<?xml version="1.0"?> <rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#"> <channel> <atom:link href="https://www.malwarebytes.com/blog/feed" rel="self" type="application/rss+xml"/> <title>Malwarebytes</title> <link>https://www.malwarebytes.com/</link> <description><![CDATA[Cyber Security Software &amp; Anti-Malware]]></description> <pubDate>Fri, 22 Nov 2024 17:06:48 GMT</pubDate> <lastBuildDate>Fri, 22 Nov 2024 17:06:48 GMT</lastBuildDate> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <language>en</language> <item> <title><![CDATA[ Meta takes down more than 2 million accounts in fight against pig butchering ]]></title> <description><![CDATA[ Meta provided some insight into their fight against pig butchering scammers, who are often victims of organized crime themselves ]]></description> <category>News</category> <category>Scams</category> <category><![CDATA[ Meta ]]></category> <category><![CDATA[ pig butchering ]]></category> <category><![CDATA[ romance scams ]]></category> <content:encoded><![CDATA[ <p>Meta provided<a href="https://about.fb.com/news/2024/11/cracking-down-organized-crime-scam-centers/" target="_blank" rel="noreferrer noopener nofollow"> insight</a> this week into the company&#8217;s efforts in taking down more than 2 million accounts that were connected to <a href="https://www.malwarebytes.com/blog/news/2024/03/pig-butchering-scams-how-they-work-and-how-to-avoid-them">pig butchering</a> scams on their owned platforms, Facebook and Instagram.</p> <p>Pig butchering scams are big business, with hundreds of millions of dollars involved every year. 
The numbers are not precise because some researchers see these scams as a special kind of <a href="https://www.malwarebytes.com/blog/news/2024/09/romance-scams-costlier-than-ever-10-percent-of-victims-lose-10000-or-more">romance scam</a>, while others classify them as <a href="https://www.malwarebytes.com/blog/news/2024/01/investment-fraud-a-serious-money-maker-for-criminals">investment fraud</a>, muddying the numbers based on which group is counting what type of loss.</p> <p>Still, the general idea is that scammers use elaborate storylines to fatten up victims into believing they are in a romantic or otherwise close personal relationship. Once the victim places enough trust in the scammer, they bring the victim into a cryptocurrency investment scheme. Then comes the &#8220;butchering&#8221;—an attempt to &#8220;bleed&#8221; a target dry of their money.</p> <p>Pig butchering, however, isn&#8217;t always a simple case of cybercriminals preying on unsuspecting victims. As Meta described, sometimes the scammers themselves are victims that work in scam centers, mainly located in Asia.</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"> <p>“These criminal scam hubs lure often unsuspecting job seekers with too-good-to-be-true job postings on local job boards, forums, and recruitment platforms to then force them to work as online scammers, often under the threat of physical abuse.”</p> </blockquote> <p>These workers not only work on pig butchering scams. They are also forced to engage in a wide range of malicious activities that can involve cryptocurrency and gambling, or they can be tasked to carry out impersonation scams.</p> <p>Working with expert NGOs and law enforcement partners in the US and Southeast Asia, Meta has focused on investigating and disrupting the activities of the criminal scam centers in Southeast Asia. 
This has led to the take-down of over two million accounts linked to scam centers in Myanmar, Laos, Cambodia, the United Arab Emirates, and the Philippines.</p> <p>Despite their location, the targets of the scams can be found all over the globe. The scammers follow playbooks to gain the trust of the targets. Contacting victims initially on social media, dating apps, email, or messaging apps, the scammers later move their interactions to more private channels like scammer-controlled accounts on crypto apps or scam websites masquerading as investment platforms. This pushes victims further into a trap and it removes their ability to report their conversations to a platform that takes this type of abuse seriously. </p> <p>From here, scammers will continue the charade that they&#8217;ve set up wise investments for the targets. But once enough trust has been built to seriously rob a victim, scammers will steal what they can and disappear. As Meta said:</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"> <p>“Typical of ‘pig butchering’ schemes, the target may be allowed to withdraw small amounts to build trust, but once they start asking for their ‘investment’ back or it becomes clear that they do not have more funds to send to the scammer, overseas scammers typically disappear with all the money.”</p> </blockquote> <h2 class="wp-block-heading" id="h-how-to-avoid-becoming-the-pig">How to avoid becoming the pig</h2> <p>The good thing about pig butchery scams is that they mostly follow a narrow pattern, with few variations. If you recognize the signs, you stand a very good chance of going about your day with a distinct lack of pig-related issues. The signs are:</p> <ul> <li>Receiving stray messages for “someone else” that appear out of the blue. 
This can be a message directed to someone who does not have your name.</li> <li>The profile picture of the person you’re talking to looks like someone who is a model.</li> <li>Common scam opening lines may involve: Sports, golfing, travel, fitness.</li> <li>At some point they will ask you about investments and/or cryptocurrency.</li> <li>They will ask you to invest or take some of their money and use that instead.</li> </ul> <p>As you can see, there is a very specific goal in mind for the pig butcher scammers, and if you find yourself drawn down this path, the alarm bells should be ringing by step 4 or 5. This is definitely one of those “If it’s too good to be true” moments, and the part where you make your excuses and leave (but not before hitting block and reporting them).</p> <p>Here’s what you can do to keep yourself safe:</p> <ul> <li>Don’t give scammers the information they need. Scammers rely on what you volunteer about yourself online to tweak their script and lure you in. Use tools such as the&nbsp;<a href="https://www.malwarebytes.com/personal-data-remover">Malwarebytes Personal Data Remover</a>&nbsp;to minimize the amount of data accessible through search engine results, spam lists, and people search sites.</li> <li>Perform an image search of the photo and the name of the person you’re in touch with. Scammers often steal someone else’s image to use as bait, and stolen identities are rife.</li> <li>Go slow. 
Scammers tend to rush, building rapport with their victims as quickly as possible before moving in for the money-themed kill.</li> <li>Never give money to anyone you’ve met online.</li> <li>Get a second opinion from someone you trust.</li> <li>If in doubt, back away and report the account.</li> </ul> <p>If you’ve been impacted by a romance scam, pig butchering, or crypto investment fraud, you can report the crime to the&nbsp;<a href="https://www.ic3.gov/Home/FileComplaint" target="_blank" rel="noreferrer noopener">Internet Crime Complaint Center (IC3)</a>, which is run by the FBI, or the FTC on its&nbsp;<a href="https://reportfraud.ftc.gov/#/" target="_blank" rel="noreferrer noopener">reporting and resources page</a>.</p> <p><strong>We don&#8217;t just report on threats &#8211; we help protect your social media</strong></p> <p>Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using <a href="https://www.malwarebytes.com/identity-theft-protection" target="_blank" rel="noreferrer noopener">Malwarebytes Identity Theft Protection</a>.</p> ]]></content:encoded> <link>https://www.malwarebytes.com/blog/news/2024/11/meta-takes-down-more-than-2-million-accounts-in-fight-against-pig-butchering</link> <pubDate>Fri, 22 Nov 2024 17:06:48 GMT</pubDate> <guid>https://www.malwarebytes.com/blog/news/2024/11/meta-takes-down-more-than-2-million-accounts-in-fight-against-pig-butchering</guid> </item> <item> <title><![CDATA[ “Sad announcement” email implies your friend has died ]]></title> <description><![CDATA[ People are receiving disturbing emails that appear to imply something has happened to their friend or family member. ]]></description> <category>News</category> <category>Threats</category> <category><![CDATA[ sad announcement ]]></category> <category><![CDATA[ tech support scam ]]></category> <content:encoded><![CDATA[ <p>Tech support scammers are again stooping low with their email campaigns. 
This particular one hints that one of your contacts may have met an untimely end.</p> <p>It all starts with an email titled “Sad announcement” followed by a full name of someone you know. The email may appear to come from the person themselves.</p> <p>A co-worker who received such an email pointed it out to our team. Looking around, I found the first report about such an email in a <a href="https://x.com/juliaioffe/status/1754545974058328199">tweet</a> dating back to February 5, 2024.</p> <p>With some more information about what I was looking for, I managed to find several more.</p> <p>There is a great deal of variation between the emails, but we do have enough samples to show you a pattern which looks like this:</p> <figure class="wp-block-image size-full"><img loading="lazy" width="864" height="288" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/pattern_aaf4fa.jpg" alt="The pattern of the Sad announcement email" class="wp-image-122582" /></figure> <p>Subject: Sad announcement: &lt;First name&gt;&lt;Last name&gt;</p> <p>Sometimes the colon is replaced by the word “from”.</p> <p>Then a short sentence to pique the reader’s curiosity, which often references photos. Here are some examples:</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"> <p>“When you open them you will see why I actually wanted to share them with you today”</p> <p>&#8220;Never thought I would want to share these images with you, anyways here they are&#8221;</p> <p>&#8220;I&#8217;m presuming you should remember these two ladies, in that photo&#8221;</p> <p>&#8220;When I was looking through some old folders I found these 3 pics&#8221;</p> <p>“it wasn&#8217;t initially my plan, but I had to change my mind about it”</p> <p>&#8220;Two pictures that I wanted to share with you. They&#8217;re likely to bring a flood of memories to you, as they did to me&#8230;&#8221;</p> <p>&#8220;Probably should have contacted you a little bit earlier. 
Anyways just wanted to keep you updated&#8221;</p> </blockquote> <p>This is then immediately followed by a link. These also follow a certain pattern:</p> <div class="wp-block-group has-global-padding is-layout-constrained wp-block-group-is-layout-constrained"> <p><code>gjsqr.hytsiysx.com</code></p> <p><code>tmdlod.vdicedohf.com</code></p> <p><code>gtfhq.rmldxkff.com</code></p> <p><code>pdbh.ramahteen.com</code></p> <p><code>owwiu.dexfyerd.com</code></p> <p><code>roix.unrgagceso.com</code></p> <p><code>yrlbi.vohdsniuz.com</code></p> <p><code>uqjk.mbafwnds.com</code></p> <p><code>vjdbd.hhesdeh.com</code></p> <p><code>mbjzo.enexoo.com</code></p> </div> <p>These domains are all registered with NameCheap and are only active for a few days.</p> <p>To close the emails off, the scammers end with a quote in the format:</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"> <p>&#8220;You do not find the happy life. You make it.&#8221; &#8211; &nbsp;Camilla Eyring Kimball</p> </blockquote> <p>The sender addresses are spoofed to look like they were coming from family or friends of the target. The actual sender addresses are compromised accounts from all over the world.</p> <p>The campaign looks to have targeted mainly the US, but I also found some located in Ireland and the UK and some odd ones in India and Italy.</p> <p>So, the question is, what are they after? The short-lived domains really made it hard for me to figure that out. 
It took me quite a while to find a domain that was still active, but then I knew soon enough what the end-goal of the spammers was.</p> <p>A short chain of redirects sent me to <a href="https://niceandsafetystore0990.blob.core.windows.net/niceandsafetystore0990/index.html"><code>https://niceandsafetystore0990.blob.core.windows[.]net/niceandsafetystore0990/index.html</code></a> which is now blocked by Malwarebytes Browser Guard.</p> <figure class="wp-block-image aligncenter size-full"><img loading="lazy" width="833" height="541" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/Browser_Guard_block.jpg" alt="Malwarebytes Browser Guard blocks the Tech Support scammers' site" class="wp-image-122462" /></figure> <p>The <code>blob.core.windows.net</code> subdomains are unique identifiers for Azure Blob Storage accounts. They follow this format:</p> <p><code>&lt;storageaccountname&gt;.blob.core.windows.net</code></p> <p>Where&nbsp;<code>&lt;storageaccountname&gt;</code>&nbsp;is the name of the specific Azure Storage account. 
Spammers like using them because the <code>windows.net</code> part of the domain makes them look trustworthy.</p> <p>The website itself probably looks familiar to a lot of readers: a fake online Windows Defender scan.</p> <figure class="wp-block-image aligncenter size-full"><img loading="lazy" width="786" height="580" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/TSS_1.jpg" alt="A website showing a fake Quick Scan of your system showing Threats found" class="wp-image-122464" /></figure> <p>The fake Windows Defender site shows that your system is infected with loads of threats.</p> <figure class="wp-block-image aligncenter size-full"><img loading="lazy" width="903" height="663" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/TSS_2.jpg" alt="Fake Threat Scan results using Malwarebytes detection names" class="wp-image-122478" /></figure> <p>Funnily enough, the site claims to be Windows Defender, but uses Malwarebytes’ detection names. For example: Microsoft does not detect the potentially unwanted program that Malwarebytes detects as PUP.Optional.RelevantKnowledge.</p> <p>Anyway, the website quickly takes up the entire screen, so you have to press or hold (depending on your browser) the Esc key to get back the controls that allow you to close the website.</p> <p>Now that you have seen the patterns in the email, we hope that you will refrain from clicking the links. The redirect chain can be changed and may be different for your location and type of system. 
So, there may be more serious consequences than an annoying website.</p> <h2 class="wp-block-heading" id="h-how-to-avoid-the-sad-announcement-scam">How to avoid the &#8220;sad announcement&#8221; scam</h2> <ul> <li>Always compare the actual sender address with the email address this person would normally use to send you an email.</li> <li>Never click on a link in an unsolicited email before checking with the sender.</li> <li>Don’t call the phone numbers displayed on the website, because they will try to defraud you.</li> <li>If in doubt, contact your friend via another, trusted method.</li> </ul> <p>If your browser or mobile device “locks up”, meaning you’re no longer able to navigate away from a virus warning, you’re likely looking at a tech support scam. If something claims to show the files and folders from inside your browser, this is another signal that you’re on a fake page. Close the browser if possible or restart your device if this doesn’t work.</p> <p>Despite the occasional arrests and FTC fines for tech support scammers and their henchmen, there are still plenty of cybercriminals active in this field. Scams range from unsolicited calls offering help with your “infected” computer to fully-fledged websites where you can purchase heavily over-priced versions of legitimate security software.</p> <p>Unfortunately, for some people these warnings may have come too late. So what should you do if you have fallen victim to a tech support scam? Here are a few pointers:</p> <ul> <li>Have you already paid?&nbsp;Contact your credit card company or bank and let them know what’s happened. You may also need to&nbsp;<a href="http://www.ftc.gov/complaint" target="_blank" rel="noreferrer noopener">file a complaint</a>&nbsp;with the FTC or contact your local law enforcement agency, depending on&nbsp;your region.</li> <li>If you&#8217;ve shared your password with a scammer, change it on every account that uses this password. 
