Malware Bytes Security

iPhone owners are reporting that photos they’d deleted are now back on their phones, after updating to iOS 17.5.

With so many users reporting similar oddities, it would seem something went wrong, or at least different than to be expected. Here are some examples from Reddit:

“When in conversation with my partner, I went to send a picture and saw that the latest pictures were nsfw material we’d made years ago”

“I have four pics from 2010 that keep reappearing as the latest pics uploaded to iCloud. I have deleted them repeatedly.”

“Same thing happened to me. Six photos from different times, all I have deleted. Some I had deleted in 2023.”

When you delete a photo from an iPhone or iPad, it goes into a “Recently deleted” album for up to 30 days to make it easy to recover if the photo is accidentally deleted. However, the above examples vastly exceed this timeframe, and it’s unclear exactly what’s happened here.

When you delete a file, actually all that happens is you remove the pointer that tells you where exactly the file is located. This makes it hard to find, but not impossible. Until the system uses the location of the deleted file and replaces it with other data, the file can be retrieved.

Apple’s last update for iOS 17.5 and iPadOS 17.5 came out on Monday with a warning to update your iPhone as soon as possible. That’s because iOS 17.5 fixes 15 security vulnerabilities, some of which are serious. Please don’t let this article stop you from installing the update, but it’s good to be prepared for some unexpected behavior.

At the time of writing, Apple hasn’t commented on the issue.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

More and more websites and services are making multi-factor-authentication (MFA) mandatory, which makes it much harder for cybercriminals to access your accounts. That’s a great thing. But as security evolves, so do cybercriminals who are always looking for new ways to scam us.

A type of phishing we’re calling authentication-in-the-middle is showing up in online media. While these techniques, named after man-in-the-middle (MitM) attacks, have existed for a while, they appear to be gaining traction now.

It works like this: A user gets lured to a phishing site masquerading as a site they normally use, such as a bank, email or social media account. Once the user enters their login into the fake site, that information gets redirected by the cybercriminals to the actual site, without the user knowing.

The user is then prompted for their MFA step. They complete this, usually by entering a code or accepting a push notification, and this information is then relayed to the criminals, allowing them to login to the site.

Once the criminals are into an account, they can start changing settings like the account’s email address, phone number, and password, so the user can no longer log in, or they can simply clean out a bank account. This may help you understand why many platforms ask for your PIN or other authentication again when you try to change one of these important settings.

Victims are lured to phishing sites like these via links from social media or emails where it can be hard to identify the real link.  Phishing sites can even show up in sponsored search results, in the same way as we reported about tech support scams.

How to protect yourself from authentication-in-the-middle attacks

• Keep your wits about you. Being aware of how scammers work is the first step to avoiding them. Don’t assume sponsored search results are legit, and trust that if something seems suspicious then it probably is.
• Use security software. Many security programs block known phishing sites, although domains are often short-lived and get rotated quickly. Malwarebytes Browser Guard can help protect you.
• Use a password manager. Password managers will not auto-fill a password to a fake site, even if it looks like the real deal to you.
• Consider passkeys. Multi-factor authentication is still super-important to enable, and will protect you from many types of attacks, so please continue to use it. However, authentication-in-the-middle attacks only work with certain types of MFA, and passkeys won’t allow the cybercriminals to login to your account in this way. Many services have already begun using passkeys and they’re no doubt here to stay.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

BreachForums—probably the largest dark web marketplace for stolen data to be leaked and sold—has been seized by law enforcement.

Now, both the regular and the TOR domain of BreachForums are plastered with a message telling visitors the site is now under control of the FBI.

The FBI said BreachForums and its predecessor Raidforums was:

“…operating as a clear-net marketplace for cybercriminals to buy, sell, and trade contraband, including stolen access devices, means of identification, hacking tools, breached databases, and other illegal services.”

Raidforums ran from early 2015 until February 2022. The first iteration of BreachForums was then set up in March 2022 and ran until March 2023, when US law enforcement arrested the alleged operator, “Pompompurin”, in New York.

A new administrator then rose to the occasion and said they were working on a plan to get the forum through the problems caused by that arrest. But on March 21, 2023, the new administrator announced the decision to shut BreachForums down.

Another forum administrator going by the account name “Baphomet” then took over.

According to BleepingComputer, the FBI has also seized the site’s Telegram channel, with law enforcement sending messages to the channel on behalf of the forum’s operator “Baphomet”.

BreachForums was in use just last week for a big name breach when a cybercriminal put up for sale breached customer data taken from Dell between 2017-2024.

We’ll keep you posted on any new developments.

Has your data been exposed?

If you want to find out how much of your data has been exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

SCAN NOW

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection

Apple and Google have announced an industry specification for Bluetooth tracking devices which help alert users to unwanted tracking.

The specification, called Detecting Unwanted Location Trackers, will make it possible to alert users across both iOS and Android if a device is unknowingly being used to track them.

The alert would be pushed to the users device and would say “[Item] Found Moving With You.”

In many cases “[Item]” might well actually be an AirTag.

