4706 matches found
The March Madness scam playbook
March Madness is the annual men's and women's NCAA Division I basketball tournament, where 68 teams play in a single-elimination bracket for the US national championship. But March Madness doesn’t just bring buzzer beaters and busted brackets. It also kicks off a short, intense season for scammer...
Could your face change what you pay? NYC wants limits on biometric tracking
New York City lawmakers are pushing to ban private businesses from using biometric tools like voice and facial recognition software to track the public. While the desire to use surveillance technology in stores to fight shoplifting is understandable, lawmakers and privacy advocates are worried th...
Inside a network of 20,000+ fake shops
We mapped a sprawling fake shop operation of over 20,000 domains, dozens of shared IP addresses and identical storefronts with different names pasted on top. They exist for one purpose: to steal your payment details and personal data. The thread that ties them all together is a browser tab title...
Password managers keep your passwords safe, unless…
I’m a big advocate of password managers. Granted, there are better alternatives for passwords like passkeys, but if a provider offers nothing but password options, which many do, you can’t do much about that. So, for the time being we seem to be stuck with passwords. Every reputable password...
Betterment data breach might be worse than we thought
Betterment LLC is an investment advisor registered with US Securities and Exchange Commission SEC. The company disclosed a January 2026 incident in which an attacker used social engineering to access a third‑party platform used for customer communications, then abused it to send crypto‑themed...
Fake shops target Winter Olympics 2026 fans
If you've seen the two stoat siblings serving as official mascots of the Milano Cortina 2026 Winter Olympics, you already know Tina and Milo are irresistible. Designed by Italian schoolchildren and chosen from more than 1,600 entries in a public poll, the duo has already captured hearts worldwide...
Outlook add-in goes rogue and steals 4,000 credentials and payment data
Researchers found a malicious Microsoft Outlook add-in which was able to steal 4,000 stolen Microsoft account credentials, credit card numbers, and banking security answers. How is it possible that the Microsoft Office Add-in Store ended listing an add-in that silently loaded a phishing kit insid...
TikTok’s privacy update mentions immigration status. Here’s why.
In 2026, could any five words be more chilling than “We’re changing our privacy terms?” The timing could not have been worse for TikTok US when it sent millions of US users a mandatory privacy pop-up on January 22. The message forced users to accept updated terms if they wanted to keep using the...
Regulators around the world are scrutinizing Grok over sexual deepfakes
Grok’s failure to block sexualized images of minors has turned a single “isolated lapse” into a global regulatory stress test for xAI’s ambitions. The response from lawmakers and regulators suggests this will not be solved with a quick apology and a hotfix. Last week we reported on Grok's apology...
Are we ready for ChatGPT Health?
How comfortable are you with sharing your medical history with an AI? I’m certainly not. OpenAI’s announcement about its new ChatGPT Health program prompted discussions about data privacy and how the company plans to keep the information users submit safe. ChatGPT Health is a dedicated “health...
2025 exposed the risks we ignored while rushing AI
This blog is part of a series where we highlight new or fast-evolving threats in the consumer security landscape. This one looks at how the rapid rise ofArtificial Intelligence AI is putting users at risk. In 2025 we saw an ever-accelerating race between AI providers to push out new features. We...
Photo booth flaw exposes people’s private pictures online
Photo booths are great. You press a button and get instant results. The same can’t be said, allegedly, for the security practices of at least one company operating them. A security researcher spent weeks trying to warn a photo booth operator about a vulnerability in its system. The flaw reportedl...
Canadian police trialling facial recognition bodycams
A municipal police force in Canada is now using facial recognition bodycams, it was revealed this week. The police service in the prairie city of Edmonton is trialling technology from US-based Axon, which makes products for the military and law enforcement. Up to 50 officers are taking part in th...
Attackers have a new way to slip past MFA in educational orgs
Researchers are warning about a rise in cases of attackers using Evilginx to steal session cookies among educational institutions—letting them bypass the need for a multi-factor authentication MFA token. Evilginx is an attacker-in-the-middle phishing toolkit that sits between you and the real...
Hackers commit highway robbery, stealing cargo and goods
There’s a modern-day train heist happening across America, and this time, some of the bandana-masked robbers are sitting behind screens. According to new research, a group of cybercriminals has been attacking trucking, freight, and logistics companies for months, impersonating brands and even...
Chinese gangs made over $1 billion targeting Americans with scam texts
We regularly warn our readers about new scams and phishing texts. Almost everyone gets pestered with these messages. But where are all these scam texts coming from? According to an article in The Wall Street Journal: “It has become a billion-dollar, highly sophisticated business benefiting...
Researchers break OpenAI guardrails
The maker of ChatGPT released a toolkit to help protect its AI from attack earlier this month. Almost immediately, someone broke it. On October 6, OpenAI ran an event called DevDay where it unveiled a raft of new tools and services for software programmers who use its products. As part of that, i...
