Malware Bytes

Last week on Malwarebytes Labs:

• Text scams grow to steal hundreds of millions of dollars
• Apple patches security vulnerabilities in iOS and iPadOS. Update now!
• Hi, robot: Half of all internet traffic now automated
• “I sent you an email from your email account,” sextortion scam claims
• “Follow me” to this fake crypto exchange to claim $500
• Hertz data breach caused by CL0P ransomware attack on vendor
• Meta slurps up EU user data for AI training
• No, it’s not OK to delete that new inetpub folder
• Malwarebytes named “Best Antivirus Software” and “Best Malware Removal Service”

Last week on ThreatDown:

• Save our CVE! Last minute rescue for critical cybersecurity service
• Has AI changed malicious script obfuscation techniques?
• Celebrating our Partners of the Year: recognizing excellence and innovation
• Living off the Land (LOTL) attacks: Detecting ransomware gangs hiding in plain sight

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

This week on the Lock and Code podcast…

If you don’t know about the newly created US Department of Government Efficiency (DOGE), there’s a strong chance they already know about you.

Created on January 20 by US President Donald Trump through Executive Order, DOGE’s broad mandate is “modernizing Federal technology and software to maximize governmental efficiency and productivity.”

To fulfill its mission, though, DOGE has taken great interest in Americans’ data.

On February 1, DOGE team members without the necessary security clearances accessed classified information belonging to the US Agency for International Development. On February 17, multiple outlets reported that DOGE sought access to IRS data that includes names, addresses, social security numbers, income, net worth, bank information for direct deposits, and bankruptcy history. The next day, the commissioner of the Social Security Administration stepped down after DOGE requested access to information stored there, too, which includes records of lifetime wages and earnings, social security and bank account numbers, the type and amount of benefits individuals received, citizenship status, and disability and medical information. And last month, one US resident filed a data breach notification report with his state’s Attorney General alleging that his data was breached by DOGE and the man behind it, Elon Musk.

In speaking with the news outlet Databreaches.net, the man, Kevin Couture, said:

“I filed the report with my state Attorney General against Elon Musk stating my privacy rights were violated as my Social Security Number, banking info was compromised by accessing government systems and downloading the info without my consent or knowledge. What other information did he gather on me or others? This is wrong and illegal. I have no idea who has my information now.”

Today on the Lock and Code podcast with host David Ruiz, we speak with Sydney Saubestre, senior policy analyst at New America’s Open Technology Institute, about what data DOGE has accessed, why the government department is claiming it requires that access, and whether or not it is fair to call some of this access a “data breach.”

“[DOGE] haven’t been able to articulate why they want access to some of these data files other than broad ‘waste, fraud, and abuse.’ That, ethically, to me, points to it being a data breach.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Text scams alone cost US citizens at least $470 million in 2024, according to new data from the US Federal Trade Commission (FTC).

Because many scams go unreported, though, this dollar amount might be considerably more. The FTC illustrated this with a graph comparing the reported losses to the number of reports.

Graph courtesy of FTC

This demonstrates that not only the damage per reported incident went up considerably, but also the total amount of damage. It also implies that a lot of incidents went unreported since we find it hard to believe that the number of scams might have declined—all it takes is a look at any single week in news coverage on Malwarebytes Labs to find stories on new scams, old scams, repeated scams, and the no-good scammers behind them.

Top 5 text scams

While scams reach us in many ways, the FTC focused on text scams in their report. This are the five main culprits:

1. Package delivery problems. These are usually phishing expeditions aimed at the target paying a small amount for a redelivery, but while they are paying, their credit card details or other sensitive data are stolen.
2. Phony job opportunities. These often come in the form of task scams, but the main story line is that a scammer posing as a recruiter gets the victim to pay for something they “need” to get the job done, or to steal the victim’s personal data.
3. Fake fraud alerts. The fake alerts come as texts about so-called suspicious activity or about a big purchase the victim didn’t make. These texts often look like they’re from a bank or large retailer. The scammers offer help and then pressure people into moving money out of their accounts to supposedly keep it safe, when in reality it goes straight to the scammers.
4. Toll fee scams. These attempts come as an unexpected text message linking to a website pretending to belong to one of the US toll authorities, such as E-ZPass. The texts usually create a sense of urgency by telling you there is only a limited time left to act or there will be dire consequences. Typically the scammers are out to steal personal information and/or payment details.
5. Wrong number scams. An unexpected message that looks innocent enough from someone you don’t know but they act as if they know you. The idea is to get the target to tell them they’ve got a wrong number and with that engage them in a conversation, which may lead to romance scams, pig butchering, or other investment scams.

Let’s work together to bring the numbers down

Malwarebytes Mobile Security offers Text Protection, a feature that alerts users about potentially malicious or scam text messages. This feature works by analyzing incoming messages from unknown senders, checking for signs of scams, phishing links, or other malicious content. If a message is flagged, Android users receive a notification, while iOS users have the message deleted.

iOS

To enable Text Message Filtering on iOS devices, go to the iOS Settings app and explicitly enable it in the under Messages > Unknown & Spam. This is required for iOS to communicate with Malwarebytes about text messages.

Android

• On the Mobile Security dashboard, toggle On Text Protection.
• Tap Go to settings to grant Malwarebytes permission to alert over other apps.
• Tap Give permissions, then tap Allow to allow the app to scan your text messages.
• Once both permissions are granted, the Text Protection feature is active.

It’s also important to report scams. For US Citizens, report to the FTC at ReportFraud.ftc.gov and forward spam messages to 7726 to help your wireless provider spot and block similar messages.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Apple has released a security update for iOS and iPadOS to patch two zero-day vulnerabilities which are reported to already have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS.

Both vulnerabilities allowed an attacker to bypass the memory protections that would normally stop someone from running malicious code. Reportedly, attackers used them with another unpatched vulnerability or malicious app, and the combination could be used to give them complete control over targeted iPhones.

The update is available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 13.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later

To check if you’re using the latest software version, go to Settings > General > Software Update. You want to be on iOS 18.4.1 or iPadOS 18.4.1, so update now if you’re not. It’s also worth turning on Automatic Updates if you haven’t already. You can do that on the same screen.

Update available Technical details

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The zero-day CVEs patched in these updates are:

• CVE-2025-31200: Processing an audio stream in a maliciously crafted media file may result in code execution due to a memory corruption issue which was addressed with improved bounds checking.
• CVE-2025-31201: An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication. This issue was addressed by removing the vulnerable code.

