Malware Bytes

Yesterday, we told you about how millions of pictures from specialized dating apps had been stored online without any kind of password protection.

Now it’s the turn of an AI “nudify” service.

A researcher, famous for finding unprotected cloud storage buckets, has uncovered an unprotected AWS bucket belonging to the nudify service.

The rising popularity of these nudify services apparently has caused a selection of companies without any security awareness to hop on the money train. Millions of people use these services to turn normal pictures into nude images, and it only takes a few minutes.

South Korean AI company GenNomis by AI-NOMIS or somebody acting at their behalf stored 93,485 images and json files with a total size of 47.8 GB in a non-password-protected nor encrypted, but publicly exposed database.

Looking at the service, GenNomis is an AI-powered image generation platform that allows users to transform text descriptions into images, create AI personas, turn images to videos, face-swap images, remove backgrounds, etc., and all that without restrictions. It also provides a marketplace, where users can buy and sell these images as “artwork.”

The researcher saw numerous pornographic images, including what appeared to be disturbing AI-generated portrayals of very young people. Even though the GenNomis guidelines prohibit explicit images of children and any other illegal activities, the researcher found many of them. That doesn’t mean they were available to buy on the platform, but they were at least created.

Some of the deepfakes are hard to discern from real images, and as such may lead to serious privacy, ethical, and legal risks. Not to mention the humiliation for the owners of those images or parts thereof who didn’t consent. Sadly, there are many examples where young people have taken their own lives over sextortion attempts.

The researcher contacted the company about what he had found. He told The Register:

“They took it down immediately with no reply.”

Keep your children safe from nudify services

We’ve seen many cases where social media and other platforms have used the content of their users to train their AI. Some people have a tendency to shrug it off because they don’t see the dangers, but let us explain the possible problems.

In this case, it’s at the extreme end of what the content could be used for.

• Deepfakes: Users of this generative AI could have used the nudify service on publicly available pictures to create explicit deepfakes without consent. AI generated content, like deepfakes, can be used to spread misinformation, damage your reputation or privacy, or defraud people you know.
• Metadata: Users often forget that the images they upload to social media also contain metadata, such as where the photo was taken. This information could potentially be sold to third parties or used in ways the photographer didn’t intend.
• Intellectual property. Never upload anything you didn’t create or own. Artists and photographers may feel their work is being exploited without proper compensation or attribution.
• Bias: AI models trained on biased datasets can perpetuate and amplify societal biases.
• Facial recognition: Although facial recognition is not the hot topic it once used to be, it still exists. And actions or statements done by your images (real or not) may be linked to your persona.
• Memory: Once a picture is online, it is almost impossible to get it completely removed. It may continue to exist in caches, backups, and snapshots.

If you want to continue using social media platforms that is obviously your choice, but consider the above when uploading pictures of you, your loved ones, or even complete strangers.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

A researcher found millions of pictures from specialized dating apps for iOS stored online without any kind of password protection.

The pictures, some of which are explicit, stem from dating apps that all have a specific audience. The five platforms, all developed by M.A.D. Mobile are kink sites BDSM People and Chica, and LGBT apps Pink, Brish, and Translove.

As we reported not too long ago, many iOS apps leak at least one hard coded secret. We consider hard coded secrets in the source code of the apps as exposed because they are relatively easy to find and abuse by cybercriminals. And those secrets can have serious consequences for the apps’ users

Cybernews’ Aras Nazarovas found the storage location (a Google Cloud Storage bucket) used by the apps by reverse engineering the code. To his surprise, he could access the unencrypted and otherwise unprotected photos without needing any password.

As soon as he saw the first image, he knew this storage should not have been public. Not only did it contain profile pictures, it also included pictures sent in private messages, including some removed by moderators.

In total, nearly 1.5 million user-uploaded images were available to anyone stumbling over the storage bucket. Although the images are not linked to any user accounts or other private information, it is not unthinkable that cybercriminals could figure out some of the identities by using commonly available face search engines.

Many of these search engines use Artificial Intelligence (AI) for facial recognition combined with reverse image search technology to find other photos of a person published online, based on a picture submitted by the user.

Although officially intended only for self-searches, many of them don’t bother to check whether that’s actually the case.

Coupled to the identity of the person in the picture, these images could expose users to extortion, as well as an increased risk of hostility. As if online dating isn’t nervewracking enough, especially for those looking in special categories, the last we need is to see our explicit images exposed.

M.A.D Mobile was warned about the leak in January, but didn’t take any action to protect the storage until the BBC contacted the company on Friday. The issue has now been fixed.

It’s important to stipulate that the apps are exclusive to iOS and do not have Android or web alternatives.

Check your digital footprint

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

SCAN NOW

Tax season is in full force, and with the filing deadline fast approaching on April 15, scammers are happy to use that sense of urgency to coax us into handing them our cash.

In one example, one of our customers recently received an email with an attachment titled “Urgent reminder.” The attachment was a PDF file with a QR code in it.

“Tax Services Department

Important Tax Review and Update Required by

2025-03-16!

Dear receiver,

As part of our ongoing efforts to ensure compliance with the latest tax regulations, we

are conducting a mandatory review and update of your tax records. This update must

be completed by 2025-03-16 to avoid any potential penalties or disruptions to your

account.

To proceed with the update, please scan the QR code below with your mobile device or

click the link provided to access the secure tax portal. Once logged in, follow the

prompts to review and confirm your tax information.

Thank you for your prompt attention to this matter.

Tax Services Team

This is an automated message. Please do not reply to this email.”

If the receiver were to scan the QR code, they would be sent to a phishing site. The destination is hidden through a clever use of doubleclick.net redirects.

Lucky for our customer, Malwarebytes had already blocked the real destination.

Malwarebytes blocks fmhjhctk.ru

When we disabled our protection to see where the QR code led, we first had to pass the bot protection:

And then we were asked for our Microsoft credentials with the email address already filled out.

Entering your password will send your credentials to a Russian receiver, who will decide what the most profitable way to use them is. Perhaps they’ll sell the details on the dark web, or use them for themselves to get access to your Microsoft accounts.

But that’s just one example of a tax scam.

The IRS’s annual Dirty Dozen list of tax scams shows common schemes that threaten your tax and financial information. And, although these scams do appear year-round, tax season is when they reach their peak level.