AirTags’ intended use is to let you easily track things like your keys, wallet, purse, backpack, luggage, and more. You can simply set it up with your iPhone, iPad, or iPod touch, attach it somewhere, and the AirTag will show up in your Find My app. However, AirTags have long been associated with this unwanted tracking, which is something Apple apparently did not foresee and has been working on to make this type of abuse harder.

Apple’s first step to discourage unwanted tracking was the “Tracking Notifications” option in the Find My app. This feature is available on iOS or iPadOS 14.5 or later.

Android introduced a similar “unknown tracker alert” to find trackers placed near you or in your belongings without your knowledge or consent.

With the new capability that both tech giants have pushed, users will now get the alert, regardless of the platform the device is paired with. If a user gets such an alert on their device, it means that someone else’s Bluetooth tracker is moving with them.

Android and iPhone users can view the tracker’s identifier, have the tracker play a sound to help locate it, and access instructions to disable it. Bluetooth tag manufacturers including Chipolo, eufy, Jio, Motorola, and Pebblebee have all said that future tags will be compatible.

Apple and Google will continue to work with the Internet Engineering Task Force via the Detecting Unwanted Location Trackers working group to develop the official standard for this technology.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Google has released an emergency security update for its Chrome browser. The update includes a patch released four days earlier for a vulnerability which Google say is already being exploited.

The easiest way to update Chrome is to allow it to update automatically, but you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.

Click Settings > About Chrome. If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete, and for you to be safe from those vulnerabilities.

After the update, the version should be 124.0.6367.207, or later Technical details on the vulnerabilities

If you have already updated to version 124.0.6367.201/.202 for Mac and Windows or 124.0.6367.201 for Linux, this will provide protection against the first vulnerability. The patch Google issued four days ago covered this actively exploited vulnerability.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The actively exploited CVE patched in this update is:

CVE-2024-4671 a use after free in Visuals in Google Chrome prior to 124.0.6367.201 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

Use after free (UAF) is a type of vulnerability that is the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. In this case, by exploiting the vulnerability, the attacker can escape the sandbox that should contain any threats to the browser.

Exploitation is possible by getting the target to open a specific, specially crafted webpage, so the vulnerability is suitable for exploitation as a drive-by attack.

CVE-2024-4761: An out of bounds write in V8 in Google Chrome prior to 124.0.6367.207 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.

An out-of-bounds write or read flaw makes it possible to manipulate parts of the memory which are allocated to more critical functions. This could allow an attacker to write code to a part of the memory where it will be executed with permissions that the program and user should not have.

V8 is Google’s open-source high-performance JavaScript and WebAssembly engine and is part of the Chromium project. Among others it runs the JavaScript code included in webpages.

Again, exploitation is possible by getting the target to open a specific, especially crafted webpage, which makes the vulnerability suitable for exploitation as a drive-by attack.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Across America, survivors of domestic abuse and stalking are facing a unique location tracking crisis born out of policy failure, unclear corporate responsibility, and potentially risky behaviors around digital sharing that are now common in relationships.

No, we’re not talking about stalkerware. Or hidden Apple AirTags. We’re talking about cars.

Modern cars are the latest consumer “device” to undergo an internet-crazed overhaul, as manufacturers increasingly stuff their automobiles with the types of features you’d expect from a smartphone, not a mode of transportation.

There are cars with WiFi, cars with wireless charging, cars with cameras that not only help while you reverse out of a driveway, but which can detect whether you’re drowsy while on a long haul. Many cars now also come with connected apps that allow you to, through your smartphone, remotely start your vehicle, schedule maintenance, and check your tire pressure.

But one feature in particular, which has legitimate uses in responding to stolen and lost vehicles, is being abused: Location tracking.

It’s time car companies do something about it.  

In December, The New York Times revealed the story of a married woman whose husband was abusing the location tracking capabilities of her Mercedes-Benz sedan to harass her. The woman tried every avenue she could to distance herself from her husband. After her husband became physically violent in an argument, she filed a domestic abuse report. Once she fled their home, she got a restraining order. She ignored his calls and texts.

But still her husband could follow her whereabouts by tracking her car—a level of access that Mercedes representatives reportedly could not turn off, as he was considered the rightful owner of the vehicle (according to The New York Times, the husband’s higher credit score convinced the married couple to have the car purchased in his name alone).

As reporter Kashmir Hill wrote of the impasse:

“Even though she was making the payments, had a restraining order against her husband and had been granted sole use of the car during divorce proceedings, Mercedes representatives told her that her husband was the customer so he would be able to keep his access. There was no button she could press to take away the app’s connection to the vehicle.”

This was far from an isolated incident.

In 2023, Reuters reported that a San Francisco woman sued her husband in 2020 for allegations of “assault and sexual battery.” But some months later, the woman’s allegations of domestic abuse grew into allegations of negligence—this time, against the carmaker Tesla.

Tesla, the woman claimed in legal filings, failed to turn off her husband’s access to the location tracking capabilities in their shared Model X SUV, despite the fact that she had obtained a restraining order against her husband, and that she was a named co-owner of the vehicle.