Given that both vulnerabilities were flagged as used in extremely sophisticated attacks and are patched simultaneously, it stands to reason that they were chained for a successful exploitation.

This deserves a bit of an explanation. Apple’s Pointer Authentication (PA) is a hardware security feature designed to detect and prevent tampering with critical pointers (like function addresses or return addresses) in memory. Computers use memory to store and provide information that software programs use as they run.

When creating a pointer (like a return address), the system adds a cryptographic signature (PAC) using secret keys. Before using the pointer, the system checks if the signature still matches.

A memory corruption issue can give an attacker the option to make a change in the device’s memory, but it’s often limited to a very small portion of the memory.

What could have happened here is that the attacker was able to use that ample space to create a pointer that was able to bypass the Pointer Authentication and use this ability to point from a legitimate application to their malicious code.

In the past researchers have already found bypass scenarios for attackers that already have full memory control.

What exactly happened is unknown, because, as a protection against attackers reverse engineering updates to find the vulnerabilities, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available.

Which is also why it’s important to update before other criminals are using the same exploits in less targeted and more widespread attacks. To help with this, the Malwarebytes iOS app will guide you through “how to fix” and assist with similar cases in the future.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

If you sometimes feel that the internet isn’t the same vibrant place it used to be, you’re not alone. New research suggests that most of the traffic traversing the network isn’t human at all.

Bots (software programs that interact with web sites) have been ubiquitous for years. But in its 2025 Bad Bot Report, application security company Imperva claimed this is the first time traffic from bots became more prevalent than human traffic.

The rise in bots is down to generative artificial intelligence (AI), Imperva said. This is the same technology that now flirts with people online for you and automatically writes heartfelt consolatory emails on behalf of heartless administrators. This tech has made it easier to create bots that do your bidding online. While some of those bots are benign, not all have your best interests at heart.

The rise of bad bots

Traffic from “bad bots”—those created with malicious intent—first surpassed good bot traffic in 2016, Imperva’s research said, and it’s been getting worse. Bad bots comprised 37% of internet traffic in 2024, up from 32% the year prior. Good bots accounted for just 14% of the internet’s traffic.

Bad bots do all kinds of unpleasant things. An increasing number try to hijack peoples’ online accounts, which they often do by “credential stuffing.” This is where a bot takes a password and email address that has been stolen and leaked online, and then tries those credentials across a myriad of services in the hope that its owner will have reused the password elsewhere.

These account takeover attacks have skyrocketed lately. December 2024 saw around 330,000 such incidents, up from around 190,000 in December 2023. That could be down to a flood of data breaches that flooded the market with more stolen credentials to try, Imperva said.

Other attacks include scraping data from websites, which is a problem for businesses that don’t want their intellectual property stolen, and also for the individuals who own that data.

Cyber criminals use bots to commit payment fraud by exploiting vulnerabilities in checkout systems. There’s also a thriving business in scalping bots that buy everything from event tickets to new sneakers for high-value resale, denying legitimate customers the opportunity to buy these items for themselves.

The report also found bots targeting specific sectors. The travel industry accounted for 27% of bad bot traffic (the highest by industry) in 2024, up from 21% in 2023. These bots pull tricks such as pretending to book airline seats online and abandoning the purchase at the last minute, which skews seat pricing.

Retail was the second hardest-hit industry in 2024, accounting for 15% of bot traffic, followed by education at 11%.

Stealthy bots stay hidden

Bots are also getting better at evading detection. Faking a browser identity (effectively wearing a digital mask that makes them look like Chrome or Firefox) has been a common tactic for years, but now bots are also using other techniques. These include using IP addresses owned by residential users, which are difficult for web site administrators to spot. Bots are also using virtual private networks to cloak their origin.

AI-enabled bots are also getting far better at cracking CAPTCHAs—the tests that help you to pass as a human when accessing a web site. And malicious software developers are now coding bots that learn about the environment they’re up against and change how they approach it to fly under the radar.

Another change is in the method that these bots use to communicate with their targets. Traditionally, bots would often browse a web page directly, interacting with it in the same way that a human would. That’s changing as newer bots communicate directly with the servers running the web application behind the scenes in their own language. They do this using application programming interfaces (APIs), which are communication channels that programs can use to retrieve information from a web application.

As the bots get smarter and more ubiquitous, what can you do? Sadly, fighting bad bots is largely the job of the companies operating the web applications that serve you and use your data. However, there are a couple of things you can do as an individual to protect yourself and the community at large.

• Don’t reuse passwords. Use a different password for every service you use to stop the credential stuffing bots, and make those passwords complex to avoid brute-force attacks. Use a trusted password manager to keep those passwords safe and easily accessible.
• Protect your PC. Install anti-malware software and follow basic cyber hygiene measures. This will help to prevent attackers from compromising your machine and using it for their own online purposes.
• Don’t become a proxy. Attackers might be able to use your IP address as a proxy for their bots if you don’t protect it. Avoid using untrusted VPNs from suspicious sources, as these have been known to sell your IP address on for others to use. Similarly, take a minute to update the hardware on your home router, or ensure that your telecommunications provider does it if the router came from them. Attackers will often compromise vulnerable routers and use them for bot attacks.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

In a new version of the old “Hello pervert”  emails, scammers are relying on classic email spoofing techniques to try and convince victims that they have lost control of their email account and computer systems.

Email spoofing basically comes down to sending emails with a false sender address, a method in use in various ways by scammers. Obviously, pretending to be someone else can have its advantages, especially if that someone else holds a position of power or trust with regards to the receiver.

But sending a message to the victim’s from their own email address might convince the victim that they have lost access over their own account.

The text of the email roughly looks like this:

“As you may have noticed, I sent you an email from your email account

This means I have full access to your account

I’ve been watching you for a few months

The thing is, you got infected with a njrat through an adult site you visited

If you don’t know about this, let me explain

The njrat gives me full access and control over your device.

This means I can see everything on your screen, turn on the camera and microphone, but you don’t know it

I also have access to all your contacts and all your correspondence.

On the left half of the screen, I made a video showing how you satisfied yourself, on the right half you see the video you watched.

With a click of a mouse I can send this video to all your emails and contacts on social networks

I can also see access to all your communications and messaging programs that you use.

