More and more websites and services are making multi-factor-authentication (MFA) mandatory, which makes it much harder for cybercriminals to access your accounts. That’s a great thing. But as security evolves, so do cybercriminals who are always looking for new ways to scam us.
A type of phishing we’re calling authentication-in-the-middle is showing up in online media. While these techniques, named after man-in-the-middle (MitM) attacks, have existed for a while, they appear to be gaining traction now.
It works like this: A user gets lured to a phishing site masquerading as a site they normally use, such as a bank, email or social media account. Once the user enters their login into the fake site, that information gets redirected by the cybercriminals to the actual site, without the user knowing.
The user is then prompted for their MFA step. They complete this, usually by entering a code or accepting a push notification, and this information is then relayed to the criminals, allowing them to login to the site.
Once the criminals are into an account, they can start changing settings like the account’s email address, phone number, and password, so the user can no longer log in, or they can simply clean out a bank account. This may help you understand why many platforms ask for your PIN or other authentication again when you try to change one of these important settings.
Victims are lured to phishing sites like these via links from social media or emails where it can be hard to identify the real link. Phishing sites can even show up in sponsored search results, in the same way as we reported about tech support scams.
How to protect yourself from authentication-in-the-middle attacks
Keep your wits about you. Being aware of how scammers work is the first step to avoiding them. Don’t assume sponsored search results are legit, and trust that if something seems suspicious then it probably is.
Use security software. Many security programs block known phishing sites, although domains are often short-lived and get rotated quickly. Malwarebytes Browser Guard can help protect you.
Use a password manager. Password managers will not auto-fill a password to a fake site, even if it looks like the real deal to you.
Consider passkeys. Multi-factor authentication is still super-important to enable, and will protect you from many types of attacks, so please continue to use it. However, authentication-in-the-middle attacks only work with certain types of MFA, and passkeys won’t allow the cybercriminals to login to your account in this way. Many services have already begun using passkeys and they’re no doubt here to stay.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
Identity theft is a real threat worth worrying about. Not only is someone stealing from you and committing fraud in your name, but the negative impacts of identity theft can take months or even years to recover from.
Worst of all is the sense of helplessness: Not only are most “identity theft protection” services kind of useless, the very nature of the crime means you likely won’t be aware that you’ve been compromised until it starts affecting your finances and reputation—at which point quick action is necessary, including contacting a seemingly endless list of businesses, financial institutions, credit bureaus, and government agencies.
While you can't always prevent identity theft, you can look for the earliest and most subtle signs that it might be happening to you. Sometimes the first ripples can seem like one-off oddities or simple mistakes you can just ignore—but acting promptly when confronted with these subtle signs of identity theft can go a long way towards limiting the damage you’ll suffer.
Unrecognized 2FA logins
Two-factor authentication (2FA) is a powerful security tool, and you’re likely pretty used to having to type in a code you received via email, authenticator app, or text when you access your online accounts. So used to it, in fact, that you might be tempted to ignore a stray 2FA notice, especially if it’s from a service or business you don’t actually use.
The opposite is true: If you start seeing 2FA alerts that you didn’t initiate, it could be a sign that someone is at least partway through the process of stealing your identity. They may have most of the information they need to access your accounts, or they may have taken over some but not others, or simply made a mistake. If you see a 2FA you don’t recognize, check in on your online accounts, change your passwords, and check your credit reports.
Weirdness with your streaming accounts
If you launch Spotify and some strange music that’s 100% not in your wheelhouse starts playing, or if weird shows and films starts showing up in your Netflix queue, it could be a sign that someone is at chipping away at your identity. A hijacked Spotify account doesn’t necessarily mean a criminal has completely stolen your life, but it could be an early warning sign that someone is at least trying to do so, and that at least one of your passwords has been compromised.
Test charges on your credit cards
Similar to unexpected 2FA alerts, unrecognized test charges on your credit cards are a warning sign. Companies sometimes place a tiny charge on your card when you first sign up for a service—often just a penny—to test that you’ve given them a real form of payment; they then quickly refund the charge. If you don’t check your accounts regularly, you might even miss a test charge, because it probably never actually posts to your account. Alternatively, some fraudsters often apply small test charges to accounts to ensure they’re active.
In either case, test charges for accounts you’re unfamiliar with are often a sign that someone has your identity in hand and is setting up a whole separate financial identity, and they should be investigated immediately.
Credit score fluctuations
Do you check your credit score and credit reports regularly? You really ought to. Not only will it give you a general idea of your overall financial health, these tools serve as early warning signs that you’ve been compromised. Checking your credit reports will show the obvious signs, like lines of credit that you never applied for and don’t control that are nonetheless listed under your name.
But your credit score can be an even better tool, because it’s easier to track. Your credit score will naturally fluctuate a little over time, but dramatic changes are often a sign that a third party is monkeying with your credit. Even if your credit score temporarily goes up, it could be a sign that someone is opening new lines of credit, because they’re unintentionally improving your debt ratio—which makes your score jump. Then, of course, they tank your credit score when they max out those credit lines and fail to make payments.