Fake VPN and streaming app drops malware that drains your bank account
Security researchers are warning Android users to delete a fake VPN and streaming app that can let criminals take over their phones and drain their bank accounts. The app, Mobdro Pro IP TV + VPN, was discovered by researchers at Cleafy to be a malicious sideloaded app, not a legitimate VPN. Their...
New SVG-based phishing campaign is a recipe for disaster
We've written in the past about cybercriminals using SVG files for phishing and for clickjack campaigns. We found a new, rather sophisticated example of an SVG involved in phishing. For readers that missed the earlier posts, SVG files are not always simply image files. Because they are written in...
A week in security (September 15 – September 21)
Last week on Malwarebytes Labs: ChatGPT Deep Research zero-click vulnerability fixed by OpenAI Disrupted phishing service was after Microsoft 365 credentials Update your Chrome today: Google patches 4 vulnerabilities including one zero-day Age verification and parental controls coming to ChatGPT ...
AI browsers or agentic browsers: a look at the future of web surfing
Browsers like Chrome, Edge, and Firefox are our traditional gateway to the internet. But lately, we have seen a new generation of browsers emerge. These are AI-powered browsers or "agentic browsers"—which are not to be confused with your regular browsers that have just AI-powered plugins bolted o...
Popular Android VPN apps found to have security flaws and China links
People use VPNs for different security and privacy reasons, to access content anonymously, or to bypass content controls and age verification by pretending to be in different places. But not all VPNs are created equal. A recent report has revealed that many of them might allow others to sniff you...
Popular Android VPN apps found to have security flaws and China links
People use VPNs for different security and privacy reasons, to access content anonymously, or to bypass content controls and age verification by pretending to be in different places. But not all VPNs are created equal. A recent report has revealed that many of them might allow others to sniff you...
No we didn’t warn all Gmail users about imminent digital doom, says Google
Cybersecurity publications are rife with headlines about breaches and threats, but sometimes things aren't always what they seem. In fact sometimes they're plain wrong remember toothbrushgate? This week, Google highlighted another story that it said was fake - and this one was about its own...
Travelers to the UK targeted in ETA scams
Since January 8, 2025, travelers from most countries, including the US, Australia, and Canada have to apply for an Electronic Travel Authorisation ETA for visa free travel to the UK. You can apply for an Electronic Travel Authorisation using the ETA App, or via an online form. When you apply for ...
A week in security (August 25 – August 31)
Last week on Malwarebytes Labs: Microsoft wants to automatically save your Word docs to the cloud "No place in our networks": FCC hangs up on thousands of voice operators in robocall war Claude AI chatbot abused to launch "cybercrime spree" Developer verification: a promised lift for Android...
Microsoft wants to automatically save your Word docs to the cloud
Microsoft has revealed it plans to automatically save all Word document to the cloud. The feature is currently only available to Microsoft 365 Insiders, although it's likely to expand this to all users in the future. Microsoft proudly announced: “We are modernizing the way files are created and...
“No place in our networks”: FCC hangs up on thousands of voice operators in robocall war
Everyone hates robocalls. However, it's difficult to track down all the scammers and spammers that make them, so the Federal Communications Commission FCC has taken another approach: it just disconnected over a thousand voice operators from the public telephone network for not doing their part to...
Claude AI chatbot abused to launch “cybercrime spree”
Anthropic—the company behind the widely renowned coding chatbot, Claude—says it uncovered a large-scale extortion operation in which cybercriminals abused Claude to automate and orchestrate sophisticated attacks. The company issued a Threat Intelligence report in which it describes several...
Developer verification: a promised lift for Android security
To reduce the number of harmful apps targeting Android users, Google has announced that certified Android devices will require all apps to be registered by verified developers in order to be installed. But this new measure is not just about malware that's found on the Google Play Store, it’s main...
A week in security (August 18 – August 24)
Last week on Malwarebytes Labs: Clickjack attack steals password managers’ secrets Grok chats show up in Google searches All Apple users should update after company patches zero-day vulnerability in all platforms Google settles YouTube lawsuit over kids’ privacy invasion and data collection...
Malwarebytes earns MRG Effitas Android 360° Certificate for mobile threat detection
We’re excited to announce that MRG Effitas, a globally recognized security assessment firm, has awarded Malwarebytes the prestigious MRG Effitas Android 360° Certificate, one of the toughest independent tests in mobile security. Our mobile protection received the highest marks, achieving a...
Alleged ‘tap-in’ scammer advertised services on social media
Would you give a complete stranger your credit card in return for the promise of easy money? No, neither would we. But apparently well over a hundred people did. Hillsborough County Sheriff's Office arrested 24 year-old Janetcilize Martinez in Tampa, FL, for allegedly using willing participants'...