If you want to avoid this,

Transfer the amount of 1200 USD to my bitcoin address (“write buy bitcoin or find for bitcoin exchange if you don’t know”)

My Bitcoin address (BTC wallet): 1FJg6nuRLLv4iQLNFPTpGwZfKjHJQnmwFs

After payment is received, I will delete the video and you will not hear from me again

I’m giving you 48 hours to pay

Do not forget that I will see you when you open the message, the counter will start

If I see you’ve shared this message with someone else, the video will be posted immediately”

If the victim decides to search for “njrat” they’ll find that it’s a remote access trojan (RAT) has capabilities to log keystrokes, access the victim’s camera, steal credentials stored in browsers, upload/download files, view the victim’s desktop, and more.

Scary stuff, and it supports the claims the scammer makes.

But, as with all sextortion scams, this threat is an entirely empty one. There is more than likely no lurid video, no “njrat,” no list of contacts. Instead, there is just a threat which is meant to drive panic which is meant to drive payment.

When we checked, we were happy to see that the scammers’ Bitcoin wallet is empty, although they could have set up a separate one for each victim.

How to recognize sextortion emails

Once you know what’s going on it’s easy to recognize these emails. Remember that not all of the below characteristics have to be included in these emails, but all of them are red flags in their own right.

• The emails often look as if they came from one of your own email addresses.
• The scammer accuses you of inappropriate behavior and claims to have footage of that behavior.
• In the email, the scammer claims to have used “Pegasus” or some Trojan to spy on you through your own computer.
• The scammer says they know “your password” or compromised your account.
• You are urged to pay up quickly or the so-called footage will be spread to all your contacts. Often you’re only allowed one day to pay.
• The actual message often arrives as an image or a pdf attachment. Scammers do this to bypass phishing filters.

What to do when you receive an email like this

First of all, even if it’s only to reassure yourself, scan your computer with an anti-malware solution that can detect and remove njRAT (if present).

Second, if your computer is clean, check if your email account has not been compromised. Change the password and enable 2FA if possible.

Don’t respond to the scammer, since that will confirm that the email address is in use and the mail is read. This could invoke more emails from scammers.

Don’t let yourself get rushed into action or decisions. Scammers rely on the fact that you will not take the time to think this through and subsequently make mistakes.

Do not open unsolicited attachments. Especially when the sender address is suspicious or even your own.

For your ease of mind, turn off your webcam or buy a webcam cover so you can cover it when you’re not using the webcam.

A type of crypto scam that we reported about in 2024 has ported over to a new platform and changed tactics—a bit.

Where the old scams mostly reached me on WhatsApp, the same group of scammers is now using Direct Messages on X. However, the same old trick of “accidentally” sending you login details to a supposedly well-funded financial account is still being used by at least one cybercriminal gang.

Oops, I’m not Sean

“Sean, your financial management account has been opened. {account details}. Please keep your accoount password safe and do not share it with anyone.”

What’s interesting is that this tactic, which we reported on previously, is coming from a different group than the one included in previous coverage from last year. That earlier gang has now changed their messaging, including references to “follow” a person through cyberspace.

Follow me

“Follow me to unlock a lucky prize! Click the link below to claim $500!

No conditions, just follow me! “

In this version, the scammers will also send you the login details for a fake crypto exchange with access to a healthy wallet.

2,685,012.00 USDT sounds amazing

The idea is to give the targets of the scam the impression that they can move that wealth to a wallet of their own. After all, they have the login details for this account. But many others might have those too, since the message was sent to 148 other people. So, you’ll have to hurry and not overthink things too much, right?

Wrong! At some point you’ll find out that you will have to buy a VIP account to transfer the funds to your own account. And that’s what this scam is all about.

Don’t fall for scammers

• Any unsolicited Direct Messages from an unknown person are suspect. No matter how harmless or friendly it may seem. Remember, most pig butchering scams start with what seems a misdirected message.
• Don’t follow links that reach you in any unexpected way, and certainly not from an untrusted source.
• If it’s too good to be true, then it probably is.
• Scammers bank on the fact that the more time and money you have invested, the more determined you will become to get to the desired end result.
• Use a web filtering app to shield you from known malicious websites, such as Malwarebytes Premium or Malwarebytes Browser Guard.

In light of these campaigns, Malwarebytes products block these domains:

oxlop[.]com

bjscx[].com

bjtlm[.]com

bmstw[.]com

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

The Hertz Corporation, on behalf of Hertz, Dollar, and Thrifty brands, is sending breach notifications to customers who may have had their name, contact information, driver’s license, and—in rare cases—Social Security Number exposed in a data breach.

The car rental giant’s data was stolen in a ransomware attack leveraging a vulnerability in Cleo file sharing products.

In 2023, the CL0P ransomware gang broke the scalability barrier and shook the security world with a series of short, automated campaigns, hitting hundreds of unsuspecting targets simultaneously with attacks based on zero-day exploits in file sharing software like MOVEit Transfer and GoAnywhere MFT.

In 2024, CL0P repeated this method using a zero-day exploit against Cleo, a business-to-business (B2B) tech platform provider that specializes in managed file transfer (MFT) solutions, like Cleo Harmony, VLTrader, and LexiCom.

Hertz acknowledged that it was one of the victims:

“On February 10, 2025, we confirmed that Hertz data was acquired by an unauthorized third party that we understand exploited zeroday vulnerabilities within Cleo’s platform in October 2024 and December 2024.”

We were already aware of the fact, since CL0P posted about it on their leak site.

A screenshot of some of CL0P’s list of victims (other victims’ names obscured)

This leak site is also where the stolen data is available for download. Malwarebytes Labs was unable to figure out how many people were affected, but the number of available archives for download is in the tenfolds.

A small portion of the downloads list

After a full data analysis, Hertz is sending notifications to affected customers. The type of stolen data varies per customer, but could include:

• Name
• Contact information
• Driver’s license
• Social Security Number (in rare cases according to Hertz)

“A very small number of individuals may have had their Social Security or other government identification numbers, passport information, Medicare or Medicaid ID (associated with workers’ compensation claims), or injury-related information associated with vehicle accident claims impacted by the event.”

While Hertz says it’s not aware of any misuse of stolen personal information for fraudulent purposes, it offers affected customers two years of identity monitoring services by Kroll for free.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

SCAN NOW

European Facebook users have so far avoided having their public posts used to train parent company Meta’s AI model. That’s about to change, the company has warned. In a blog post today, it said that EU residents’ data was fair game and it would be slurping up public posts for training soon.

Facebook, which launched its AI service for EU users last month, said that it needs that user data to make its AI service more relevant to Europeans.

“That means everything from dialects and colloquialisms, to hyper-local knowledge and the distinct ways different countries use humor and sarcasm on our products,” the company said. It continued:

“This is particularly important as AI models become more advanced with multi-modal functionality, which spans text, voice, video, and imagery.”

