The Death of Legacy MFA and What Must Rise in Its Place

24 November 2025 at 14:37

Tycoon 2FA proves that the old promises of “strong MFA” came with fine print all along: when an attacker sits invisibly in the middle, your codes, pushes, and one-time passwords become their codes, pushes, and one-time passwords too.

Tycoon 2FA: Industrial-Scale Phishing Comes of Age

Tycoon 2FA delivers a phishing-as-a-service kit that hands even modestly…

The post The Death of Legacy MFA and What Must Rise in Its Place appeared first on Security Boulevard.

Attackers are using “Sneaky 2FA” to create fake sign-in windows that look real

19 November 2025 at 07:50

Attackers have a new trick to steal your username and password: fake browser pop-ups that look exactly like real sign-in windows. These “Browser-in-the-Browser” attacks can fool almost anyone, but a password manager and a few simple habits can keep you safe.


Phishing attacks continue to evolve, and one of the more deceptive tricks in the attacker’s arsenal today is the Browser-in-the-Browser (BitB) attack. At its core, BitB is a social engineering technique that makes users believe they’re interacting with a genuine browser pop-up login window when, in reality, they’re dealing with a convincing fake built right into a web page.

Researchers recently found a Phishing-as-a-Service (PhaaS) kit known as “Sneaky 2FA” that’s making these capabilities available on the criminal marketplace. Customers reportedly receive a licensed, obfuscated version of the source code and can deploy it however they like.

Attackers use this kit to create a fake browser window using HTML and CSS. It’s very deceptive because it includes a perfectly rendered address bar showing the legitimate website’s URL. From a user’s perspective, everything looks normal: the window design, the website address, even the login form. But it’s a carefully crafted illusion designed to steal your username and password the moment you start typing.

Normally we tell people to check whether the URL in the address bar matches what they expect, but in this case that won’t help. The fake URL bar can fool the human eye, but it can’t fool a well-designed password manager. Password managers only fill credentials into login forms on the genuine site, not into HTML fakes masquerading as browser windows. This is why using a password manager consistently matters. It not only encourages strong, unique passwords but also helps spot inconsistencies by refusing to autofill on suspicious forms.
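To make the password-manager point concrete, here is an added example (not code from the article or from any password manager) of the two checks that defeat a painted address bar: credentials are keyed to the browser’s real document origin, and a URL-like string drawn inside the page that names a different origin is a red flag. The vault entry, the `example.com`/`example.net` names and the function names are constructed for illustration.

```javascript
// Saved credentials, keyed by the exact origin where they were created
// (constructed sample data).
const vault = [
  { origin: 'https://accounts.example.com', username: 'alice' },
];

// Normalise an origin string: scheme + lower-cased host + non-default port,
// path and query dropped. Anything that is not http(s) yields null.
function normalizeOrigin(str) {
  let u;
  try { u = new URL(str); } catch { return null; }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
  return u.origin;
}

// Autofill decision for a login form: only the origin of the document that
// really contains the form counts. Pixels painted to look like a second
// browser window never enter into it.
function autofillCandidates(formDocumentOrigin) {
  const real = normalizeOrigin(formDocumentOrigin);
  if (real === null) return [];
  return vault.filter((c) => normalizeOrigin(c.origin) === real);
}

// Heuristic a content blocker can apply: a fully-qualified URL rendered as
// page text that names a different origin than the page's own is a strong
// sign of a fake browser chrome. Returns the mismatched strings.
function fakeChromeSuspects(realOrigin, displayedStrings) {
  const real = normalizeOrigin(realOrigin);
  return displayedStrings.filter((s) => {
    const shown = normalizeOrigin(s.trim());
    return shown !== null && shown !== real;
  });
}

// Constructed scenario: the phishing page lives on a throwaway domain and
// paints the legitimate login URL into its fake address bar.
const phishOrigin = 'https://login-verify.example.net';
const paintedAddressBar = 'https://accounts.example.com/login';

console.log(autofillCandidates(phishOrigin).length);              // 0: nothing offered
console.log(fakeChromeSuspects(phishOrigin, ['Sign in', paintedAddressBar])); // [painted URL]
```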

Sneaky 2FA uses various tricks to avoid detection and analysis. For example, it keeps security tools away from the phishing pages: the phishers redirect unwanted visitors to harmless sites and show the BitB page only to high-value targets. For those targets, the pop-up window adapts to match each visitor’s operating system and browser.

The domains the campaigns use are also short-lived. Attackers “burn and replace” them to stay ahead of blocklists, which makes it hard to block these campaigns based on domain names.

So, what can we do?

In the arms race against phishing schemes, pairing a password manager with multi-factor authentication (MFA) offers the best protection.

As always, you’re the first line of defense. Don’t click on links in unsolicited messages of any type before verifying and confirming they were sent by someone you trust. Staying informed is important as well, because you know what to expect and what to look for.

And remember: it’s not just about trusting what you see on the screen. Layered security stops attackers before they can get anywhere.

Another effective security layer to defend against BitB attacks is Malwarebytes’ free browser extension, Browser Guard, which detects and blocks these attacks heuristically.


We don’t just report on threats—we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.

How to set up two factor authentication (2FA) on your Instagram account

27 October 2025 at 10:53

Two-factor authentication (2FA) isn’t foolproof, but it is one of the best ways to protect your accounts from hackers.

It adds a small extra step when logging in, but that extra effort pays off. Instagram’s 2FA requires an additional code whenever you try to log in from an unrecognized device or browser—stopping attackers even if they have your password.

Instagram offers multiple 2FA options: text message (SMS), an authentication app (recommended), or a security key.

Instagram 2FA options

Here’s how to enable 2FA on Instagram for Android, iPhone/iPad, and the web.

How to set up 2FA for Instagram on Android

  1. Open the Instagram app and log in.
  2. Tap your profile picture at the bottom right.
  3. Tap the menu icon (three horizontal lines) in the top right.
  4. Select Accounts Center at the bottom.
  5. Tap Password and security > Two-factor authentication.
  6. Choose your Instagram account.
  7. Select a verification method: Text message (SMS), Authentication app (recommended), or WhatsApp.
    • SMS: Enter your phone number if you haven’t already. Instagram will send you a six-digit code. Enter it to confirm.
    • Authentication app: Choose an app like Google Authenticator or Duo Mobile. Scan the QR code or copy the setup key, then enter the generated code on Instagram.
    • WhatsApp: Enable text message security first, then link your WhatsApp number.
  8. Follow the on-screen instructions to finish setup.

How to set up 2FA for Instagram on iPhone or iPad

  1. Open the Instagram app and log in.
  2. Tap your profile picture at the bottom right.
  3. Tap the menu icon > Settings > Security > Two-factor authentication.
  4. Tap Get Started.
  5. Choose Authentication app (recommended), Text message, or WhatsApp.
    • Authentication app: Copy the setup key or scan the QR code with your chosen app. Enter the generated code and tap Next.
    • Text message: Turn it on, then enter the six-digit SMS code Instagram sends you.
    • WhatsApp: Enable text message first, then add WhatsApp.
  6. Follow on-screen instructions to complete the setup.

How to set up 2FA for Instagram in a web browser

  1. Go to instagram.com and log in.
  2. Open Accounts Center > Password and security.
  3. Click Two-factor authentication, then choose your account.
    • Note: If your accounts are linked, you can enable 2FA for both Instagram and your overall Meta account here, in the Instagram Accounts Center.
  4. Choose your preferred 2FA method and follow the online prompts.

Enable it today

Even the strongest password isn’t enough on its own. 2FA means a thief must also have access to an additional factor to log in to your account, whether that’s a code on a physical device or a security key. That makes it far harder for criminals to break in.

Turn on 2FA for all your important accounts, especially social media and messaging apps. It only takes a few minutes, but it could save you hours—or even days—of recovery later. It’s currently the best password advice we have.


Pixel-stealing “Pixnapping” attack targets Android devices

14 October 2025 at 08:21

Researchers at US universities have demonstrated how a malicious Android app can trick the system into leaking pixel data. That may sound harmless, but imagine if a malicious app on your Android device could glimpse tiny bits of information on your screen—even the parts you thought were secure, like your two-factor authentication (2FA) codes.

That’s the chilling idea behind “Pixnapping” attacks described in the research paper coming from University of California (Berkeley and San Diego), University of Washington, and Carnegie Mellon University.

A pixel is one of the tiny colored dots that make up what you see on your device’s display. The researchers built a pixel-stealing framework that bypasses all browser protections and can even lift secrets from non-browser apps such as Google Maps, Signal, and Venmo—as well as websites like Gmail. It can even steal 2FA codes from Google Authenticator.

Pixnapping is a classic side-channel attack—stealing secrets not by breaking into software, but by observing physical clues that devices give off during normal use. Pixel-stealing ideas date back to 2013, but this research shows new tricks for extracting sensitive data by measuring how specific pixels behave.

The researchers tested their framework on modern Google Pixel phones (6, 7, 8, 9) and a Samsung Galaxy S25 and succeeded in stealing secrets from both browsers and non-browser apps. They disclosed the findings to Google and Samsung in early 2025. As of October 2025, Google has patched part of the vulnerability, but some workarounds remain and both companies are still working on a full fix. Other Android devices may also be vulnerable.

The technical knowledge required to perform such an attack is enormous. This isn’t “script kiddie” territory: Attackers would need deep knowledge of Android internals and graphics hardware. But once developed, a Pixnapping app could be disguised as something harmless and distributed like any other piece of Android malware.

To perform an attack, someone would have to convince or trick the target into installing the malicious app on their device.

This app abuses Android Intents—a fundamental part of how apps communicate and interact with each other on Android devices. You can think of an intent like a message, or request, that one app sends either to another app or to the Android operating system itself, asking for something to happen.

The malicious app stacks nearly transparent windows over the app it wants to spy on and watches for subtle timing signals that depend on pixel color.

It doesn’t take long—the paper shows it can steal temporary 2FA codes from Google Authenticator in under 30 seconds. Once stolen, the data is sent to a command-and-control (C2) server controlled by the attacker.

How to stay safe

The steps an attacker has to take to pull this off point to the steps that can keep your 2FA codes and other secrets safe.

  1. Update regularly: Make sure your device and apps have the latest security updates. Google and Samsung are rolling out fixes; don’t ignore those update prompts. The underlying vulnerability is tracked as CVE-2025-48561.
  2. Be cautious installing apps: Only install apps from trusted sources like Google Play and check reviews and permissions before installing. Avoid sideloading unknown APKs and ask yourself if the permissions an app asks for are really needed for what you want it to do.
  3. Review permissions: Android improved its permission system, but check regularly what apps can do, and don’t hesitate to remove permissions of the ones you don’t use often.
  4. Use app screenshots wisely: Don’t store or display sensitive info (like codes, addresses, or logins) in apps unless needed, and close apps after use.
  5. Monitor security news: Look for announcements from Google and Samsung about patches for this vulnerability, and act on them.
  6. Enable Play Protect: Keep Play Protect active to help spot malicious apps before they’re installed.
  7. Use up-to-date real-time anti-malware protection on your Android device, preferably with a web protection module.

If you’re worried about your 2FA codes getting stolen, consider switching to hardware token 2FA options.


Plex users: Reset your password!

10 September 2025 at 05:47

Media streaming platform Plex has warned customers about a data breach, advising them to reset their password.

Plex said an attacker broke into one of its databases, allowing them to access a “limited subset” of customer data. This included email addresses, usernames, hashed passwords, and authentication data.

“Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party. Out of an abundance of caution, we recommend you take some additional steps to secure your account… Rest assured that we do not store credit card data on our servers, so this information was not compromised in this incident.”

Hashing is a way to protect users’ passwords by transforming them into a scrambled and unreadable format before storing them. Think of it like turning a password into a unique “fingerprint” made of random letters and numbers that doesn’t resemble the original password. This scrambled form is called a hash, and it is created using a special mathematical process called a hash function.

The main point about hashing is that it is a one-way process: once a password is hashed, it cannot be reversed or decrypted back into the original password. When you log in, the system hashes the password you enter and compares that to the stored hash. If they match, you get access. This means companies never store your real, plain text password, which helps keep your credentials safe even if their database is hacked.

The downside is that some systems are vulnerable to pass-the-hash attacks where an attacker can sign in by only knowing the hash. But those are mainly a concern in Windows network environments.

In the case of the Plex breach, pass-the-hash attacks are less of a worry for regular users. Plex uses hashed passwords mainly for user login access to its streaming platform, not for network-level authentication, so the stolen hashes don’t directly let attackers authenticate anywhere else without cracking them first.

However, as a precaution, Plex users should still follow the instructions from the company, below.

What Plex asks users to do

If you normally log in using a password: Reset your Plex account password immediately by visiting https://plex.tv/reset. During the reset process you’ll see a checkbox to “Sign out connected devices after password change,” which the company recommends you enable. This will sign you out of all your devices (including any Plex Media Server you own). After the reset you’ll need to sign back in with your new password.

If you normally log in using Single Sign-On: Log out of all active sessions by visiting http://plex.tv/security and clicking the button that says “Sign out of all devices”. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in as normal.

For further account protection, we also recommend enabling two-factor authentication (2FA) on your Plex account if you haven’t already done so.

Look out for any phishing attempts that may try to prey on this incident. Plex has said that no one at Plex will ever reach out to you over email to ask for a password or credit card number for payments.

Check your digital footprint

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.