Consider using a&nbsp;<a href="https://www.malwarebytes.com/what-is-password-manager">password manager</a>&nbsp;and enable&nbsp;<a href="https://www.malwarebytes.com/glossary/multi-factor-authentication-mfa">2FA</a>&nbsp;for important accounts.</li> <li><a href="https://www.malwarebytes.com/for-home" target="_blank" rel="noreferrer noopener">Scan your device</a>. If scammers have had access to your system, they may have planted a backdoor so they can revisit whenever they feel like it. Malwarebytes can remove backdoors and other software left behind by scammers.</li> <li>Keep an eye out for unexpected payments. Be on the lookout for suspicious charges/payments on your credit cards and bank accounts so you can revert and stop them.</li> </ul> <hr class="wp-block-separator has-text-color has-cyan-bluish-gray-color has-alpha-channel-opacity has-cyan-bluish-gray-background-color has-background is-style-wide" /> <p><strong>We don’t just report on threats—we remove them</strong></p> <p>Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by&nbsp;<a href="https://www.malwarebytes.com/for-home">downloading Malwarebytes today</a>.</p> ]]></content:encoded> <link>https://www.malwarebytes.com/blog/news/2024/11/sad-announcement-email-leads-to-tech-support-scam</link> <pubDate>Wed, 20 Nov 2024 13:47:34 GMT</pubDate> <guid>https://www.malwarebytes.com/blog/news/2024/11/sad-announcement-email-leads-to-tech-support-scam</guid> </item> <item> <title><![CDATA[ Update now! Apple confirms vulnerabilities are already being exploited ]]></title> <description><![CDATA[ Apple has released security updates that look especially important for Intel-based Macs because they are already being exploited in the wild. 
]]></description> <category>Apple</category> <category>News</category> <category><![CDATA[ Apple ]]></category> <category><![CDATA[ cve-2024-44308 ]]></category> <category><![CDATA[ cve-2024-44309 ]]></category> <category><![CDATA[ Intel-based ]]></category> <content:encoded><![CDATA[ <p>Apple has <a href="https://support.apple.com/en-us/100100">released</a> security patches for most of its operating systems, including iOS, macOS, iPadOS, Safari, and visionOS.</p> <p>The updates for iOS and Intel-based Mac systems are especially important, as they tackle vulnerabilities that are being actively exploited by cybercriminals. You should make sure you update as soon as you can.</p> <p>To check if you’re using the latest software version, go to&nbsp;<strong>Settings &gt; General &gt; Software Update</strong>. It’s also worth turning on Automatic Updates if you haven’t already, which you can do on the same screen.</p> <figure class="wp-block-image aligncenter size-large"><img loading="lazy" width="983" height="1305" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/Update_options.jpg?w=771" alt="Update options" class="wp-image-122562" /></figure> <p>To determine whether your Mac is Intel-based or equipped with Apple silicon, follow these simple steps:</p> <ul> <li>Click the Apple icon in the top-left corner of your screen.</li> <li>Select <strong>About This Mac</strong>.</li> <li>Check the information:<ul><li>If you see an item labeled Chip, your Mac has Apple silicon (like M1, M2, or M3).</li><li>If you see an item labeled Processor, it indicates that your Mac is Intel-based, and the specific Intel processor name will be listed next to it.</li></ul></li> </ul> <h2 class="wp-block-heading" id="h-technical-details">Technical details</h2> <p>Because Apple does not share details until everyone has had a chance to update, it is hard to figure out what the exact problem is. 
But there are some things we can deduce from the given information.</p> <p>The vulnerabilities that Apple says may have been actively exploited on Intel-based Mac systems are:</p> <p><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-44308">CVE-2024-44308</a>: a vulnerability in the JavaScriptCore component. Processing maliciously crafted web content may lead to arbitrary code execution. This means that an attacker will have to trick a victim into opening a malicious file containing web content.</p> <p>JavaScriptCore is the built-in JavaScript engine for WebKit that enables cross-platform development by providing a way to execute JavaScript within native iOS and macOS applications.</p> <p><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-44309">CVE-2024-44309</a>: a cookie management issue in the WebKit component was addressed with improved state management. This issue is fixed in Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, macOS Sequoia 15.1.1, iOS 18.1.1 and iPadOS 18.1.1, visionOS 2.1.1. Processing maliciously crafted web content may lead to a cross-site scripting attack.</p> <hr class="wp-block-separator has-alpha-channel-opacity is-style-wide" /> <p><strong>We don&#8217;t just report on macOS security—we provide it. </strong></p> <p>Cybersecurity risks should never spread beyond a headline. 
Keep threats off your Mac by&nbsp;downloading <a href="https://www.malwarebytes.com/mac">Malwarebytes for Mac</a>&nbsp;today.</p> ]]></content:encoded> <link>https://www.malwarebytes.com/blog/news/2024/11/update-now-apple-confirms-vulnerabilities-are-being-exploited</link> <pubDate>Wed, 20 Nov 2024 13:12:55 GMT</pubDate> <guid>https://www.malwarebytes.com/blog/news/2024/11/update-now-apple-confirms-vulnerabilities-are-being-exploited</guid> </item> <item> <title><![CDATA[ AI Granny Daisy takes up scammers’ time so they can’t bother you ]]></title> <description><![CDATA[ An Artificial Intelligence model called Daisy has been deployed to waste phone scammers' time so they can't defraud real people. ]]></description> <category>News</category> <category><![CDATA[ AI ]]></category> <category><![CDATA[ granny daisy ]]></category> <category><![CDATA[ scammers ]]></category> <content:encoded><![CDATA[ <p>A mobile network operator has called in the help of Artificial Intelligence (AI) in the battle against phone scammers.</p> <p>Virgin Media O2 in the UK has built an AI persona called Daisy with the sole purpose of keeping scammers occupied for as long as possible. Basically, until the scammers give up, because Daisy won’t.</p> <p>Daisy uses several AI models that work together, listening to what scammers have to say and then responding in a lifelike manner to give the scammers the idea they are working on an “easy” target. Playing on the scammers&#8217; biases about older people, Daisy usually acts as a chatty granny.</p> <p>According to Virgin Media O2’s <a href="https://news.virginmediao2.co.uk/o2-unveils-daisy-the-ai-granny-wasting-scammers-time/" target="_blank" rel="noreferrer noopener nofollow">press release</a>, Daisy has successfully kept numerous fraudsters on calls for 40 minutes at a time. 
To achieve this, “Granny Daisy” will tell the scammers all about her passion for knitting and her cat Fluffy, and provide exasperated callers with false personal information, including made-up bank details.</p> <p>The idea behind Daisy is two-fold. Not only does it waste the scammers’ time—time they could have spent defrauding real people—but it also raises awareness, through posts such as this one, that the person you are talking to on the phone could be very different from what you imagine.</p> <p>Raising awareness about how AI can be used to deceive people is necessary: we&#8217;ve <a href="https://www.malwarebytes.com/blog/news/2024/01/ai-used-to-fake-voices-of-loved-ones-in-ive-been-in-an-accident-scams">reported</a> on how scammers have used AI to fake the voices of loved ones in an “I’ve been in an accident” scam, to warn others about it.</p> <p>Virgin Media O2 research found that 67% of Brits are concerned about being the target of fraud and 22% experience a fraud attempt every single week. The <a href="https://www.ftc.gov/news-events/news/press-releases/2024/02/nationwide-fraud-losses-top-10-billion-2023-ftc-steps-efforts-protect-public" target="_blank" rel="noreferrer noopener nofollow">Federal Trade Commission (FTC)</a> received fraud reports from 2.6 million consumers in 2023, with imposter scams the most commonly reported fraud category.</p> <p>The criminals often pretend to work for your bank or a delivery company that needs a payment before they can deliver a package, with the end goal of the victim disclosing their banking details.</p> <p>It’s too bad that Daisy can’t intercept the calls from the scammers. 
For now, the scammers will have to call one of the phone numbers that Daisy answers, which have cleverly been circulated on contact lists known to be used by scammers.</p> <p>If you&#8217;d like to hear Daisy in action, here is a <a href="https://youtu.be/RV_SdCfZ-0s" target="_blank" rel="noreferrer noopener nofollow">video</a> with some actual audio.</p> <p>Daisy was set up with the help of one of YouTube’s best-known scam baiters, <a href="https://www.youtube.com/JimBrowning" target="_blank" rel="noreferrer noopener nofollow">Jim Browning</a>. Behind the scenes there are several people who enjoy being real-life time wasters, but they can only occupy so many scammers because their own time is limited.</p> <p>We asked Tammy Stewart, one of Malwarebytes’ researchers, who has made it a hobby to waste the time of phishers herself, and she was enthusiastic about the idea of having a “Daisy.” In fact, she’d like to have several and she thinks they could be very effective.</p> <hr class="wp-block-separator alignfull has-alpha-channel-opacity is-style-wide" /> <p><strong>We don’t just report on phone security—we provide it</strong></p> <p>Cybersecurity risks should never spread beyond a headline. 
Keep threats off your mobile devices by <a href="https://www.malwarebytes.com/ios">downloading Malwarebytes for iOS</a> and <a href="https://www.malwarebytes.com/android">Malwarebytes for Android</a> today.</p> ]]></content:encoded> <link>https://www.malwarebytes.com/blog/news/2024/11/ai-granny-daisy-takes-up-scammers-time-so-they-cant-bother-you</link> <pubDate>Wed, 20 Nov 2024 09:31:55 GMT</pubDate> <guid>https://www.malwarebytes.com/blog/news/2024/11/ai-granny-daisy-takes-up-scammers-time-so-they-cant-bother-you</guid> </item> <item> <title><![CDATA[ Free AI editor lures in victims, installs information stealer instead on Windows and Mac ]]></title> <description><![CDATA[ A widespread social media campaign for EditProAI turns out to spread information stealers for both Windows and macOS users. ]]></description> <category>Apple</category> <category>News</category> <category>Threats</category> <category><![CDATA[ amos ]]></category> <category><![CDATA[ Atomic stealer ]]></category> <category><![CDATA[ EditProAI ]]></category> <category><![CDATA[ information stealers ]]></category> <category><![CDATA[ lumma ]]></category> <content:encoded><![CDATA[ <p>A large social media campaign was launched to promote a free Artificial Intelligence (AI) video editor. If the &#8220;free&#8221; part of that campaign sounds too good to be true, then that&#8217;s because it was.</p> <p>Instead of the video editor, users got information-stealing malware. 
Lumma Stealer was installed on Windows machines and Atomic Stealer (AMOS) on Macs.</p> <p>The campaign to promote the AI video editor was active on several social media platforms, like X, Facebook, and YouTube&#8230;</p> <figure class="wp-block-image aligncenter size-full"><img loading="lazy" width="420" height="271" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/Facebook_campaign.png" alt="Facebook post promising AI Video Magic in EditProAI" class="wp-image-122045" /></figure> <p>&#8230;and had been active for quite a while, as you can see from this tweet.</p> <figure class="wp-block-image aligncenter size-full"><img loading="lazy" width="606" height="871" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/X_campaign.png" alt="Tweet by EditProAi dated September 4" class="wp-image-122046" /></figure> <p>The criminals seem to have used a lot of accounts to promote their “product”, as you can see from this search on X.</p> <figure class="wp-block-image aligncenter size-full"><img loading="lazy" width="252" height="401" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/X_accounts.png" alt="List of X accounts all promoting EditProAI" class="wp-image-122047" /></figure> <p>Some accounts were expressly created for this purpose, while others look like they may have been compromised accounts.</p> <figure class="wp-block-image aligncenter size-full"><img loading="lazy" width="552" height="693" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/YouTube_campaign.png" alt="YouTube video promoting EditProAI" class="wp-image-122048" /></figure> <p>The campaign looks well organized and so legitimate that it took quite a while before a researcher found out and tweeted about the threat.</p> <figure class="wp-block-image aligncenter size-full"><a href="https://x.com/g0njxa/status/1857485682299519034"><img loading="lazy" width="739" height="402" 
src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/gonjxa_tweet.png" alt="Warning Tweet by g0njxa" class="wp-image-122049" /></a></figure> <p>When interested individuals follow the links, they’ll end up on a professional looking website—exactly what you would expect.</p> <figure class="wp-block-image aligncenter size-full"><img loading="lazy" width="831" height="575" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/website.png" alt="EditProAI website" class="wp-image-122050" /></figure> <p>But if they click the “GET NOW” button, they&#8217;ll download the information stealer and infect their device. The file is called &#8220;Edit-ProAI-Setup-newest_release.exe&#8221; for Windows, and &#8220;EditProAi_v.4.36.dmg&#8221; for macOS.</p> <p>Lumma is available through a Malware-as-a-Service (MaaS) model, where cybercriminals pay other cybercriminals for access to malicious software and its related infrastructure. Lumma steals information from cryptocurrency wallets and browser extensions, as well as two-factor authentication details. Lumma is often distributed via email campaigns, but nothing stops the cybercriminals from spreading it as a download for an AI editor, as they did here.</p> <p>AMOS makes money for its operators by finding and stealing valuable information on the computers it infects, such as credit card details, authentication cookies, passwords and cryptocurrency. Besides stealing data from the web browsers themselves, AMOS can also steal data from browser extensions (plugins).</p> <h2 class="wp-block-heading" id="h-what-if-you-installed-one-of-these">What if you installed one of these?</h2> <p>Both stealers are after login credentials and financial information, so there are a few things you’ll need to do.</p> <ul> <li>Monitor your accounts. 