Meta originally planned to start training its AI on user posts in the EU in June last year, but it pressed pause after pushback from the Irish Data Protection Commission (DPC) and the UK’s Information Commissioner’s Office (ICO). This came after European privacy advocacy group NOYB (which informally stands for “none of your business”) complained about the move to several regulators in the region.

Meta had claimed that the data collection was in its legitimate interest, stating that it would allow users to opt out of the AI training. NOYB responded that the company should ask users before using their data to train its AI models (which would make it an opt-in arrangement).

The EU handballs the issue back to national regulators

The DPC’s delay was apparently just a speed bump. The Irish DPC asked the European Data Protection Board (EDPB) to mull the issue further, specifically asking several questions. When can an AI model be considered anonymous, it asked? And how can a company demonstrate legitimate interest when collecting data to develop and deploy such a model?

On December 17 of last year, the Board issued a ruling, Opinion 28/2024, that answered those questions by passing them back to regulators. They would have to look at anonymity on a per-case basis, the ruling said. It advised them to consider whether it would be possible to extract personal information from the model, and to look at what the company did during development to prevent personal data from being used in the training or to make it less identifiable.

To determine whether an interest is legitimate, a regulator should decide whether the company’s interest is lawful and with real-world application, rather than just being speculative. Developing an AI model would likely pass that test, it added. Then, they should evaluate whether the data collected is necessary to fulfill it, and then see whether that collection overrides the users’ fundamental rights.

Finally, the DPC asked the Board what the effect on an AI model’s operation would be if a company was found to have used personal data unlawfully to train it. The Board once again handed that to the regulators on a per-case basis.

Onward and downward

Meta felt that this opinion was enough.

“We welcome the opinion provided by the EDPB in December, which affirmed that our original approach met our legal obligations,” the company said in the blog post about the forthcoming reintroduction of AI training. “Since then, we have engaged constructively with the IDPC and look forward to continuing to bring the full benefits of generative AI to people in Europe.”

The social media giant appears to have dodged NOYB’s opt-out vs opt-in question. It said that notifications about the AI training—which will arrive via email or via the platform—will include a link to an objection form.

“We have made this objection form easy to find, read, and use, and we’ll honor all objection forms we have already received, as well as newly submitted ones,” Meta said. In short, it’s still an opt-out arrangement.

But objection forms were a concern for NOYB in its original complaint.

“Meta makes it extremely complicated to object, even requiring personal reasons,” NOYB warned last June. “A technical analysis of the opt-out links even showed that Meta requires a login to view an otherwise public page. In total, Meta requires some 400 million European users to ‘object’, instead of asking for their consent.”

It remains to be seen whether the objection forms will be different this time around. Perhaps the real worry here is that we’re about to get an EU AI model trained on traditional Facebook fodder: food pictures, obvious political opinions, an endless stream of vacuous fortune-cookie life lessons, and your cousins’ ongoing feud over what Julie said about Brian’s egg salad at the family barbecue last March.

We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

In a new update for the guide concerning CVE-2025-21204 Microsoft told users they need the new inetpub folder for protection.

As part of April’s patch Tuesday updates, Microsoft released a patch to a link following flaw in the Windows Update Stack. Applying the patch creates a new %systemdrive%\inetpub folder on the device.

Users who noticed the new folder asked questions because they were concerned about its origin and purpose. Since the empty folder is generally associated with an Internet Information Services (IIS) feature that most users will not be running, this called for an explanation.

Internet Information Services (IIS) is a web server platform created by Microsoft to host websites, web applications, and services on Windows systems. The platform is not installed by default but can be enabled through the Windows Features dialog.

Microsoft states in the update:

“This folder should not be deleted regardless of whether Internet Information Services (IIS) is active on the target device. This behavior is part of changes that increase protection and does not require any action from IT admins and end users.”

CVE-2025-21204, when successfully exploited, allows an authorized attacker to elevate privileges locally.

Per Microsoft:

“An authenticated attacker who successfully exploits this vulnerability gains the ability to perform and/or manipulate file management operations on the victim machine in the context of the NT AUTHORITY\SYSTEM account.”

The “link following flaw” means that the product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

As a resolution, denying access to a file can prevent an attacker from replacing that file with a link to a malicious file. Denying access can be done by assigning file/folder permissions. When you set permissions while creating a folder, you specify what users are allowed to do within that folder, such as limiting their ability to “Read-only” which means it allows the user to open and read files within the folder, but not add or edit existing files in the folder.

Read-only inetpub folder

Short answer: the inetpub folder is there to protect you from an attacker exploiting a vulnerability, and it’s hardly taking up any space, so best leave it alone.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Horn tooting time: We’re excited to say we’ve earned a coveted spot in PCMag’s “Best Antivirus Software for 2025” list, and been recognized as the “Best Malware Removal Service 2025” by CNET.   

PCMag’s rigorous evaluation process takes into account a range of factors, including real-world, hands-on testing, independent lab tests, and decades of experience in the field. 

Malwarebytes Premium proved highly effective in malware protection and defending against malicious and fraudulent web pages.  

PCMag recognized Malwarebytes Premium for its speed and effectiveness, stating:

“Anyone who’s used Malwarebytes Free to remedy another antivirus tool’s slip-up will appreciate the full-powered Malwarebytes Premium. Even if you never needed that kind of rescue, this app’s speedy scan and excellent hands-on test results are a big draw.”  

Reprinted with permission. (c) 2025 Ziff Davis, LLC. All Rights Reserved. 

PCMag awarded Malwarebytes: 

• 2025 Best Antivirus 

• 2025 Best Malware Removal 

• 2025 Best Protection Software 

In our second recent award, CNET awarded Malwarebytes “Best Malware Removal Service 2025” after researching and testing antivirus software on setup, features, look and feel, and performance.  

CNET highlighted several standout features, including: 

• Top-tier malware removal   

• Comprehensive Browser Guard web protection   

• An easy-to-use, customizable interface 

We are super grateful to receive these awards and thank the teams of experts at PCMag and CNET for their thorough testing and valuable insights. 

Download Malwarebytes Premium today to get the “best” protection.