One of the pitfalls the IRS warns about is bad tax advice provided on social media, as submitting false information to the IRS could land you in serious trouble. An example is the so-called “self-employment tax credit” which does exist in some countries, but the US is not one of them. Last year the misinformation was so rampant that the IRS issued a warning about it.

The other big type of scams are phishing emails, like we saw above. Even though scammers can use Artificial Intelligence to create convincing emails that appear to come from the IRS, there are often some tell-tale signs of social engineering attempts:

• Too good to be true: Huge, unexpected tax returns are usually just an incentive to get you to surrender private information in the hopes of obtaining that sum.
• Urgency is always implied, because the scammers do not want you to think things through.
• The IRS rarely contacts people by email. And when it does, it is only to send general information and in an ongoing case with an assigned IRS employee. So receiving an email should be an immediate pause for thought.

Avoiding scams

These days it has become increasingly difficult to navigate your way online without being exposed to a scam. People have become accustomed to trusting their search engine and naturally follow the different paths laid in front of them.

While some websites look obviously fake to someone, they may fool someone else. At the same time, the tools to build convincing schemes are readily available to anyone for free.

• Before calling a number, ensure that it is legitimate by visiting the official site directly.
• Beware of unsolicited phone calls or emails, especially those that ask you to act immediately.
• Beware of impersonators who may hide behind sponsored results and instead click on organic search results.
• Always check the website you visit by looking at the address bar. If in doubt, close the page and open a new one.
• If a website asks you for a small fee upfront it likely is trying to get your credit card information to sell you more expensive services.
• Never send sensitive personal information such as your bank account, charge card, or Social Security number by email. Instead use a secure method such as your online account or another application on IRS.gov.
• Use security software that blocks phishing domains and other scam sites. Malwarebytes Premium does this, leaving your computer and financial assets protected.

The IRS has a specific page dedicated to helping you identify if it’s really them reaching out to you or a scammer. Study that guide before making any rash decisions.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Last week on Malwarebytes Labs:

• Vulnerability in most browsers abused in targeted attacks
• “This fraud destroyed my life.” Man ends up with criminal record after ID was stolen
• Moving from WhatsApp to Signal: A good idea?
• Security expert Troy Hunt hit by phishing attack
• Booking.com phish uses fake CAPTCHAs to trick hotel staff into downloading malware
• DeepSeek users targeted with fake sponsored Google ads that deliver malware
• 23andMe bankruptcy: How to delete your data and stay safe from the 2023 breach
• Oops! Google accidentally deletes some users’ Maps Timeline data

Last week on ThreatDown:

• Why YOUR software is the new malware

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

The internet is filled with falsehoods. 

We’re forever investigating new scams here at Malwarebytes, and it’s so hard to know what—or who—to trust online.  

There’s the scam that takes advantage of grieving people and tricks them into paying for a funeral live stream. 

There’s the fake CAPTCHA that hijacks clipboards and tricks users into installing malware. 

There’s the many, many, many scams that use Google ads to trick people into granting remote access to their machine, handing over money, or installing malware. 

And we’re being tricked constantly by AI, take the Texan restaurant with its dino croissant and photos of Jeff Bezos at the bar. Or the scam that uses an AI replica of a loved one’s voice to trick a family member into handing over money. 

It’s hard to know what to believe any day of the year online and so, while we used to participate in April Fools, it just hits different these days. 

Especially when things go wrong when it comes to April Fools’ pranks. Last year a burger restaurant sent customers into a spin after sending them a fake order confirmation email, which led to customers fearing that their accounts had been hacked. All in good faith, but it no doubt hit a nerve for the affected customers. 

So go ahead and order your Hot Dog Sparkling Water, eat your crust only pizza, or have a snooze in your banana sleeping bag. We love that. But as a cybersecurity brand we want you to feel like you can trust us—every single day of the year. If we say something is fake, then it’s fake. If we say it’s real, then it’s real. No exceptions. 

How to protect yourself from scams 

• Watch out for a false sense of urgency. Scammers will often use time pressure to get you to click, fill in your personal data, or hand over money. If you feel like you’re being asked to act quickly, take a pause. 

• Is it too good to be true? Offers of big discounts or free stuff can be really tempting, but they’re often used as lures for scammers. The likelihood is that it is, indeed, too good to be true and should be avoided at all costs. 

• Have a family code word. Scammers are known to use an AI-generated voice of a loved one to trick a family member into handing over money. Come up with a code word in person that only you and your loved ones know and keep it a secret so you can ask for it if you receive such a phone call. 

• Check via another way. If your “bank” gives you an unexpected phone call, ring them back on a number you know is theirs. If a Facebook friend DMs you a link, send them a quick text to check it’s really them. Double checking in this way could save you doing something you later regret. 

• Use a different password for every account. If you get your username and password stolen on one account you don’t want scammers to be able to use it on another. Password managers help you create complex passwords, and they remember them for you.  

• Set up multi-factor authentication on every account you can. It’s not foolproof, but it does make it considerably harder for scammers. 

Researchers found a vulnerability in Chrome that was abused in the wild against organizations in Russia.

Google has released an update for its Chrome browser which includes patches for this vulnerability.

The update brings the Stable channel to versions 134.0.6998.178 for Windows. Other operatings sytems are not vulnerable.

The easiest way to update Chrome is to allow it to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.

To manually get the update, click Settings > About Chrome. If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is restart the browser in order for the update to complete, and for you to be safe from those vulnerabilities.

Chrome up to date

The vulnerability exists in Windows for all Chromium based browsers, including Edge, Brave, Vivaldi, and Opera. These browsers can all be updated in more or less the same way.

But it doesn’t stop there. After studying the vulnerability, Mozilla concluded that Firefox and the Tor browser are also vulnerable. So, it released updates to patch them.

Technical details

The vulnerability, tracked as CVE-2025-2783 lies in Mojo for Windows. Mojo is a collection of runtime libraries that provide a platform-agnostic mechanism for inter-process communication (IPC).

An incorrect handle provided under certain circumstances allows an attacker to escape the browser sandbox. Which means that due to a logical error on the level where the sandbox and the Windows operating system meet it allows an attacker to execute code on the actual operating system just by getting the target to visit a malicious site. This is something that the sandbox is supposed to prevent.

According to the researchers:

“Without doing anything obviously malicious or forbidden, it allowed the attackers to bypass Google Chrome’s sandbox protection as if it didn’t even exist.”

