Pig Butchering schemes are referred to as pigs by the scammers, who use elaborate storylines to fatten up victims into believing they are in a romantic or otherwise close personal relationship. Once the victim places enough trust in the scammer, they bring the victim into a cryptocurrency investment scheme. Then comes the butchering–meaning they’ll be bled dry of their money.

And they usually start by someone sending you a message that looks like it’s intended for someone else.

The accounts sending the messages often use stock photographs of models for their profile pictures. But even though you won’t know these people, a simple reply of “I’m not Steve, but…” is almost exactly what the scammers want—an initial foothold to talk to you a bit more.

After some small talk, the scammer will ask if you’re familiar with investments, or cryptocurrency. They’ll then do one of two things:

• Direct you to a genuine cryptocurrency investment portal, and send you some money to invest or have you do it on your own dime. Eventually you’re asked to transfer all funds and/or profit to a separate account which belongs to the scammer. At that point, your money has gone and the proverbial pig has been butchered after a period of so-called “fattening up” (in other words, gaining your trust and convincing you to go all out where investing is concerned).
• Direct you to a fake cryptocurrency site, often imitating a real portal. The site may well have its numbers tweaked or otherwise deliberately altered to make it look as though your suggested investments are sound bets. The reality is that they are not, and by the time you realize it, your money has gone.

Once you are satisfied with the profit on your investment and decide to cash out, the problems come at you from different directions. A hefty withdrawal fee, a huge tax to be paid, will need to be paid to get your money back. Which you won’t, but this is the last drop the scammers will try to wring out of you.

John Oliver talked at length about Pig Butchering scams in the latest episode of Last Week Tonight with John Oliver (HBO), lifting the lid on some shocking examples of people who got scammed, and the role that organized crime plays behind the scenes. (Note that you’ll need to be in the USA to watch it, or have a good VPN

As John Oliver put it:

“You may have an image of a person who might fall for pig butchering, but unless you are looking in a mirror, you might be wrong.”

So here are some pointers.

How to avoid becoming the pig

The good thing about pig butchery scams is that they mostly follow a narrow pattern, with few variations. If you recognize the signs, you stand a very good chance of going about your day with a distinct lack of pig-related issues. The signs are:

• Stray messages for “someone else” appear out of the blue.
• The profile pic of the person you’re talking to looks like someone who is a model.
• Common scam opening lines may involve: Sports, golfing, travel, fitness.
• At some point they will ask you about investments and/or cryptocurrency.
• They will ask you to invest, or take some of their money and use that instead.

As you can see, there is a very specific goal in mind for the pig butcher scammers, and if you find yourself drawn down this path, the alarm bells should be ringing by step 4 or 5. This is definitely one of those “If it’s too good to be true” moments, and the part where you make your excuses and leave (but not before hitting block and reporting them).

Digital Footprint scan

If you want to find out how much of your own data is currently exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a report.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

One of my co-workers who works on Malwarebytes’ web research team just witnessed a real life example of how useful his work is in protecting people against scammers.

Stefan decided to visit Amsterdam with his girlfriend, and found a very nice and luxurious apartment in Amsterdam on Airbnb. In the description the owner asked interested parties to contact them by email.

“The property is listed on several websites so contact me directly by mail to check for availability.”

So Stefan emailed the owner. They replied, asking Stefan to book the property through Tripadvisor because, they said, the Airbnb platform was having some problems and the fees were higher than on Tripadvisor.

“My name is Carla Taddei, I am a co-host of this property, your dates are available.

The nightly rate is €250, also a €500 security deposit is required which will be fully refunded at the check out date (in case of no damages to the property). Cleaning and disinfection are included in the price. FREE CANCELLATION, FULL REFUND WITHIN 48 HOURS PRIOR THE CHECK IN.

Currently , we are encountering technical difficulties with the Airbnb calendar system, so we decided to use tripadvisor.com as our main platform. Because the Airbnb platform has very high fees, I choose to use only tripadvisor.com

If you would like to book our property, I need to know first some information about you, your name, your country and how many persons will stay with you in our property, also I want you to confirm me your email address. I will then make all the arrangements and I will send a tripadvisor invitation through tripadvisor.com in order to complete the reservation.”

Included in the mail were two shortened URLs which the owner claimed linked directly to the same property.