Last week on Malwarebytes Labs:

• The Pall Mall Pact and why it matters
• Child predators are lurking on dating apps, warns report
• Your 23andMe genetic data could be bought by China, senator warns
• WhatsApp for Windows vulnerable to attacks. Update now!
• Man accused of using keylogger to spy on colleagues, log in to their personal accounts and watch them at home
• 72% of people are worried their data is being misused by the government, and that’s not all…
• Tax deadline threat: QuickBooks phishing scam exploits Google Ads
• Google AI taken for a ride by April Fools’ Day joke
• Google fixes two actively exploited zero-day vulnerabilities in Android
• Is your phone listening to you? (Lock and Code S06E07)
• Toll fee scams are back and heading your way

Last week on ThreatDown:

• April 2025 Patch Tuesday includes one zero-day
• One in five Fortune 500 companies had leaked credentials in the past 30 days

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

The US State Department reportedly plans to sign an international agreement designed to govern the use of commercial spyware known as the Pall Mall Pact.

The Pall Mall Pact, formally known as the Pall Mall Process, was initiated by France and the United Kingdom in February 2024. The goal of the Pall Mall Pact is to regulate Commercial Cyber Intrusion Capabilities (CCICs), or what we usually refer to as spyware and surveillance tools.

Signed by France, the UK, Japan, and 18 other EU member states, the Code of Practice is a voluntary non-binding agreement establishing “best practices” among governments in relation to the development, facilitation, purchase, transfer, and use of commercial cyber intrusion tools and services.

Primarily, it aims to tackle the misuse of powerful cybertools sold on the open market. These tools, often developed by private companies like the NSO Group and Paragon Solutions, have been exploited by state and non-state actors to surveil journalists, human rights defenders, activists, and even government officials. The misuse of spyware has raised concerns about its impact on democracy, human rights, and national security.

By promoting international collaboration among governments, combined with industry players like Google and Microsoft, civil society organizations, and academics, the pact represents a collective effort to regulate an industry that has operated almost without reins.

The ongoing proliferation of spyware poses existential risks to privacy and civil liberties. Commercial hacking tools have enabled intrusive surveillance practices that undermine fundamental freedom and human rights. For example, spyware can infiltrate smartphones and computers, granting unauthorized access to sensitive data such as messages, emails, and location information.

Initially, countries like the United States opted not to sign the Pall Mall Pact but to pursue similar initiatives independently. However, this fragmentation could dilute global efforts to regulate spyware effectively. Not ideal, since its voluntary nature already raises questions about its effectiveness.

While not legally binding, the Code offers building blocks for the future and builds momentum for further development. It also offers the participating states a framework for further discussion and national implementation into laws.

In an increasingly digital world, privacy is a growing concern. As our recent research showed, a majority of people feel isolated in securing their sensitive information from companies, governments, AI models, and scammers.

Privacy is more than a personal concern. It’s a cornerstone of democracy and human rights. The Pall Mall Pact offers a roadmap for protecting these values against the misuse of powerful surveillance technologies. No one should be subject to arbitrary or unlawful interference with their privacy, as set out in the International Covenant on Civil and Political Rights and other applicable international and regional treaties.

We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

Using a dating app? Beware of your potential partner’s motives. A report from Edinburgh University warns that child abusers are using these apps to find single parents with vulnerable children.

The Searchlight 2025 report, from the University’s Childlight Global Child Safety Institute, analyses the tools and techniques that child abusers use to reach their prey. It found that more than one in five (22%) of male abusers use dating apps daily, compared to 8.1% of other men.

With this in mind, the report suggests increasing safeguards such as ID verification on dating apps, along with developing tools such as automated recognition of grooming language and more reporting of suspicious behavior by the app companies.

A network of child abusers

While child abuse is often purely for the abuser’s own gratification, the Institute also documented how abusers frequently profit from their crimes by producing child sexual abuse material (CSAM).

“They groom single parents via dating apps to access their children. They target displaced children in conflict zones like Ukraine. And they trade images using sophisticated payment methods, including cryptocurrencies, to evade detection,” warned Paul Stanfield, CEO of Childlight, in the report.

Alongside the use of dating apps, the report also points to the growing humanitarian crisis around the world as an opportunity for abusers. As millions of children are displaced, it cites growing searches for content involving displaced women and children, along with increased trafficker activity targeting displaced victims in Ukraine and Turkey, which hosts Syrian refugees.

The path to illicit profit

One way that abusers profit is by sharing images and video of the abuse. Networks for the exchange and sale of these materials are rife, and abusers have taken to producing specific CSAM content on demand to fit a buyer’s requirements. Files of this type can fetch up to $1,200, the report found. Abusers will also often livestream their abuse sessions for money.

Some organizations that create CSAM are often relatively small, with individuals in single figures, according to the report. They operate on a traditional corporate model, dividing responsibilities between specific people. Individuals will specialize in recruitment, control of the children, finding locations for the abuse, marketing the material, and financial management.

Children producing CSAM

Children themselves are now becoming more involved in the provision of CSAM. In some cases, they will gather images and video of their peers for sale, the report said. In others, children are recruited to provide images of themselves – sometimes willingly for money, and sometimes via sextortion.

Late last month the UK’s National Crime Agency warned about a surge in online networks of mostly teenaged boys that are procuring and sharing CSAM. Reports of these networks, often known collectively as the Com, increased sixfold between 2022 and 2024, the NCA said. They often groom their peers online and then extort them after persuading them to send compromising images of themselves.

While the Com’s members will sell such material, the abuses are also often for their own gratification. Members have been arrested for encouraging victims to commit suicide.

Teenaged boys themselves can also be victims of sextortion, alongside girls. The NCA launched an awareness campaign last month for boys between 15 and 17, whom it says are frequently targeted. It warned that sextortion is often perpetrated by gangs in West Africa or South East Asia, and are purely money-motivated.

The NCA’s CEOP Safety Centre received 380 reports of sextortion in 2024, while the the US National Centre for Missing & Exploited Children (NCMEC) has documented 28,000 global cases per year.

What can you do?

Parents can take action to help protect their children.

Vet potential dates. While the majority of online dating app users are legitimate, it pays to be extra vigilant when forming a relationship – especially when introducing new romantic partners to your family.

Talk to your children. You might think your children understand sextortion, but they might not. The NCA found that 74% of boys did not fully understand what sextortion was, and didn’t see requests for nude images as a warning sign. Educating both girls and boys on the risks is crucial. That in turn takes a relationship built on trust. Explain that if they are in trouble they can tell you anything and they are not to blame.

Get help. The NCA operates a site offering more resources and education for parents, children, and professionals.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Senator Cassidy, the chair of the US Senate Health, Education, Labor, and Pensions Committee has expressed concerns about foreign adversaries, including the Chinese Communist Party, acquiring the sensitive genetic data of millions of Americans through 23andMe. 