The researchers did mention that there has to be an additional vulnerability to allow the attacker to enable remote code execution, which they have been unable to find.

All in all, it seems imperative that you update your browser(s) at your earliest convenience.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

This is a sad story that illustrates how losing your ID can effectively ruin your life and reputation.

19-year-old dual German Tunisian national Rami Battikh travelled to the UK in 2019, bringing both his passport and his German national ID. When he returned to Germany, Rami noticed that his German ID card was missing. He figured he either lost it or someone stole it.

Without giving it much thought, he applied for a new one. This was issued without any problem since he could prove his identity.

Fast forward a few years, and Rami applied for a job after finishing school and a vocational apprenticeship. A routine employer check showed that Rami had a criminal record. In London.

The criminal record contains crimes he allegedly committed in the UK while he was in Tunisia.

“I couldn’t believe it. I told my employers that it was not true that for sure it was not me, that I had proof I wasn’t in the UK at that time as I was in Tunisia at the time and had stamps on my passport to prove it.”

But his would-be employers who were eager to hire him said they couldn’t just take his word over a police record.

Back in London in 2021, a man was jailed by a court in London for 18 months for a series of offences including driving without a license or insurance, fraud by false representation, and possession of a false, improperly obtained identity document belonging to another person. Can you guess whose identity document that was?

Unfortunately, the crimes were actually recorded against Rami’s stolen ID. So, he hired a solicitor to get things sorted.

A judge tried to get London’s Metropolitan Police to rectify the error in 2022, describing it as a “mess” that had stained the German national’s record.

But the false database entry persisted and to make things worse, additional crimes were recorded against his stolen ID in London including possession of a knife in a public place.

Despite having confirmation from a judge, the Metropolitan Police haven’t managed to purge the false record, which has left Rami devastated.

He wrote to the court:

“This fraud destroys my life. I can’t get any jobs. Please if you need I will give you my fingerprints, a hair strand … I can’t live like this any more. I am innocent and I never did any of those criminal acts I beg for help.”

At 24 he has no prospect of a job, has had to sell his car to cover bills, and is now sharing his story because he is desperate and doesn’t know what to do.

The Metropolitan Police said:

“We are aware of this case and we continue to work with other agencies to progress this with a view to having the situation rectified. We understand that the length of time this has taken has added to the concern and upset, but aim to provide an update to the applicant in the near future.”

Sadly, this doesn’t sound too reassuring three years after the judge’s decision.

Not every identity theft story is as life-altering as this. But having your data stolen can still have an impact on your life, your family, and your finances.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

This week we learned that the US Government uses Signal for communication, after a journalist was accidentally added to a Signal chat.

Accidental additions of people aside, the news has got regular folks asking if they should, too, be using Signal for private communications.

Probably the largest alternative to Signal, WhatsApp is owned by Meta, and has faced criticism for its data-sharing practices. But is switching to Signal truly an improvement? Let’s explore the differences between these apps and whether the move would be justified.

Bth WhatsApp and Signal offer end-to-end encryption, ensuring that only the sender and recipient can read messages. But the difference is that Signal employs “Sealed Sender,” a feature that hides metadata even from itself, whereas WhatsApp collects metadata such as phone numbers, IP addresses, and device information, which it shares with Meta and third parties.

As president of Signal Meredith Whittaker said in a statement to Dutch website Security.nl:

“WhatsApp collects and shares, when required, large amounts of private information that is not encrypted, like your profile picture, your location, your contacts, when you send a message, when you stop, who’s in your group chats, and so on.”

Signal collects minimal data, but it’s run by the non-profit Signal Foundation, which operates free from commercial interests. Signal’s open-source code allows for public scrutiny of its security claims, which is a transparency WhatsApp lacks.

Where Signal adds privacy-focused features such as call relay (to hide IP addresses), self-destructing messages, and customizable notification settings, WhatsApp provides more social features like status updates.

Switching to Signal is justified if privacy is your top priority. Its minimal data collection, transparency, and advanced security features make it superior to WhatsApp in protecting user information. However, for those who rely on WhatsApp’s massive user base or social features, the transition might be less convenient.

There is no inter-compatibility, so all participants in a conversation need to use the same app. Meaning that one of the few things holding many users back from switching from WhatsApp to Signal is leaving contacts behind that are not willing to move over.

Obviously, the decision is yours and depends on your personal priorities: privacy versus convenience.

Turn on those extra privacy features

To fully benefit from Signal’s privacy capabilities, users should enable the following features:

• Disappearing messages:
  • Open a chat in Signal.
  • Tap the three dots or profile icon to enter chat settings.
  • Select “Disappearing Messages” and set a timer (e.g., five minutes or one week). This ensures messages are automatically deleted after the specified time.
• Screen lock:
  • Go to Signal settings by tapping your profile avatar.
  • Navigate to “Privacy.”
  • Enable “Screen Lock” to require biometric authentication or a PIN to access the app.
• Relay calls:
  • Under “Privacy” settings, activate “Always Relay Calls.” This routes calls through Signal servers to hide your IP address from contacts.
• Incognito keyboard (Android only):
  • In “Privacy” settings, enable “Incognito Keyboard” to prevent your keyboard from sending typing data to third-party servers.
• Screen security:
  • For Android: Enable “Screen Security” to block screenshots within the app.
  • For iPhone: Turn on “Enable Screen Security” to prevent app previews in multitasking mode.
• Registration lock:
  • Activate this feature in “Privacy” settings to require a PIN for re-registering your account on new devices.

By enabling these features, users can ensure their conversations remain private and secure.

Another important tip is to check Group chat members. Before you send messages to a group, check who can read them: Open your group chat and tap on the group name to view chat settings. Scroll to the Members list and tap “View all members” to see the full list of group members.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Internet security expert and educator Troy Hunt disclosed this week that he had been hit by one of the oldest—and most proven—scams in the online world: A phishing attack.

Through an automated attack disguised as a notice from Hunt’s chosen newsletter provider Mailchimp, scammers stole roughly 16,000 records belonging to current and past subscribers of Hunt’s blog. As such, readers should be the lookout for any scams or phishing attempts in the coming weeks.

“I’m enormously frustrated with myself for having fallen for this, and I apologise to anyone on that list,” Hunt wrote.