Apple ID scam leads to $27,000 in-person theft of Ohio man
You've probably heard about people scamming from halfway around the world, but sometimes they turn up at your door. That's what happened in May, when 67 year-old Robert Wise of Ohio received a text telling him that his Apple ID had been compromised. It had been used at an Apple store for a $213...
Trump Administration and Big Tech want you to share your health data
US President Donald Trump announced a loose plan Wednesday to allow Americans to voluntarily upload and port their medical records across hospitals, clinics, technology companies, and health apps, with broad participation from Google, Apple, OpenAI, Amazon, and more. While the system could help...
Prison visitor details shared with all inmates at correctional facility
The Everglades Correctional Institution ECI in Miami-Dade County has leaked the names, email addresses, and telephone numbers of visitors to the facility to every inmate. The inmates received an email last week sent by a staff member that included the personal information of the visitors. Inmates...
Allianz Life says majority of 1.4 million US customers’ info breached
Insurance company Allianz Life was breached, exposing the data of most of its 1.4 million American customers. According to Allianz, an attacker gained access to a third-party, cloud-based Customer Relationship Management CRM system through social engineering. The company filed a data breach...
Watch out: Instagram users targeted in novel phishing campaign
A phishing campaign targeting Instagram users is doing the rounds. There are plenty of those around, but when we took a look at this particular email, it seemed a bit different to the normal phishing emails that point to scammy websites. The email looked like this, which is very similar to the on...
AI-generated image watermarks can be easily removed, say researchers
Now that AI can make fake images that look real, how can we know what's legitimate and what isn't? One of the primary ways has been the use of defensive watermarking, which means embedding invisible markers in AI-generated images to show they were made up. Now, researchers have broken that...
CNN, BBC, and CNBC websites impersonated to scam people
Researchers have uncovered a large campaign impersonating news websites, such as those from CNN, BBC, CNBC, News24, and ABC News, to promote investment scams. Adding a well known brand to your scammy site is a tale as old as time, and gives it an air of legitimacy that increases the likelihood th...
WhatsApp to start targeting you with ads
WhatsApp has announced that it will start to show you targeted ads on the app. The ads, it says, will appear under the Updates tab. WhatsApp launched the Updates tab a year ago, and now 1.5 billion people visit it every day. Updates has historically been a place for users to follow news and updat...
AI tool GeoSpy analyzes images and identifies locations in seconds
It's just become even more important to be conscious about the pictures we post online. GeoSpy is an Artificial Intelligence AI supported tool that can derive a person’s location by analyzing features in a photo like vegetation, buildings, and other landmarks. And it can do so in seconds based on...
Zombie ZIP method can fool antivirus during the first scan
A researcher published “Zombie ZIP,” a simple way to change the first part header of a ZIP file so it falsely claims its contents are uncompressed while they are actually compressed. Many antivirus products trust that header and never properly decompress or inspect the real payload. In tests...
American Archive of Public Broadcasting allowed access to restricted media for years
A security flaw in the American Archive of Public Broadcasting AAPB website allowed unauthorized access to protected and private media, according to BleepingComputer. The American Archive of Public Broadcasting AAPB is a collaborative initiative between the Library of Congress and WGBH Educationa...
Give your PC a fresh start: New free tools to boost your PC’s speed, security, and peace of mind
If you ever have the feeling your computer is dragging its feet, or shows odd behavior, you’re not alone. In some cases, the culprit is indeed malware, but often it’s something more mundane. Over time, baggage accumulates, much like a toddler’s backpack after a day in the forest. Too many apps...
Grok chats show up in Google searches
I’m starting to feel like a broken record, but I feel you should know that yet another AI has been found sharing private conversations so that Google was able to index them, and now they can be found in search results. It’s déjà vu in the world of AI: another day, another exposé about chatbot...
Instagram Map: What is it and how do I control it?
Instagram Map is a new feature—for Instagram, anyway—that users may have enabled without being fully aware of the consequences. The Map feature launched in the US on August 6, 2025, and is reportedly planned for a global rollout "soon." As of mid-August 2025, not all users outside the US,...
Facebook users targeted in ‘login’ phish
A few weeks ago we warned our readers of a phishing campaign targeting Instagram users that didn’t resort to the usual links to phishing websites, but used mailto: links instead. Now, it seems that these scammers have turned their attention to Facebook users. It works like this: The target receiv...
Meta accessed women’s health data from Flo app without consent, says court
A jury has ruled that Meta accessed sensitive information from a woman's reproductive health tracking app without consent. The app in question is called Flo Health. Developed in 2015 in Belarus to track menstrual cycles, it has evolved over the years as a tracking app for highly detailed, intimat...
Weight loss scams, or why ‘Jodie Foster’ wants me to lose weight
It seems like it's hard to move on social media without some kind of mention of weight-loss injections these days. And, sure, these drugs can have a positive affect for many people, but not all these cases of weight loss are real, nor are the people promoting them who they say they are. Weight-lo...