Two Chrome flaws could be triggered by simply browsing the web: Update now

Google issued an extra patch addressing two security vulnerabilities in Chrome, both of which can be triggered remotely by an attacker when a user visits a specially crafted, malicious web page. Chrome is by far the world’s most popular browser, with an estimated 3.4 billion users. That makes it ...

A week in security (December 8 – December 14)

Last week on Malwarebytes Labs: The US digital doxxing of H-1B applicants is a massive privacy misstep Google ads funnel Mac users to poisoned AI chats that spread the AMOS infostealer How private is your VPN? DroidLock malware locks you out of your Android device and demands ransom Malwarebytes...

GhostFrame phishing kit fuels widespread attacks against millions

GhostFrame is a new phishing-as-a-service PhaaS kit, tracked since September 2025, that has already powered more than a million phishing attacks. Threat analysts spotted a series of phishing attacks featuring tools and techniques they hadn't seen before. A few months later, they had linked over a...

EU fines X $140m, tied to verification rules that make impostor scams easier

The European Commission slapped social networking company X with a €120 million $140 million fine last week for what it says was a lack of transparency with its European users. The fine, the first ever penalty under the EU's landmark Digital Services Act, addressed three specific violations with...

Deepfakes, AI resumes, and the growing threat of fake applicants

Recruiters expect the odd exaggerated resume, but many companies, including us here at Malwarebytes, are now dealing with something far more serious: job applicants who aren't real people at all. From fabricated identities to AI-generated resumes and outsourced impostor interviews, hiring pipelin...

Canadian police trialling facial recognition bodycams

A municipal police force in Canada is now using facial recognition bodycams, it was revealed this week. The police service in the prairie city of Edmonton is trialling technology from US-based Axon, which makes products for the military and law enforcement. Up to 50 officers are taking part in th...

Canadian police trialing facial recognition bodycams

A municipal police force in Canada is now using facial recognition bodycams, it was revealed this week. The police service in the prairie city of Edmonton is trialing technology from US-based Axon, which makes products for the military and law enforcement. Up to 50 officers are taking part in the...

Attackers have a new way to slip past MFA in educational orgs

Researchers are warning about a rise in cases of attackers using Evilginx to steal session cookies among educational institutions—letting them bypass the need for a multi-factor authentication MFA token. Evilginx is an attacker-in-the-middle phishing toolkit that sits between you and the real...

Fileless protection explained: Blocking the invisible threat others miss

Most antivirus software for personal users scans your computer for malware hiding in files. This is, after all, how most malware is traditionally spread. But what about attacks that never create files? Fileless malware is a fast-growing threat that evades traditional antivirus software, because...

Malwarebytes joins Global Anti-Scam Alliance (GASA) as supporting member

We are excited to share that Malwarebytes has officially joined the Global Anti-Scam Alliance GASA as a supporting member. Working with GASA helps us stay aligned with others who are focused on reducing scams and keeping people safer online. Modern-day scams aren’t the clumsy, obvious tricks they...

A week in security (November 24 – November 30)

Last week on Malwarebytes Labs: How CVSS v4.0 works: characterizing and scoring vulnerabilities Millions at risk after nationwide CodeRED alert system outage and data breach Holiday shoppers targeted as Amazon and FBI warn of surge in account takeover attacks Fake LinkedIn jobs trick Mac users in...

How CVSS v4.0 works: characterizing and scoring vulnerabilities

The Common Vulnerability Scoring System CVSS provides software developers, testers, and security and IT professionals with a standardized way to assess vulnerabilities. You can use CVSS to assess the threat level of each vulnerability and then prioritize mitigation accordingly. This article...

Fake LinkedIn jobs trick Mac users into downloading Flexible Ferret malware

Researchers have discovered a new attack targeting Mac users. It lures them to a fake job website, then tricks them into downloading malware via a bogus software update. The attackers pose as recruiters and contact people via LinkedIn, encouraging them to apply for a role. As part of the...

1 million victims, 17,500 fake sites: Google takes on toll-fee scammers

A Phishing-as-a-Service PhaaS platform based in China, known as “Lighthouse,” is the subject of a new Google lawsuit. Lighthouse enables smishing SMS phishing campaigns, and if you’re in the US there is a good chance you've seen their texts about a small amount you supposedly owe in toll fees...

Are you paying more than other people? NY cracks down on surveillance pricing

When you search for a product online, you might think you're getting the same price as everyone else. Think again. Your price might be different based on everything from your location to what you've looked at online. Companies often use algorithms to set their prices that rely heavily on customer...

We opened a fake invoice and fell down a retro XWorm-shaped wormhole

Somebody forwarded an “invoice” email and asked me to check the attachment because it looked suspicious. Good instinct—it was, and what we found inside was a surprisingly old trick hiding a modern threat. What it does If the recipient had opened the attached Visual Basic Script .vbs file, it woul...

Fake CAPTCHA sites now have tutorial videos to help victims install malware

Early on in 2025, I described how criminals used fake CAPTCHA sites and a clipboard hijacker to provide instructions for website visitors that would effectively infect their own machines with an information stealer known as the Lumma Stealer. ClickFix is the name researchers have since given to...

