Scammers are impersonating the FBI to steal your personal data

Been scammed? Hoping to report it to the FBI? Definitely do so, but be careful. Spoofed versions of the FBI's Internet Crime Complaint Center IC3 website are now circulating online, and they lead straight back to the scammers. The FBI issued an advisory last week, warning that cybercriminals are...

Beware of Zelle transfer scams

As we have said many times before, falling for a scam can happen to the best of us. And it can ruin lives. In our podcast How a scam hunter got scammed, scam hunter Julie-Anne Kearns talked about how she had been duped by people pretending to be from HMRC, which is the UK’s version of the US...

ChatGPT solves CAPTCHAs if you tell it they’re fake

If you’re seeing fewer or different CAPTCHA puzzles in the near future, that’s not because website owners have agreed that they’re annoying, but it might be because they no longer prove that the visitor is human. For those that forgot what CAPTCHA stands for: Completely Automated Public Turing te...

A week in security (September 15 – September 21)

Last week on Malwarebytes Labs: ChatGPT Deep Research zero-click vulnerability fixed by OpenAI Disrupted phishing service was after Microsoft 365 credentials Update your Chrome today: Google patches 4 vulnerabilities including one zero-day Age verification and parental controls coming to ChatGPT ...

ChatGPT Deep Research zero-click vulnerability fixed by OpenAI

OpenAI has moved quickly to patch a vulnerability known as “ShadowLeak” before anyone detected real-world abuse. Revealed by researchers yesterday, ShadowLeak was an issue in OpenAI’s Deep Research project that attackers could exploit by simply sending an email to the target. Deep Research was...

Disrupted phishing service was after Microsoft 365 credentials

Microsoft and Cloudflare have disrupted a Phishing-as-a-Service operation, known as RaccoonO365. The primary goal of RaccoonO365 or Storm-2246 as Microsoft calls it was to rent out a phishing toolkit that specialized in stealing Microsoft 365 credentials. They were successful in at least 5,000...

Update your Chrome today: Google patches 4 vulnerabilities including one zero-day

Google has released an update for its Chrome browser to patch four security vulnerabilities, including one zero-day. A zero-day vulnerability refers to a bug that has been found and exploited by cybercriminals before the vendor even knew about it they have "zero days" to fix it. This update is...

Age verification and parental controls coming to ChatGPT to protect teens

OpenAI is going to try and predict the ages of its users to protect them better, as stories of AI-induced harms in children mount. The company, which runs the popular ChatGPT AI, is working on what it calls a long-term system to determine whether users are over 18. If it can't verify that a user ...

224 malicious apps removed from the Google Play Store after ad fraud campaign discovered

Researchers have discovered a large ad fraud campaign on Google Play Store. The Satori Threat Intelligence and Research team found 224 malicious apps which were downloaded over 38 million times and generated up to 2.3 billion ad requests per day. They named the campaign "SlopAds." Ad fraud is a...

Airline data broker selling 5 billion passenger records to US government

We already knew that the US airline industry gave the government access to passenger records. However, this week it emerged that at least five billion passenger records are being sold to government agencies via a searchable database—far more than was initially believed. A few weeks ago,...

Update your Apple devices to fix dozens of vulnerabilities

Apple has released security updates for iPhones, iPads, Apple Watches, Apple TVs, and Macs as well as for Safari, and Xcode to fix dozens of vulnerabilities which could give cybercriminals access to sensitive data. How to update your devices How to update your iPhone or iPad For iOS and iPadOS...

Grok, ChatGPT, other AIs happy to help phish senior citizens

If you are under the impression that cybercriminals need to get their hands on compromised AI chatbots to help them do their dirty work, think again. Some AI chatbots are just so user friendly that they can help the user craft phishing text, and even malicious HTML and Javascript code. A few week...

“A dare, a challenge, a bit of fun:” Children are hacking their own schools’ systems, says study

As if ransomware wasn’t enough of a security problem for the sector, educational institutions also need to worry about their own students, a recent study shows. Last week, the UK Information Commissioner’s Office ICO published a report about the "insider threat of students". Here are a few key...

Watch out for the “We are hiring” remote online evaluator message scam

Looking at our team’s recent text messages, you’d think that remote online evaluators are in high demand right now. Several members of our team have received the almost exact same job offer scam texts. The content of the messages is almost identical, but there is a variation in background images...

A week in security (September 8 – September 14)

Last week on Malwarebytes Labs: AI browsers or agentic browsers: a look at the future of web surfing From Fitbit to financial despair: How one woman lost her life savings and more to a scammer Meta ignored child sex abuse in VR, say whistleblowers When AI chatbots leak and how it happens Fake...

AI browsers or agentic browsers: a look at the future of web surfing

Browsers like Chrome, Edge, and Firefox are our traditional gateway to the internet. But lately, we have seen a new generation of browsers emerge. These are AI-powered browsers or "agentic browsers"—which are not to be confused with your regular browsers that have just AI-powered plugins bolted o...

