3 ways Malwarebytes helps you browse securely and privately online

Malicious links. Third-party ad trackers. Information-gobbling data brokers. Lets face it, the Internet is kind of like the Wild West when it comes to threats to our privacy and security. And unfortunately, it takes a little more than a cowboy hat and a pistol to defend yourself out there. Thats...

"2.6 million DuoLingo account entries" up for sale

Not a week goes by where we dont see an example of data scraping causing concern for both business and folks at home. The latest target happens to be popular language platform DuoLingo, who is currently digging into a forum post concerning data related to its customer accounts. Scraping data for...

Video game playing FISH live streams credit card 'theft'

A fish is in hot water metaphorically speaking after having performed some incredible antics on a video game live stream. The fish, known for playing popular video game titles to completion on live streams, decided to take that whole gamer lifestyle thing a little too far and went on a rip-roarin...

Update vRealize now! VMware patches critical RCE vulnerabilities

VMware has issued a security advisory for vRealize Log Insight that covers four vulnerabilities reported privately by the Zero Day Initiative ZDI. Two of these vulnerabilities are rated as critical. The issues have been fixed on vRealize Log Insight 8.10.2, so users should upgrade to the latest...

Consumer privacy and social media

Looking at the privacy related stories of 2022, its not hard to see that much of the focus was on the social media giants. Banning TikTok is slowly becoming a trend among US states. Google and Facebooks owner Meta was fined on several occasions for amounts that would have put other companies out ...

Grand Theft Auto 5 exploit allows cheaters to tamper with your data

Yesterday I spent some time helping to fix a relatives gaming PC. Their gaming data tied to Rockstars Grand Theft Auto 5 GTAV had somehow become corrupted and was no longer functional. I managed to repair the account and restore everything back to the way it was, but this isnt the end of the stor...

Own an older iPhone? Check you're on the latest version to avoid this bug

In December, 2022, we warned our readers about an actively exploited vulnerability in Apples WebKit. Back then we wondered why Apple specifically stated that the issue may have been actively exploited against versions of iOS released before iOS 15.1. At the time, our resident Apple expert Thomas...

VASTFLUX ad fraud massively affected millions of iOS devices, dismantled

Researchers have successfully dismantled a massive ad fraud campaign they stumbled upon by accident. The Satori Threat Intelligence and Research Team dubbed the campaign VASTFLUX, a portmanteau of "fast flux"--an evasion technique involving the constant changing of IP addresses behind a single...

What privacy can get you

The fight for data privacy must be won in the middle. No declaration, no call to arms, will sway the worst offenders. No public swell, no great big hack, has changed how money gets made. Corporations will continue to reap our data, package it into ad-friendly profiles, and, for a price, deliver t...

Riot Games compromised, new releases and patches halted

Popular game developer Riot Games brings word of a system compromise which may cause issues for updates to well known titles, although for the time being it seems as though customer data isn't affected. A social engineering development Making the notification via Twitter late last week, were stil...

Key takeaways from Malwarebytes 2023 State of Mobile Cybersecurity

The results of our latest survey on mobile cybersecurity in K-12 and hospitals are in--and its not all peaches and roses. When we talk about endpoint protection, its only natural to only think about the most commonly compromised endpoints like work laptops and servers--but your smartphone isnt of...

4 ways to protect your privacy while scrolling

Privacy is a right that is yours to value and defend. Article 8 of the Human Rights Act protects your right to respect for your private and family life. One of the pillars of the article is that personal information about you including official records, photographs, letters, diaries, and medical...

TikTok CEO told to "step up efforts to comply" with digital laws

EU Commissioner Thierry Breton, the EU's digital policy chief, "explicitly conveyed" to TikTok CEO Shou Zi Chew that the company must "step up efforts to comply" with the European Union's rules on copyright, data protection, and the Digital Services Act DSA--an EU regulation setting out "an...

Microsoft to end direct sale of Windows 10 licenses at the end of January

Windows 10 is slowly coming to an end, with one more way to purchase the operating system riding off into the sunset. Microsoft is posting notices in a variety of locations to confirm it will no longer sell Windows 10 licenses directly. Support remains in place for the time being, as is the usual...

Ransomware revenue significantly down over 2022

According to blockchain data platform Chainalysis, ransomware revenue "plummeted" from $765.6 in 2021 to at least $456.8 in 2022. The data is based on an analysis of the cryptocurrency addresses known to be controlled by ransomware attackers. Precision While the real numbers are likely much highe...

T-Mobile reports data theft of 37 million customers in the US

T-Mobile has announced that an attacker has accessed "limited types of information" on customers. It says it is informing impacted customers. According to the press release, no passwords, payment card information, social security numbers, government ID numbers or other financial account informati...

A week in security (January 16—22)

Last week on Malwarebytes Labs: Google to support the use of Rust in Chromium Law enforcement app SweepWizard leaks data on crime suspects Accountant ordered to pay ex-employer after bossware shows "time theft" TikTok dances to the tune of $5.4m cookie fine "Untraceable" surveillance firm sued fo...