But Hunt’s immediate disclosure of the attack should be commended. By publishing a transparent blog that detailed the phish just 34 minutes after falling for it, Hunt used himself as the strongest example yet that online scams can hit anyone, and that, while shame and embarrassment are common, no one should ever feel alone in their experience.

What happened?

On March 25, Hunt received a malicious email disguised as a legitimate notice from the company Mailchimp, which he uses to email his blog entries to subscribed readers. The email claimed that Mailchimp was temporarily cutting service to Hunt because his blog had allegedly received a spam complaint.

“Your account has been flagged due to a spam complaint, and as a result, you are temporarily unable to send emails until this issue is resolved,” the email read. To fix the issue, Hunt was asked to sign into his Mailchimp account.

The phishing email was convincingly designed, and it threatened consequences if its recipient failed to act. But, as Hunt said, “I’ve received a gazillion similar phishes before that I’ve identified early,” so another simple factor was at play: Timing.

“You know when you’re really jet lagged and really tired and the cogs in your head are just moving that little bit too slow?” Hunt wrote. “That’s me right now, and the penny has just dropped that a Mailchimp phish has grabbed my credentials, logged into my account and exported the mailing list for this blog.”

Hunt also noticed that, when he tried to log into his Mailchimp account by following the phishing email’s link, his password manager did not auto-fill his account details.

While a password manager’s refusal to auto-fill credentials on a website can indicate that the website itself might be illegitimate, it’s far from a guaranteed red flag. As Hunt said, “there are so many services where you’ve registered on one domain (and that address is stored in 1Password), then you legitimately log on to a different domain.”

In the phishing attack, the scammers stole about 16,000 records belonging to people who had both subscribed and unsubscribed to Hunt’s blog. This is because Mailchimp preserves data of users who unsubscribe, a storage practice that Hunt is currently investigating with the company. Of the 16,000 records, 7,535 email addresses were of readers who unsubscribed. All breach victims are being notified over time, Hunt said.

The stolen records included email addresses, subscription statuses, and IP addresses, along with latitude and longitude data, which, as Hunt later learned, “do not pinpoint the location of the subscriber.”

After recognizing his mistake, Hunt changed his password, reached out to Mailchimp to help delete the scammer’s API key, and then verified that the website he was directed to in the phishing attack had been taken offline.

And, importantly, as the owner of the website Have I Been Pwned (HIBP), which helps people search whether they’ve been involved in a data breach, Hunt had one more data breach to add to the website’s collection: His own.

“When I have conversations with breached companies, my messaging is crystal clear: be transparent and expeditious in your reporting of the incident and prioritise communicating with your customers,” Hunt said. “Me doing anything less than that would be hypocritical, including how I then handle the data from the breach, namely adding it to HIBP.”

Best practice

Responsible data breach disclosures are so rare that they deserve some news coverage, and Malwarebytes is happy to see that Hunt used himself as an example during a stressful and difficult incident. Phishing attacks are common because they’re effective, and that includes against new device owners users, longtime web users, and literal security experts.

For readers impacted in the attack, stay mindful for any phishing attempts that might hit your inbox, using your Have I Been Pwned subscription as a lure. There is no shame in falling for a scam, but it’s better to avoid one before it even happens.

A new phishing campaign that uses the fake CAPTCHA websites we reported about recently is targeting hotel staff in a likely attempt to access customer data, according to research from ThreatDown.

Here’s how it works: Cybercriminals send a fake Booking.com email to a hotel’s email address, asking them to confirm a booking.

“Dear Team,

You have received a new booking. Please find the details below:

Reservation number: 5124588434141

Guest Name: Margit Kainz

Check-in Date: 2025-03-25

Check-out Date: 2025-04-01

Room Type: Deluxe Double Room

Guests: 2 Adults

Special Requests:Early check-in requested (before 2 PM)

Payment Status: Payment at property

{link to landing page}

(Copy and paste this link in your browser to confirm booking)

Please ensure the room is prepared according to the guest’s requests.

If you have any questions or need more information, please contact the guest directly or through our platform.

Thank you for your cooperation,

The Booking.com Team”

The email is sent only a few days before the check-in-date, which is very likely to create a sense of urgency—a common tactic of scammers.

But if the hotel staff were to copy and paste the URL into the browser address bar they will be greeted by this fake CAPTCHA website.

When they check the box, they’ll then see “verification” instructions that will effectively infect their system.

“Verification steps

Press Windows Key + R.

Press Ctrl + V.

Press Enter”

As we explained in more detail here, these instructions will infect their Windows system with an information stealer or Trojan.

What the hotel staff would actually be doing is copy and pasting a mshta command into the Run prompt and then executing the command, which then fetches a remote file and then runs it on their system.

We don’t know the exact plans of the criminals once they have gained control over the system, but it’s highly likely they’re after customer payment details and other personal data: Data that is very valuable to them and can be traded on the dark web.

There isn’t much you can do to protect your own data in situations like these, when cybercriminals are attacking the companies that hold your personal information. However, there are a few things you can do to lower your risk.

How to protect your data online

• Don’t store your card details. Not in your browser, not on websites. Sure, it’s more convenient to get sites to remember your card details for you, but we highly recommend not storing that information.
• Find out what information is already out there. Our free Digital Footprint scan searches the dark web, social media, and other online sources, to tell you where your data has been exposed.
• Remove as much of that information as you can. You can do this manually by cleaning things up yourself, or if you’re in the US then you can use Malwarebytes Personal Data Remover to do it for you.
• Monitor your accounts. Check your accounts periodically for unexpected changes and notifications of suspicious login attempts.
• Use a different password for every online account. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

The threat intel research used in this post was provided by Malwarebytes Senior Director of Research, Jérôme Segura.

DeepSeek’s rising popularity has not only raised concerns and questions about privacy implications, but cybercriminals are also using it as a lure to trap unsuspecting Google searchers.

Unfortunately, we are getting so used to sponsored Google search results being abused by criminals that we advise people not to click on them. So, it was to be expected that DeepSeek would show up in our monitoring of fake Google ads.

Here’s the fake ad:

If you put it side by side with the real DeepSeek ads, the difference is relatively easy to spot:

But as an unsuspecting searcher, you aren’t likely to make that comparison, and as you may know from previous posts about fake Google sponsored ads, the criminals behind these campaigns can be a lot more convincing.