However, the link didn’t point to the real Tripadvisor site, but instead a fake one, which became clear when Malwarebytes Browser Guard popped up a warning advising Stefan not to continue.

Stefan received a mail that claimed to be from Tripadvisor, but more alarm bells were triggered when the sender email showed up as support@mailerfx.com — not exactly the email address you’d expect from Tripadvisor itself.

The owner sent a follow up email, saying the booking request had been sent out and insisting that Stefan had to pay and send confirmation before the booking could be validated.

“Everything was arranged from my side and you should have the booking request by now. My device routed it to my promotion folders so just check all your email folders because you must have it.

Please note, the full payment including the security deposit is required on the same time. The deposit is required for the security of the property, if there are any damages or something else is missing from the property and it is fully refundable on the day when you leave the property.

Please forward and the payment confirmation once done so I can validate your booking.”

The scammer hoped Stefan would click on the booking button on the fake Tripadvisor site. If he had done, he would have seen a prompt to register with ‘Tripadvisor’.

One step further and he’d have been asked to enter his credit card details, at which point he would have been likely to pay a lot more than the agreed €2000 for an apartment he would never see from the inside.

Further research based on the URL to the fake Tripadvisor website showed us that these scammers have probably been active for quite some time.

We found 220 websites related to this particular scam campaign. 26 of them were structured similar to tripadvisor-pre-approved-cdc0-4188-b6e5-0e742976f964.nerioni.cfd, and related sites. And 194 were structured similar to airbnb-pre-approved-0e03cd9c-7f5e.mucolg.buzz, and related sites.

How to recognize and avoid scams

There are several ways in which this procedure should have set your scam spidey senses in action, even if you’re not a professional like Stefan.

• When it’s too good to be true, it’s probably not true. Don’t fall for a ‘good deal’ that turns out to be just the opposite.
• Book directly via the platform you are on. If someone tries to get you to do something that’s not typical behaviour for that service, then they may well be up to no good.
• Check the links in the emails are going to where you expect. Even though the links in the email say tripadvisor.com, in reality they pointed to tinyurl.com. The use of URL shorteners where there is no actual need to shorten a URL is often done to obfuscate the link.
• In the same vein, check the address in your browser’s address bar to check if it is going to where you would expect. The fake Tripadvisor site was hosted at https://tripadvisor-pre-approved-7f18-4bf6-8470-a6d44541e783.tynoli.cfd/d07f/luxury-apartment-for-rent-in-amsterdam/f47fde which has been taken offline now.
• Don’t get rushed into making decisions. Scammers are always trying to create a sense of urgency so you click before you can think.
• Double check the website again before entering personal details or financial information.
• Keep your software updated and use a web filter that will alert you to suspicious sites.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

First-person account of someone who fell for a scam, that started as a fake Amazon service rep and ended with a fake CIA agent, and lost $50,000 cash. And this is not a naive or stupid person.

The details are fascinating. And if you think it couldn’t happen to you, think again. Given the right set of circumstances, it can.

It happened to Cory Doctorow.

EDITED TO ADD (2/23): More scams, these involving timeshares.

For many households, energy costs represent a significant part of their overall budget. And when customers want to discuss their bills or look for ways to save money, scammers are just a phone call away.

Enter the utility scam, where crooks pretend to be your utility company so they can threaten and extort as much money from you as they can.

This scam has been going on for years and usually starts with an unexpected phone call and, in some cases, a visit to your door. Obviously the phone call side of the scam is much more scalable and means the scam can be done from overseas.

However, criminals know that victims are more likely to be tricked if they were the ones who initiated the call. In a recent investigation, we discovered a prolific campaign of fraudulent ads shown to users via Google searches. To give an idea of scale, the number of ads we found exceeds what we have found in previous malvertising cases.

This blog post has two purposes: the first one is to draw awareness to this problem by showing how it works. Secondly, we’ve collected and shared as many ads and fake sites as we could in the hope that action will be taken, with hopefully some cost for the scammers.

Fraudulent utility scam ads

The scam begins when a user searches for keywords related to their energy bill. The ads are shown to mobile devices only, which makes sense given how often people use their phones. Also, the ads are geolocated, so that they are relevant to the user’s location.