Weird junk mail
If you have started to receive advertisements for stuff that’s far from your usual interests—or way out of your financial league—be wary. If folks are spending money you don’t have in your name, you can land on purchased mailing lists that send out all that glorious junk mail. If you’re suddenly being asked about your recent interest in luxury furniture, it’s time to do a little investigating.
The other sign someone’s playing fast and loose with your identity, oddly, is receiving mail in someone else’s name. If you start getting mail with your address but someone else’s name, it could be a sign of what’s known as “synthetic identity theft.” This is when thieves mix your personal data with other pieces of information (some real, some invented) to create a wholly artificial identity. This can still be a huge problem for you, so it’s a good idea to review those credit reports.
Missing bank and credit card statements
Another way your mail can warn you that you’re the victim of identity theft? A lack of mail (and email). If you suddenly stop receiving statements, bills, and other correspondence from your banks or credit card issuers, it could be because someone has taken over the accounts and switched all your mailing info to hide it from you.
If you realize you haven’t seen a statement or bill in the physical mail or your email inbox in a while, take the following steps:
Log into your account. Make sure you still have access. If you do, change your passwords and add any security layers you can, like 2FA.
Review payments and charges. See if you’ve missed any payments or if there are any charges you don’t recognize. If so, notify the business’ fraud department.
Check the address. See if your mail address and email preferences are correct. If so, the glitch might be with the post office. Also check that you’re supposed to get paper statements—this might have been switched to digital statements. If the address on file is not your address, assume your identity has been stolen and take all the steps.
Credit card problems
One of the most subtle signs of identity theft is the sudden onset of problems using your credit cards. If you get unexpected denials when trying to buy things with your cards, it may be because your bank or financial institution has placed a hold on them. If the card starts working again some time later, that doesn’t necessarily mean it was just a random glitch—you should contact the card issuer and get to the bottom of the problem. Your card could be physically damaged, or it could just be a weird coincidence—but why take the chance?
Tax issues
Identity theft usually conjured up an image of criminals running up big credit card bills or taking out huge loans in your name, but one common strategy no one thinks about is tax fraud: Criminals steal your identity and actually file your taxes, claiming a much higher income in order to get a plump refund. Some signs this is happening include:
Rejected filing. If you try to file your taxes and the IRS tells you that you’ve already filed, take action immediately.
Unexpected refund. You got a refund check in the mail and you didn’t even file your taxes yet? Don’t assume it’s just the federal government being weirdly efficient for once. It may be the result of identity chicanery.
Any unexpected records from the IRS. Fraudsters sometimes mess up when trying to steal your tax identity, and the IRS suddenly sends you information you “requested,” like tax transcripts. If you get something like that in the mail you didn’t ask for, contact the IRS immediately.
For years, Dell customers have been on the receiving end of scam calls from people claiming to be part of the computer maker’s support team. The scammers call from a valid Dell phone number, know the customer's name and address, and use information that should be known only to Dell and the customer, including the service tag number, computer model, and serial number associated with a past purchase. Then the callers attempt to scam the customer into making a payment, installing questionable software, or taking some other potentially harmful action.
Recently, according to numerous social media posts such as this one, Dell notified an unspecified number of customers that names, physical addresses, and hardware and order information associated with previous purchases was somehow connected to an “incident involving a Dell portal, which contains a database with limited types of customer information.” The vague wording, which Dell is declining to elaborate on, appears to confirm an April 29 post by Daily Dark Web reporting the offer to sell purported personal information of 49 million people who bought Dell gear from 2017 to 2024.
The customer information affected is identical in both the Dell notification and the for-sale ad, which was posted to, and later removed from, Breach Forums, an online bazaar for people looking to buy or sell stolen data. The customer information stolen, according to both Dell and the ad, included:
As the cost of water, power, and internet services rise, it's understandable to want to find a way to get them for less, or even free—but that doesn't mean you have to excuse a neighbor or other nefarious individual leeching off of your utilities to their benefit.
The most challenging aspect of utilities theft is how easy it is to not even notice that it’s happening, as most of us have only a fuzzy idea of how much utilities cost in the first place, let alone what our normal usage looks like. Whether you have reason to suspect you're funding someone else's lifestyle or not, here's how to tell if someone is stealing your utilities.
Check your billing history
The easiest and most obvious sign that someone is stealing any utility is a sudden, inexplicable spike in your bill. If your behavior hasn’t changed and your power or water bill is suddenly much higher than usual, you either have a problem with the infrastructure (such as a leaking pipe) or an unscrupulous neighbor tapping into your supply. Always pay close attention to your bills, especially if you have automatic payments set up.
While water and power spikes show up as increased volume, internet bills won’t be very useful in detecting a freeloader unless they’re sucking up so much data that you blow past your Internet Service Provider’s (ISP) data cap.
Otherwise, look for these signs, specific to each resource:
How to tell if someone is stealing your electricity
Electricity is actually pretty easy to steal—it’s estimated that close to $100 billion worth of electricity theft occurs worldwide every year. If you see a spike in your electricity bill that you can’t explain based on your own usage (for example, you haven’t started a crypto mining operation in your basement), inspect your home for some obvious signs of power theft:
Exterior outlets. The simplest, dumbest way people can steal your power is to just plug an extension cord into an exterior outlet and run it to their home.