Hackers commit highway robbery, stealing cargo and goods

There’s a modern-day train heist happening across America, and this time, some of the bandana-masked robbers are sitting behind screens. According to new research, a group of cybercriminals has been attacking trucking, freight, and logistics companies for months, impersonating brands and even...

Take control of your privacy with updates on Malwarebytes for Windows

It’s getting harder to keep your Windows space truly yours, as Microsoft increasingly serves annoying ads and tracks your data across third-party apps. Pushing back against your eroding privacy has been a scattered and sometimes complicated process… but we're making it easier for you. With the...

Should you let Chrome store your driver’s license and passport?

Google has rolled out a new autofill feature for Chrome that goes beyond storing just your passwords, addresses, and credit card numbers. The new "enhanced autofill" can now stash your driver's license, passport details, VIN, or license plate information. Sounds convenient, right? But just becaus...

Gmail breach panic? It’s a misunderstanding, not a hack

After a misinterpretation of an interview with a security researcher, several media outlets hinted at a major Gmail breach. Reporters claimed the incident took place in April. In reality, the researcher had said there was an enormous amount of Gmail usernames and passwords circulating on the dark...

Chinese gangs made over $1 billion targeting Americans with scam texts

We regularly warn our readers about new scams and phishing texts. Almost everyone gets pestered with these messages. But where are all these scam texts coming from? According to an article in The Wall Street Journal: “It has become a billion-dollar, highly sophisticated business benefiting...

TikTok scam sells you access to your own fake money

This scam starts in your TikTok DMs. A brand-new account drops a melodramatic message—terminal illness, last goodbye, “I left you some assets.” At the bottom: a ready-made username and password for a crypto site you’ve never used. It’s designed to feel urgent and personal so you tap before you...

A week in security (October 6 – October 12)

Last week on Malwarebytes Labs: Apple voices concerns over age-check law that could put user privacy at risk Your passwords don’t need so many fiddly characters, NIST says Millions of very private chats exposed by two AI companion apps Fake VPN and streaming app drops malware that drains your ban...

Apple voices concerns over age-check law that could put user privacy at risk

Apple has raised concerns about a new Texas state law, SB 2420, which introduces age assurance requirements for app stores and app developers. One of its main objections is that the requirements are over the top and don’t take into account what the user is actually trying to do. Apple stated: “We...

One stolen iPhone uncovered a network smuggling thousands of devices to China

If you think Apple's 'Find My' feature was just there to help you locate your phone when it slipped down the side of the couch, think again. It turns out this service also helps law enforcement capture criminals. The original "Find My iPhone" was introduced in 2010 as a feature on the iPhone. It...

Modeling scams see mature models as attractive new prospects

The BBC reported on modeling scams targeting older models. Modeling scams aren't new, but it’s worth looking at how they spread today, how to spot them, and—most importantly—how to avoid falling victim to them. The classic pitch goes like this: Someone walks up to you in the street and says, "You...

Don’t connect your wallet: Best Wallet cryptocurrency scam is making the rounds

Phishers and scammers can’t get enough of sending their feeble attempts to Malwarebytes’ employees. For which we can’t thank them enough because it means we can warn you, our readers. This time the scammers tried to impersonate Best Wallet—an app that lets people store, send, and receive...

A week in security (September 29 – October 5)

Last week on Malwarebytes Labs: From threats to apology, hackers pull child data offline after public backlash Your Meta AI conversations may come back as ads in your feed Scam Facebook groups send malicious Android malware to seniors Sendit tricked kids, harvested their data, and faked messages,...

Sendit tricked kids, harvested their data, and faked messages, FTC claims

The Federal Trade Commission FTC has sued Sendit’s parent company, saying it signed up children under 13, collected their personal data, and misled them with fake messages and recurring bills. The lawsuit, filed against the app's owner Iconic Hearts Holdings Inc and CEO Hunter Rice, alleges the...

Tile trackers plagued by weak security, researchers warn

Researchers at the Georgia Institute of Technology scrutinized the security of the popular Tile tracker and came out disappointed. Bluetooth trackers are a steadily growing market, and Life360 is one of the major players. In 2021, Amazon expanded its Sidewalk network to include Tile. That means...

A week in security (September 22 – September 28)

Last week on Malwarebytes Labs: Hackers threaten parents: Get nursery to pay ransom or we leak your child’s data Google and Flo to pay $56 million after misusing users’ health data Neon App pays users to record their phone calls, sells data for AI training updated New SVG-based phishing campaign ...

Hackers threaten parents: Get nursery to pay ransom or we leak your child’s data

Just when you think extortionists can’t sink any lower, along comes a lowlife that manages to surprise you. The BBC reported that a group calling itself "Radiant" claims to have stolen sensitive data related to around 8,000 children from nursery chain Kido, which operates in the UK, US, China, an...