We found 28 advertisers with over 300 ads, most of them registered by individuals from Pakistan. We have also seen legitimate but hacked advertiser accounts belonging to US entities that were abused. We didn’t investigate further into the whereabouts and identities of the scammers, but we should note that Pakistan is a possible location.

In most cases, tapping on the ad will not open a new website, but instead will prompt you to dial a phone number. This is exactly what the crooks want as many people will have no idea that an ad approved by Google could possibly be fraudulent.

The utility scam often works by threatening and scaring victims into making poor decisions. An unpaid bill, or an offer that is too good to be true and must be accepted immediately are some of their tactics. Once you’ve made that phone call, you’re already in their hands and very close to losing a significant amount of money.

The scammers may even redirect you to their website to “prove” that they are legitimate. Those sites are often credible enough for a victim to feel like they are doing the right thing, but that couldn’t be further from the truth.

Large scamming infrastructure

The crooks have registered dozens of different domains names and built templates that appear related to energy or utility savings. The sites are quite simple and consist of one main page with some customer-centric text and one or multiple phone numbers.

We can usually deduce they are fraudulent by looking up their registration date as well as connecting them with search ads.

However, that might not be enough to have them suspended without going through the whole process of calling the scammers, recording the interaction and showing that evidence. This type of investigation requires time and resources to be done properly. Perhaps one of the many scambaiters out there will look into it in the future.

In the meantime, we have tracked and reported as many domains as we could to the relevant registrars in the hope that some may take action and suspend them.

Keep your identity and money safe from scammers

This scam is widespread, and so our advice right now is to avoid clicking on any ad from search as the malicious ads largely outnumber the legitimate ones. You can tell it’s an ad as it will be labelled “Sponsored” or “Ad”.

Here are some additional tips:

• Watch out for a sense of urgency. Scammers will often threaten to cut your power immediately. This and similar scare tactics are meant to pressure you into making hasty decisions. Take the time to look things up or speak to a friend before you do anything.
• Never disclose personal details over the phone without being absolutely certain you are talking to the right person. If in doubt, hang up the phone and look for the official phone number from your energy company, perhaps from a past bill. Do not trust any phone number that appears on an online ad.
• Beware requests for money transfers or prepaid cards. These are a huge sign you are dealing with criminals. Again, take your time to think it over even if just for a few hours. Scammers tend to be so impatient they will make all sorts of claims to act right now, which should be a dead giveaway.
• Contact your bank immediately if you think you’ve been scammed and wired money,. Change all your passwords and add a notice with your utility company that someone may attempt to impersonate you.
• Report the scam to the proper authorities, which may be the FTC.

Malwarebytes protection

Malwarebytes is working with its partners to go after these scammers. We also provide protection if you are using our iOS app via the ad blocking feature which will disable search ads and other ads that may be targeting you.

Indicators of Compromise

Google advertiser accounts

Advertiser name	Advertiser ID	Number of ads
Telesoft	N/A	1
Digitron	04170244641179828225	4
Syed muhammad Adnan	08157637715521699841	15
Progressix	02149758434478653441	2
Umair Jameel	11899369518209695745	1
Laiba Mazhar	14248337572488019969	1
Syed Shahmeer Hussain	12265272419404480513	6
Snow Tech	N/A	1
Muhammad Pirzada	12480474916866490369	145
Eco Designs (Private) Limited	17013467067027816449	5
Right Path Solutions	11370048952557633537	21
Rehman Munawar	06906645958470139905	1
ANDREW PAUL GUZMAN	09045338907926855681	17
Economical Deals	09045708721790910465	4
Qasim Ahmed	15768816743289454593	20
Summaira	14596269127925497857	3
Citrex Solutions (Private) Limited	16648988995463675905	19
Get Energy Promo	08074609881656590337	6
Brightboost LLC	07744256527850012673	5
AA DIGITAL LABS (SMC-PRIVATE) LIMITED	10871392529253662721	1
Malik Muhammad Shahroz Ibrahim	N/A	1
HongKong AdTiger Media Co., Limited	14567350391567024129	1
Mah Noor	07681945004880691201	12
Usama Ashfaq	06711852389684477953	2
Ali Raza	04534984293432164353	15
Muhammad Usman Tariq	17723433991509377025	5
SHABNUM FATIMA SHAH	02536959185141104641	4
QASMIC L.L.C-FZ	11321807192694194177	1

Phone numbers

Scammer domains

---

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.