Mailchimp breach feels like deja vu

A threat actor successfully used compromised employee credentials to gain access to 133 accounts on Mailchimp, the mainstream Intuit-owned email marketing platform, in a security incident that recently came to light. "On January 11, the Mailchimp Security team identified an unauthorized actor...

Credit card fraud group member could get up to 30 years in jail

Card fraud, a staple diet of scammers online, is currently featuring heavily on the US Department of Justice portal. The reason? A story which has rumbled on for a few years finally seems to be pulling into its final destination, as a man admits his role in a slice of fraud which impacted thousan...

[updated]Ransomware money laundering operation disrupted, founder arrested

The US Department of Justice DOJ has released information about the arrest of Anatoly Legkodymov, the founder and majority owner of a cryptocurrency exchange called Bitzlato, on money laundering charges. Legkodymov, a Russian national who lives in China, is accused of processing over $700 million...

Google sponsored ads lead to rogue imitation sites

Theres a big push in rogue advert land at the moment, with multiple forms of bogus websites being used as bait to rob people of their logins and funds. This story first came to light a few days ago, with news of a well known cryptocurrency fan "NFT God" being caught out by a bogus video recording...

Update now! Two critical flaws in Git's code found, patched

In a sponsored security source code audit, security experts from X41 D-SEC GmbH Eric Sesterhenn and Markus Vervier and GitLab Joern Schneeweisz found two notable critical flaws in Git's code. A vulnerability on Git could generally compromise source code repositories and developer systems, but...

LastPass users should move their crypto funds, experts warn

Several experts have warned LastPass users who store cryptocurrency-related login information in their vaults to change that login information as soon as they can. Apparently, cybercriminals who have access to the stolen information are making it a priority to decrypt the data in an attempt to...

CircleCI: Malware stole GitHub OAuth keys, bypassing 2FA

Software development service company CircleCI has published its incident report on a breach that happened in December. CircleCI revealed an engineer's laptop was successfully infected with a yet-to-be-named information-stealing Trojan, which was used to steal an engineer's session cookie. The...

Update now! Proof of concept code to be released for Zoho ManageEngine vulnerability

Users of multiple Zoho ManageEngine products are under urgent advice to install the patch issued October 27, 2022. The advice is urgent because on January 13, 2023 the Horizon3 Attack Team tweeted that Proof of Concept PoC code and a deep-dive blog will be released within a week. Mitigation A lon...

University suffers leaks, shutdowns at the hands of Vice Society

The Vice Society ransomware gang is back and making some unfortunate waves in the education sector. According to Bleeping Computer, the Society has held their ransomware laden hands up and admitted an attack on the University of Duisberg-Essen. Sadly this isnt the Universitys first encounter with...

Web skimmer found on website of Liquor Control Board of Ontario

On January 12, 2023, the Liquor Control Board of Ontario LCBO published a news release about a cybersecurity incident, affecting online sales through LCBO.com. It is one of the largest retailers and wholesalers of beverage alcohol in the world. Web skimmer The cybersecurity incident was a web...

Fighting technology's gender gap with TracketPacer: Lock and Code S04E02

Last month, the TikTok user TracketPacer posted a video online called "Network Engineering Facts to Impress No One at Zero Parties." TracketPacer regularly posts fun, educational content about how the Internet operates. The account is run by a network engineer named Lexie Cooper, who has worked i...

"Untraceable" surveillance firm sued for scraping Facebook and Instagram data

Days after Meta achieved victory after suing the NSO Group for Computer Fraud and Abuse Act charges, Meta filed a lawsuit against surveillance company Voyager Labs for violations of its Terms and Policies and California law. According to court documents, Voyager Labs created 38,000 fake accounts ...

TikTok dances to the tune of $5.4m cookie fine

The big social media fines just keep coming. Hot on the heels of Meta experiencing a $277m fine from the Irish Data Protection Commission, its now TikToks turn in the spotlight thanks to a cookie crumble. Can you walk into a huge fine in 2023 for making it difficult to refuse a cookie as easily a...

Accountant ordered to pay ex-employer after bossware shows "time theft"

The case of Karlee Besse, an accountant in British Colombia, was recently dismissed by the Civil Resolution Tribunal CRT in Canada, with a judge ordering her to pay back her former employer, Reach CPA, for "engaging in time theft"--a revelation that wouldn't have been possible if not for software...

Law enforcement app SweepWizard leaks data on crime suspects

SweepWizard, an obscure app apparently created by ODIN Intelligence and used by more than 60 law enforcement departments, has a flaw: According to an ethical hacker, a misconfiguration in the app's API application programming interface caused it to unintentionally leak to the open internet a trov...

Google to support the use of Rust in Chromium

In a blog by the Chrome security team we learned that the Chromium project is going to support the use of third-party Rust libraries from C++ in Chromium. This is good news because Rust is a so-called memory-safe programming language. So using it in a widespread program like Chrome and the other...