Banking and cryptocurrency information is a prime target for these information stealers, so check your accounts and monitor them closely.</li> <li>Change all your passwords starting with the important ones, and if you’re not using a password manager already, now might be a good time to get one. It can help you create and store strong passwords.</li> <li>Enable <a href="https://www.malwarebytes.com/glossary/multi-factor-authentication-mfa">multi-factor-authentication (MFA)</a> on all your important accounts.</li> <li>Log out of all your important accounts on infected devices. These information stealers are capable of <a href="https://www.malwarebytes.com/blog/news/2024/11/warning-hackers-could-take-over-your-email-account-by-stealing-cookies-even-if-you-have-mfa">taking over some accounts by stealing cookies</a>, even if you have MFA enabled.</li> </ul> <p><a href="https://www.malwarebytes.com/solutions/free-antivirus">Malwarebytes for Windows</a> and <a href="https://www.malwarebytes.com/mac">Malwarebytes for Mac</a> can detect the information stealers, and they block the EditProAI websites.</p> ]]></content:encoded> <link>https://www.malwarebytes.com/blog/news/2024/11/free-ai-editor-lures-in-victims-installs-information-stealer-instead-on-windows-and-mac</link> <pubDate>Tue, 19 Nov 2024 14:51:08 GMT</pubDate> <guid>https://www.malwarebytes.com/blog/news/2024/11/free-ai-editor-lures-in-victims-installs-information-stealer-instead-on-windows-and-mac</guid> </item> <item> <title><![CDATA[ AI is everywhere, and Boomers don’t trust it  ]]></title> <description><![CDATA[ ChatGPT, Google Gemini, and Meta AI may be everywhere, but Baby Boomers don't trust the tech or the companies behind it. 
]]></description> <category>News</category> <category>Privacy</category> <category><![CDATA[ AI ]]></category> <category><![CDATA[ artificial intelligence ]]></category> <category><![CDATA[ ChatGPT ]]></category> <category><![CDATA[ Claude ]]></category> <category><![CDATA[ Gemini ]]></category> <category><![CDATA[ Generative AI ]]></category> <category><![CDATA[ Google ]]></category> <category><![CDATA[ Meta AI ]]></category> <content:encoded><![CDATA[ <p>Artificial intelligence tools like ChatGPT, Claude, Google Gemini, and Meta AI represent a stronger threat to data privacy than the social media juggernauts that cemented themselves in the past two decades, according to new research on the sentiments of older individuals from Malwarebytes.&nbsp;&nbsp;</p> <p>A combined 54% of people between the ages of 60 and 78 told Malwarebytes that they “agree” or “strongly agree” that ChatGPT and similar generative AI tools “are more of a threat than social media platforms (e.g., Facebook, Twitter/X, etc.) concerning personal data misuse.” And an even larger share of 82% said they “agree” or “strongly agree” that they are “concerned with the security and privacy of my personal data and those I interact with when using AI tools.”&nbsp;&nbsp;</p> <p>The findings arrive at an important time for consumers, as AI developers increasingly integrate their tools into everyday online life—from Meta suggesting that users lean on AI to write direct messages on Instagram to Google forcing users by default to receive “Gemini” results for basic searches. With little choice in the matter, consumers are responding with robust pushback.&nbsp;&nbsp;</p> <p>For this research, Malwarebytes conducted a pulse survey of its newsletter readers in October via the Alchemer Survey Platform. In total, 851 people across the globe responded. 
Malwarebytes then focused its analysis on survey participants who belong to the Baby Boomer generation.&nbsp;&nbsp;</p> <p>Malwarebytes found that:&nbsp;&nbsp;</p> <ul> <li>35% of Baby Boomers said they know “just the names” of some of the largest generative AI products, such as ChatGPT, Google Gemini, and Meta AI.&nbsp;&nbsp;</li> </ul> <ul> <li>71% of Baby Boomers said they have “never used” any generative AI tools—a seeming impossibility as Google search results, by default, now provide “AI overviews” powered by the company’s Gemini product.&nbsp;</li> </ul> <ul> <li>Only 12% of Baby Boomers believe that “generative AI tools are good for society.”&nbsp;&nbsp;</li> </ul> <ul> <li>More than 80% of Baby Boomers said that they worry about generative AI tools both improperly accessing their data and misusing their personal information. &nbsp;</li> </ul> <ul> <li>While more than 50% of Baby Boomers said they would feel more secure in using generative AI tools if the companies behind them provided regular security audits, a full 23% were unmoved by proposals in transparency or government regulation.&nbsp;</li> </ul> <h2 class="wp-block-heading" id="h-distrust-concern-and-unfamiliarity-with-ai-nbsp-nbsp"><strong>Distrust, concern, and unfamiliarity with AI&nbsp;</strong>&nbsp;</h2> <p>Since San Francisco-based AI developer OpenAI released ChatGPT two years ago to the public, “generative” artificial intelligence has spread into nearly every corner of online life.&nbsp;&nbsp;</p> <p>Countless companies have integrated the technology into their customer support services with the help of AI-powered chatbots (which caused a problem for one California car dealer when its own AI chat bot promised to <a href="https://futurism.com/the-byte/car-dealership-ai" target="_blank" rel="noreferrer noopener">sell a customer a 2024 Chevy Tahoe for just $1</a>). 
Emotional support and mental health providers have toyed with having their clients speak directly with AI chatbots when experiencing a crisis (<a href="https://open.spotify.com/episode/5jN7VULIZiLroWDkEEytv2?autoplay=true" target="_blank" rel="noreferrer noopener">to middling results</a>). Audio production companies now advertise features to generate spoken text based off samples of recorded podcasts, art-sharing platforms regularly face scandals of AI-generated “<a href="https://www.newyorker.com/culture/infinite-scroll/is-ai-art-stealing-from-artists" target="_blank" rel="noreferrer noopener">stolen</a>” work, and even <a href="https://open.spotify.com/episode/4Ly0nxnsnxbkIrkRYFJOPc" target="_blank" rel="noreferrer noopener">AI “girlfriends”</a>—and their scantily-clad, AI-generated avatars—are on offer today.&nbsp;&nbsp;</p> <p>The public are unconvinced.&nbsp;&nbsp;</p> <p>According to Malwarebytes’ research, Baby Boomers do not trust generative AI, the companies making it, or the tools that implement it.&nbsp;&nbsp;</p> <p>A full 75% of Baby Boomers said they “agree” or “strongly agree” that they are “fearful of what the future will bring with AI.” Those sentiments are reflected in the 47% of Baby Boomers who said they “disagree” or “strongly disagree” that “generative AI tools are good for society.”&nbsp;&nbsp;</p> <p>In particular, Baby Boomers shared a broad concern over how these tools—and the developers behind them—collect and use their data.&nbsp;&nbsp;</p> <p>More than 80% of Baby Boomers agreed that they held the following concerns about generative AI tools:&nbsp;</p> <ul> <li>My data being accessed without my permission (86%)&nbsp;</li> </ul> <ul> <li>My personal information being misused (85%)&nbsp;</li> </ul> <ul> <li>Not having control over my data (84%)&nbsp;</li> </ul> <ul> <li>A lack of transparency into how my data is being used (84%)&nbsp;</li> </ul> <p>The impact on behavior here is immediate, as 71% of Baby Boomers said they “refrain from 
including certain data/information (e.g., names, metrics) when using generative AI tools due to concerns over security or privacy.” &nbsp;</p> <p>The companies behind these AI tools also have yet to win over Baby Boomers, as 87% said they “disagree” or “strongly disagree” that they “trust generative AI companies to be transparent about potential biases in their systems.”&nbsp;</p> <p>Perhaps this nearly uniform distrust in generative AI—in the technology itself, in its implementation, and in its developers—is at the root of a broad disinterest from Baby Boomers. An enormous share of this population, at 71%, said they had never used these tools before.&nbsp;&nbsp;</p> <p>The statistic is difficult to believe, primarily because Google began powering everyday search requests with its own AI tool back in May 2024. Now, when users ask a simple question on Google, they will receive an “AI overview” at the top of their results. This functionality is <a href="https://blog.google/products/search/generative-ai-google-search-may-2024/" target="_blank" rel="noreferrer noopener">powered by Gemini</a>—Google’s own tool that, much like ChatGPT, can generate images, answer questions, fine-tune recipes, and deliver workout routines.&nbsp;&nbsp;</p> <p>Whether or not users know about this, and whether they consider this “using” generative AI, is unclear. 
What is clear, however, is that a generative AI tool created by one of the largest companies in the world is being pushed into the daily workstreams of a population that is unconvinced, uncomfortable, and unsold on the entire experiment.&nbsp;&nbsp;</p> <h2 class="wp-block-heading" id="h-few-paths-to-improvement-nbsp-nbsp"><strong>Few paths to improvement&nbsp;</strong>&nbsp;</h2> <p>Coupled with the high levels of distrust that Baby Boomers have for generative AI are widespread feelings that many corrective measures would have little impact.&nbsp;&nbsp;</p> <p>Baby Boomers were asked about a variety of restrictions, regulations, and external controls that would make them “feel more secure about using generative AI tools,” but few of those controls gained mass approval.&nbsp;&nbsp;</p> <p>For instance, “detailed reports on how data is stored and used” only gained the interest of 44% of Baby Boomers, and “government regulation” ranked even lower, with just 35% of survey participants. “Regular security audits by third parties” and “clear information on what data is collected” piqued the interest of 52% and 53% of Baby Boomers, respectively, but perhaps the most revealing answers came from the suggestions that the survey participants wrote in themselves.&nbsp;&nbsp;</p> <p>Several participants specifically asked for the ability to delete any personal data ingested by the AI tools, and other participants tied their distrust to today’s model of online corporate success, believing that any large company will collect and sell their data to stay afloat.&nbsp;</p> <p>But frequently, participants also said they could not be swayed at all to use generative AI. As one respondent wrote: &nbsp;</p> <p>“There is nothing that would make me comfortable with it.”&nbsp;&nbsp;&nbsp;&nbsp;</p> <p>Whether Baby Boomers represent a desirable customer segment for AI developers is unknown, but for many survey participants, that likely doesn’t matter. 
It’s already too late.&nbsp;</p> ]]></content:encoded> <link>https://www.malwarebytes.com/blog/news/2024/11/ai-is-everywhere-and-boomers-dont-trust-it</link> <pubDate>Tue, 19 Nov 2024 13:54:12 GMT</pubDate> <guid>https://www.malwarebytes.com/blog/news/2024/11/ai-is-everywhere-and-boomers-dont-trust-it</guid> </item> <item> <title><![CDATA[ An air fryer, a ring, and a vacuum get brought into a home. What they take out is your data (Lock and Code S05E24) ]]></title> <description><![CDATA[ This week on the Lock and Code podcast, we tell three stories about air fryers, smart rings, and vacuums that want your data. ]]></description> <category>Podcast</category> <category>Uncategorized</category> <category><![CDATA[ air fryers ]]></category> <category><![CDATA[ Internet of Things ]]></category> <category><![CDATA[ Roomba ]]></category> <category><![CDATA[ smart ring ]]></category> <category><![CDATA[ vacuum ]]></category> <content:encoded><![CDATA[ <p><em>This week on the Lock and Code podcast…</em></p> <p>This month, a consumer rights group out of the UK posed a question to the public that they’d likely never considered: <a href="https://www.malwarebytes.com/blog/news/2024/11/air-fryers-are-the-latest-surveillance-threat-you-didnt-consider">Were their air fryers spying on them?</a></p> <p>By analyzing the associated Android apps for three separate air fryer models from three different companies, a group of researchers learned that these kitchen devices didn’t just promise to make crispier mozzarella sticks, crunchier chicken wings, and flakier reheated pastries—they also wanted a lot of user data, from precise location to voice recordings from a user’s phone.</p> <p>“In the air fryer category, as well as knowing customers’ precise location, all three products wanted permission to record audio on the user’s phone, for no specified reason,” the group wrote in its findings.</p> <p>While it may be easy to discount the data collection requests of an air fryer <em>app</em>, it 
is getting harder to buy any type of product today that doesn’t connect to the internet, request your data, or share that data with unknown companies and contractors across the world.</p> <p>Today, on the Lock and Code podcast, host David Ruiz tells three separate stories about consumer devices that somewhat invisibly collected user data and then spread it in unexpected ways. This includes kitchen utilities that sent data to China, a smart ring maker that published de-identified, aggregate data about the stress levels of its users, and a smart vacuum that recorded a sensitive image of a woman that was later shared on Facebook.</p> <p>These stories aren’t about mass government surveillance, and they’re not about spying, or the targeting of political dissidents. Their intrigue is elsewhere, in how common it is for what we say, where we go, and how we feel, to be collected and analyzed in ways we never anticipated.</p> <p>Tune in today to listen to the full conversation.</p> <p><em>Show notes and credits:</em></p> <p>Intro Music: “Spellbound” by Kevin MacLeod (<a href="http://incompetech.com/" target="_blank" rel="noreferrer noopener">incompetech.com</a>)<br>Licensed under Creative Commons: By Attribution 4.0 License<br><a href="http://creativecommons.org/licenses/by/4.0/" target="_blank" rel="noreferrer noopener">http://creativecommons.org/licenses/by/4.0/</a><br>Outro Music: “Good God” by Wowa (unminus.com)</p> <hr class="wp-block-separator has-alpha-channel-opacity is-style-wide" /> <p><strong>Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.</strong></p> <p>Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our&nbsp;<a href="https://try.malwarebytes.com/lockandcode/">exclusive offer for 
Malwarebytes Premium for Lock and Code listeners</a>.</p> ]]></content:encoded> <link>https://www.malwarebytes.com/blog/uncategorized/2024/11/an-air-fryer-a-ring-and-a-vacuum-get-brought-into-a-home-what-they-take-out-is-your-data-lock-and-code-s05e24</link> <pubDate>Mon, 18 Nov 2024 16:53:19 GMT</pubDate> <guid>https://www.malwarebytes.com/blog/uncategorized/2024/11/an-air-fryer-a-ring-and-a-vacuum-get-brought-into-a-home-what-they-take-out-is-your-data-lock-and-code-s05e24</guid> </item> <item> <title><![CDATA[ QuickBooks popup scam still being delivered via Google ads ]]></title> <description><![CDATA[ When trying to download QuickBooks via a Google search, users may visit the wrong site and get an installer containing malware. ]]></description> <category>Scams</category> <category><![CDATA[ ads ]]></category> <category><![CDATA[ intuit ]]></category> <category><![CDATA[ malvertising ]]></category> <category><![CDATA[ quickbooks ]]></category> <category><![CDATA[ scams ]]></category> <content:encoded><![CDATA[ <p>Accounting software <a href="https://quickbooks.intuit.com/">QuickBooks</a>, by Intuit, is a popular target for India-based scammers, only rivaled for top spot by the classic Microsoft tech support scams.</p> <p>We&#8217;ve seen two main lures, both via Google ads: the first one is simply a website promoting online support for QuickBooks and shows a phone number, while the latter requires victims to download and install a program that will generate a popup, also showing a phone number. In both instances, that number is fraudulent.</p> <p>The fake QuickBooks popup was previously <a href="https://www.esentire.com/blog/threat-actors-using-fake-quickbooks-software-to-scam-organizations">described</a> in detail by eSentire and reveals how scammers are able to hijack the software functionality by generating bogus alert messages.</p> <p>We ran into an active malvertising campaign recently, indicating that this scheme is still very much alive and well. 