The risk is considered real because of the impending takeover of the genetic database that belongs to 23andMe. Since the DNA testing company 23andMe filed for bankruptcy it has been looking for a new owner, and views its genetic data as an asset in the possible sale.

An asset that Senator Cassidy fears could do a lot of harm in the wrong hands, as he wrote in a letter to Treasury Secretary Scott Bessent:

“The recent bankruptcy filing by 23andMe raises questions about potential buyers of its genetic database that contains the information of approximately 15 million customers. Chinese companies have already taken steps to collect genetic data across the world that could be used for adverse purposes.”

The Department of the Treasury, through the Committee on Foreign Investment in the United States (CFIUS), has broad authority to review transactions that may impact the national security of the United States.

23andMe tried to reassure customers that:

“Any buyer of 23andMe will be required to agree to comply with our privacy policy and with all applicable law with respect to the treatment of customer data.”

However, the senator fears that the company and its assets will be sold to the highest bidder which will put the information of its approximately 15 million customers at risk of falling into the wrong hands. For this reason he has asked 23andMe to answer a number of questions about the sales process, the supervision of the transfer, the ability of customers to delete their data, and the effect of the bankruptcy on 23andMe’s cybersecurity infrastructure.

For those that missed our tips the last time, I’ll repeat them here.

How to delete your 23andMe data

For 23andMe customers who want to delete their data from 23andMe:

• Log into your account and navigate to Settings.
• Under Settings, scroll to the section titled 23andMe data. Select View.
• You will be asked to enter your date of birth for extra security. 
• In the next section, you’ll be asked which, if there is any, personal data you’d like to download from the company (onto a personal, not public, computer). Once you’re finished, scroll to the bottom and select Permanently delete data.
• You should then receive an email from 23andMe detailing its account deletion policy and requesting that you confirm your request. Once you confirm you’d like your data to be deleted, the deletion will begin automatically, and you’ll immediately lose access to your account. 

Check if your 23andMe data was part of the 2023 breach

In 2023, 23andMe suffered a data breach that impacted up to seven million people. Found being sold on the dark web, the data reportedly included “profile and account ID numbers, names, gender, birth year, maternal and paternal genetic markers, ancestral heritage results, and data on whether or not each user has opted into 23AndMe’s health data.”

With the data, cybercriminals could learn about a person’s genealogy and potentially use some of the information to aid them in committing identity fraud.

There is no meaningful way to remove this data from the dark web. Instead, we recommend that you run a scan using our free Digital Footprint Portal to see if your data was exposed in the 2023 breach, and then to take additional steps to protect yourself.

SCAN NOW

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

In a security advisory, Meta has disclosed a vulnerability that allowed an attacker to run arbitrary code on a user’s system that existed in all WhatsApp versions before 2.2450.6.

WhatsApp offers a desktop application for Windows and macOS, which users can synchronize with their mobile devices. Desktop versions of WhatsApp are generally used as extensions of mobile apps rather than primary platforms. So, while wide usage of these apps exists, their adoption rate lies likely significantly lower when compared to mobile platforms.

WhatsApp has over 3.14 billion monthly active users as of January 2025, with 73% using Android and 22% using iOS. Using WhatsApp on your desktop offers some advantages that users might appreciate. My excuse is that I can type faster on my laptop and I can make better screenshots of my conversations.

If you use WhatsApp for Windows, you should update as soon as you can.

How to update WhatsApp for Windows

You can find the current version of your WhatsApp for Windows by clicking on the Settings (gear symbol) > Help.

If your version number is lower than 2.2450.6, install a new version by following these steps:

1. Click the Start menu and search for Microsoft Store to open it.
2. In the Microsoft Store, click on Library located at the bottom left corner.
3. Scroll through the list or use the search bar to find WhatsApp Desktop.
4. Click on Get Updates or look for an Update button next to WhatsApp Desktop. If an update is available, it will appear here.
5. Click the Update button to download and install the latest version of WhatsApp Desktop.
6. Once the update is complete, restart the application to ensure all changes are applied.

My WhatsApp was already up to date because I have automatic updates turned on. This is how Microsoft Store on Windows can automatically install app updates.

1. Select Start, then search for and select Microsoft Store.
2. In the Microsoft Store app, select Profile (your account picture) > Settings.
3. Make sure App updates is turned On.

The vulnerability

The vulnerability tracked as CVE-2025-30401 is described by Meta as:

“A spoofing issue in WhatsApp for Windows prior to version 2.2450.6 displayed attachments according to their MIME type but selected the file opening handler based on the attachment’s filename extension. A maliciously crafted mismatch could have caused the recipient to inadvertently execute arbitrary code rather than view the attachment when manually opening the attachment inside WhatsApp.”

In other words, it was possible for a sender to disguise the true nature of their attachment by changing the file extension to something harmless, like a jpeg, when in reality it was a malicious file that would be opened with the program the receiver had set as default for such a file.

In the past we’ve seen this used against users that have Python installed on their systems. People were sent a python or php script as an attachment which would get executed without any warning if the receiver opened them.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

When you next type something sensitive on your computer keyboard, be sure that no-one else is watching. A recent case of alleged cyber-voyeurism shows how important it is to secure your computer against unwanted eavesdroppers using malwareware.

In a class action lawsuit, six women have accused pharmacist Matthew Bathula of invading their privacy by spying on them at work and at home.

According to the lawsuit, Bathula is alleged to have planted spyware on at least 400 computers in clinics, treatment rooms, and labs at the University of Maryland Medical Center where he worked. Bathula is said to have installed a keylogger. This software monitors what a user types on a keyboard without their knowledge, relaying it back to the keylogger’s owner.

The lawsuit claims that this gave Bathula login credentials for the victims’ personal accounts and systems, including bank accounts, emails, home surveillance systems, Dropbox accounts, Google Drives, dating applications, Google Nests, and iCloud accounts.

This access enabled Bathula to download the victims’ personal information, including their private photographs and videos, the class action asserts, adding that he also used his access to systems both at home and at work to spy on the victims in real time.

He used webcams installed on work computers for telehealth sessions to spy on new mothers pumping milk at work, and did the same through their home webcams.

Bathula allegedly spied on victims with their children at home, and also watched them undressing and being intimate with partners. He is said to have disabled the cameras’ operating lights so that victims could not see they were being viewed.

How to protect yourself

Bathula has not thus far been charged with a crime. The anonymous women, who first became aware of the issue when the FBI contacted them, are suing their employer, University of Maryland Medical Systems, for “failure to take reasonable, readily available measures to protect its employees.”

