4706 matches found
Russian hacking group targets home and small office routers to spy on users
British security officials found that a group linked to the Russian military is spying on users of compromised Small Office/Home Office SOHO routers in a broad cyber espionage campaign. A Microsoft blog goes into the technical details of these attacks. The group, which we’ll refer to as APT28, bu...
Traffic violation scams swap links for QR codes to steal your card details
As soon as people start to get to grips with a certain type of scam, criminals deploy new tactics to keep stealing money. Now people have learned to distrust links in text messages, scammers have changed the bait, and in 2026 the “new link” is often a QR code tucked inside a fake notice. The late...
A week in security (March 30 – April 5)
Last week on Malwarebytes Labs: That dream job offer from Coca-Cola or Ferrari? It’s a trap for your passwords Blocking children from social media is a badly executed good idea Apple expands "DarkSword" patches to iOS 18.7.7 Malwarebytes Privacy VPN receives full third-party audit Wikipedia’s AI...
Killer robots are here. Now what? (Lock and Code S07E07)
Big news : Lock and Code is nominated for a Webby Award! You can help us win the People's Voice Award by voting here. Vote now! This week on the Lock and Code podcast … We have to talk about killer robots. No, not the Terminator, and not some Boston Dynamics robot run amok. We have to talk instea...
Apple expands “DarkSword” patches to iOS 18.7.7
Apple widened its latest iOS 18 security update to cover far more iPhones and iPads, specifically to stop real‑world DarkSword attacks that can compromise a device from a single website visit. After researchers published their findings about the DarkSword attacks and an exploit kit abusing the...
Asking AI for personal advice is a bad idea, Stanford study shows
Stanford computer scientists just proved what therapists already suspected: AI chatbots will agree with almost anything you say to keep you happy. The researchers caught these systems validating dangerous decisions just to maintain user engagement. That's a worrying development, especially given...
Criminals are renting virtual phones to bypass bank security
Researchers at Group-IB warn about criminals using virtual Android devices to bypass modern security solutions. Cloud phones are virtual Android devices that can fully mimic real device fingerprints model, hardware, IP, timezone, sensor data, behavior. This allows them to undermine banks’...
Landmark verdicts put Meta’s “addiction machine” platforms on trial
Meta faced two major legal setbacks this week as courts in New Mexico and California both found the company liable for harm to children. A New Mexico jury just ordered Meta to pay $375 million for misleading parents about child safety on Instagram and Facebook. Jurors found the company violated...
Hackers claim to have accessed data tied to millions of crime tipsters
Millions of crime tips may have been exposed after a hacker group claims to have compromised systems used by Crime Stoppers programs and other organizations worldwide. The incident centers on P3 Global Intel, a Texas-based provider of cloud-based tip and intelligence management software owned by...
Your tax forms sell for $20 on the dark web
Tax season is also peak season for identity theft. Criminals use stolen personal data to file fake tax returns and claim refunds before the real taxpayer does. Here’s how the fraud works, and how to protect yourself. What is Stolen Identity Refund Fraud SIRF? Stolen Identity Refund Fraud SIRF is ...
Fake Pudgy World site steals your crypto passwords
A phishing site impersonating the newly-launched Pudgy World browser game is targeting crypto users with a technique that goes well beyond a convincing logo and matching color scheme. Pudgy World is a free-to-play browser game built around the Pudgy Penguins NFT brand. Players explore a virtual...
Delete doesn’t mean gone. Here’s how File Shredder fixes that
You have done it a thousand times. Right-click. Delete. Empty Trash. Done. Except it's not done. That file, your tax return, your private photos, that EmbezzlementPlan.doc… it's all still sitting on your drive. Invisible to you, but not to anyone with a $30 recovery tool downloaded from the...
[updated] Google patches two Chrome zero-days under active attack
Update March 16, 2026 Earlier this week, Google incorrectly reported that an actively exploited vulnerability in Chrome had been fixed, and has now announced it will roll out a new update to protect users against the vulnerability tracked as CVE-2026-3909. Original content: Google has released an...
Hackers may have breached FBI wiretap network via supply chain
Investigators are worried that a recent attack on a critical FBI system was more than just a random hit, and that another nation-state might have been involved. On February 17, the FBI flagged irregular network activity that led straight to its Digital Collection System Network. That system...
Fake Claude Code install pages hit Windows and Mac users with infostealers
Attackers are cloning install pages for popular tools like Claude Code and swapping the “one‑liner” install commands with malware, mainly to steal passwords, cookies, sessions, and access to developer environments. Modern install guides often tell you to copy a single command like curl...
Attackers abuse OAuth’s built-in redirects to launch phishing and malware attacks
Attackers are abusing normal OAuth error redirects to send users from a legitimate Microsoft or Google login URL to phishing or malware pages, without ever completing a successful sign‑in or stealing tokens from the OAuth flow itself. That calls for a bit more explanation. OAuth Open Authorizatio...
Pentagon ditches Anthropic AI over “security risk” and OpenAI takes over
On Friday the US Pentagon cut ties with Anthropic, the company behind Claude AI. Defense Secretary Pete Hegseth designated the San Francisco-based company a "supply-chain risk to national security." The supply-chain risk designation means that no contractor, supplier, or partner doing business wi...