Splices. Take a look at the spot where the power runs from the street into your home. Any odd-looking splices, clamps, or amateurish wiring is a potential sign of theft, especially if that janky connection then runs into a neighbor’s home. Don’t touch anything during your inspection, as electricity can 100% kill you. If you see something that looks off, call your utility provider.
Check your meter. A final check you can safely perform yourself is to go to your meter and turn off all the circuit breakers. Then watch the meter—if it continues to go up, something is still pulling power from your connection.
If someone’s using your exterior outlets, consider installing a locking outlet cover to stop it, or figure out which circuit breaker controls those outlets and cut the power until you need it yourself. For any other suspected power theft, call your utility—and consider notifying the police as well, as documenting the problem will help you dispute any overbilling.
How to tell if someone is stealing your water
You don't think much about the miracle of having potable water piped into your home...until your bill is suddenly twice as much as it was last month—or you come home from vacation to find your neighbors have filled their pool and your water bill has mysteriously tripled.
Even if the theft is less dramatic, there are a few hints to look for to spot water theft:
Low pressure. If your formerly robust water pressure suddenly becomes anemic, you should have a plumbing professional check your pipes. If they can’t find any cause, it’s time to get suspicious.
Unexplained digging. Have you noticed mysterious signs of digging on your property? It’s time to investigate those spots and see if someone has tied into a water line.
Sprinklers and hoses. If you have a sprinkler system or an outdoor hose spigot, take a close look to see if someone has patched into the hose or the sprinkler line.
As with electricity, the easiest way to steal someone’s water is to hook up a hose to an outdoor spigot. Turning off the outdoor water supply unless you’re actively using it and/or installing a spigot lock can help defend against those tactics. For more sophisticated thefts, call your utility.
How to tell if someone is stealing your internet
The Federal Communications Commission recently reclassified internet service as a public utility (again), which makes sense: These days you can’t function well in society without a usable internet connection. Of course, your wifi network is just, you know, out there, in the air, and that means people can glom onto your signal and steal the internet you’re paying for.
There are some signs to look for that can hint that someone is stealing your connection:
Slow speeds. You know the internet speeds you’re paying for. If there’s been a recent, noticeable drop in speeds (lots of buffering, stuttering video, or lag), confirm this with a speed test, then contact your provider. If there’s nothing wrong on their end, it could be your router or modem—or it could be a thief soaking up your bandwidth.
Exceeded data cap. If your ISP has a data cap on your account and you receive a notice that you’ve exceeded it for the first time ever, this could be a sign that someone is leeching off your connection. Change your wifi password (or set one up) to keep them off your network.
Unknown devices on your network. You can see all the devices connected to your WiFi network either by logging into your router’s administration panel or by using an app like Fing or WiFi Guard. First, count up all the devices that you use—computers, phones, laptops, tablets, smart devices—and match them to the list on your router. If you find any that you don’t recognize, boot them off—and change your password, pronto.
How to tell if someone is stealing your streaming services
A related form of theft involves your streaming services. While this is getting harder to do as the age of password sharing ends, it’s still possible—especially if the thief has infiltrated your wifi and is watching your streamers on your network. There are a few subtle signs that this might be happening:
The algorithm. If you start seeing unfamiliar titles under “continue watching” or your recommended titles list starts to include stuff you’d never watch in a million years, it’s time to check the account.
Unknown profiles. It’s easy to get into the habit of blowing through the “who’s watching” page on your streaming service, but it’s a good practice to track the profiles you see. If there are any you don’t remember creating, it’s time to investigate.
Bill changes. If you have your streamer set to autopay, you might not even notice if someone has gone in and upgraded your account in order to allow multiple profiles or to eliminate advertising on your dime.
If you find someone piggybacking on your hard-earned streaming money, you’ll obviously need to log out of all devices, change your password, delete those profiles, and then log back in everywhere.
Ticket scams are very common and apparently hard to stop. When there are not nearly enough tickets for some concerts to accommodate all the fans that desperately want to be there, it makes for ideal hunting grounds for scammers.
With a ticket scam, you pay for a ticket and you either don’t receive anything or what you get doesn’t get you into the venue.
As reported by the BBC, Lloyds Bank estimates that fans have lost an estimated £1m ($1.25 m) in ticket scams ahead of the UK leg of Taylor Swift’s Eras tour. Roughly 90% of these scams were said to have started on Facebook.
Many of these operations work with compromised Facebook accounts and make both the buyer and the owner of the abused account feel bad. These account owners are complaining about the response, or lack thereof, they are getting from Meta (Facebook’s parent company) about their attempts to report the account takeovers.
Victims feel powerless as they see some of their friends and family fall for the ticket scam.
“After I reported it, there were still scams going on for at least two or three weeks afterwards.”
We saw the same last year when “Swifties” from the US filed reports about scammers taking advantage of fans, some of whom lost as much as $2,500 after paying for tickets that didn’t exist or never arrived. The Better Business Bureau reportedly received almost 200 complaints nationally related to the Swift tour, with complaints ranging from refund struggles to outright scams.
Now that the tour has European cities on the schedule the same is happening all over again.