From Fitbit to financial despair: How one woman lost her life savings and more to a scammer

We hear so often about people falling for scams and losing money. But we often don’t find out the real details of what happened, and how one "like" can turn into a nightmare that controls someone’s life for many years. This is that story. Not too long ago, a scam victim named Karen reached out to...

Meta ignored child sex abuse in VR, say whistleblowers

Two former employees at Meta testified against the company at a Senate hearing this week, accusing it of downplaying the dangers of child abuse in its virtual reality VR environment. The whistleblowers say they saw incidents where children were asked for sex acts and nude photos in Facebook's VR...

When AI chatbots leak and how it happens

In a recent article on Cybernews there were two clear signs of how fast the world of AI chatbots is growing. A company I had never even heard of had over 150 million app downloads across its portfolio, and it also had an exposed unprotected Elasticsearch instance. This needs a bit of an...

Fake Bureau of Motor Vehicles texts are after your personal and banking details

Scammers are sending out texts that claim to be from the Bureau of Motor Vehicles BMV, saying that you have outstanding traffic tickets. Here's an example, which was sent to one of our employees. “Ohio BMV Final Notice: Enforcement Begins September 10nd. Our records indicate that as of today, you...

‘Astronaut-in-distress’ romance scammer steals money from elderly woman

A Japanese octogenarian from Hokkaido Island lost thousands of dollars after being scammed by someone who described himself as a desperate astronaut in need of help. According to Hokkaidō Broadcasting, police in Sapporo say the fraudster contacted the woman on social media in July. After several...

Ransomware attack at blood center: Org tells users their data’s been stolen

A blood center has begun sending data breach notifications to its users after suffering a ransomware attack and theft of personal data. The New York Blood Center’s NYBC suffered the ransomware attack in January, in which an unauthorized party gained access to its network and acquired copies of a...

Pre-approved GLP-1 prescription scam could be bad for your health

A co-worker received a text which is, unfortunately, becoming more common. The text pretends to come from a doctor and states a weight-loss medication prescription has been approved. “Good morning. This is Dr. Santos. I pre-approved your GLP1 prescription. You may start treatment as of 09/04...

Plex users: Reset your password!

Media streaming platform Plex has warned customers about a data breach, advising them to reset their password. Plex said an attacker broke into one of its databases, allowing them to access a "limited subset" of customer data. This included email addresses, usernames, hashed passwords, and...

Popeyes, Tim Hortons, Burger King platforms have “catastrophic” vulnerabilities, say hackers

Two ethical hackers say they have uncovered massive security vulnerabilities in the platforms hosted by Restaurant Brands International RBI. RBI is one of the world's largest quick service restaurant companies. It was formed in 2014 through a $12.5 billion merger of the American fast food chain...

Google misled users about their privacy and now owes them $425m, says court

A court has ordered Google to pay $425m in a class action lawsuit after it was found to have misled users about their online privacy. In July 2020, Google user Anibal Rodriguez filed a lawsuit against the search giant, arguing that it misled users with its "Web & App Activity" setting. The settin...

This “insidious” police tech claims to predict crime (Lock and Code S06E18)

This week on the Lock and Code podcast… In the late 2010s, a group of sheriffs out of Pasco County, Florida, believed they could predict crime. The Sheriff’s Department there had piloted a program called “Intelligence-Led Policing” and the program would allegedly analyze disparate points of data ...

iCloud Calendar infrastructure abused in PayPal phishing campaign

Once again, phishers are targeting PayPal users by abusing existing legitimate infrastructure. Only this time they’re not abusing PayPal’s platform, but iCloud Calendar invites. Our friends over at BleepingComputer unraveled a call-back phishing scam which was sent to one of their readers. “Pedro...

A week in security (September 1 – September 7)

Last week on Malwarebytes Labs: Nexar dashcam video database hacked Roblox introduces age checks to use communication features Give your PC a fresh start: New free tools to boost your PC’s speed, security, and peace of mind TP-Link warns of botnet infecting routers and targeting Microsoft 365...

Nexar dashcam video database hacked

A hacker cracked into a database of video recordings taken from Nexar-branded cameras, which are built to be placed drivers’ cars, according to a new report from 404 Media. Nexar is a dashcam company that promotes its products as “virtual CCTV cameras” and offers automatic cloud uploads of critic...

Roblox introduces age checks to use communication features

Roblox is an online platform that allows users to build, play and share online worlds and 3D games. Unfortunately, it’s also a popular platform among predators reaching out to kids and seducing them using game features such as messaging, avatar customization, and role-play. Over the years, the...

Give your PC a fresh start: New free tools to boost your PC’s speed, security, and peace of mind

If you ever have the feeling your computer is dragging its feet, or shows odd behavior, you’re not alone. In some cases, the culprit is indeed malware, but often it’s something more mundane. Over time, baggage accumulates, much like a toddler’s backpack after a day in the forest. Too many apps...

TP-Link warns of botnet infecting routers and targeting Microsoft 365 accounts

TP-Link has issued a warning about a botnet exploiting two vulnerabilities to infect small office/home SOHO routers, which are then weaponized to attack Microsoft 365 accounts. The vulnerabilities affect the Archer C7 and TL-WR841N/ND routers, though other models may also be at risk. Despite the...