In this case, they certainly put a lot more effort into creating the fake website which the advertisement linked to:

It’s different from the real website, but it looks convincing, nonetheless.

Should you happen to click the download button, you will receive a Trojan programmed in Microsoft Intermediate Language (MSIL), which the Artificial Intelligence (AI) module in Malwarebytes/ThreatDown products detects as Malware.AI.1323738514.

How to avoid these traps

As we mentioned earlier, Google has demonstrated that it can’t keep fake ads out of its sponsored search results. And apparently the success rate of these fake ads is high enough to allow the criminals to pay Google enough to outrank legitimate brands.

So, our first tip is not to click on sponsored search results. Ever.

The second tip is to look at the advertiser by clicking the three dots behind the URL in the search result and look whether he advertiser listed is the legitimate owner of the brand or not.

Here is one example of another DeepSeek impersonator we found. The advertiser’s name is not in Chinese characters by the way. The language in which the advertiser’s name is written is Hebrew: תמיר כץ.

If you don’t want to see sponsored ads at all then it’s worth considering installing an ad-blocker that will make sure you go straight to the regular search results.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

The genetic testing company 23andMe filed for bankruptcy on Sunday, announcing that, in searching for financial stability through its sale to a new owner, the business will continue operating as normal, including in how customer data is handled.

“The company intends to continue operating its business in the ordinary course throughout the sale process,” 23andMe wrote in a news statement. “There are no changes to the way the company stores, manages, or protects customer data.”

For some customers, that’s exactly the problem.

In 2023, not only did the company suffer a major data breach, it also placed some of the blame on the victims who, according to 23andMe, “negligently recycled and failed to update their passwords.”  With concerns now swirling about exactly who will become the new steward of 23andMe’s data following its bankruptcy, customers are asking how they can secure their most private genetic information, if at all.

Here are two big steps that 23andMe customers can take right now:

1. Request that the company delete your data.
2. Discover whether your data was included in the 2023 breach.

These are two, separate actions that will not impact one another and should be both taken for separate reasons—the first, to ask that the company remove your data from its possession; the second, to know how to protect yourself if your data was leaked in the past.

What is happening?

Over the weekend, 23andMe announced that it would file for bankruptcy after months of financial decline. Though the company was valued at a reported $6 billion in 2021, its genetic testing business—in which customers can have their saliva tested for insights into their genealogy and potential health risks—has faltered. Just last week, the company was reportedly valued at $50 million.

To save the company and its operations, 23andMe’s leadership is now on the hunt for a new owner (and that new owner’s cash infusion). One potential bidder has already made their intent abundantly clear: Former CEO Anne Wojcicki, who resigned the same day that the company announced its bankruptcy.

“I have resigned as CEO of the company so I can be in the best position to pursue the company as an independent bidder,” Wojcicki wrote on LinkedIn.

Wojcicki faces an uphill battle, though—her earlier proposal to take the company private was rejected last year.

Whoever becomes the new owner of 23andMe, however, could also become the new owner of 23andMe customer data. According to the company’s own privacy statement:

“If we are involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your Personal Information may be accessed, sold or transferred as part of that transaction.”

That has worried some experts who have pointed out that a new owner could, for instance, hand over customer data to insurance companies to hike up monthly premiums, or to data brokers to power increasingly invasive, targeted advertising.

How to delete your 23andMe data

For 23andMe customers who want to delete their data from 23andMe:

• Log into your account and navigate to Settings.
• Under Settings, scroll to the section titled 23andMe data. Select View.
• You will be asked to enter your date of birth for extra security. 
• In the next section, you’ll be asked which, if there is any, personal data you’d like to download from the company (onto a personal, not public, computer). Once you’re finished, scroll to the bottom and select Permanently delete data.
• You should then receive an email from 23andMe detailing its account deletion policy and requesting that you confirm your request. Once you confirm you’d like your data to be deleted, the deletion will begin automatically, and you’ll immediately lose access to your account. 

How to find your 23andMe data in the 2023 breach

In 2023, 23andMe suffered a data breach that impacted up to seven million people. Found being sold on the dark web, the data reportedly included “profile and account ID numbers, names, gender, birth year, maternal and paternal genetic markers, ancestral heritage results, and data on whether or not each user has opted into 23AndMe’s health data.”

With the data, cybercriminals could learn about a person’s genealogy and potentially use some of the information to aid them in committing identity fraud.

There is no meaningful way to remove this data from the dark web. Instead, we recommend that you run a scan using our free Digital Footprint Portal to see if your data was exposed in the 2023 breach, and then to take additional steps to protect yourself.

SCAN NOW

If your data was exposed in the 23andMe breach, here is what you can do:

• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Google has admitted it accidentally deleted some users’ Google Maps Timeline data after a “technical issue”.

As reported by Forbes on March 11, users started noticing that their Google Maps Timelines had completely disappeared. At the time, we didn’t know anything about the cause of this issue.

However, now we do, after some of the impacted users received a email from Google on March 21. Not with an apology, mind you, but with an explanation.

Google wrote that it had:

“Briefly experienced a technical issue that caused the deletion of Timeline data for some people. If you have encrypted backups enabled, you may be able to restore your data.”

If you’re among those affected and you did have backups enabled, here’s how you can attempt to restore your data:

• Make sure you have the latest version of the Google Maps app installed on your device.
• Open Google Maps, tap on your profile picture in the top right corner, and select Your Timeline.
• Look for a cloud icon at the top of the Timeline screen and tap it. Choose a backup to import your data.

This doesn’t seem to work for everyone though, with some users commenting that this method didn’t work for them.

If you didn’t have backups enabled, it might not be possible to recover your lost Timeline data.

Planned deletion

For those interested in keeping their Timeline, bear in mind that if you don’t take action soon, your visits and routes might be erased, and your Timeline settings disabled. Earlier this month, Google announced that it will begin deleting the last three months of Timeline data unless you take action to back it up, as part of a roll out of significant changes to Maps Timeline.

After you receive the notification from Google, you have about six months to save or transfer your Timeline data before deletion takes place. The sender of the email is “Google Location History,” with the subject line: “Keep your Timeline? Decide by [date].”

When you get the prompt, follow the instructions on how to adjust your settings on your device. If you don’t, your visits and routes will be erased, and your Timeline settings will be disabled.