How to understand and avoid Advanced Persistent Threats
By definition, an advanced persistent threat APT is a prolonged, targeted attack on a specific victim with the intention to compromise their system and gain information from or about that target. About a decade ago, the term was mostly used for state-sponsored threat actors. I used threat actors...
Instagram flagged explicit messages to minors in 2018. Image-blurring arrived six years later
Meta took six years to blur explicit images on Instagram, even though internal emails show executives were aware in 2018 that minors were receiving them, according to newly unsealed court documents. In a deposition given last year, Adam Mosseri now the head of Instagram discusses an email thread...
Refund scam impersonates Avast to harvest credit card details
A fraudulent website dressed in Avast’s brand is tricking French-speaking users into handing over their full credit card details—card number, expiry date, and three-digit security code—under the cover story of processing a €499.99 refund that was never owed to them. The operation combines live ch...
AI-generated passwords are a security risk
Using Artificial Intelligence AI to generate your passwords is a bad idea. It's likely to give that password to a criminal who can then use it in a dictionary attack—which is when an attacker runs through a prepared list of likely passwords words, phrases, patterns with automated tools until one ...
Man tricked hundreds of women into handing over Snapchat security codes
Fresh off a breathless Super Bowl Sunday, we're less thrilled to bring you this week's Weirdo Wednesday. Two stories caught our eye, both involving men who crossed clear lines and invaded women's privacy online. Last week, 27-year-old Kyle Svara of Oswego, Illinois admitted to hacking women's...
Apple Pay phish uses fake support calls to steal payment details
It started with an email that looked boringly familiar: Apple logo, a clean layout, and a subject line designed to make the target’s stomach drop. The message claimed Apple has stopped a high‑value Apple Pay charge at an Apple Store, complete with a case ID, timestamp, and a warning that the...
Grok continues producing sexualized images after promised fixes
Journalists decided to test whether the Grok chatbot still generates non‑consensual sexualized images, even after xAI, Elon Musk’s artificial intelligence company, and X, the social media platform formerly known as Twitter, promised tighter safeguards. Unsurprisingly, it does. After scrutiny from...
An AI plush toy exposed thousands of private chats with children
Bondu’s AI plush toy exposed a web console that let anyone with a Gmail account read about 50,000 private chats between children and their cuddly toys. Bondu's toy is marketed as: “A soft, cuddly toy powered by AI that can chat, teach, and play with your child.” What it doesn’t say is that anyone...
Meta confirms it’s working on premium subscription for its apps
Meta plans to test exclusive features that will be incorporated in paid versions of Facebook, Instagram, and WhatsApp. It confirmed these plans to TechCrunch. But these plans are not to be confused with the ad-free subscription options that Meta introduced for Facebook and Instagram in the EU, th...
Malicious Chrome extensions can spy on your ChatGPT chats
Researchers discovered 16 malicious browser extensions for Google Chrome and Microsoft Edge that steal ChatGPT session tokens, giving attackers access to accounts, including conversation history and metadata. The 16 malicious extensions 15 for Chrome and 1 for Edge claim to improve and optimize...
Malicious Google Calendar invites could expose private data
Researchers found a way to weaponize calendar invites. They uncovered a vulnerability that allowed them to bypass Google Calendar’s privacy controls using a dormant payload hidden inside an otherwise standard calendar invite. Image courtesy of Miggo An attacker creates a Google Calendar event and...
Google will pay $8.25m to settle child data-tracking allegations
Google has settled yet another class-action lawsuit accusing it of collecting children’s data and using it to target them with advertising. The tech giant will pay $8.25 million to address allegations that it tracked data on apps specifically designated for kids. AdMob's mobile data collection Th...
Data broker fined after selling Alzheimer’s patient info and millions of sensitive profiles
California's privacy regulator has fined a Texas data broker $45,000 and banned it from selling Californians' personal information after it sold Alzheimer patients' data. Texan company Rickenbacher Data LLC, which does business as Datamasters, bought and resold the names, addresses, phone numbers...
Why iPhone users should update and restart their devices now
If you were still questioning whether iOS 26+ is for you, now is the time to make that call. Why? On December 12, 2025, Apple patched two WebKit zero‑day vulnerabilities linked to mercenary spyware and is now effectively pushing iPhone 11 and newer users toward iOS 26+, because that’s where the...
Enshittification is ruining everything online (Lock and Code S07E01)
This week on the Lock and Code podcast … There's a bizarre thing happening online right now where everything is getting worse. Your Google results have become so bad that you’ve likely typed what you’re looking for, plus the word “Reddit,” so you can find discussion from actual humans. If you...
One million customers on alert as extortion group claims massive Brightspeed data haul
US fiber broadband company Brightspeed is investigating claims by the Crimson Collective extortion group that it stole sensitive data belonging to more than 1 million residential customers, including extensive personally identifiable information PII, as well as account and billing details...