And mind you, it’s not just concerts. Any event that is sold out through the regular, legitimate channels and works with transferable tickets is an opportunity for scammers. Recently we saw a scam working from sponsored search results for the Van Gogh Museum in Amsterdam. People that clicked on the ad were redirected to a fake phishing site where they were asked to fill out their credit card details.
Consider that to be a reminder that it’s easy for scammers to set up a fake website that looks genuine. Some even use a name or website url that is similar to the legitimate website. If you’re unsure or it sounds too good to be true, leave the website immediately.
Equally important to keep in mind is the power of AI which has taken the creation of a photograph of—fake—tickets to a level that it’s child’s play.
How to avoid ticket scams
No matter how desperate you are to visit a particular event, please be careful. When it’s sold out and someone offers you tickets, there are a few precautions you should take.
Research the ticket seller. Anybody can set up a fake ticket website, and sponsored ads showing at the top of search engines can be rife with bogus sellers. You may also run into issues buying tickets from sites like eBay. Should you decide to use sites other than well-known entities like Ticketmaster, check for reviews of the seller.
Are the tickets transferable? For some events the tickets are non-transferable which makes it, at least, unwise to try and buy tickets from someone who has decided they “don’t need or want them” after all. You may end up with tickets that you can’t use.
Use a credit card if possible. You’ll almost certainly have more protection than if you pay using your debit card, or cash. We definitely recommend that you avoid using cash. If someone decides to rip you off, that money is gone forever.
A “secure” website isn’t all it seems. While sites that use HTTPS (the padlock) ensure your communication is secure, this does not guarantee the site is legitimate. Anyone can set up a HTTPs website, including scammers.
It’s ticket inspector time. One of the best ways to know for sure that your ticket is genuine is to actually look at it. Is the date and time correct? The location? Are the seat numbers what you were expecting to see? It may well be worth calling the event organizers or the event location and confirming that all is as it should be. Some events will give examples of what a genuine ticket should look like on the official website.
As the US moves toward criminalizing deepfakes—deceptive AI-generated audio, images, and videos that are increasingly hard to discern from authentic content online—tech companies have rushed to roll out tools to help everyone better detect AI content.
But efforts so far have been imperfect, and experts fear that social media platforms may not be ready to handle the ensuing AI chaos during major global elections in 2024—despite tech giants committing to making tools specifically to combat AI-fueled election disinformation. The best AI detection remains observant humans, who, by paying close attention to deepfakes, can pick up on flaws like AI-generated people with extra fingers or AI voices that speak without pausing for a breath.
Among the splashiest tools announced this week, OpenAI shared details today about a new AI image detection classifier that it claims can detect about 98 percent of AI outputs from its own sophisticated image generator, DALL-E 3. It also "currently flags approximately 5 to 10 percent of images generated by other AI models," OpenAI's blog said.
This blog post was written based on research carried out by Jérôme Segura.
A campaign using sponsored search results is targeting home users and taking them to tech support scams.
Sponsored search results are the ones that are listed at the top of search results and are labelled “Sponsored”. They’re often ads that are taken out by brands who want to get people to click through to their website. In the case of malicious sponsored ads, scammers tend to outbid the brands in order to be listed as the first search result.
The criminals that buy the ads will go as far as displaying the official brand’s website within the ad snippet, making it hard for an unsuspecting visitor to notice a difference.
Who would, for example, be able to spot that the below ad for CNN is not legitimate. You’ll have to click on the three dots (in front of where we added malicious ad) and look at the advertiser information to see that it’s not the legitimate owner of the brand.
Only then it becomes apparent that the real advertiser is not CNN, but instead a company called Yojoy Network Technology Co., Limited.
Below, you can see another fake advertisement by the same advertiser, this time impersonating Amazon.
In our example, the scammers failed to use the correct CNN or Amazon icons, but in other cases (like another recent discovery by Jerome Segura), scammers have even used the correct icon.
The systems of the people that click one of these links are likely to assessed on what the most profitable follow-up is (using a method called fingerprinting). For systems running Windows, we found visitors are redirected to tech support scam websites such as this one.
Tech Support Scam site telling the visitor to call 1-844-476-5780
You undoubtedly know the type. Endless pop-ups, soundbites, and prompts telling the visitor that they should urgently call the displayed number to free their system of alleged malware.
These tech support scammers will impersonate legitimate software companies (i.e. Microsoft) and charge their victims hundreds or even thousands of dollars for completely bogus malware removal.
Getting help if you have been scammed
Getting scammed is one of the worst feelings to experience. In many ways, you may feel like you have been violated and angry to have let your guard down. Perhaps you are even shocked and scared, and don’t really know what to do now. The following tips will hopefully provide you with some guidance.
If you’ve already let the scammers in
Revoke any remote access the scammer has (if you are unsure, restart your computer). That should cut the remote session and kick them out of your computer.
Scan your computer for malware. The miscreants may have installed password stealers or other Trojans to capture your keystrokes. Use a program such as Malwarebytes to quickly identify and remove threats.
Change all your passwords. (Windows password, email, banking, etc.)
If you’ve already paid
Contact your financial institution/credit card company to reverse the charges and keep an eye out for future unwanted charges.