But spyware is a threat for people outside the workplace too. What should you do to protect yourself from someone logging your keystrokes? Here are some tips.

Keep your software up to date. Some spies manually install keyloggers on target computers, but others use malware to install it remotely. Malware droppers frequently take advantage of known vulnerabilities in older versions of operating system and application software. They exploit these security holes to install their malware. You can minimize these loopholes by constantly keeping your software up to date.

Install anti-malware protection. Anti-malware protection works at the lowest level of the operating system to check on the software applications that it’s running and watch for suspicious or known malicious activity.

Watch where you download from. Software downloaded from unofficial sites – especially pirated software – often comes with unwelcome additions including keyloggers and other spyware.

Don’t reuse passwords. People often use the same password across multiple accounts for convenience. This is not a good idea. If a keylogger reads one password, its owner can try the same credentials on your other accounts. According to the lawsuit, Bathula harvested passwords from the workplace keylogger and used them to hijack personal accounts that victims hadn’t accessed at work.

Use a password manager. Another way to prevent a keylogger from reading your passwords is not to type them in. Instead, you can use a trusted password manager that will auto-fill password fields on login pages for you.

Use multi-factor authentication. Where online accounts support it, use two authentication methods to log in. Your password is one such method, but many use an authenticator app on their phone that provides an extra code to type in. Because that code changes all the time, an attacker won’t be able to use it to enter your account in future. For even more security against keyloggers, some accounts now support the use of hardware-based passkeys that don’t require you to type in a code at all.

Protect your webcam. Another layer of defense is to protect your webcam and microphone. Some come with security shutters, while for others, a Post-It will do. If Mark Zuckerberg covers up his camera, it’s probably a good sign that we should too, while using a microphone with a physical off switch – or at least covering your laptop one tightly with tape – can protect your audio. If someone does gain access to your webcam, at least it won’t reveal your secrets.

As with all layers of protection, these defensive measures are best used in conjunction with each other. The more difficult you make it for an attacker to spy on you, the less likely they are to succeed.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Bad vibes are big news in privacy right now, with the public feeling isolated in securing their sensitive information from companies, governments, AI models, and scammers.

That’s the latest from Malwarebytes research conducted this month, which revealed that the vast majority of people are concerned about wrongful data access from nearly every corner of their lives. For example, 89% of people “agreed” or “strongly agreed” that they are “concerned about my personal data being used inappropriately by corporations,” and another 72% agreed or strongly agreed that they are “concerned about my personal data being accessed and used inappropriately by the government.”

The anxieties are easy to trace.

In just the first three months of 2025, the UK government asked Apple for access to encrypted cloud storage for users across the globe, the US government exposed active Social Security Numbers in releasing files related to the assassination of former President John F. Kennedy, and the announced bankruptcy of genetic testing company 23andMe prompted many customers to delete their data.

Against this backdrop, many users are taking privacy into their own hands. More than 40% of people have stopped using either TikTok, Instagram, or X (formerly Twitter), and 26% stopped using a fertility or period tracking app. A robust 75% said they “opt out of data collection, as possible,” and 23% have gone a step further, using a data removal service to help clean up any personal information that is easily found online.

These findings come from a pulse survey that Malwarebytes conducted of its newsletter readers in March via the Alchemer Survey Platform.

Broadly, Malwarebytes found that:

• 89% of people are “concerned about my data being used by AI tools without my consent.”
• 70% of people “feel resigned that my personal data is already out there, and I can’t get it back.”
• 77% of people said that “many online transactions today, from purchases to downloads to creating new accounts, feel like ploys to take my data.”
• While 87% of people “support national laws regulating how companies can collect, store, share, or use our personal data,” 60% feel that “we will never have simple, meaningful ways to protect our data.”
• To protect their personal information and that of their family, at least 40% of people have stopped using Instagram, TikTok, and X (formerly Twitter).
• 26% of people stopped using a fertility app or period tracking app.

Institutional distrust

The public believe that the biggest threats to their privacy right now are AI models, companies, governments, and, well, pretty much every single interaction they have with the internet at large.

Aside from the 89% of people concerned about their data being “accessed and used inappropriately by the government,” another 50% said they were concerned about wrongful government access of their “private conversations.”

Elsewhere, an astounding 89% of people said that they are “concerned about my data being used by AI tools without my consent.” It is unclear exactly where these fears lie. People may be concerned that AI tools are scraping public websites for their information—like the facial recognition company ClearView AI does by scouring articles, mugshot websites, and publicly listed social media profiles—or they may fear that tools like ChatGPT and Google’s Gemini are recording “conversations” or questions for future use.

Exacerbating these concerns is, likely, the current murkiness around AI technology and what it requires to function. The New York Times is currently suing OpenAI for allegations that its large language model wrongfully ingested the outlet’s copyrighted articles as training data, human contractors that helped train the AI recognition systems for Roomba vacuums mistakenly leaked sensitive photos on Facebook, and a national mental health support chatline siphoned off some of its users’ conversations to train an AI-powered customer support chatbot in an effort to boost funding.

But it isn’t just AI that the public distrust, it’s also the many ways they’re forced to engage with the internet, overall, as 77% agreed or strongly agreed that “many online transactions today, from purchases to downloads to creating new accounts, feel like ploys to take my data.”

They may have a point. Downloading a mobile game can reveal your location data to countless ad companies, searching for airline tickets on a Mac device can force you into paying higher prices, and buying a car can subject your sex life—seriously—to data collection. And these are the largely legal consequences of everyday life! Real-deal cybercriminal campaigns like “malvertising,” that abuse Google search results to direct victims to malicious websites, only make matters worse.

Amidst this landscape, the public broadly agreed that they wanted privacy protections that, unfortunately, they feel no one is going to grant them.

A full 87% of people “support national laws regulating how companies can collect, store, share, or use our personal data,” while 70% also believe “we will never have simple, meaningful ways to protect our data.”

So, in the absence of legal or corporate protections, the public are taking matters into their own hands.

Individual action

The dire privacy concerns shared by many respondents have, for the most part, not resulted in privacy nihilism. In fact, a heartening 60% of respondents did not agree that they have “become less vigilant about my data privacy and security because there is little I can do these days.”

Instead, as Malwarebytes found, many people have started disengaging from major online platforms and adding privacy-conscious tools and habits to their daily regimen.

For instance, to protect their and their family’s personal information, 47% of people said they “stopped using TikTok,” 45% said they “stopped using X” (formerly Twitter), 44% said they “stopped using Instagram,” and 37% said they “stopped using Facebook.” Another 26% said they “stopped using a fertility/period tracking app.”