In this blog post, we review how QuickBooks users that downloaded the program from a malicious ad will be plagued with a popup generated at certain intervals, instilling fear that their data may be corrupt so that they call for assistance.</p> <h2 class="wp-block-heading" id="h-fake-quickbooks-download">Fake QuickBooks download</h2> <p>When searching for &#8216;<em>quickbooks download</em>&#8217; on Google, we see a sponsored result appear at the top. This ad promotes a website where users can supposedly download the latest version of QuickBooks.</p> <figure class="wp-block-image aligncenter size-large"><a href="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/image_999f87.png"><img loading="lazy" width="1359" height="403" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/image_999f87.png?w=1024" alt="" class="wp-image-122073" /></a></figure> <p>Here is the website, showing the official logo and even a &#8220;Solution Provider&#8221; seal of approval:</p> <figure class="wp-block-image aligncenter size-large"><a href="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/image_f923af.png"><img loading="lazy" width="1420" height="1364" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/image_f923af.png?w=1024" alt="" class="wp-image-122059" /></a></figure> <p>One thing that may alert users is that the download is hosted on Dropbox:</p> <pre class="wp-block-preformatted">https://www.dropbox.com/scl/fi/ybket868cp7nx5dhj11cu/<strong>QuickBooks_Installer.msi</strong>?rlkey=gp1t0siqr2j089vhgysn4nm33&amp;st=4ajnlxze&amp;dl=1</pre> <h2 class="wp-block-heading" id="h-the-form-zeform">The form (zeform)</h2> <p>This installer serves two purposes: one is to download the real QuickBooks program from Intuit&#8217;s website, and the other is to surreptitiously install a sort of backdoor, &#8220;<em>zeform.exe</em>&#8221;. 
This simple binary was designed to integrate with QuickBooks in such a way that it can generate a fake error message, as seen below:</p> <figure class="wp-block-image aligncenter size-large"><a href="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/image_10bd90.png"><img loading="lazy" width="1276" height="1192" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/image_10bd90.png?w=1024" alt="" class="wp-image-122081" /></a></figure> <p>This type of error may be alarming to people who have spent hours loading data into QuickBooks and aren&#8217;t aware that this popup, although appearing to come from QuickBooks itself, is in fact totally made up.</p> <p>The application that creates it is a program written in Microsoft .NET, which contains two important methods that control when and how the popup appears:</p> <ul> <li><em>MonitorAndShowForm(),</em> which calls <em>CalculateNextDisplayDate</em> and is incremented on week days</li> <li><em>CheckTimeWindow() </em>to make sure it is a weekday and within a certain time window</li> </ul> <figure class="wp-block-image aligncenter size-large"><a href="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/image_044662.png"><img loading="lazy" width="1153" height="599" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/image_044662.png?w=1024" alt="" class="wp-image-122082" /></a></figure> <p>The text content (fake instructions) can also be seen here, encoded in Base64 presumably to avoid detection from antivirus software:</p> <figure class="wp-block-image aligncenter size-full"><a href="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/image_8f9d7b.png"><img loading="lazy" width="921" height="529" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/image_8f9d7b.png" alt="" class="wp-image-122083" /></a></figure> <h2 class="wp-block-heading" id="h-conclusion">Conclusion</h2> <p>This clever scheme has been going for some time now and 
every now and again we see some people <a href="https://www.reddit.com/r/QuickBooks/comments/1dldo3e/download_scam_on_google/">reporting</a> it online, seemingly always via Google ads.</p> <p>Scammers will usually ask their victims to download a program to remotely access their computer so that they can take a look at the issue and fix it. This is always dangerous and you should be extremely cautious if you&#8217;ve already let someone access your computer.</p> <p>In addition to demanding to be paid to fix nonexistent problems, scammers may also install malware that will give them continued access or even the ability to steal users&#8217; passwords.</p> <h2 class="wp-block-heading" id="h-acknowledgments">Acknowledgments</h2> <p><em>We would like to thank Joe Desimone from Elastic Security for taking a look at the malicious executable and Squiblydoo for checking on the Microsoft certificate used to sign the fraudulent popup executable.</em></p> <hr class="wp-block-separator has-text-color has-cyan-bluish-gray-color has-alpha-channel-opacity has-cyan-bluish-gray-background-color has-background is-style-wide" /> <p><strong>We don’t just report on threats—we remove them</strong></p> <p>Cybersecurity risks should never spread beyond a headline. 
Keep threats off your devices by&nbsp;<a href="https://www.malwarebytes.com/for-home">downloading Malwarebytes today</a>.</p> <h2 class="wp-block-heading" id="h-indicators-of-compromise">Indicators of Compromise</h2> <pre class="wp-block-preformatted">bizzgrowthinc[.]com</pre> <pre class="wp-block-preformatted">QuickBooks_Installer.msi<br>9e0b46194dc1c034422700b02c6aca01290d144735e48c4a83eea34773be5f52</pre> <pre class="wp-block-preformatted">zeform.exe<br>0c3f5f7bed8efbb6b1de3e804d22397a8bdf442b83962444970855fc9606c9f5</pre> ]]></content:encoded> <link>https://www.malwarebytes.com/blog/scams/2024/11/quickbooks-popup-scam-still-being-delivered-via-google-ads</link> <pubDate>Mon, 18 Nov 2024 16:00:47 GMT</pubDate> <guid>https://www.malwarebytes.com/blog/scams/2024/11/quickbooks-popup-scam-still-being-delivered-via-google-ads</guid> </item> <item> <title><![CDATA[ A week in security (November 11 &#8211; November 17) ]]></title> <description><![CDATA[ A list of topics we covered in the week of November 11 to November 17 of 2024 ]]></description> <category>News</category> <category><![CDATA[ DNA testing ]]></category> <category><![CDATA[ QR codes ]]></category> <category><![CDATA[ temu ]]></category> <content:encoded><![CDATA[ <p>Last week on Malwarebytes Labs:</p> <ul> <li><a href="/blog/news/2024/11/malicious-qr-codes-sent-in-the-mail-deliver-malware">Malicious QR codes sent in the mail deliver malware</a></li> <li><a href="/blog/news/2024/11/122-million-peoples-business-contact-info-leaked-by-data-broker">122 million people’s business contact info leaked by data broker</a></li> <li><a href="/blog/news/2024/11/advertisers-are-pushing-ad-and-pop-up-blockers-using-old-tricks">Advertisers are pushing ad and pop-up blockers using old tricks</a></li> <li><a href="/blog/news/2024/11/scammer-robs-homebuyers-of-life-savings-in-20-million-theft-spree">Scammer robs homebuyers of life savings in $20 million theft spree</a></li> <li><a 
href="/blog/news/2024/11/temu-must-respect-consumer-protection-laws-says-eu">Temu must respect consumer protection laws, says EU</a></li> <li><a href="/blog/news/2024/11/warning-online-shopping-threats-to-avoid-this-black-friday-and-cyber-monday">Warning: Online shopping threats to avoid this Black Friday and Cyber Monday</a></li> <li><a href="/blog/news/2024/11/dna-testing-company-vanishes-along-with-its-customers-genetic-data">DNA testing company vanishes along with its customers’ genetic data</a></li> </ul> <p>Last week on ThreatDown:</p> <ul> <li><a href="https://www.threatdown.com/blog/update-now-november-patch-tuesday-tackles-4-zero-days-two-actively-exploited/">Update now! November Patch Tuesday tackles 4 zero-days, two actively exploited</a></li> <li><a href="https://www.threatdown.com/blog/zero-day-vulnerabilities">Zero-day vulnerabilities: Everything you need to know</a></li> </ul> <p>Stay safe!</p> <hr class="wp-block-separator has-text-color has-cyan-bluish-gray-color has-alpha-channel-opacity has-cyan-bluish-gray-background-color has-background is-style-wide" /> <p>Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? 
Get a free trial below.</p> <div class="wp-block-malware-bytes-button mb-button" id="mb-button-371336e6-815b-4134-8818-f944dbc308bb"><div class="mb-button__row u-justify-content-center"><div class="mb-button__item mb-button-item-0"><p class="btn-main"><a href="https://www.malwarebytes.com/business/contact-us/">TRY NOW</a></p></div></div></div> ]]></content:encoded> <link>https://www.malwarebytes.com/blog/news/2024/11/a-week-in-security-november-11-november-17</link> <pubDate>Mon, 18 Nov 2024 08:12:58 GMT</pubDate> <guid>https://www.malwarebytes.com/blog/news/2024/11/a-week-in-security-november-11-november-17</guid> </item> <item> <title><![CDATA[ Malicious QR codes sent in the mail deliver malware ]]></title> <description><![CDATA[ A QR code in a physical letter is a method of spreading malware that may find its way to your mailbox too. ]]></description> <category>Android</category> <category>News</category> <category>Threats</category> <category><![CDATA[ Coper ]]></category> <category><![CDATA[ Octo2 ]]></category> <category><![CDATA[ QR codes ]]></category> <category><![CDATA[ snail mail ]]></category> <content:encoded><![CDATA[ <p>Physical letters that contain a <a href="https://www.malwarebytes.com/cybersecurity/basics/what-is-a-qr-code">QR code</a> to trick people into downloading malware are being sent through the mail, according to a <a href="https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2024/2024-meteosuisse.html" target="_blank" rel="noreferrer noopener nofollow">warning</a> issued by The Swiss National Cyber Security Centre (NCSC).</p> <p>The letters are sent as if they come from the official Swiss Federal Office of Meteorology and Climatology (MeteoSwiss) and they urge the recipient to install a new “severe weather app.”</p> <p>This app, however, does not exist, and the letters do not come from MeteoSwiss either.</p> <p>Scanning the QR code in the malicious letters leads to a banking Trojan known as Coper, but also referred to as Octo2. 
Coper is a Malware-as-a-Service which “customers” can spread as they see fit, but they pay for the use of the malicious software and the underlying infrastructure. These customers are running campaigns targeting Europe, the US, Canada, the Middle East, Singapore, and Australia.</p> <p>Coper is a sophisticated banking Trojan that has several advanced features:</p> <ul> <li>Device Takeover (DTO) capabilities for remote control</li> <li>Advanced obfuscation techniques to avoid detection</li> <li><a href="https://www.malwarebytes.com/blog/news/2024/06/explained-android-overlays-and-how-they-are-used-to-trick-people">Overlay attacks</a> aimed at credential theft</li> </ul> <p>The fake &#8220;meteorology app&#8221; for this malware campaign is disguised under the name “AlertSwiss” when installed on Android devices, but Coper cybercriminals can customize these names for all other campaigns. That adaptability makes for a more convincing lure depending on which country or region is being targeted. For instance, &#8220;AlertSwiss&#8221; is a clear attempt to fake the name of an official app from the Federal Office for Civil Protection which is used by federal and cantonal agencies to inform, warn, and alert the population. That real app&#8217;s name is &#8220;Alertswiss&#8221; (note the tiny difference).</p> <p>Using QR codes in snail mail offers the criminals a few advantages. People may not expect to end up with their device infected by something as non-technical as a physical letter. And QR codes are typically read by mobile devices, which—unfortunately—still get overlooked when it comes to installing security software.</p> <p>QR codes are becoming more common, especially after the COVID-19 pandemic which pushed many restaurants into using digital menus instead of physical menus that are shared between customers (in the earliest days of COVID lockdowns, science was still emerging on the risk levels of touching shared objects). 
Because of so much change in the past few years, seeing a QR code in a letter from an official institution does not trigger any alarm bells anymore.</p> <p>Many Android users suffer from a “patch gap”, or are even using Android versions that are no longer supported and so will never receive another security update. One of the main causes of a patch gap is the time it takes for a fix for a known vulnerability to trickle down from the software vendor to individual device manufacturers, which then need to make it available to their users.</p> <h2 class="wp-block-heading" id="h-security-advice">Security advice</h2> <ul> <li>Keeping your device up to date protects you from known vulnerabilities and helps you to stay safe.</li> </ul> <p>We have found that many users have no idea whether their devices are still receiving updates. You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for them yourself.</p> <p>For most phones it works like this: Under&nbsp;<strong>About phone</strong>&nbsp;or&nbsp;<strong>About device</strong>&nbsp;you can tap on&nbsp;<strong>Software updates</strong>&nbsp;to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.</p> <ul> <li>Scan a QR code with the same security mindset as clicking a link</li> </ul> <p>If you scan a QR code, make sure to use an app that shows you the full URL and asks you first before it visits the URL encoded in the QR code. If you do not trust the URL, don’t allow your device to open the link and, if necessary, research to find another, more trustworthy, way to get the information or download you want. Modern Android devices (version 8 and above) have a native QR code scanning capability built into the camera app. 
Some QR code scanner apps may have a feature that automatically executes actions like opening a website or downloading a file. Disable such features.</p> <ul> <li>Use anti-malware protection on your devices</li> </ul> <p>Your mobile devices are in need of protection just as much as your computer. Malwarebytes offers customers <a href="https://www.malwarebytes.com/android">Malwarebytes for Android</a> and <a href="https://www.malwarebytes.com/ios">Malwarebytes for iOS</a>. Malwarebytes detects Coper as Android/Trojan.Banker.Ink.a.</p> ]]></content:encoded> <link>https://www.malwarebytes.com/blog/news/2024/11/malicious-qr-codes-sent-in-the-mail-deliver-malware</link> <pubDate>Fri, 15 Nov 2024 16:25:51 GMT</pubDate> <guid>https://www.malwarebytes.com/blog/news/2024/11/malicious-qr-codes-sent-in-the-mail-deliver-malware</guid> </item> <item> <title><![CDATA[ 122 million people&#8217;s business contact info leaked by data broker ]]></title> <description><![CDATA[ A data broker has confirmed a business contact information database containing 132.8 million records has been leaked online. 