If you gave them personal information such as date of birth, Social Security Number, full address, name, and maiden name, you may want to look at some form of identity theft protection.
Write down the TeamViewer ID (9-digit code) and send it to TeamViewer’s support. They can later use the information you provide to block people/companies.
You can raise awareness by letting your friends, family, and other acquaintances know what happened to you. Although sharing your experience of falling victim to these scams may be embarrassing, educating other people will help someone caught in a similar situation and deter further scam attempts.
We don’t just report on threats – we help safeguard your entire digital identity
Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection
The FBI has warned of fraudsters targeting users of dating websites and apps with “free” online verification service schemes that turn out to be very costly.
Instead of being free, as advertised, the verification schemes involve steep monthly subscription fees, and will steal personal information on the side.
The scammers collect the information entered by victims at registrations and use it to commit further fraudulent activity such as identity theft or selling the information on the dark web. The stolen information may include email addresses, phone numbers, and even credit card information.
The scam works like this: The scammer initiates contact on a dating website or app, but then quickly asks the victim to move the conversation to a more private, encrypted platform.
Once there, the scammer will recommend a verification link that supposedly provides protection against predators like sex offenders and serial killers. This verification website asks the victim to provide their name, phone number, email address, and credit card number to complete the process.
After completing the registration, the victim is redirected to a shady dating site that charges hefty monthly fees to the victim’s credit card. These charges show up on the credit card statement as a company the victim has never heard of.
The personal information the victim gives the scammers is useful because it allows them to defraud the victims even more. Whether the scammers are the same ones, or others who have bought the information on the dark web makes no difference to the victims.
Avoid falling victim
There are some pointers that may help you to fall victim to scammers such as these:
Stay on the platform of your choice. If someone contacts you and wants to continue the conversation elsewhere, that should be a red flag. We saw the same when we discussed scams on Airbnb: It is in the scammers’ interest that the fraud takes place on a platform under their control, where they can’t be as easily tracked.
Don’t click on links, downloads or attachments sent to you by strangers. Even if you have been in contact with someone for some time on the internet, they are still strangers. Sometimes they will get to the point fast, but in pig butchering scams for example, the contact can be ongoing for quite a while.
If you are contacted by someone and they come across as untrustworthy or suspicious, report them to the platform’s administrators. You may prevent others from falling victim to the scammers.
Don’t provide someone you have just met with personal details and information.
Monitor your credit card statements and bank accounts for irregularities and contact your bank if you see payments you don’t recognise.
Avoid websites that use scare tactics to trick you into registering for a service. At least do a background check to find out if they are legitimate and live up to their promises.
Consider identity monitoring. This alerts you if your personal information is found being traded illegally online, and helps you recover after.
We don’t just report on threats – we help safeguard your entire digital identity
Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection
Today, we are looking at a malicious ad campaign targeting Facebook users via Google search. It is well-known that tech support scammers attract new victims by buying ads for certain keywords related to their audience.
What is perhaps less known is how it is even possible to impersonate top brands and get away with it. We will try to respond to the ‘how they do it’ and the ‘why is Google allowing this’ questions.
Such malvertising attacks are not new and the damage they cause to consumers is growing every day. There is no one way to stop all of them, but public reporting will hopefully drive the point home that this needs to be addressed just like other types of fraud or malware.
We have reported the malicious advertiser to Google, but at the time of publishing this campaign was still on.
Malicious ad campaign for Facebook
Justin Poliachik did what many people would do, he opened up a Google search, typed facebook and clicked on the top result. In the video below, he summarizes what happened next:
Thanks to Justin for the shoutout to our blog and explaining what went down! Not sure if Justin was joking, but we don’t believe AI is going to fix malvertising, at least not for the next little while. Instead, we are going to look into more details about one particular technique. In our view, this is actually where the abuse happens the most, and where things could be improved.
Two paths make cloaking
As we said, Google seems to have a problem with brand impersonation that may not be easy to solve. We have reported such cases several times before with pretty much the same techniques.
How can Google differentiate a legitimate affiliate from a malicious actor? There are a number of data points about the advertiser via their account: user profile, payment method, budget, etc. We are not privy to those details, but they can certainly help when it comes to fraud.
More importantly, there is the ad itself: vanity URL, display text, tracking template, final URL. What happens when you click on the ad? Are you actually redirected to the URL claimed in the ad? This is a feature that appears to be so easy to abuse, and yet remains unfixed.
In the video below, we walk you through the classic tale of cloaking:
Cloaking is an old technique and in many ways can be used for legitimate purposes. After all, one needs to be able to detect real humans and not bots or crawlers for their hard-earned ad dollars budget.
Threat actors have long identified such services as very helpful tools for their malicious campaigns. True, they, like others don’t want robots, but they also don’t want Google’s scanners or security researchers to expose their malicious schemes.
Under the hood
This part is a little more technical, but integral in understanding how malvertising works. As mentioned in the video above, cloaking allows to deliver two different experiences. Genuine humans can be detected from a number of factors: IP address, browser fingerprinting, etc.