How to back up your Google Maps Timeline data

Here’s how back up your Timeline data to prevent any future losses, and help preserve your data during the planned deletion:

• Open the Google Maps app.
• Tap your profile picture, then Your Timeline.
• At the top right, tap the cloud icon.
• If auto-delete is turned on, turn it off.
• On the Backup screen, turn on Backup.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Last week on Malwarebytes Labs:

• What Google Chrome knows about you, with Carey Parker (Lock and Code S06E06)
• Personal data revealed in released JFK files
• Semrush impersonation scam hits Google Ads
• Targeted spyware and why it’s a concern to us
• The “free money” trap: How scammers exploit financial anxiety
• Sperm bank breach deposits data into hands of cybercriminals
• AMOS and Lumma stealers actively spread to Reddit users
• Amazon disables privacy option, will send your Echo voice recordings to the cloud
• Warning over free online file converters that actually install malware
• 1 in 10 people do nothing to stay secure and private on vacation

Last week on ThreatDown:

• Ransomware group Mora_001 targets Fortinet applications
• Product of the Year! AVLab honors ThreatDown Endpoint Protection
• Welcome to the era of macOS stealers
• Introducing ThreatDown OneView free self-serve trial for MSPs
• Ransomware in February 2025—Cl0p and RansomHub run riot

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

This week on the Lock and Code podcast…

Google Chrome is, by far, the most popular web browser in the world.

According to several metrics, Chrome accounts for anywhere between 52% and 66% of the current global market share for web browser use. At that higher estimate, that means that, if the 5.5 billion internet users around the world were to open up a web browser right now, 3.6 billion of them would open up Google Chrome.

And because the browser is the most common portal to our daily universe of online activity—searching for answers to questions, looking up recipes, applying for jobs, posting on forums, accessing cloud applications, reading the news, comparing prices, recording Lock and Code, buying concert tickets, signing up for newsletters—then the company that controls that browser likely knows a lot about its users.

In the case of Google Chrome, that’s entirely true.

Google Chrome knows the websites you visit, the searches you make (through Google), the links you click, and the device model you use, along with the version of Chrome you run. That may sound benign, but when collected over long periods of time, and when coupled with the mountains of data that other Google products collect about you, this wealth of data can paint a deeply intimate portrait of your life.

Today, on the Lock and Code podcast with host David Ruiz, we speak with author, podcast host, and privacy advocate Carey Parker about what Google Chrome knows about you, why that data is sensitive, what “Incognito mode” really does, and what you can do in response.

We also explain exactly why Google would want this money, and that’s to help it run as an ad company.

“That’s what [Google is]. Full stop. Google is an ad company who just happens to make a web browser, and a search engine, and an email app, and a whole lot more than that.”

Tune in today to listen to the full conversation.

Show notes and credits:

“Firewalls Don’t Stop Dragons,” blog and podcast hosted by Carey Parker: https://firewallsdontstopdragons.com/

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Over 60,000 pages related to the 1963 assassination of US President John F. Kennedy were released as part of President Donald Trump’s directive on March 17, 2025, and while readers will not find a conclusive answer to the main question—nor will the files put an end to surrounding conspiracy theories—one unplanned consequence was the disclosure of 400 Social Security Numbers (SSNs) and other privacy sensitive information amongst the rest of the records.

The records, which belong to the President John F. Kennedy (JFK) Assassination Records Collection, were previously withheld for classification but are now available to access online or at the National Archives at College Park, Maryland. The hard copy contains more data since the records have not been completely digitized yet. Some of the records had been made available previously but were redacted. Many, although not all redactions have been removed. And while the documents reveal new information, some of the records are not even directly related to the assassination but rather deal with covert CIA operations.

What has also drawn attention, however, is the leak of SSNs and private info.

This information mostly belongs to former congressional staffers. After a report by The  Washington Post of this oversight, the National Archives started screening the documents for Social Security numbers so that the Social Security Administration could identify living individuals and issue them new numbers. And according to an anonymous source those affected will receive free credit monitoring.

In total, the Post reportedly found 3,500 instances of SSNs, but many of them were mentioned more than once. Up to dozens of times.

With 100 staff members of the Senate Church Committee, established in 1975 to investigate abuses by America’s intelligence agencies and government, and 100 staff members of the House Select Committee on Assassinations, which investigated the killing of JFK, many of the affected have since become high-ranking officials in Washington.

For example, a former assistant secretary of state, a former US ambassador, and several prominent figures in the intelligence and legal fields are included in the leak.  

The release of the personal information in the JFK files is a major oversight caused by the sudden urgency put behind the release. The procedure has been called anything from “sloppy” to “incredibly irresponsible,” according to a former lawyer for the Trump campaign, Joseph diGenova.

We feel it certainly qualifies as a data breach when SSNs are leaked. Your Social Security Number is a key to many aspects of your life—financial, medical, and personal, especially when it concerns public figures that are already in the spotlight and in danger of harassment.

Or, as diGenova described it:

“It not only means identity theft, but I’ve had threats against me.”

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

SCAN NOW

This blog post was co-authored with Elie Berreby, Senior SEO Strategist

Criminals are highly interested in online marketing and advertising tools that they can leverage as part of their ongoing malware campaigns.

In particular, we have previously detailed how Google advertiser accounts can be hijacked to create new malicious ads and perpetuate a vicious cycle leading to more compromised accounts.

As part of our investigations, we uncovered a new operation going after Semrush, a visibility management SaaS platform that offers SEO, advertising, and market research, amongst other things.

With 40% of Fortune 500 companies and 117,000 paying customers relying on Semrush, the platform presents a highly attractive target for online criminals.

In this blog post, we detail how fraudsters are taking an indirect approach to hacking Google advertisers and by the same token likely gaining access to Semrush accounts.

We have diligently reported the malicious ads to Google. We would like to stress that we are not referring to any vulnerability or data breach with Semrush or its platform in this post. They are simply being targeted because of their growing popularity.

Google Ads crew pivots

Back in January, we documented a large phishing campaign targeting Google accounts via Google Ads using a very specific technique that abused Google Sites.

We believe the criminals behind it likely regrouped and switched to a less direct approach, yet one that might deliver just as much.

We observed this transition with a malicious ad for “Google Ads” that oddly enough redirected to a fraudulent login page for Semrush. While the phishing page uses the Semrush brand, only the “Log in with Google” option is enabled, forcing victims to authenticate with their Google account username and password.