A week in security (January 9—15)

Last week on Malwarebytes Labs: Slack private code on GitHub stolen Crypto-inspired Magecart skimmer surfaces via digital crime haven Security vulnerabilities in major car brands revealed Microsoft ends extended support for Windows 7 and Windows Server 2008 today Pokemon NFT card game malware...

Timely patching is good, but sometimes it's not enough

Ransomware gangs have shown that they can play a long game, so it shouldnt come as a surprise to learn of one prepared to wait months to make use of a compromised system. S-RMs Incident Response team shared details of a campaign attributed to the Lorenz ransomware group that exploited a specific...

Multiple schools hit by Vice Society ransomware attack

The real world impact of cybercrime rears its head once more, with word that 14 schools in the UK have been caught out by ransomware. The schools, attacked by the group known as Vice Society, have had multiple documents leaked online in the wake of the attack. One of the primary schools...

US Department of the Interior's passwords "easily cracked"

It's bad news for the US Department of the Interior--a Government watchdogs security audit has revealed its passwords are simply not up to the job of warding off cracking attempts. The audit's wordy title was not kind: P@s$w0rds at the U.S. Department of the Interior: Easily Cracked Passwords, La...

WhatsApp lawsuit against NSO Group greenlit by Supreme Court

On Monday, the US Supreme Court denied the NSO Group's petition for a writ of certiorari, a request to the high court to review its case, signaling that Meta's WhatsApp can go ahead with its case against the Israeli-based company behind the Pegasus spyware. The court didn't explain why it refused...

Update now! Patch Tuesday January 2023 includes one actively exploited vulnerability

The first Microsoft Patch Tuesday of 2023 is an important one to start of the year with. In total 98 vulnerabilities were patched, including 11 that were labelled critical and one that is being actively exploited in the wild. This is also the last time we expect to see fixes for Windows 8.1...

5 must-haves for K-12 cybersecurity

Over the years, cyberattacks on K-12 schools and districts have steadily increased, and in 2022 that trend only continued. In the first half of 2022 alone, the education sector saw an average of almost 2,000 attacks every week--a 114% increase compared to two years ago. The tight budgets of many...

Cyberattack halts Royal Mail's overseas post

If youre looking to send letters or parcels outside of the UK using Royal Mail, youll want to hold off for a little while. Royal Mail is suffering from "severe disruption" after an unnamed cyber incident. While no specifics are currently available, Royal Mail has disclosed enough to let us know...

2023 prediction: Security workforce shortage will lead to nationally significant cyberattack

If 2022 was any indication, businesses are about to face an unprecedented volume, frequency, and sophistication of cyberthreats in 2023. Global cyberattacks have increased by 483 percent over the last two years, and at the current rate of growth, damage from such attacks will amount to $10.5...

Open redirect on government website sends users to adult content

Fake websites and open redirects have conspired to make things awkward for a UKGOV website. The site in question, riverconditionsdotenvironment-agencydotgovdotuk, was being abused in search engine results to redirect to various sites which arent associated with UKGOV--most of which were adult...

Maternal & Family Health Services discloses ransomware attack months after discovery

Maternal & Family Health Services MFHS, a nonprofit healthcare giant based in Pennsylvania, said in an advisory and press release that it has suffered a ransomware attack which led to the potential exposure of sensitive data of patients, employees, and vendors. That data includes names, addresses...

Identity thieves bypass security questions to access Experian credit reports

After a tip from a Telegram user who frequented identity theft channels, Brian Krebs tested and confirmed that anyone who knew your name, address, social security number SSN, and birthday could view your full credit report at Experian. Skipping security questions The method to get access did not...

US school district sues Facebook, Instagram, Snapchat, TikTok over harm to kids

Public schools in a Seattle district filed a lawsuit on Friday against parent companies of the biggest social networks on the internet, alleging social media is to blame for "a youth mental health crisis", and saying these companies have purposefully designed, refined, and operated their platform...

Polite WiFi loophole could allow attackers to drain device batteries

Researchers at the University of Waterloo in Ontario have further researched a loophole in the WiFi protocol that was dubbed "polite WiFi". Last year the researchers published a study in which they showed someone could use this loophole to triangulate the location of any WiFi enabled device. Now,...

Pokemon NFT card game malware chooses you

Pokemon fans are urged to be on their guard after bogus card game portals have been offering up malware under the guise of NFTs. The sites in question offer up an enticing looking mix of card gaming with a splash of money making on the side. Digital card games are big business in gaming circles,...

Microsoft ends extended support for Windows 7 and Windows Server 2008 today

Time has finally run out for Windows 7 Professional and Enterprise users. Microsoft will stop providing its Extended Security Updates ESU program for the OS version today, January 10. When the company ended its mainstream support for Windows 7 three years ago, it also offered an ESU program to...

Security vulnerabilities in major car brands revealed

Your car potentially hasnt "just" been a car for a long time. With multiple digital systems, vehicles are increasingly plugged into web applications and digital processes. These systems tie into everything from passwords and web chat systems for car company employees, to file repositories and oth...