A click tracking service can be used to analyze traffic, collect data, etc. All in all, such services are useful in and of themselves, but they can also easily be abused by bad actors. Within the Google ad ecosystem, advertisers will place their URL as a tracking template, and the rest will be handled outside of Google.
One thing that’s interesting is how scammers will abuse the click tracking service as well! All they have to do is redirect to another “legitimate” domain they control and from there decide on the final destination URL.
We can see in the image below that final redirect, which is either the scam page or the actual Facebook site:
Safeguarding your online experience
We have seen these malicious ads for years and years. It would be unfair to say that no action has ever been taken, but there is room for improvement. Individual reports from victims are not always actioned based on our experience and that of others. This is frustrating because it appears as if those individual experiences do not matter in the grander scheme of things.
Security vendors also struggle with these scams. Chasing infrastructure from one host to the next or having trouble blocking URLs that abuse legitimate providers is a real thing.
As a user you can protect yourself in various ways:
Beware of sponsored results
Block ads altogether
Recognize scam pages as fake
If you want the piece of mind and have all this covered for you, download our Malwarebytes Browser Guard extension available for different browsers.
Europol and its associates have arrested 9 people in conjunction with a cannabis investment scam known as “JuicyFields”.
The suspects used social media to lure investors to their website. There they found information about a “golden opportunity” to invest in the cultivation, harvesting and distribution of cannabis plants to be used for medicinal purposes.
Taken from the JuicyFields website:
Grow cannabis. It’s profitable! Become a potpreneur and benefit from the booming cannabis industry. Be among the first to join the movement.
The scheme looked like a crowdsourcing scheme with a minimal investment of € 50, and played on recent discussions in Europe to liberalize cannabis laws following the example of the United States and Canada. Many European countries such as the Netherlands, Austria, Germany, and Portugal have decriminalized possession of cannabis.
As we often see with these kinds of changes in regulatory frameworks, cybercriminals are the first to spot a window of opportunity and advertise with investment opportunities, promising a high return on low-risk investments.
From a JuicyFields whitepaper:
“21 states in the US have already legalised the adult use of marijuana for recreational purposes and this number continues to grow. Indeed, the U.S., Canada, and the soon-to-be regulated markets of the European Union are spearheading this revolution with unprecedented swiftness. However, the pent-up-demand for such regulationdoesn’t necessarily translate into effective deployment.”
To be one of the first investors in this growth market might have seemed just the thing to invest in for some. The scammers promised to connect investors with producers of medical cannabis. Europol stated:
“Upon the purchase of a cannabis plant, the platform assured investors – also referred to as e-growers – they could soon collect high profits from the sale of marijuana to authorized buyers. While the company pledged annual returns of 100 percent or more, they did not reveal exactly how they would accomplish this, let alone be able to guarantee it.”
The scheme was set up as a Ponzi scheme, which means the scammers paid early investors their return with the money they received from later adaptors.
So, for example, the first-time investor would deposit € 50 and receive a pay-out doubling their money soon after. Motivated by such quick financial gains, many investors would raise the stakes and invest hundreds, thousands, or in many cases even tens of thousands of euros. But that doesn’t mean the scammers forget to pocket the largest part themselves.
During the investigation and on action day, law enforcement seized or froze € 4,700,000 in bank accounts, € 1,515,000 in cryptocurrencies, € 106,000 in cash and € 2,600,000 in real estate assets, which amounts to roughly $ 9.5 Million in total. This came from 186,000 people who transferred funds into the scheme between early 2020 to July 2022.
One of the primary targets in this investigation was a Russian national residing in the Dominican Republic, suspected to be one of the main organizers of the fraudulent scheme.
Don’t fall for scams
Stick with safe investments, it’s easier said than done. But there are a few things you might want to avoid:
Rushing into an investment. Scammers want you to act urgently, so you spend less time thinking.
Skipping the fine print. Not knowing what it says in the fine print can turn out to be catastrophic.
Acting on cold calls. Treat calls, texts, mails, and other advice out the blue with extreme caution.
Judging a book by its cover. Investment scams are profitable and they can afford to look good.
Still not convinced? I have this piece of land on Venus, that I would be willing to part with for the right price. But you will need to act fast.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
Pig butchering scams are big business. There are hundreds of millions of dollars involved every year. The numbers are not very precise because some see them as a special kind of romance scam, while others classify them as investment fraud.
The victims in Pig Butchering schemes are referred to as pigs by the scammers, who use elaborate storylines to fatten up victims into believing they are in a romantic or otherwise close personal relationship. Once the victim places enough trust in the scammer, they bring the victim into a cryptocurrency investment scheme. Then comes the butchering–meaning they’ll be bled dry of their money.
And they usually start by someone sending you a message that looks like it’s intended for someone else.
Scammers trying to initiate pig butchering scams
The accounts sending the messages often use stock photographs of models for their profile pictures. But even though you won’t know these people, a simple reply of “I’m not Steve, but…” is almost exactly what the scammers want—an initial foothold to talk to you a bit more.
After some small talk, the scammer will ask if you’re familiar with investments, or cryptocurrency. They’ll then do one of two things:
Direct you to a genuine cryptocurrency investment portal, and send you some money to invest or have you do it on your own dime. Eventually you’re asked to transfer all funds and/or profit to a separate account which belongs to the scammer. At that point, your money has gone and the proverbial pig has been butchered after a period of so-called “fattening up” (in other words, gaining your trust and convincing you to go all out where investing is concerned).