Semrush phishing campaign

Barely a day later, the campaign was starting to take shape with Google ads now fully moving away from the “Google Ads” brand to fully impersonating Semrush.

The infrastructure for this new wave was deployed recently and the domain names registered for it are all variations on the Semrush name.

Each ad uses a unique domain name which does a redirect to more static domains dedicated to the fake Semrush and Google account login pages.

Once again, the landing page here shows two different types of login but only the Google method is enabled. We believe this is because the threat actors are primarily interested in harvesting Google accounts.

This is confirmed by the malicious sign in page for Google which sends those credentials to the criminals. We should note that victims that arrive at this page are most likely Semrush users, given the path they took to get here.

Google Analytics and Search Console Data Theft

Disclaimer: The following is not taken from a real compromise but rather is meant to illustrate the importance and extent of owning the credentials for a valuable Google account.

Google Analytics (GA) and Google Search Console (GSC) contain critical and confidential information for businesses, revealing detailed perspectives on website performance, user behavioral patterns, and strategic business focuses.

If a Google account is compromised, the malicious actors can access the raw data directly without having to log into Semrush.

E-commerce tracking in GA shows revenue, transaction volumes, average order values, and conversion rates by channel (organic search, paid ads).

Here’s a local shop selling products to a niche audience in a major U.S. city.

When malicious actors access the Google Analytics account, they can see a wealth of confidential information belonging to the publisher. For companies, this is a direct peek into financial performance.

The GSC account below is connected to Semrush. In GSC, the bad actors could see historical data for the past 16 months, including but not limited to search queries, pages, countries, devices, search appearance and dates.

Semrush Fraud and spear-phishing

Disclaimer: Similarly, the following screenshots were not taken from an actual compromise, but highlight the interconnectivity between Google and Semrush accounts.

As mentioned earlier, Google Analytics and Google Search Console data is often integrated with tools like Semrush for enhanced analysis.

For new projects, the SaaS platform requests validation from a Google account to allow Semrush to see and download GA and GSC data.

Once this is done, we can export behavioral data and KPIs coming directly from Google Search Console (GSC) without direct access to the Google account.

There is additional information stored in a Semrush account (name, phone, business name, address, email and the last 4 digits of a Visa card) that a threat actor could leverage to impersonate an individual or business.

Posing as the business, a threat actor could deceive vendors or partners into sending payments to fraudulent accounts, exploiting the trust tied to the business’s identity.

The combination of billing information and card details could be used to mount a more comprehensive attack. Someone posing as Semrush support, referencing an upcoming payment or the billing update process, could trick the victim into providing full credit card details.

Conclusion

Brand impersonation continues to be a popular attack vector used by online criminals to get access to valuable account credentials.

As Google Search is a central part of the SEO and ad ecosystems, individuals and businesses who inadvertently click on a malicious ad are at a major risk of losing extremely sensitive data and feel the impact of fraud on many levels. 

This should be a wakeup call to take steps to prevent such exposure by enforcing guard rails to anyone who manages an account for themselves or a company.

If you are a Malwarebytes customer, you are already protected against the malicious ads and sites used in this campaign. All these incidents have also been reported directly to Google.

We would like to thank the folks at Silent Push for giving us access to their platform, enabling us to uncover additional infrastructure.

Malicious Semrush domains adsense-word[.]com
auth[.]semrush[.]help
sem-russhh[.]com
sem-rushhh[.]com
sem-rushh[.]com
semrush[.]click
semrussh[.]sbs
semrush[.]tech
seemruush[.]com
semrush-auth[.]com
auth.seem-rush[.]com
ads-semrush[.]com
semrush-pro[.]co
semrush-pro[.]click
auth.sem-ruush[.]com
semrush[.]works

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Experts are again warning about the proliferating market for targeted spyware and espionage.

Before we dive into the world of targeted spyware, it’s worth looking at a few of the main players that are active in and against this industry.

Paragon Solutions is an Israeli company which sells high-end surveillance technology primarily to government clients, positioning its products as essential for combating crime and national security. The name of Paragon’s spyware is Graphite.

However, a lot of controversy arose when it faced allegations over the targeting of specific WhatsApp users, including journalists and civil society members, leading to a cease-and-desist notice from WhatsApp. Following these allegations, Paragon Solutions ended its contract with Italy after Italian citizens were found to have been targeted.

The NSO group creates the high-level spyware known as Pegasus, and has also been caught spying on WhatsApp users. The NSO Group justifies the use of Pegasus by saying it’s a beneficial tool for investigating and preventing terrorist attacks and maintaining the safety of the public.

On the opposite side of the fence, CitizenLab is an interdisciplinary laboratory based in Toronto, Canada. CitizenLab focuses on studying information controls that impact the openness and security of the internet and pose threats to human rights.

The work done by CitizenLab has led to greater understanding of the global digital surveillance landscape and its implications for human rights.

Often, we will see newly found vulnerabilities in iOS, WhatsApp and other software credited to CitizenLab or one of its associates. They often find these vulnerabilities by analyzing devices of individuals infected with high-level spyware.

In an interview with TheRecord, founder Ronald Deibert said CitizenLab routinely checks people’s phones for spyware. Over time, the researchers at CitizenLab have honed their forensic skills to the level that they can pinpoint the moment of infection for the device right down to the second.

In a recent article, CitizenLab explained in great detail how it cooperated with Meta on uncovering a WhatsApp zero-day vulnerability and how it traced it back to Paragon and the Italian government.

While most of us will, hopefully, never have to deal or worry about getting infected with high-level spyware, we may end up falling victim to the vulnerabilities that are used to infect targets.

Both Paragon and the NSO group have brought many zero-day vulnerabilities to light in browsers and other online applications by using them to compromise mobile devices.

Zero-day vulnerabilities are hard to come by and therefore expensive. But once they are used against victims, there is a good chance that at some point they will be discovered and patched.

But small-time criminals will pick them up and try to use them against people who haven’t had a chance or the time to update their device yet.

Which is why we, on this blog, and through Malwarebytes’ Trusted Advisor, always urge people to keep their devices up-to-date.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

With financial stress at an all-time high, and many Americans grappling with confusion about social security, Medicaid, and Medicare, people are desperately seeking relief. Scammers know this all too well and have tailored their tactics to exploit these fears, preying on vulnerable individuals with promises of “free money.”