Neon App pays users to record their phone calls, sells data for AI training [updated]

TechCrunch reports about a “bizarre app” inviting you to record and share your audio calls so that it can sell the data to AI companies. And if that’s not weird enough on its own, it’s ranking No. 2 in Apple's US app store at the time of writing. The name of the app is Neon Mobile and it promises...

Police using drones to read your license plates, warns EFF

Police are using drones as flying automated license plate readers ALPRs, according to a report by the Electronic Frontier Foundation EFF. And where there is a market, a provider will jump in. Or was it the other way around this time? Flock Safety, for example, recently told a group of potential l...

Can you disappear online? (Lock and Code S06E19)

This week on the Lock and Code podcast There's more about you online than you know. The company Acxiom, for example, has probably determined whether you’re a heavy drinker, or if you're overweight, or if you smoke or all three. The same company has also probably estimated—to the exact dollar—the...

A week in security (September 15 – September 21)

Last week on Malwarebytes Labs: ChatGPT Deep Research zero-click vulnerability fixed by OpenAI Disrupted phishing service was after Microsoft 365 credentials Update your Chrome today: Google patches 4 vulnerabilities including one zero-day Age verification and parental controls coming to ChatGPT ...

Age verification and parental controls coming to ChatGPT to protect teens

OpenAI is going to try and predict the ages of its users to protect them better, as stories of AI-induced harms in children mount. The company, which runs the popular ChatGPT AI, is working on what it calls a long-term system to determine whether users are over 18. If it can't verify that a user ...

Pre-approved GLP-1 prescription scam could be bad for your health

A co-worker received a text which is, unfortunately, becoming more common. The text pretends to come from a doctor and states a weight-loss medication prescription has been approved. “Good morning. This is Dr. Santos. I pre-approved your GLP1 prescription. You may start treatment as of 09/04...

Popeyes, Tim Hortons, Burger King platforms have “catastrophic” vulnerabilities, say hackers

Two ethical hackers say they have uncovered massive security vulnerabilities in the platforms hosted by Restaurant Brands International RBI. RBI is one of the world's largest quick service restaurant companies. It was formed in 2014 through a $12.5 billion merger of the American fast food chain...

This “insidious” police tech claims to predict crime (Lock and Code S06E18)

This week on the Lock and Code podcast… In the late 2010s, a group of sheriffs out of Pasco County, Florida, believed they could predict crime. The Sheriff’s Department there had piloted a program called “Intelligence-Led Policing” and the program would allegedly analyze disparate points of data ...

iCloud Calendar infrastructure abused in PayPal phishing campaign

Once again, phishers are targeting PayPal users by abusing existing legitimate infrastructure. Only this time they’re not abusing PayPal’s platform, but iCloud Calendar invites. Our friends over at BleepingComputer unraveled a call-back phishing scam which was sent to one of their readers. “Pedro...

Roblox introduces age checks to use communication features

Roblox is an online platform that allows users to build, play and share online worlds and 3D games. Unfortunately, it’s also a popular platform among predators reaching out to kids and seducing them using game features such as messaging, avatar customization, and role-play. Over the years, the...

Popular Android VPN apps found to have security flaws and China links

People use VPNs for different security and privacy reasons, to access content anonymously, or to bypass content controls and age verification by pretending to be in different places. But not all VPNs are created equal. A recent report has revealed that many of them might allow others to sniff you...

Popular Android VPN apps found to have security flaws and China links

People use VPNs for different security and privacy reasons, to access content anonymously, or to bypass content controls and age verification by pretending to be in different places. But not all VPNs are created equal. A recent report has revealed that many of them might allow others to sniff you...

No we didn’t warn all Gmail users about imminent digital doom, says Google

Cybersecurity publications are rife with headlines about breaches and threats, but sometimes things aren't always what they seem. In fact sometimes they're plain wrong remember toothbrushgate? This week, Google highlighted another story that it said was fake - and this one was about its own...

Travelers to the UK targeted in ETA scams

Since January 8, 2025, travelers from most countries, including the US, Australia, and Canada have to apply for an Electronic Travel Authorisation ETA for visa free travel to the UK. You can apply for an Electronic Travel Authorisation using the ETA App, or via an online form. When you apply for ...

“No place in our networks”: FCC hangs up on thousands of voice operators in robocall war

Everyone hates robocalls. However, it's difficult to track down all the scammers and spammers that make them, so the Federal Communications Commission FCC has taken another approach: it just disconnected over a thousand voice operators from the public telephone network for not doing their part to...

Claude AI chatbot abused to launch “cybercrime spree”

Anthropic—the company behind the widely renowned coding chatbot, Claude—says it uncovered a large-scale extortion operation in which cybercriminals abused Claude to automate and orchestrate sophisticated attacks. The company issued a Threat Intelligence report in which it describes several...

AI browsers could leave users penniless: A prompt injection warning

Artificial Intelligence AI browsers are gaining traction, which means we may need to start worrying about the potential dangers of something called "prompt injection." Large language models LLMs—like the ones that power AI chatbots including ChatGPT, Claude, and Gemini—are designed to follow...