]]></description> <category>News</category> <category>Privacy</category> <category><![CDATA[ DemandScience ]]></category> <category><![CDATA[ data broker ]]></category> <category><![CDATA[ Pure Incubation ]]></category> <content:encoded><![CDATA[ <p>A data broker has confirmed a business contact information database containing 132.8 million records has been leaked online.</p> <p>In February 2024, a cybercriminal offered the records for sale on a data breach forum, claiming the information came from pureincubation[.]com.</p> <figure class="wp-block-image aligncenter size-large"><img loading="lazy" width="1255" height="759" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/KryptonZombie.jpg?w=1024" alt="Cybercriminal offering to sell Pure Incubation data" class="wp-image-121458" /></figure> <p>Pure Incubation was founded in 2012, and the company later rebranded to DemandScience. DemandScience <a href="https://www.globenewswire.com/news-release/2024/09/03/2939749/0/en/DemandScience-One-of-Only-107-Companies-in-History-to-Be-Named-to-the-Inc-5000-Eleven-Times.html">describes itself</a> as &#8220;a leading global B2B demand generation company accelerating global growth for clients.&#8221;</p> <p>DemandScience says it specializes in lead generation, content marketing, and software development, offering data intelligence and marketing solutions for B2B organizations. 
That&#8217;s a mouthful to describe a <a href="https://www.malwarebytes.com/cybersecurity/basics/data-brokers">data broker</a> that specializes in selling aggregated public data that other companies can use in their marketing campaigns.</p> <p>When contacted by <a href="https://www.bleepingcomputer.com/news/security/leaked-info-of-122-million-linked-to-b2b-data-aggregator-breach/">BleepingComputer</a> about the leak, DemandScience responded by email:</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"> <p>&#8220;Regarding the matter referenced in your email, we have conducted a thorough internal investigation and conclude that none of our current operational systems were exploited. We also conclude that the leaked data originated from a system that has been decommissioned for approximately two years.&#8221;</p> </blockquote> <p>It might not be a current system, but a third-party count of the data still showed around 122 million unique business email addresses. Although at some point, once we have all switched jobs, it will become worthless. Maybe that’s why the cybercriminals offered to sell it for $6,000.</p> <p>That the company left a decommissioned system online for a criminal to find and plunder should be grounds for a hefty fine.</p> <p>Despite DemandScience playing it down, the data is valuable. How else is it making money by gathering it from public records?</p> <h2 class="wp-block-heading" id="h-what-can-you-do">What can you do?</h2> <p>Any business that meets the definition of data broker must register with the California Privacy Protection Agency (CPPA) annually. 
The CPPA defines data brokers as businesses that consumers don’t directly interact with, but that buy and sell information about consumers from and to other businesses.</p> <p>This is good news, because it offers Californians a sort of opt-out opportunity by filling out this form: <a href="https://demandscience.com/privacy-policy-ccpa/">https://demandscience.com/privacy-policy-ccpa/</a></p> <p>You can check whether your email address was included in this data breach by using Malwarebytes’ free Digital Footprint scan. Fill in the email address you’re curious about and we’ll give you a free report.</p> <div class="wp-block-malware-bytes-button mb-button" id="mb-button-7ba16f0b-04e8-4679-9512-2f21a0971dcf"><div class="mb-button__row u-justify-content-center"><div class="mb-button__item mb-button-item-0"><p class="btn-main"><a href="https://www.malwarebytes.com/digital-footprint">SCAN NOW</a></p></div></div></div> <p>This leak also shows how important it can be to have your data removed from data broker sites like these.&nbsp;To help you, Malwarebytes offers a <a href="https://www.malwarebytes.com/personal-data-remover">Personal Data Remover service</a> (US only) that can delete your information from search results, spam lists, people search sites, data brokers, and more.</p> ]]></content:encoded> <link>https://www.malwarebytes.com/blog/news/2024/11/122-million-peoples-business-contact-info-leaked-by-data-broker</link> <pubDate>Thu, 14 Nov 2024 22:13:43 GMT</pubDate> <guid>https://www.malwarebytes.com/blog/news/2024/11/122-million-peoples-business-contact-info-leaked-by-data-broker</guid> </item> <item> <title><![CDATA[ Advertisers are pushing ad and pop-up blockers using old tricks ]]></title> <description><![CDATA[ A malvertising campaign using an old school trick was found pushing different 
ad blockers. ]]></description> <category>News</category> <category>Threats</category> <category><![CDATA[ ad blockers ]]></category> <category><![CDATA[ adblocker pro ]]></category> <category><![CDATA[ malvertising ]]></category> <category><![CDATA[ push notifications blocker ]]></category> <content:encoded><![CDATA[ <p>Despite the countermeasures some services are <a href="https://www.malwarebytes.com/blog/news/2023/11/chrome-pushes-forward-with-plans-to-limit-ad-blockers-in-the-future">taking against well-known ad blockers</a>, lots of people now use one. This is no doubt due to increased privacy concerns around online tracking, along with the growing number of ads per site.</p> <p>And where there is money to be made, you’ll find social engineering and affiliates.</p> <p>In a campaign predominantly used on media websites, we found a misleading ad that promised visitors some content they might be interested in.</p> <p>When we followed the link, we ran into one of the oldest tricks in a malvertiser&#8217;s playbook—the website told us we needed something extra in order to be able to view the content.</p> <p>In the olden days, that something extra used to be video codecs or specific video players, but now we&#8217;ll be told we need a browser extension to “continue watching in safe mode.”</p> <figure class="wp-block-image aligncenter size-large"><img loading="lazy" width="1050" height="702" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/10/Stefan.png?w=1024" alt="You need to install the Adblock Pro - Browser Extension to continue watching in safe mode" class="wp-image-119404" /></figure> <p>Following the prompt to install Adblock Pro, we found that the whole trick was set up to promote another blocker called Push Notifications Blocker.</p> <figure class="wp-block-image aligncenter size-large"><img loading="lazy" width="1113" height="727" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/10/push_notifications_blocker.png?w=1024" 
alt="Push Notifications Blocker in the Chrome Web Store" class="wp-image-119418" /></figure> <p>This one is a bit demanding when it comes to the permissions it claims to need. This isn&#8217;t always a reason for alarm (we have to ask for certain permissions to enable <a href="https://www.malwarebytes.com/browserguard">Malwarebytes Browser Guard</a> effectively, for example), but it is something to keep an eye on.</p> <figure class="wp-block-image aligncenter size-full is-resized"><img loading="lazy" width="466" height="292" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/10/permissions2.png" alt="Push Notifications Blocker permissions" class="wp-image-119420" style="width:466px;height:auto" /></figure> <p>The prompt shown below demonstrates what the extension is supposed to do.</p> <figure class="wp-block-image aligncenter size-full"><img loading="lazy" width="357" height="186" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/10/choices.png" alt="Notifications for this site are currently blocked. Do you want to allow them? Allow or Keep Blocking?" class="wp-image-119422" /></figure> <p>The extension provides information about the current status of the website’s notifications permission and gives the user control to change it or keep the current setting.</p> <p>But using this extension soon shows some side effects. The browser becomes extremely slow, and other users have reported redirects happening at unexpected moments, and search results that looked off because they weren’t produced by the intended search engine.</p> <p>A further investigation convinced us that this extension should be classified as adware. 
What puzzled us is that the exact same trick on the same domain was used to promote other Chrome extensions that promised to block ads, and those extensions have earned the trust of many users.</p> <p>To us, this looks like a campaign executed by an affiliate, a company that promotes products or services from another company. If someone buys something through the affiliate&#8217;s efforts, the affiliate earns a commission.</p> <p>Certainly the irony of an ad blocker being promoted in a malvertising campaign was not lost on us.</p> <p>Malwarebytes detects Push Notifications Blocker as Adware.Redirector.</p> <p><a href="https://www.malwarebytes.com/premium">Malwarebytes Premium Security</a> and <a href="https://www.malwarebytes.com/browserguard">Malwarebytes Browser Guard</a> block recommendedchain[.]com.</p> <hr class="wp-block-separator has-text-color has-cyan-bluish-gray-color has-alpha-channel-opacity has-cyan-bluish-gray-background-color has-background is-style-wide" /> <p><strong>We don’t just report on threats—we remove them</strong></p> <p>Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by&nbsp;<a href="https://www.malwarebytes.com/for-home">downloading Malwarebytes today</a>.</p> ]]></content:encoded> <link>https://www.malwarebytes.com/blog/news/2024/11/advertisers-are-pushing-ad-and-pop-up-blockers-using-old-tricks</link> <pubDate>Thu, 14 Nov 2024 13:17:20 GMT</pubDate> <guid>https://www.malwarebytes.com/blog/news/2024/11/advertisers-are-pushing-ad-and-pop-up-blockers-using-old-tricks</guid> </item> <item> <title><![CDATA[ Scammer robs homebuyers of life savings in $20 million theft spree ]]></title> <description><![CDATA[ A scammer was caught after they defrauded some 400 people for almost $20 million in real estate. 
]]></description> <category>News</category> <category>Scams</category> <category><![CDATA[ bec ]]></category> <category><![CDATA[ real estate ]]></category> <content:encoded><![CDATA[ <p>A 33-year-old Nigerian man living in the UK and his co-conspirators defrauded over 400 would-be home buyers in the US.</p> <p>In the initial phase, Babatunde Francis Ayeni and his criminal gang targeted US title companies, real estate agents, and real estate attorneys. Employees of these companies were tricked into clicking malicious attachments and links and filling in their email account login information on fake sites. The entered information went straight to the phishers and allowed the criminals to monitor the emails of those employees.</p> <p>As soon as the scammers spotted an email where someone was asked to make a payment as part of a real estate transaction, they would change the wiring instructions and let the victims deposit their payments into bank accounts associated with the criminals instead of the legitimate real estate transaction.</p> <p>Some 400 people fell victim to this sophisticated business email compromise (BEC) scheme. 231 of these victims were unable to reverse the wire transactions in time and lost their entire transaction—often their life savings.</p> <p>The total losses amount to nearly $20 million. To cover their tracks, the gang would buy Bitcoin with the stolen funds and divide it over three different addresses.</p> <p>Last year, the FBI <a href="https://www.ic3.gov/PSA/2023/PSA230609" target="_blank" rel="noreferrer noopener nofollow">warned</a> BEC focused on the real estate sector was on the rise.</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"> <p>“From calendar years 2020 to 2022, there was a 27% increase in victim reports to the Internet Crime Complaint Center (IC3) of BECs with a real estate nexus. 
In this same time frame, there was a 72% increase in victim loss of BECs with a real estate nexus.”</p> </blockquote> <p>Ayeni was <a href="https://www.justice.gov/usao-sdal/pr/nigerian-national-sentenced-ten-years-20-million-cyber-fraud-scheme" target="_blank" rel="noreferrer noopener nofollow">sentenced to ten years</a> in federal prison for his role in the massive cyber fraud conspiracy.</p> <p>During the multi-day sentencing hearing, numerous victims provided victim impact statements about how the crime affected them. They noted that in addition to losing all of the money they saved for the purchase of a new home, they felt significant shame, despair, and depression due to being victimized the way they were.</p> <p>United States Attorney Sean P. Costello said:</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"> <p>“Cyber-enabled crimes can cause substantial and lasting harm to victims in an instant. Criminals across the world may believe that they are causing no harm to their victims and that they are safe behind their keyboards, but this case proves otherwise. 
With our law enforcement partners, we will continue to aggressively investigate, pursue, and hold accountable the crooks who perpetrate frauds online, wherever they are.”</p> </blockquote> <h2 class="wp-block-heading" id="h-better-to-double-check">Better to double-check</h2> <p>When transferring large sums of money, it’s advisable to double-check whether the account details mentioned in any email correspond with those of the expected receiver of the funds.</p> <ul> <li>Use trusted contact information: Always verify account details using contact information from a trusted source, and check whether it matches the information provided in the suspicious email or invoice.</li> <li>Call the company directly: Use a known, verified phone number to call the company and confirm any changes to payment instructions or account details.</li> <li>Use secure verification methods: If available, use secure portals or platforms provided by legitimate vendors to verify account information.</li> <li>Confirm receipt: If possible, follow up to confirm that the payment arrived at the legitimate receiver’s end while you still have the option to reverse the transaction.</li> </ul> <hr class="wp-block-separator has-text-color has-cyan-bluish-gray-color has-alpha-channel-opacity has-cyan-bluish-gray-background-color has-background is-style-wide" /> <p><strong>We don’t just report on threats—we remove them</strong></p> <p>Cybersecurity risks should never spread beyond a headline. 
Keep threats off your devices by&nbsp;<a href="https://www.malwarebytes.com/for-home">downloading Malwarebytes today</a>.</p> ]]></content:encoded> <link>https://www.malwarebytes.com/blog/news/2024/11/scammer-robs-homebuyers-of-life-savings-in-20-million-theft-spree</link> <pubDate>Thu, 14 Nov 2024 12:34:56 GMT</pubDate> <guid>https://www.malwarebytes.com/blog/news/2024/11/scammer-robs-homebuyers-of-life-savings-in-20-million-theft-spree</guid> </item> <item> <title><![CDATA[ Temu must respect consumer protection laws, says EU ]]></title> <description><![CDATA[ Temu is under investigation for a variety of misleading practices. ]]></description> <category>News</category> <category><![CDATA[ CPC ]]></category> <category><![CDATA[ misleading ]]></category> <category><![CDATA[ temu ]]></category> <content:encoded><![CDATA[ <p>Temu has been accused of a number of infringements on its platform against European Union (EU) consumer law.</p> <p>The Consumer Protection Cooperation (CPC) Network of national consumer authorities and the European Commission teamed up for a coordinated ongoing investigation into Temu and its practices. The investigation covers a range of practices that mislead or “unduly influence” consumers&#8217; purchasing decisions, and looks at the information obligations that need to be met by an online marketplace.</p> <p>The CPC Network is made up of the national consumer authorities of the 27 EU Member States, Norway, and Iceland.</p> <p>The problems the investigation found cover almost every aspect of misleading advertising one can think of:</p> <ul> <li><strong>Fake discounts</strong>. Telling buyers that items are offered with a discount when in reality the price is the same or even higher than before.</li> <li><strong>Pressure selling</strong>. Claiming that items are in short supply or need to be purchased before a deadline.</li> <li><strong>Forced gamification</strong>. 