Popular Android VPN apps found to have security flaws and China links

People use VPNs for different security and privacy reasons, to access content anonymously, or to bypass content controls and age verification by pretending to be in different places. But not all VPNs are created equal. A recent report has revealed that many of them might allow others to sniff you...

Popular Android VPN apps found to have security flaws and China links

People use VPNs for different security and privacy reasons, to access content anonymously, or to bypass content controls and age verification by pretending to be in different places. But not all VPNs are created equal. A recent report has revealed that many of them might allow others to sniff you...

No we didn’t warn all Gmail users about imminent digital doom, says Google

Cybersecurity publications are rife with headlines about breaches and threats, but sometimes things aren't always what they seem. In fact sometimes they're plain wrong remember toothbrushgate? This week, Google highlighted another story that it said was fake - and this one was about its own...

Update your Android! Google patches 111 vulnerabilities, 2 are critical

Google has patched 111 vulnerabilities in Android, including two critical flaws, in its September 2025 Android Security Bulletin. While the last few months have been quite calm regarding the number of vulnerabilities, this month is a real whopper with 111, compared to 6 in August and none in July...

Why you should upgrade to Windows 11 now, and how to do it

I know many of us loved Windows XP and Windows 7 almost as much as we dislike Windows 10 and 11, but if you want to stay secure on Windows, the time to bite the bullet is closing in fast. Support for Windows 10 will end on October 14, 2025, which means the only Windows version that will continue ...

PayPal users targeted in account profile scam

A co-worker forwarded this rather convincing PayPal scam to me. Thanks Elena. A highly sophisticated email scam is targeting PayPal users with the subject line of "Set up your account profile." We decided to see what the scammers are after. First thing to do is to look at the headers: The sender...

Tax refund scam targets Californians

The State of California Franchise Tax Board FTB recently issued a warning to taxpayers to protect themselves from tax scams. In their warning the FTB states: “Recently, the FTB received reports of a scam targeting taxpayers through text messages that appear to be from FTB. These text messages...

WhatsApp fixes vulnerability used in zero-click attacks

WhatsApp says it has issued an update to patch a vulnerability that has been used in conjunction with an Apple vulnerability to target specific users and compromise their devices. Reportedly, attackers used this exploit against dozens of WhatsApp users, and WhatsApp has notified those affected:...

How to set up two-step verification on your WhatsApp account

Two step verification is the name Meta uses for what is generally referred to as Two-factor authentication 2FA. 2FA is not fool-proof, but it is one of the best ways to protect your accounts from hackers. It adds an extra step when logging in, which is a small extra effort for you, but it...

Travelers to the UK targeted in ETA scams

Since January 8, 2025, travelers from most countries, including the US, Australia, and Canada have to apply for an Electronic Travel Authorisation ETA for visa free travel to the UK. You can apply for an Electronic Travel Authorisation using the ETA App, or via an online form. When you apply for ...

A week in security (August 25 – August 31)

Last week on Malwarebytes Labs: Microsoft wants to automatically save your Word docs to the cloud "No place in our networks": FCC hangs up on thousands of voice operators in robocall war Claude AI chatbot abused to launch "cybercrime spree" Developer verification: a promised lift for Android...

Microsoft wants to automatically save your Word docs to the cloud

Microsoft has revealed it plans to automatically save all Word document to the cloud. The feature is currently only available to Microsoft 365 Insiders, although it's likely to expand this to all users in the future. Microsoft proudly announced: “We are modernizing the way files are created and...

“No place in our networks”: FCC hangs up on thousands of voice operators in robocall war

Everyone hates robocalls. However, it's difficult to track down all the scammers and spammers that make them, so the Federal Communications Commission FCC has taken another approach: it just disconnected over a thousand voice operators from the public telephone network for not doing their part to...

Claude AI chatbot abused to launch “cybercrime spree”

Anthropic—the company behind the widely renowned coding chatbot, Claude—says it uncovered a large-scale extortion operation in which cybercriminals abused Claude to automate and orchestrate sophisticated attacks. The company issued a Threat Intelligence report in which it describes several...

Claude AI chatbot abused to launch “cybercrime spree”

Anthropic—the company behind the widely renowned coding chatbot, Claude—says it uncovered a large-scale extortion operation in which cybercriminals abused Claude to automate and orchestrate sophisticated attacks. The company issued a Threat Intelligence report in which it describes several...

Developer verification: a promised lift for Android security

To reduce the number of harmful apps targeting Android users, Google has announced that certified Android devices will require all apps to be registered by verified developers in order to be installed. But this new measure is not just about malware that's found on the Google Play Store, it’s main...

More vulnerable stalkerware victims’ data exposed in new TheTruthSpy flaw

TheTruthSpy is at it again. A security researcher has discovered a flaw in the Android-based stalkerware that allows anyone to compromise any record in the system. TheTruthSpy stalkerware is designed to be installed surreptitiously on a victim's Android phone. It then monitors that phone's...