Direct you to a fake cryptocurrency site, often imitating a real portal. The site may well have its numbers tweaked or otherwise deliberately altered to make it look as though your suggested investments are sound bets. The reality is that they are not, and by the time you realize it, your money has gone.
Once you are satisfied with the profit on your investment and decide to cash out, the problems come at you from different directions. A hefty withdrawal fee, a huge tax to be paid, will need to be paid to get your money back. Which you won’t, but this is the last drop the scammers will try to wring out of you.
John Oliver talked at length about Pig Butchering scams in the latest episode of Last Week Tonight with John Oliver (HBO), lifting the lid on some shocking examples of people who got scammed, and the role that organized crime plays behind the scenes. (Note that you’ll need to be in the USA to watch it, or have a good VPN
As John Oliver put it:
“You may have an image of a person who might fall for pig butchering, but unless you are looking in a mirror, you might be wrong.”
So here are some pointers.
How to avoid becoming the pig
The good thing about pig butchery scams is that they mostly follow a narrow pattern, with few variations. If you recognize the signs, you stand a very good chance of going about your day with a distinct lack of pig-related issues. The signs are:
Stray messages for “someone else” appear out of the blue.
The profile pic of the person you’re talking to looks like someone who is a model.
Common scam opening lines may involve: Sports, golfing, travel, fitness.
At some point they will ask you about investments and/or cryptocurrency.
They will ask you to invest, or take some of their money and use that instead.
As you can see, there is a very specific goal in mind for the pig butcher scammers, and if you find yourself drawn down this path, the alarm bells should be ringing by step 4 or 5. This is definitely one of those “If it’s too good to be true” moments, and the part where you make your excuses and leave (but not before hitting block and reporting them).
Digital Footprint scan
If you want to find out how much of your own data is currently exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a report.
We don’t just report on threats – we help safeguard your entire digital identity
Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.
One of my co-workers who works on Malwarebytes’ web research team just witnessed a real life example of how useful his work is in protecting people against scammers.
Stefan decided to visit Amsterdam with his girlfriend, and found a very nice and luxurious apartment in Amsterdam on Airbnb. In the description the owner asked interested parties to contact them by email.
“The property is listed on several websites so contact me directly by mail to check for availability.”
So Stefan emailed the owner. They replied, asking Stefan to book the property through Tripadvisor because, they said, the Airbnb platform was having some problems and the fees were higher than on Tripadvisor.
“My name is Carla Taddei, I am a co-host of this property, your dates are available.
The nightly rate is €250, also a €500 security deposit is required which will be fully refunded at the check out date (in case of no damages to the property). Cleaning and disinfection are included in the price. FREE CANCELLATION, FULL REFUND WITHIN 48 HOURS PRIOR THE CHECK IN.
Currently , we are encountering technical difficulties with the Airbnb calendar system, so we decided to use tripadvisor.com as our main platform. Because the Airbnb platform has very high fees, I choose to use only tripadvisor.com
If you would like to book our property, I need to know first some information about you, your name, your country and how many persons will stay with you in our property, also I want you to confirm me your email address. I will then make all the arrangements and I will send a tripadvisor invitation through tripadvisor.com in order to complete the reservation.”
Included in the mail were two shortened URLs which the owner claimed linked directly to the same property.
However, the link didn’t point to the real Tripadvisor site, but instead a fake one, which became clear when Malwarebytes Browser Guard popped up a warning advising Stefan not to continue.
Stefan received a mail that claimed to be from Tripadvisor, but more alarm bells were triggered when the sender email showed up as support@mailerfx.com — not exactly the email address you’d expect from Tripadvisor itself.
The owner sent a follow up email, saying the booking request had been sent out and insisting that Stefan had to pay and send confirmation before the booking could be validated.
“Everything was arranged from my side and you should have the booking request by now. My device routed it to my promotion folders so just check all your email folders because you must have it.
Please note, the full payment including the security deposit is required on the same time. The deposit is required for the security of the property, if there are any damages or something else is missing from the property and it is fully refundable on the day when you leave the property.
Please forward and the payment confirmation once done so I can validate your booking.”
The scammer hoped Stefan would click on the booking button on the fake Tripadvisor site. If he had done, he would have seen a prompt to register with ‘Tripadvisor’.
One step further and he’d have been asked to enter his credit card details, at which point he would have been likely to pay a lot more than the agreed €2000 for an apartment he would never see from the inside.
Further research based on the URL to the fake Tripadvisor website showed us that these scammers have probably been active for quite some time.
We found 220 websites related to this particular scam campaign. 26 of them were structured similar to tripadvisor-pre-approved-cdc0-4188-b6e5-0e742976f964.nerioni.cfd, and related sites. And 194 were structured similar to airbnb-pre-approved-0e03cd9c-7f5e.mucolg.buzz, and related sites.
How to recognize and avoid scams
There are several ways in which this procedure should have set your scam spidey senses in action, even if you’re not a professional like Stefan.