Elsewhere, 69% of people said they “use an ad blocker for online browsing,” and 75% of people “opt out of data collection, as possible.” Another 42% said they use a VPN, which can provide an extra level of comfort by encrypting all web traffic when connecting to public or unknown Wi-Fi networks.

Malwarebytes also found that 69% of respondents said they use “multifactor authentication,” or MFA. MFA is one of the strongest security protections against account takeovers and hacking, requiring that login attempts aren’t approved with just a username and password, but with a separate piece of information, like a one-time passcode that is texted to a user’s device. Though understood as a cybersecurity best practice, MFA also strengthens a user’s privacy. After all, thieves don’t hack into accounts just for fun—they hack into accounts to sometimes steal any sensitive information stored within.

Finally, a smaller percentage of people said they use identity theft protection solutions (43%) and personal data removal services (23%). These are critical tools for catching and stopping identity theft, and for making it harder for scammers to find and target victims.

Malwarebytes understand that privacy isn’t “easy” right now—it never necessarily has been—but that doesn’t mean it’s time to give up. Thankfully, many people responded that, despite their serious concerns, they aren’t about to take corporate and government privacy invasions willingly. That’s the type of attitude that the public needs more than ever, and we’re grateful to see it.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

The pressure of the looming tax filing deadline (April 15th in the US) can make anyone rush online tasks. Cybercriminals are acutely aware of this increased activity and are exploiting trusted platforms like Google to target Intuit QuickBooks users.

By purchasing prominent Google Ads, they are creating highly convincing fake login pages designed to pilfer sensitive information, including usernames, passwords, and even one-time passcodes (OTPs) – the keys to someone’s financial data needed for tax compliance.

Understanding this deceptive tactic is the first step in protecting yourself from falling victim.

Brand impersonation: from Google ad to phishing page

Accounting and tax preparation software has traditionally been a common lure for scammers, particularly those related to online support operating out of large call centres in India and surrounding areas.

Late last year, we documented a fraudulent QuickBooks installer that was laced with malware and generated a fake pop up to trick users into calling for assistance.

This time, the attack is even more dangerous as it goes after victims’ login credentials for QuickBooks. It starts from a Google search, showing an ad that impersonates Intuit’s branding for “QuickBooks Online”.

This leads to a fraudulent website that is essentially a lookalike.

Domain Name: QUICCKBOORKS-ACCCOUNTING .COM
Registrar URL: https://www.hostinger.com
Creation Date: 2025-04-07T01:44:46Z

Unbeknownst to victims, the sign-in page is actually a phishing portal that will steal account credentials in real-time and leak them to the criminals behind this scheme.

One-time passcode workaround

Passwords alone offer a limited level of security because they can be easily guessed, stolen through phishing, or compromised in data breaches. It is highly recommended to enhance account protection by enabling a second form of authentication like one-time passcodes sent to your device or utilizing a 2FA app for an extra layer of verification.

Phishing kits have evolved to become increasingly sophisticated, with some now capable of circumventing one-time passcodes and 2FA. These kits often employ “man-in-the-middle” or “adversary-in-the-middle” (AiTM) techniques.

When a victim enters their credentials and the one-time passcode on a fake login page created by the phishing kit, this information is intercepted in real-time and relayed to the attacker. The attacker can then use these stolen credentials and the valid one-time passcode to log in to the victim’s account before the passcode expires.

Conclusion

Cybercriminals often intensify their efforts to target accounting software like QuickBooks during or around tax season, hoping to capitalize on the increased volume of financial transactions and the time-sensitive nature of tax preparations.

Deceptive Google ads can be designed to closely resemble legitimate QuickBooks search results, leading unsuspecting users to fake login pages that harvest their credentials, financial data, or even install malware.

OTP and 2FA still significantly increase security against a vast majority of attacks, especially automated attempts and less sophisticated phishing, making them essential layers of protection when used on authentic platforms.

However, even with the added security of one-time passcodes and 2FA, these measures are rendered ineffective if the initial login occurs through a malicious website reached via a deceptive ad.

Therefore, it is critical to access your QuickBooks account and conduct all sensitive activities directly through the official Intuit QuickBooks website or application, carefully verifying the URL.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Malicious QuickBooks domains quicckboocks-accounting[.]com
quicckbooks-accounting[.]com
quicckrbooks-acccounting[.]com
quicfkbooks-accounting[.]com
quichkbooks-accounting[.]com
quicjkbooks-accounting[.]com
quickboorks-acccounting[.]com
quickboorks-accountings[.]com
quicnkbooks-accounting[.]com
quicrkbookrs-accounting[.]com
quicrkbooks-acccounting[.]com
quicrkbooks-accountting[.]com
quicrkboorks-accounnting[.]com
quicrkboorks-accounting[.]com
quicrkbrooks-online[.]com
quicrkrbooks-accounting[.]com
quictkbooks-accounting[.]com
quicvkbooks-accounting[.]com
quicxkbooks-accounting[.]com
quirckbooks-accounting[.]com

Cwmbran in Wales, a town with a population of just under 50,000, holds the Guinness World Record for the most roundabouts—at least according to Google AI Overviews.

Except that’s not actually true…

Ben Black has been publishing lighthearted fake stories on April Fools’ Day for his community news site Cwmbran Life since 2018. The April Fools include the erection of a Hollywood-style sign on a mountain, and the creation of a nudist cold-water swimming club at a lake.   

In 2020, Black published a fake story saying Cwmbran had been recognized by Guinness World Records for having the highest number of roundabouts per square kilometer.  

He fabricated a random number of roundabouts, added a quote from a fictitious resident, and clearly stated that the “news” was an April Fool’s Day joke several hours later. 

So it came as quite a surprise when Black discovered that Google AI Overviews picked up this story as real news recently.  

The thing about April Fools’ Day is that it is treated very differently to every other day online. Normal news outlets publish deliberately fake news stories and we, as people with knowledge of April Fools Day, can use that to assess if something is true. Google AI obviously didn’t get that memo.

As Black said:

“It’s not a dangerous story, but it shows how fake news can easily spread even if it’s from a trusted news source.” 

Google AI Overviews has been under scrutiny since testing last year after generating false information, including advising people on the minimum required pebbles to eat in a day or using gasoline to cook spaghetti faster.

Black decided not to publish an April Fools’ prank this year due to his busy schedule and his recent experience with Google, which has made him hesitant about future pranks. 

We feel similar about online pranks coming from us, a cybersecurity company that you can trust, so we opted out of April Fools’ Day this year too.