Forcing consumers to play “spin the fortune wheel” before accessing the platform, without making them aware of the conditions attached to claiming the rewards in the game.</li> <li><strong>Missing and misleading information</strong>. Giving incomplete and even incorrect information about consumers&#8217; legal rights to return goods and receive refunds. Temu also fails to tell customers up front that they need to reach a minimum order value before they can complete their purchase.</li> <li><strong>Fake reviews</strong>. Hosting suspected inauthentic reviews, and providing inadequate information about how Temu ensures the authenticity of reviews published on its website.</li> <li><strong>Hidden contact details</strong>. Deliberately making it hard for customers to contact Temu with questions and complaints.</li> </ul> <p>The CPC Network also objected to the fact that Temu does not provide information on whether the seller is a trader or not, and would like to ensure that any environmental claims are accurate and substantiated.</p> <p>Temu has one month to reply with a proposal to address the identified issues. Should the company fail to do so, national authorities can take enforcement measures to ensure compliance. These measures can include fines based on Temu&#8217;s annual turnover in the Member States concerned.</p> <p>Temu responded:</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"> <p>“Although we have gained popularity with many consumers in a relatively short time, we are still a very young platform — less than two years in the EU — and are actively learning and adapting to local requirements.”</p> </blockquote> <p>This is not the only problem Temu is facing at the moment. 
In June, we <a href="https://www.malwarebytes.com/blog/news/2024/06/temu-sued-for-being-dangerous-malware-by-arkansas-attorney-general">reported</a> that the Chinese online shopping giant is facing a lawsuit filed by the State of Arkansas Attorney General, alleging that the retailer’s mobile app spies on users.</p> <p>In September, a cybercriminal claimed to be selling a stolen database containing 87 million records of customer information. <a href="https://www.bleepingcomputer.com/news/security/temu-denies-breach-after-hacker-claims-theft-of-87-million-data-records/">Temu denied it suffered a data breach</a>, a statement supported by other circumstances, but these claims have a tendency to linger on.</p> <p>And back in February, the trade association Toy Industries of Europe released a <a href="https://www.toyindustries.eu/95-of-toys-bought-from-new-online-platform-break-eu-safety-rules/">report</a> warning that none of the 19 toys it bought on Temu.com complied with EU legislation. After sending the toys to a laboratory for testing, the organization claimed that many of them posed significant risks for children.</p> <hr class="wp-block-separator has-text-color has-cyan-bluish-gray-color has-alpha-channel-opacity has-cyan-bluish-gray-background-color has-background is-style-wide" /> <p><strong>We don’t just report on threats—we remove them</strong></p> <p>Cybersecurity risks should never spread beyond a headline. 
Keep threats off your devices by&nbsp;<a href="https://www.malwarebytes.com/for-home">downloading Malwarebytes today</a>.</p> ]]></content:encoded> <link>https://www.malwarebytes.com/blog/news/2024/11/temu-must-respect-consumer-protection-laws-says-eu</link> <pubDate>Wed, 13 Nov 2024 22:10:11 GMT</pubDate> <guid>https://www.malwarebytes.com/blog/news/2024/11/temu-must-respect-consumer-protection-laws-says-eu</guid> </item> <item> <title><![CDATA[ Warning: Online shopping threats to avoid this Black Friday and Cyber Monday  ]]></title> <description><![CDATA[ Where there’s a gift to be bought, there’s also a scammer out to make money. Here's how to stay safe this shopping season. ]]></description> <category>News</category> <category>Personal</category> <category><![CDATA[ black friday ]]></category> <category><![CDATA[ cyber monday ]]></category> <category><![CDATA[ online shopping ]]></category> <category><![CDATA[ scams ]]></category> <content:encoded><![CDATA[ <p>It’s that time of year again. Thanksgiving will pass just as quickly as it arrived, and the festive season will soon hit full swing as countless people go online for some gift shopping. But where there’s a gift to be bought, there’s also a scammer out to make money.</p> <p>And make money they do. In the last five years, the <a href="https://www.ic3.gov/AnnualReport/Reports/2023_IC3Report.pdf" target="_blank" rel="noreferrer noopener">Internet Crime Complaint Center (IC3)</a> said it has received 3.79 million complaints for a wide range of internet scams, resulting in $37.4 billion in losses. </p> <p>Today, we’re warning of several online threats that could target you over the next few weeks and months: brand impersonation and fakes, credit card skimming, and malvertising.&nbsp;</p> <h2 class="wp-block-heading" id="h-1-brand-impersonation-scams-nbsp">1. <strong>Brand impersonation scams</strong>&nbsp;</h2> <p>This Black Friday and beyond, you’re likely to see scammers ripping off big name brands. 
Here are a few fakes you should look out for.&nbsp;</p> <h3 class="wp-block-heading" id="h-temu-ads-offer-discounted-ps5s-nbsp"><strong>Temu ads offer discounted PS5s</strong>&nbsp;</h3> <p>Scrolling through Facebook, we were presented with a couple of posts advertising discounted PS5s.&nbsp;</p> <figure class="wp-block-image size-large"><img loading="lazy" width="1200" height="904" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/Temu-ads.png?w=1024" alt="Ads on Temu showing PS5" class="wp-image-120767" style="object-fit:cover" /></figure> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"> <p>“Quit overspending on PS5! This one I got off TEMU is AWESOME and is much cheaper. I’d highly recommend picking this up!”&nbsp;</p> </blockquote> <p>Of course, it’s tempting to get a discount on high-value items like a PlayStation 5, but Temu doesn’t actually sell PS5s.</p> <p>If you click the play button on the “video,” you are instead redirected to a Temu page selling various PlayStation accessories that are not official or in any way approved by Sony.  </p> <h3 class="wp-block-heading" id="h-fake-amazon-offers-you-great-deals-this-black-friday-nbsp"><strong>Fake Amazon offers you great deals this Black Friday</strong>&nbsp;</h3> <p>Amazon is relatively low cost, it’s convenient, and you can look at someone’s wish list on there. Except in this scam we caught online, the website isn’t really Amazon—check out the URL.&nbsp;</p> <figure class="wp-block-image size-large"><img loading="lazy" width="932" height="824" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/Amazon-watermark.png?w=932" alt="Screenshot of a fake Amazon site showing goods to buy" class="wp-image-120754" style="object-fit:cover" /></figure> <p>Fake online stores like this use Amazon’s branding to sell counterfeit products. 
Even if you take the risk and buy a knock-off product (which we think is a bad idea), you have no guarantee of receiving the merchandise, and definitely no buyer protection.&nbsp;</p> <h3 class="wp-block-heading" id="h-walmart-makes-it-easy-for-you-to-buy-gift-cards-nbsp"><strong>Walmart makes it easy for you to buy gift cards</strong>&nbsp;</h3> <p>Nothing says “I saw this and thought of you” like a Walmart gift card on Christmas day. But make sure you are buying from the right website.&nbsp;&nbsp;</p> <p>Again, in this example, check out the URL—this website might look like Walmart, but it’s a fake that will happily take your money in exchange for nothing. </p> <figure class="wp-block-image size-large"><img loading="lazy" width="928" height="823" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/Walmart-watermark.png?w=928" alt="Screenshot of a fake Walmart site advertising gift cards" class="wp-image-120771" style="object-fit:cover" /></figure> <h3 class="wp-block-heading" id="h-usps-now-delivers-you-fraud-nbsp"><strong>“USPS” now delivers you fraud</strong>&nbsp;</h3> <p>If you’re taking advantage of Black Friday sales and buying many things at once, it can be tricky to keep track of what you’ve ordered. Even if you do know what&#8217;s coming, you often don’t know which package service will deliver it to your door. Scammers take advantage of this and will send fake delivery notice emails that encourage you to click on them. </p> <p>With this fake USPS site, you are asked to pay a small fee to have your delivery processed. 
However, once you hand over your card details the scammers can take whatever amount they like and sell your details to other criminals.&nbsp;</p> <figure class="wp-block-image size-large"><img loading="lazy" width="1600" height="1200" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/USPS-watermark.png?w=1024" alt="Screenshot of fake USPS site" class="wp-image-120760" style="object-fit:cover" /></figure> <p>These scams are very common. In fact, when we looked, we saw 50 fake USPS sites set up in only a day:&nbsp;</p> <figure class="wp-block-image size-large is-resized"><img loading="lazy" width="1485" height="1202" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/USPS-sites-watermark.png?w=1024" alt="Diagram showing many fake USPS domains" class="wp-image-120759" style="width:1000px" /></figure> <h2 class="wp-block-heading" id="h-2-credit-card-skimmers-nbsp">2. <strong>Credit card skimmers</strong>&nbsp;</h2> <p>We’re seeing a lot of online stores <a href="https://www.malwarebytes.com/blog/news/2024/08/hundreds-of-online-stores-hacked-in-new-campaign" target="_blank" rel="noreferrer noopener">hosting credit card skimmers,</a> especially smaller retailers.&nbsp;&nbsp;</p> <p>A credit card skimmer is a piece of malware that is injected into a website, often through vulnerabilities in the content management system (CMS) or the plugins that the site owner uses.&nbsp;</p> <p>When visiting a site that has a card skimmer on it, you’ll likely have no idea it’s even there. 
However, a single script injection is enough to steal your credit card data.&nbsp;</p> <figure class="wp-block-image size-large is-resized"><img loading="lazy" width="1223" height="651" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/code-watermark.png?w=1024" alt="Screenshot of code being inserted into a website" class="wp-image-120755" style="width:1000px" /></figure> <p>Last year, we saw a <a href="https://www.malwarebytes.com/blog/threat-intelligence/2023/11/credit-card-skimming-on-the-rise-for-the-holiday-shopping-season" target="_blank" rel="noreferrer noopener">large uptick in card skimmers</a> just before the holiday season. One particular campaign that we tracked peaked in April 2023, but then really slowed down during the summer months. Over those months, cybercriminals had infected multiple websites and built custom templates to trick victims into handing over their credit card details. By October, the same campaign had increased to its highest volume yet, and it is highly likely that this year will be the same. </p> <p>When looking at compromised websites, it can be hard to tell what—if anything—is wrong. However, if a site looks like it hasn’t been maintained in a while (for example, it displays outdated information, such as ‘Copyright 2022’) you should avoid entering your card details. Most compromises happen because a website’s CMS and its plugins are outdated and vulnerable. </p> <p>Our free browser extension <a href="https://www.malwarebytes.com/browserguard" target="_blank" rel="noreferrer noopener">Malwarebytes Browser Guard</a> blocks credit card skimmers by default. 
If you visit a compromised store you’ll be shown a warning like this: </p> <figure class="wp-block-image aligncenter size-full"><img loading="lazy" width="607" height="347" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/image_e05f85.png" alt="" class="wp-image-120741" /></figure> <p>Access to the store isn’t blocked, we just block the skimmer code so it can’t load. And while you could in theory still shop safely, we’d still advise you to avoid buying anything from there.&nbsp;</p> <h2 class="wp-block-heading" id="h-3-malvertising-increases-in-line-with-gift-shopping-nbsp">3. <strong>Malvertising increases in line with gift shopping</strong>&nbsp;</h2> <p>Malvertising—or malicious advertising—is a favorite of scammers, who use online ads and sponsored search results to deliver malware to their unsuspecting victims.&nbsp;&nbsp;</p> <p>Malvertising doesn’t require that criminals know a victim’s email address, login credentials, or personal information to deliver them malware. All the scammers need to do is <a href="https://www.malwarebytes.com/blog/news/2024/02/malvertising-this-cyberthreat-isnt-on-the-dark-web-its-on-google" target="_blank" rel="noreferrer noopener">fool someone into clicking on an ad</a> that looks legitimate.&nbsp;&nbsp;</p> <p>Last fall, Malwarebytes tracked a 42% increase month-over-month in malvertising incidents in the US. This year we’re seeing a similar uptick, with a 41% increase from July to September as we head into the holiday shopping season.&nbsp;</p> <p>In terms of the actual advertiser accounts that are used in malvertising campaigns, most are based in the US and are set up using a combination of fake identities or hijacked accounts. 
However, according to our research findings, ads originating in Pakistan and Vietnam account for 90% of the fraud.&nbsp;</p> <figure class="wp-block-image aligncenter size-large"><img loading="lazy" width="604" height="372" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/Advertiser-origin-watermark.png?w=604" alt="Pie chart showing the countries of origin of attacks" class="wp-image-120753" /></figure> <p>Most (77%) of the accounts are used once only—created quickly and then burned. Once that account is dead, cybercriminals spin up the next one and on it goes.&nbsp;&nbsp;</p> <p>No brand is safe from malvertisers. We’ve tracked campaigns that spoof <a href="https://www.malwarebytes.com/blog/scams/2024/08/dozens-of-google-products-targeted-by-scammers-via-malicious-search-ads" target="_blank" rel="noreferrer noopener">Google</a>, <a href="https://www.malwarebytes.com/blog/threat-intelligence/2023/05/malvertising-its-a-jungle-out-there" target="_blank" rel="noreferrer noopener">Amazon</a>, <a href="https://www.malwarebytes.com/blog/scams/2024/11/large-ebay-malvertising-campaign-leads-to-scams" target="_blank" rel="noreferrer noopener">eBay,</a> <a href="https://www.malwarebytes.com/blog/scams/2024/09/walmart-customers-scammed-via-fake-shopping-lists-threatened-with-arrest" target="_blank" rel="noreferrer noopener">Walmart</a>, <a href="https://www.malwarebytes.com/blog/news/2024/09/lowes-employees-phished-via-google-ads" target="_blank" rel="noreferrer noopener">Lowe’s</a>—and even <a href="https://www.malwarebytes.com/blog/news/2020/04/copycat-criminals-abuse-malwarebytes-brand-in-malvertising-campaign" target="_blank" rel="noreferrer noopener">Malwarebytes</a>.&nbsp;&nbsp;</p> <p>Our advice: It’s not always easy to tell a real ad from a scam, so it’s best to avoid clicking on sponsored ads at all. 