When it’s too good to be true, it’s probably not true. Don’t fall for a ‘good deal’ that turns out to be just the opposite.
Book directly via the platform you are on. If someone tries to get you to do something that’s not typical behaviour for that service, then they may well be up to no good.
Check the links in the emails are going to where you expect. Even though the links in the email say tripadvisor.com, in reality they pointed to tinyurl.com. The use of URL shorteners where there is no actual need to shorten a URL is often done to obfuscate the link.
In the same vein, check the address in your browser’s address bar to check if it is going to where you would expect. The fake Tripadvisor site was hosted at https://tripadvisor-pre-approved-7f18-4bf6-8470-a6d44541e783.tynoli.cfd/d07f/luxury-apartment-for-rent-in-amsterdam/f47fde which has been taken offline now.
Don’t get rushed into making decisions. Scammers are always trying to create a sense of urgency so you click before you can think.
Double check the website again before entering personal details or financial information.
Keep your software updated and use a web filter that will alert you to suspicious sites.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
First-person account of someone who fell for a scam, that started as a fake Amazon service rep and ended with a fake CIA agent, and lost $50,000 cash. And this is not a naive or stupid person.
The details are fascinating. And if you think it couldn’t happen to you, think again. Given the right set of circumstances, it can.
For many households, energy costs represent a significant part of their overall budget. And when customers want to discuss their bills or look for ways to save money, scammers are just a phone call away.
Enter the utility scam, where crooks pretend to be your utility company so they can threaten and extort as much money from you as they can.
This scam has been going on for years and usually starts with an unexpected phone call and, in some cases, a visit to your door. Obviously the phone call side of the scam is much more scalable and means the scam can be done from overseas.
However, criminals know that victims are more likely to be tricked if they were the ones who initiated the call. In a recent investigation, we discovered a prolific campaign of fraudulent ads shown to users via Google searches. To give an idea of scale, the number of ads we found exceeds what we have found in previous malvertising cases.
This blog post has two purposes: the first one is to draw awareness to this problem by showing how it works. Secondly, we’ve collected and shared as many ads and fake sites as we could in the hope that action will be taken, with hopefully some cost for the scammers.
Fraudulent utility scam ads
The scam begins when a user searches for keywords related to their energy bill. The ads are shown to mobile devices only, which makes sense given how often people use their phones. Also, the ads are geolocated, so that they are relevant to the user’s location.
We found 28 advertisers with over 300 ads, most of them registered by individuals from Pakistan. We have also seen legitimate but hacked advertiser accounts belonging to US entities that were abused. We didn’t investigate further into the whereabouts and identities of the scammers, but we should note that Pakistan is a possible location.
In most cases, tapping on the ad will not open a new website, but instead will prompt you to dial a phone number. This is exactly what the crooks want as many people will have no idea that an ad approved by Google could possibly be fraudulent.
The utility scam often works by threatening and scaring victims into making poor decisions. An unpaid bill, or an offer that is too good to be true and must be accepted immediately are some of their tactics. Once you’ve made that phone call, you’re already in their hands and very close to losing a significant amount of money.
The scammers may even redirect you to their website to “prove” that they are legitimate. Those sites are often credible enough for a victim to feel like they are doing the right thing, but that couldn’t be further from the truth.
Large scamming infrastructure
The crooks have registered dozens of different domains names and built templates that appear related to energy or utility savings. The sites are quite simple and consist of one main page with some customer-centric text and one or multiple phone numbers.
We can usually deduce they are fraudulent by looking up their registration date as well as connecting them with search ads.
However, that might not be enough to have them suspended without going through the whole process of calling the scammers, recording the interaction and showing that evidence. This type of investigation requires time and resources to be done properly. Perhaps one of the many scambaiters out there will look into it in the future.
In the meantime, we have tracked and reported as many domains as we could to the relevant registrars in the hope that some may take action and suspend them.
Keep your identity and money safe from scammers
This scam is widespread, and so our advice right now is to avoid clicking on any ad from search as the malicious ads largely outnumber the legitimate ones. You can tell it’s an ad as it will be labelled “Sponsored” or “Ad”.
Here are some additional tips:
Watch out for a sense of urgency. Scammers will often threaten to cut your power immediately. This and similar scare tactics are meant to pressure you into making hasty decisions. Take the time to look things up or speak to a friend before you do anything.
Never disclose personal details over the phone without being absolutely certain you are talking to the right person. If in doubt, hang up the phone and look for the official phone number from your energy company, perhaps from a past bill. Do not trust any phone number that appears on an online ad.
Beware requests for money transfers or prepaid cards. These are a huge sign you are dealing with criminals. Again, take your time to think it over even if just for a few hours. Scammers tend to be so impatient they will make all sorts of claims to act right now, which should be a dead giveaway.
Contact your bank immediately if you think you’ve been scammed and wired money,. Change all your passwords and add a notice with your utility company that someone may attempt to impersonate you.
Report the scam to the proper authorities, which may be the FTC.
Malwarebytes protection
Malwarebytes is working with its partners to go after these scammers. We also provide protection if you are using our iOS app via the ad blocking feature which will disable search ads and other ads that may be targeting you.
Login