Whether it’s a so-called “subsidy program,” a “government grant,” or a “relief card,” these scams all share the same underlying goal—to manipulate people into giving away their personal information, or—worse—their hard-earned cash. 

Common free money scams Too-good-to-be-true claims

• “Get a $6,400 Subsidy to Pay for Groceries, Rent, and Gas!” 
• “Only 3 Days Left to Claim Your Government Benefit!”
• “482 Spots Remaining! Act Now!” 

Urgency and exclusivity are classic scam tactics. By creating a demand to do something as soon as possible, scammers push people to act before they have time to think critically. 

Fabricated social proof 

• “Floyd Miles from LA just received his subsidy!” 
• “Mary T. Pritts from Silsbee, TX qualified 17 seconds ago!” 
• “Thousands of Americans are getting financial relief!” 

These so called testimonials are almost always fake, designed to create a false sense of trust. The names, locations, and stories are either entirely made up or copied from other scam sites. 

A push to submit personal information 

• “Enter your name, email, and phone number to check eligibility!” 
• “Claim your subsidy now – just provide your bank details!” 

The goal? To collect personal data that can be used for identity theft, sold to third parties, or leveraged for future scams. 

Push notification scams 

After submitting information, users are prompted to “Allow” notifications to receive updates on their application. In reality, enabling notifications results in a flood of unwanted ads and malicious content (malvertising), potentially exposing users to phishing attempts and harmful software. 

Additional social engineering techniques

• Phishing emails and messages: Scammers send convincing emails or text messages that appear to be from legitimate government agencies or financial institutions, urging users to click on malicious links or provide personal information. 
• Impersonation scams: Fraudsters pose as government officials, representatives from relief organizations, or financial advisors to gain victims’ trust. 
• Fake customer support calls: Victims may receive calls from so-called “support agents” asking for verification details to process their subsidy claim. 
• QR code scams: Increasingly, scammers use QR codes on fake subsidy pages to drive users to phishing sites that steal their credentials.
• Malware-infested attachments: Scammers send downloadable forms for “subsidy applications,” which are actually embedded with malware that steals information from users’ devices. 

Red flags to watch out for 

• Vague or unverifiable claims: Legitimate government programs are clearly outlined on official websites (.gov domains). If a subsidy isn’t listed there, it doesn’t exist.
• No contact information: If a website lacks a verifiable phone number, email or office address, it’s likely a scam. 
• Unrealistic promises: Any offer of free money with no strings attached should raise suspicions. 
• Pressuring users to act quickly: Government aid programs don’t work on a first-come, first-served basis with countdown timers. 

How to protect yourself from free money scams

• Verify sources: If an offer sounds too good to be true, check with official government sites like USA.gov or your local state agency. 
• Never share personal information: Avoid entering sensitive information (Social Security Number, bank details, etc.) on unverified websites. 
• Report suspicious sites: If you come across a scam, report it to the Federal Trade Commission (FTC) at reportfraud.ftc.gov. 
• Educate others: Many scam victims are elderly or financially struggling individuals who may not recognize these red flags. Share this knowledge to protect your loved ones. 

Conclusion 

Scammers are constantly evolving, but their tactics remain predictable. By staying informed and skeptical of “too-good-to-be-true” offers, we can collectively shut down these fraudulent schemes. The best defense is awareness—because in reality, there’s no such thing as free money. 

IOCs 

34[.]123[.]196[.]68 

34[.]132[.]227[.]60 

34[.]31[.]92[.]173 

aidforhealthcare[.]org 

americansubsidy[.]com 

assistanceadvocate[.]org 

assistanceadvocates[.]org 

communitycareaid[.]org 

grabsubsidy[.]com 

healthaidhub[.]org 

healthaidnetwork[.]org 

improveourcredit[.]com 

justhealthbenefits[.]com 

local-subsidy[.]com 

localaid[.]co 

nationaid[.]org 

nationwidesubsidy[.]com 

qualifyaca[.]com 

subsidyacrossnation[.]com 

subsidyaid[.]com 

subsidysupport[.]org 

subsidysupportnetwork[.]org 

timeforacahelp[.]com 

us-debtassistance[.]org 

wellnesssubsidyhub[.]org 

Sperm donor giant California Cryobank has announced it has suffered a data breach that exposed customers’ personal information.

California Cryobank (CCB) is a sperm donation and cryopreservation firm and one of the US’ top sperm banks. As such, it services all US states and over 30 countries worldwide.

The data breach notification states that the breach occurred on April 20, 2024 and CCB discovered it on October 4, 2024. After an investigation, CCB determined that an unauthorized party gained access to its IT environment and may have accessed and/or acquired files maintained on certain computer systems between April 20, 2024, and April 22, 2024.

The information potentially involved varies by customer but includes names and one or more of the following:

• Driver’s license numbers
• Bank account and routing numbers.
• Social Security Numbers (SSN)
• Health insurance information

CCB is posting letters—along the lines of this California example—to everyone who may be impacted.

It is unclear whether the CCB considers sperm donors as customers so their personal information may or may not have been breached.

Anonymous sperm donations are mostly a thing of the past. Anonymous donation was considered a method deemed to protect the privacy of the donor and shield them from any legal obligations, but online DNA databases have put an end to any guarantee of anonymity. However, untimely disclosure of sperm donor details might pose a significant privacy concern to those who donated in the past anonymously.

The handling, storage, and sharing of protected health information (PHI) within sperm banks falls under the Health Insurance Portability and Accountability Act (HIPAA):

• The Privacy Rule requires sperm banks to implement safeguards to protect the privacy of PHI and sets limits and conditions on the uses and disclosures that can be made without patient consent.
• The Security Rule specifically requires sperm banks to secure electronic PHI (ePHI) appropriately against potential risks to confidentiality, integrity, and availability.
• The Breach Notification Rule requires the provision of a notification to affected individuals, the Secretary of Health and Human Services, and, in certain circumstances, to the media, in the event of a breach of unsecured PHI.

CCB is offering individuals whose Social Security and/or driver’s license numbers may have been involved in the incident complimentary one-year memberships to credit monitoring services.

For those that receive a notification letter, CCB has set up a dedicated, tollfree call center to answer questions that recipients may have.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

SCAN NOW