Use genuine search results or navigate directly to the site yourself.&nbsp;</p> <h2 class="wp-block-heading" id="h-how-to-shop-safely-this-holiday-season-nbsp-nbsp"><strong>How to shop safely this holiday season&nbsp;</strong>&nbsp;</h2> <ul> <li><strong>Remember: If it’s too good to be true then it probably is.</strong> Discounted items are tempting—especially at a time of year when lots of spending takes place—but these offers often amount to nothing. Instead, research the best deal at reputable retailers. </li> </ul> <ul> <li><strong>Don’t get rushed into making decisions.</strong> Scammers will use a sense of urgency to pressure you into performing quick actions before you can properly think things through. Take your time before doing anything like clicking links or entering card details.&nbsp;</li> </ul> <ul> <li><strong>Get an ad and malicious content blocker like </strong><a href="https://www.malwarebytes.com/browserguard" target="_blank" rel="noreferrer noopener"><strong>Malwarebytes Browser Guard.</strong></a><strong> </strong>If you’re blocking ads then you can’t be tricked into clicking on them. Browser Guard (which is free!) also protects against credit card skimming and other online threats.&nbsp;</li> </ul> <ul> <li><strong>Keep an eye on your financial statements: </strong>An uptick in online shopping deserves an uptick in vigilance with checking online bank accounts, credit card statements, investment portfolios—in fact, any financial account data. Flag anything that seems suspicious with your provider.&nbsp;</li> </ul> <ul> <li><strong>Protect your online accounts. 
</strong>Use a different password for every account (a password manager is super helpful in generating and storing all your passwords), and set up multi-factor authentication (MFA) wherever you can.&nbsp;&nbsp;</li> </ul> <ul> <li><strong>Protect your devices:</strong> Most security products offer some kind of web protection that detects malicious domains and IP addresses, including <a href="https://www.malwarebytes.com/premium" target="_blank" rel="noreferrer noopener">Malwarebytes Premium</a> which offers web and phishing protection.&nbsp;</li> </ul> <ul> <li><strong>Clean up your personal data online: </strong>Cybercriminals use publicly available information in their scams, so check what information is available about you online using our free <a href="https://www.malwarebytes.com/digital-footprint" target="_blank" rel="noreferrer noopener">Digital Footprint scan.</a> You can also take the first step in removing your personal information from the network of data brokers online with our <a href="https://www.malwarebytes.com/personal-data-remover" target="_blank" rel="noreferrer noopener">Personal Data Remover</a>. </li> </ul> <p><em>Thanks to Jerome Segura for his research on this piece.</em></p> <p></p> ]]></content:encoded> <link>https://www.malwarebytes.com/blog/news/2024/11/warning-online-shopping-threats-to-avoid-this-black-friday-and-cyber-monday</link> <pubDate>Wed, 13 Nov 2024 13:55:33 GMT</pubDate> <guid>https://www.malwarebytes.com/blog/news/2024/11/warning-online-shopping-threats-to-avoid-this-black-friday-and-cyber-monday</guid> </item> <item> <title><![CDATA[ DNA testing company vanishes along with its customers&#8217; genetic data ]]></title> <description><![CDATA[ Atlas Biomed, a DNA testing company that promised clients insights into their genetic disposition has suddenly disappeared. 
]]></description> <category>News</category> <category>Privacy</category> <category><![CDATA[ 23andMe ]]></category> <category><![CDATA[ Ancestry ]]></category> <category><![CDATA[ Atlas Biomed ]]></category> <category><![CDATA[ genetic testing ]]></category> <category><![CDATA[ MyHeritage ]]></category> <content:encoded><![CDATA[ <p>A DNA testing company that promised clients insights into their genetic disposition has suddenly disappeared. The BBC <a href="https://www.bbc.com/news/articles/cz7wl7rpndjo">reports</a> it tried several methods to reach the company but failed in this effort.</p> <p>London offices are closed, nobody answers the phone, and clients can no longer access their online records. None of the company&#8217;s social media accounts have been updated since 2023.</p> <p>The atlasbiomed.com domain appears to be inactive. Customers were only able to look at their test results online (these were not downloadable), so now they are not only unable to see them, but they also have no idea what has happened to that data.</p> <p>Although there is no evidence that any of the data has been misused, it is worrying not to know who now has access to the data, especially now that the investigation shows that there might be ties to Russia.</p> <p>While four out of eight company officers have resigned, two of those that remain are listed at the same address in Moscow. That happens to be the same address as that of a Russian billionaire, who is described as a now resigned director.</p> <p>DNA testing has become so commonplace that many people have blindly participated without truly understanding the implications. It has always been a problem to figure out who you could trust with your genetic data. 
For some people it’s their cheapest chance of finding out whether they are affected by some genetic disorder.</p> <p>Since those early days, we&#8217;ve had several warnings about how submitting your genetic data can go sideways.</p> <p>In 2018, MyHeritage suffered <a href="https://blog.myheritage.com/2018/06/myheritage-statement-about-a-cybersecurity-incident/" target="_blank" rel="noreferrer noopener nofollow">a security incident</a> which exposed the email addresses and hashed passwords of 92 million users.</p> <p>In 2020, <a href="https://www.blackstone.com/news/press/blackstone-completes-acquisition-of-ancestry-leading-online-family-history-business-for-4-7-billion/">Ancestry was acquired by investment firm Blackstone</a> for $4.7 billion, which raised questions about the potential commercialization of genetic data and its transfer to new owners.</p> <p>And the <a href="https://www.malwarebytes.com/blog/news/2024/10/23andme-will-retain-your-genetic-information-even-if-you-delete-the-account">ongoing saga</a> of what happened at 23andMe is the clearest example of why people would be hesitant to submit genetic data. In 2023, cybercriminals put up information belonging to as many as <a href="https://www.malwarebytes.com/blog/news/2023/10/23andme">seven million 23andMe customers</a> for sale on criminal forums following a credential stuffing attack against the genomics company.</p> <p>Since then all board members have resigned, except for CEO Anne Wojcicki who has stood by her plans to take the company private, raising again the subject of what happens to customer genetic data when a company is sold.</p> <p>Data breaches happen to the best companies. So, even if a company has good intentions, there is still a risk of your genetic data being linked to your personally identifiable information (PII). 
This makes the information a treasure trove for advertisers, insurance companies, and Big Pharma.</p> <p>All of this makes it very understandable that customers of Atlas Biomed are worried about where their data might end up.</p> <h2 class="wp-block-heading" id="h-words-of-warning">Words of warning</h2> <p>The UK regulator, the Information Commissioner&#8217;s Office (ICO), has confirmed it has received a complaint about Atlas Biomed, saying in a statement:</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"> <p>&#8220;People have the right to expect that organizations will handle their personal information securely and responsibly.&#8221;</p> </blockquote> <p>Unfortunately, we know that not all organizations will meet that expectation, so there are a few things you should keep in mind.</p> <p>If you submit genetic material, thoroughly research the company you are trusting with it.</p> <p>Only share the personal information you absolutely have to provide with the genetic testing company. Lie if you must and create a separate free email account so the information can’t be tied to your main account.</p> <p>Make sure to familiarize yourself with the company&#8217;s privacy policy and opt out of sharing information where possible. Also stay informed about any policy updates or changes from the company.</p> <p>As a wise lady and one of my former editors once <a href="https://www.rsaconference.com/library/blog/consumer-dna-testing-kits-are-a-privacy-risk-now-and-in-the-future">wrote</a>:</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"> <p>“Many a friend and family member have scoffed at my warnings to stay away from consumer DNA testing kits, remarking that they have nothing to hide or that there’s no harm in releasing their DNA into the hands of researchers. 
I honestly hope they’re right.</p> <p>I hope they never have to fear having their health insurance ripped away because of pre-existing conditions or an increased risk of developing certain diseases. I hope they aren’t inundated with marketing emails about cancer-preventative nutrition or the best new medicines to prolong the onset of Alzheimer’s. I sincerely hope they’re never targeted by racial-profiling police officers, denied a job by a prejudiced employer or buried in paperwork after having their identity stolen by a hacker. And I fervently hope they’ll never have to hide their genetic profile from a government hell-bent on ridding its country of a certain ethnicity or race.”</p> </blockquote> <hr class="wp-block-separator has-text-color has-cyan-bluish-gray-color has-alpha-channel-opacity has-cyan-bluish-gray-background-color has-background is-style-wide" /> <p><strong>We don’t just report on threats—we remove them</strong></p> <p>Cybersecurity risks should never spread beyond a headline. 
Keep threats off your devices by&nbsp;<a href="https://www.malwarebytes.com/for-home">downloading Malwarebytes today</a>.</p> ]]></content:encoded> <link>https://www.malwarebytes.com/blog/news/2024/11/dna-testing-company-vanishes-along-with-its-customers-genetic-data</link> <pubDate>Tue, 12 Nov 2024 12:42:25 GMT</pubDate> <guid>https://www.malwarebytes.com/blog/news/2024/11/dna-testing-company-vanishes-along-with-its-customers-genetic-data</guid> </item> <item> <title><![CDATA[ A week in security (November 4 &#8211; November 10) ]]></title> <description><![CDATA[ A list of topics we covered in the week of November 4 to November 10 of 2024 ]]></description> <category>News</category> <category><![CDATA[ AzireVPN ]]></category> <category><![CDATA[ fakebat ]]></category> <category><![CDATA[ tiktok ]]></category> <content:encoded><![CDATA[ <p>Last week on Malwarebytes Labs:</p> <ul> <li><a href="/blog/news/2024/11/hello-again-fakebat-popular-loader-returns-after-months-long-hiatus">Hello again, FakeBat: popular loader returns after months-long hiatus</a></li> <li><a href="/blog/news/2024/11/tiktok-ordered-to-close-canada-offices-following-national-security-review">TikTok ordered to close Canada offices following &#8220;national security review&#8221;</a></li> <li><a href="/blog/news/2024/11/air-fryers-are-the-latest-surveillance-threat-you-didnt-consider">Air fryers are the latest surveillance threat you didn’t consider</a></li> <li><a href="/blog/personal/2024/11/malwarebytes-acquires-azirevpn-to-fuel-additional-vpn-features-and-functionalities">Malwarebytes acquires AzireVPN to fuel additional VPN features and functionalities</a></li> <li><a href="/blog/scams/2024/11/large-ebay-malvertising-campaign-leads-to-scams">Large eBay malvertising campaign leads to scams</a></li> <li><a href="/blog/podcast/2024/11/8-security-tips-for-small-businesses-2">8 security tips for small businesses</a></li> <li><a 
href="/blog/news/2024/11/update-your-android-google-patches-two-zero-day-vulnerabilities">Update your Android: Google patches two zero-day vulnerabilities</a></li> <li><a href="/blog/news/2024/11/warning-hackers-could-take-over-your-email-account-by-stealing-cookies-even-if-you-have-mfa">Warning: Hackers could take over your email account by stealing cookies, even if you have MFA</a></li> <li><a href="/blog/podcast/2024/11/why-your-vote-cant-be-hacked-with-cait-conley-of-cisa-lock-and-code-s05e23">Why your vote can’t be &#8220;hacked,&#8221; with Cait Conley of CISA (Lock and Code S05E23)</a></li> <li><a href="/blog/news/2024/11/city-of-columbus-breach-affects-around-half-a-million-citizens">City of Columbus breach affects around half a million citizens</a></li> <li><a href="/blog/scams/2024/11/crooks-bank-on-microsofts-search-engine-to-phish-customers">Crooks bank on Microsoft’s search engine to phish customers</a></li> </ul> <p>Last week on ThreatDown:</p> <ul> <li><a href="https://www.threatdown.com/blog/how-black-basta-used-powershell-to-set-up-a-cobalt-strike-beacon/">How the Black Basta ransomware gang hides Cobalt Strike beacons with PowerShell</a></li> </ul> <p>Stay safe!</p> <hr class="wp-block-separator has-text-color has-cyan-bluish-gray-color has-alpha-channel-opacity has-cyan-bluish-gray-background-color has-background is-style-wide" /> <p>Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? 
Get a free trial below.</p> <div class="wp-block-malware-bytes-button mb-button" id="mb-button-371336e6-815b-4134-8818-f944dbc308bb"><div class="mb-button__row u-justify-content-center"><div class="mb-button__item mb-button-item-0"><p class="btn-main"><a href="https://www.malwarebytes.com/business/contact-us/">TRY NOW</a></p></div></div></div> ]]></content:encoded> <link>https://www.malwarebytes.com/blog/news/2024/11/a-week-in-security-november-4-november-10-2</link> <pubDate>Mon, 11 Nov 2024 08:30:32 GMT</pubDate> <guid>https://www.malwarebytes.com/blog/news/2024/11/a-week-in-security-november-4-november-10-2</guid> </item> <item> <title><![CDATA[ Hello again, FakeBat: popular loader returns after months-long hiatus ]]></title> <description><![CDATA[ The web browser, and search engines in particular, continue to be a popular entry point to deliver malware to users. While... ]]></description> <category>Cybercrime</category> <category><![CDATA[ fakebat ]]></category> <category><![CDATA[ Google Ads ]]></category> <category><![CDATA[ lumma ]]></category> <category><![CDATA[ lummaC2 ]]></category> <category><![CDATA[ malvertising ]]></category> <category><![CDATA[ malware ]]></category> <content:encoded><![CDATA[ <p>The web browser, and search engines in particular, continue to be a popular entry point to deliver malware to users. While we noted a decrease in loaders distributed via malvertising for the past 3 months, today&#8217;s example is a reminder that threat actors can quickly switch back to tried and tested methods.</p> <p>After months of absence, Fakebat (AKA Eugenloader, PaykLoader) showed up on our radar again via a malicious Google ad for the productivity application Notion. FakeBat is a unique loader that has been used to drop follow-up payloads such as Lumma stealer.</p> <p>In this blog post, we detail how criminals are targeting their victims and what final malware payload they are delivering post initial infection. 