Phishing campaign abuses Google Cloud services to steal Microsoft 365 logins
Attackers are sending very convincing fake “Google” emails that slip past spam filters, route victims through several trusted Google-owned services, and ultimately lead to a look-alike Microsoft 365 sign-in page designed to harvest usernames and passwords. Researchers found that cybercriminals us...
Disney fined $10m for mislabeling kids’ YouTube videos and violating privacy law
Disney will pay a $10m settlement over allegations that it violated kids' privacy rights, the Federal Trade Commission FTC said this week. The agreement, first proposed in September 2025, resolves a dispute over Disney's labeling of child-targeted content on YouTube. The thousands of YouTube vide...
A week in security (December 29 – January 4)
Last week on Malwarebytes Labs: How AI made scams more convincing in 2025 In 2025, age checks started locking people out of the internet 2025 exposed the risks we ignored while rushing AI Malware in 2025 spread far beyond Windows PCs Stay safe! We don 't just report on privacy—we offer you the...
Inside a purchase order PDF phishing campaign
A PDF named "NEW Purchase Order 52177236.pdf" turned out to be a phishing lure. So we analyzed the phishing script behind it. A customer contacted me when Malwarebytes blocked the link inside a “purchase order” email they had received. Malwarebytes blocked this ionoscloud.com subdomain When I...
A week in security (December 8 – December 14)
Last week on Malwarebytes Labs: The US digital doxxing of H-1B applicants is a massive privacy misstep Google ads funnel Mac users to poisoned AI chats that spread the AMOS infostealer How private is your VPN? DroidLock malware locks you out of your Android device and demands ransom Malwarebytes...
The US digital doxxing of H-1B applicants is a massive privacy misstep
Technology professionals hoping to come and work in the US face a new privacy concern. Starting December 15, skilled workers on H-1B visas and their families must flip their social media profiles to public before their consular interviews. It’s a deeply risky move from a security and privacy...
DroidLock malware locks you out of your Android device and demands ransom
Researchers have analyzed a new threat campaign actively targeting Android users. The malware, named DroidLock, takes over a device and then holds it for ransom. The campaign to date has primarily targeted Spanish-speaking users, but researchers warn it could spread. DroidLock is delivered via...
EU fines X $140m, tied to verification rules that make impostor scams easier
The European Commission slapped social networking company X with a €120 million $140 million fine last week for what it says was a lack of transparency with its European users. The fine, the first ever penalty under the EU's landmark Digital Services Act, addressed three specific violations with...
How phishers hide banking scams behind free Cloudflare Pages
During a recent investigation, we uncovered a phishing operation that combines free hosting on developer platforms with compromised legitimate websites to build convincing banking and insurance login portals. These fake pages don't just grab a username and password–they also ask for answers to...
Scammers harvesting Facebook photos to stage fake kidnappings, warns FBI
The FBI has warned about a new type of scam where your Facebook pictures are harvested to act as “proof-of-life” pictures in a virtual kidnapping. The scammers pretend they have kidnapped somebody and contact friends and next of kin to demand a ransom for their release. While the alleged victim i...
A week in security (December 1 – December 7)
Last week on Malwarebytes Labs: Leaks show Intellexa burning zero-days to keep Predator spyware running How scammers use fake insurance texts to steal your identity Canadian police trialing facial recognition bodycams Update Chrome now: Google fixes 13 security issues affecting billions Attackers...
How scammers use fake insurance texts to steal your identity
Sometimes it’s hard to understand how some scams work or why criminals would even try them on you. In this case it may have been a matter of timing. One of my co-workers received this one: “Insurance estimates for certain age ranges: 20-30 200 – 300/mo 31-40 270 – 450/mo 41-64 350 – 500/mo Please...
Fileless protection explained: Blocking the invisible threat others miss
Most antivirus software for personal users scans your computer for malware hiding in files. This is, after all, how most malware is traditionally spread. But what about attacks that never create files? Fileless malware is a fast-growing threat that evades traditional antivirus software, because...
Malwarebytes joins Global Anti-Scam Alliance (GASA) as supporting member
We are excited to share that Malwarebytes has officially joined the Global Anti-Scam Alliance GASA as a supporting member. Working with GASA helps us stay aligned with others who are focused on reducing scams and keeping people safer online. Modern-day scams aren’t the clumsy, obvious tricks they...
A week in security (November 24 – November 30)
Last week on Malwarebytes Labs: How CVSS v4.0 works: characterizing and scoring vulnerabilities Millions at risk after nationwide CodeRED alert system outage and data breach Holiday shoppers targeted as Amazon and FBI warn of surge in account takeover attacks Fake LinkedIn jobs trick Mac users in...
How CVSS v4.0 works: characterizing and scoring vulnerabilities
The Common Vulnerability Scoring System CVSS provides software developers, testers, and security and IT professionals with a standardized way to assess vulnerabilities. You can use CVSS to assess the threat level of each vulnerability and then prioritize mitigation accordingly. This article...
AI teddy bear for kids responds with sexual content and advice about weapons
In testing, FoloToy’s AI teddy bear jumped from friendly chat to sexual topics and unsafe household advice. It shows how easily artificial intelligence can cross serious boundaries. It’s a fair moment to ask whether AI-powered stuffed animals are appropriate for children. It’s easy to get swept u...