The incident was found and reported to Google on the same day as this publication.</p> <h2 class="wp-block-heading" id="h-google-ads-distribution">Google Ads distribution</h2> <p>Last time we saw FakeBat was on July 25, 2024, via a malicious ad for Calendly, a popular online scheduling application. In that instance, FakeBat&#8217;s command and control infrastructure ran from <em>utd-gochisu[.]com</em>.</p> <p>Fast forward to November 8, 2024, and we have an ad appearing at the top of a Google search for &#8216;notion&#8217;. That sponsored result looks entirely authentic, with an official logo and website. We already know that criminals are able to impersonate any brand of their liking by simply using a click tracker — or tracking template — in order to bypass detection.</p> <figure class="wp-block-image aligncenter size-large"><a href="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/image_00e479.png"><img loading="lazy" width="862" height="1028" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/image_00e479.png?w=859" alt="" class="wp-image-120555" /></a></figure> <p>According to Google&#8217;s Ads Transparency Center, the Notion ad was shown in the following geographic locations:</p> <figure class="wp-block-image aligncenter size-full"><a href="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/image_b7f9c2.png"><img loading="lazy" width="725" height="624" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/image_b7f9c2.png" alt="" class="wp-image-120588" /></a></figure> <p>Below is the network traffic from the ad URL to the payload. 
We can see the use of the tracking template (<em>smart.link</em>), followed by a cloaking domain (<em>solomonegbe[.]com</em>), before landing on the decoy site (<em>notion[.]ramchhaya.com</em>):</p> <figure class="wp-block-image aligncenter size-full"><a href="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/image_c03d18.png"><img loading="lazy" width="781" height="310" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/image_c03d18.png" alt="" class="wp-image-120553" /></a></figure> <p>Why does this work and bypass Google? Likely because if the user is not an intended victim, the tracking template would redirect them to the legitimate <em>notion.so</em> website.</p> <h2 class="wp-block-heading" id="h-fakebat-drops-lummac2-stealer">FakeBat drops LummaC2 stealer</h2> <p>After extracting the payload, we recognize the classic first-stage FakeBat PowerShell:</p> <figure class="wp-block-image aligncenter size-full"><a href="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/image_07f473.png"><img loading="lazy" width="669" height="607" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/image_07f473.png" alt="" class="wp-image-120558" /></a></figure> <p>Security researcher and long-time FakeBat enthusiast <a href="https://russianpanda.com/">RussianPanda</a> was kind enough to give us a hand by looking at this installer in closer detail.</p> <p>After some fingerprinting to avoid sandboxes, we get this second-stage PowerShell:</p> <figure class="wp-block-image aligncenter size-full"><a href="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/image_f1c809.png"><img loading="lazy" width="711" height="904" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/image_f1c809.png" alt="" class="wp-image-120565" /></a></figure> <p>Of note, the threat actors are still using the same old RastaMouse AMSI bypass script from April 2024:</p> <figure class="wp-block-image aligncenter size-large"><a href="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/image_e5a808.png"><img loading="lazy" width="1161" height="939" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/image_e5a808.png?w=1024" alt="" class="wp-image-120566" /></a></figure> <p>The loader is obfuscated with .NET Reactor, where it decrypts the embedded resource with AES and then injects it into <em>MSBuild.exe</em> via process hollowing:</p> <figure class="wp-block-image aligncenter size-large"><a href="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/image_e1b48c.png"><img loading="lazy" width="1333" height="646" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2024/11/image_e1b48c.png?w=1024" alt="" class="wp-image-120567" /></a></figure> <p>The decrypted payload is LummaC2 Stealer with user ID: 9zXsP2.</p> <h2 class="wp-block-heading" id="h-conclusion">Conclusion</h2> <p>While malicious ads delivering malware payloads have been rarer for the past several weeks, today&#8217;s example shows that threat actors can and will make a comeback whenever the time is right.</p> <p>Brand impersonation via Google ads remains problematic, as anyone can leverage built-in features to appear legitimate and trick users into downloading malware.</p> <p>We appreciate and would like to thank <a href="https://russianpanda.com/">RussianPanda</a>&#8217;s quick analysis of the payload, as well as security researcher <a href="https://squiblydoo.blog/">Sqiiblydoo</a> for reporting the malicious certificate used to sign the installer.</p> <hr class="wp-block-separator has-text-color has-cyan-bluish-gray-color has-alpha-channel-opacity has-cyan-bluish-gray-background-color has-background is-style-wide" /> <p><strong>We don’t just report on threats—we remove them</strong></p> <p>Cybersecurity risks should never spread beyond a headline. 
Keep threats off your devices by&nbsp;<a href="https://www.malwarebytes.com/for-home">downloading Malwarebytes today</a>.</p> <h2 class="wp-block-heading" id="h-indicators-of-compromise">Indicators of Compromise</h2> <p>Malvertising chain</p> <pre class="wp-block-preformatted">solomonegbe[.]com<br>notion[.]ramchhaya.com</pre> <p>Malicious Notion URL</p> <pre class="wp-block-preformatted">furnotilioin[.]site/Notion[.]appx</pre> <p>Malicious Notion installer</p> <pre class="wp-block-preformatted">34c46b358a139f1a472b0120a95b4f21d32be5c93bc2d1a5608efb557aa0b9de</pre> <p>FakeBat C2</p> <pre class="wp-block-preformatted">ghf-gopp1rip[.]com</pre> <p>1.jar (PaykRunPE)</p> <pre class="wp-block-preformatted">2de8a18814cd66704edec08ae4b37e466c9986540da94cd61b2ca512d495b91a</pre> <p>LummaC2 (decrypted payload)</p> <pre class="wp-block-preformatted">de64c6a881be736aeecbf665709baa89e92acf48c34f9071b8a29a5e53802019</pre> <p>JwefqUQWCg (encrypted resource)</p> <pre class="wp-block-preformatted">6341d1b4858830ad691344a7b88316c49445754a98e7fd4a39a190c590e8a4db</pre> <p>Malicious URLs</p> <pre class="wp-block-preformatted">furliumalerer[.]site/1.jar<br>pastebin[.]pl/view/raw/a58044c5</pre> <p>LummaC2 Stealer C2s:</p> <pre class="wp-block-preformatted">rottieud[.]sbs<br>relalingj[.]sbs<br>repostebhu[.]sbs<br>thinkyyokej[.]sbs<br>tamedgeesy[.]sbs<br>explainvees[.]sbs<br>brownieyuz[.]sbs<br>slippyhost[.]cfd<br>ducksringjk[.]sbs</pre> ]]></content:encoded> <link>https://www.malwarebytes.com/blog/cybercrime/2024/11/hello-again-fakebat-popular-loader-returns-after-months-long-hiatus</link> <pubDate>Fri, 08 Nov 2024 23:25:28 GMT</pubDate> <guid>https://www.malwarebytes.com/blog/cybercrime/2024/11/hello-again-fakebat-popular-loader-returns-after-months-long-hiatus</guid> </item> <item> <title><![CDATA[ TikTok ordered to close Canada offices following &#8220;national security review&#8221; ]]></title> <description><![CDATA[ Canada wants TikTok to dissolve its business in the country. 
TikTok plans to challenge the decision in court ]]></description> <category>News</category> <content:encoded><![CDATA[ <p>The Government of Canada <a href="https://www.canada.ca/en/innovation-science-economic-development/news/2024/11/government-of-canada-orders-the-wind-up-of-tiktok-technology-canada-inc-following-a-national-security-review-under-the-investment-canada-act.html">ordered</a> TikTok Technology Canada Inc. to close its offices in the country following a national security review.</p> <p>This decision was made in accordance with the Investment Canada Act, which allows for the review of foreign investments that may be injurious to Canada’s national security. Canada’s Minister of Innovation, Science and Industry stated:</p> <p>“As a result of a multi-step national security review process, which involves rigorous scrutiny by Canada’s national security and intelligence community, the Government of Canada has ordered the wind up of the Canadian business carried on by TikTok Technology Canada, Inc. The government is taking action to address the specific national security risks related to ByteDance Ltd.’s operations in Canada through the establishment of TikTok Technology Canada, Inc. The decision was based on the information and evidence collected over the course of the review and on the advice of Canada’s security and intelligence community and other government partners.”</p> <p>This does not mean Canadians will no longer have access to the popular social media platform. 
It just means the Chinese-owned company will have to close its Canadian operations located in Toronto and Vancouver.</p> <p>Canada says the decision whether citizens want to use the social media platform is a personal choice, but it does encourage Canadians to consult&nbsp;<a href="https://cyber.gc.ca/en/guidance/protect-how-you-connect">the&nbsp;guidance</a>&nbsp;issued by Communications Security Establishment Canada’s Canadian Centre for Cyber Security to help them assess these risks.</p> <p>One of the key points of their guidance is the “security over convenience” guideline, which says:</p> <p>“It may be convenient to have an app always know your location or be able to fetch your photos without approval, but this isn’t the most secure option. Be aware of the features and elements of your device that can be accessed by an app, and make sure you limit permissions.”</p> <p>Another one that is important in this case is the “consider where your data is being stored” guideline, which reminds people to think about which nation’s laws will apply to their information and their activity on the platform.</p> <p>TikTok <a href="https://newsroom.tiktok.com/en-ca/our-response-to-canadas-order-to-shut-down-tiktok-canada-ca">responded</a> that:</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"> <p>“Shutting down TikTok’s Canadian offices and destroying hundreds of well-paying local jobs is not in anyone&#8217;s best interest, and today&#8217;s shutdown order will do just that. We will challenge this order in court.”</p> </blockquote> <p>TikTok&#8217;s Chinese ownership has brought problems in other countries, as well. In April 2024, Malwarebytes Labs <a href="https://www.malwarebytes.com/blog/news/2024/04/tiktok-comes-one-step-closer-to-a-us-ban">reported</a> on how the US Senate approved a bill that would effectively ban TikTok from the country unless Chinese owner ByteDance gives up its share of the immensely popular app. 
That law is <a href="https://www.npr.org/2024/09/16/g-s1-23194/tiktok-us-ban-appeals-court">currently being challenged in court</a> by the popular social media platform. </p> <p><strong>We don&#8217;t just report on threats &#8211; we help protect your social media</strong></p> <p>Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using <a href="https://www.malwarebytes.com/identity-theft-protection" target="_blank" rel="noreferrer noopener">Malwarebytes Identity Theft Protection</a>.</p> ]]></content:encoded> <link>https://www.malwarebytes.com/blog/news/2024/11/tiktok-ordered-to-close-canada-offices-following-national-security-review</link> <pubDate>Fri, 08 Nov 2024 17:03:09 GMT</pubDate> <guid>https://www.malwarebytes.com/blog/news/2024/11/tiktok-ordered-to-close-canada-offices-following-national-security-review</guid> </item> <item> <title><![CDATA[ Air fryers are the latest surveillance threat you didn&#8217;t consider ]]></title> <description><![CDATA[ Consumer group Which? found privacy issues in connected air fryers. How smart do we want and need our appliances to be? ]]></description> <category>News</category> <category>Privacy</category> <category><![CDATA[ air fryers ]]></category> <category><![CDATA[ app ]]></category> <category><![CDATA[ privacy ]]></category> <content:encoded><![CDATA[ <p>Consumer group Which? has <a href="https://www.which.co.uk/policy-and-insight/article/why-is-my-air-fryer-spying-on-me-which-reveals-the-smart-devices-gathering-your-data-and-where-they-send-it-a9Fa24K6gY1c">warned</a> shoppers to be selective when it comes to buying smart air fryers from Xiaomi, Cosori, and Aigostar.</p> <p>We&#8217;ve learned to expect that “smart” appliances come with privacy risks—<a href="https://www.malwarebytes.com/blog/awareness/2024/02/how-to-tell-if-your-toothbrush-is-being-used-in-a-ddos-attack">toothbrushes aside</a>—but I really hadn’t given my air fryer any thought. 
Now things are about to change.</p> <p>You don’t need to worry about the air fryers sending reports about your eating habits to your healthcare provider just yet. But according to Which?, the air fryers&#8217; associated phone apps wanted to know customers’ precise locations, as well as permission to record audio on the user’s phone.</p> <p>The researchers also found evidence that the Aigostar and Xiaomi fryers both sent people’s personal data to servers in China. This was specified in the privacy notice, but we know not everyone reads a privacy notice.</p> <p>When buying any kind of smart device, it&#8217;s worth doing these things:</p> <ul> <li><strong>Question the permissions an app asks for on your phone</strong>. Does it serve a purpose for you, the user, or is it just some vendor being nosy?</li> <li><strong>Read the privacy policy</strong>. The vendors are counting on you not reading it, but privacy policies are sometimes very revealing.</li> <li><strong>Ask yourself if the appliance needs to be smart</strong>. What’s in it for you, and what’s the price you&#8217;re going to pay?</li> </ul> <p>An easy solution is not to install the app, and not to provide manufacturers with personal data they do not need to know. They may need your name for the warranty, but your gender, age, and—most of the time—your address aren&#8217;t needed.</p> <p>You shouldn’t be surprised to find out that appliances that are activated by voice commands are listening to you. 
How else do you expect them to know you are giving them an order?</p> <p>It’s what they <a href="https://www.malwarebytes.com/blog/news/2024/07/us-senators-ask-ftc-to-investigate-car-makers-privacy-practices">do with the information</a> and how well they are <a href="https://www.malwarebytes.com/blog/news/2024/10/robot-vacuum-cleaners-hacked-to-spy-on-insult-owners">secured against abuse</a> by third parties that we should be concerned with.</p> <hr class="wp-block-separator has-text-color has-cyan-bluish-gray-color has-alpha-channel-opacity has-cyan-bluish-gray-background-color has-background is-style-wide" /> <p><strong>We don’t just report on threats—we remove them</strong></p> <p>Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by&nbsp;<a href="https://www.malwarebytes.com/for-home">downloading Malwarebytes today</a>.</p> ]]></content:encoded> <link>https://www.malwarebytes.com/blog/news/2024/11/air-fryers-are-the-latest-surveillance-threat-you-didnt-consider</link> <pubDate>Thu, 07 Nov 2024 16:45:30 GMT</pubDate> <guid>https://www.malwarebytes.com/blog/news/2024/11/air-fryers-are-the-latest-surveillance-threat-you-didnt-consider</guid> </item> </channel> </rss>