When The New York Times retrieved filings from the San Francisco lawsuit above, attorneys for Tesla argued that the automaker could not realistically play a role in this matter:

“Virtually every major automobile manufacturer offers a mobile app with similar functions for their customers,” the lawyers wrote. “It is illogical and impractical to expect Tesla to monitor every vehicle owner’s mobile app for misuse.”

Tesla was eventually removed from the lawsuit.

In the Reuters story, reporters also spoke with a separate woman who made similar allegations that her ex-husband had tracked her location by using the Tesla app associated with her vehicle. Because the separate woman was a “primary” account owner, she was able to remove the car’s access to the internet, Reuters reported.

A better path

Location tracking—and the abuse that can come with it—is a much-discussed topic for Malwarebytes Labs. But the type of location tracking abuse that is happening with shared cars is different because of the value that cars hold in situations of domestic abuse.

A car is an opportunity to physically leave an abusive partner. A car is a chance to start anew in a different, undisclosed location. In harrowing moments, cars have also served as temporary shelter for those without housing.

So when a survivor’s car is tracked by their abuser, it isn’t just a matter of their location and privacy being invaded, it is a matter of a refuge being robbed.

In speaking with the news outlet CalMatters, Yenni Rivera, who works on domestic violence cases, explained the stressful circumstances of exactly this dynamic.

“I hear the story over and over from survivors about being located by their vehicle and having it taken,” Rivera told CalMatters. “It just puts you in a worst case situation because it really triggers you thinking, ‘Should I go back and give in?’ and many do. And that’s why many end up being murdered in their own home. The law should make it easier to leave safely and protected.”

Though the state of California is considering legislative solutions to this problem, national lawmaking is slow.

Instead, we believe that the companies that have the power to do something act on that power. Much like how Malwarebytes and other cybersecurity vendors banded together to launch the Coalition Against Stalkerware, automakers should work together to help users.

Fortunately, an option may already exist.

When the Alliance for Automobile Innovation warned that consumer data collection requests could be weaponized by abusers who want to comb through the car location data of their partners and exes, the automaker General Motors already had a protection built in.

According to Reuters, the roadside assistance service OnStar, which is owned by General Motors, allows any car driver—be they a vehicle’s owner or not—to hide location data from other people who use the same vehicle. Rivian, a new electric carmaker, is reportedly working on a similar feature, said senior vice president of software development Wassym Bensaid in speaking with Reuters.

Though Reuters reported that Rivian had not heard of their company’s technology being leveraged in a situation of domestic abuse, Wassym believed that “users should have a right to control where that information goes.”

We agree.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Last week on Malwarebytes Labs:

• Dell notifies customers about data breach
• DocGo patient health data stolen in cyberattack
• Desperate Taylor Swift fans defrauded by ticket scams
• Tracing what went wrong in 2012 for today’s teens, with Dr. Jean Twenge: Lock and Code S04E10

Last week on ThreatDown:

• Ransomware review: May 2024
• FakeBat threat profile
• Law enforcement places new teasers on LockBit leak site and reveals sanctions

Stay safe!

Dell is warning its customers about a data breach after a cybercriminal offered a 49 million-record database of information about Dell customers on a cybercrime forum.

A cybercriminal called Menelik posted the following message on the “Breach Forums” site:

“The data includes 49 million customer and other information of systems purchased from Dell between 2017-2024.

It is up to date information registered at Dell servers.

Feel free to contact me to discuss use cases and opportunities.

I am the only person who has the data.”

Screenshot taken from the Breach Forums

According to Menelik the data includes:

• The full name of the buyer or company name
• Address including postal code and country
• Unique seven digit service tag of the system
• Shipping date of the system
• Warranty plan
• Serial number
• Dell customer number
• Dell order number

Most of the affected systems were sold in the US, China, India, Australia, and Canada.

Users on Reddit reported getting an email from Dell which was apparently sent to customers whose information was accessed during this incident:

“At this time, our investigation indicates limited types of customer information was accessed, including:

• Name
• Physical address
• Dell hardware and order information, including service tag, item description, date of order and related warranty information.

The information involved does not include financial or payment information, email address, telephone number or any highly sensitive customer information.”

Although Dell might be trying to play down the seriousness of the situation by claiming that there is not a significant risk to its customers given the type of information involved, it is reassuring that there were no email addresses included. Email addresses are a unique identifier that can allow data brokers to merge and enrich their databases.

So, this is another big data breach that leaves us with more questions than answers. We have to be careful that we don’t shrug these data breaches away with comments like “they already know everything there is to know.”

This kind of information is exactly what scammers need in order to impersonate Dell support.

Protecting yourself from a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

If you want to find out how much of your data has been exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

SCAN NOW

Medical health care provider DocGo has disclosed in a form 8-K that it experienced a cybersecurity incident involving some of the company’s systems. As part of the investigation of the incident, the company says it has determined that the attacker accessed and acquired data, including certain protected health information.

DocGo is a healthcare provider that offers mobile health services, ambulance services, and remote monitoring for patients in 30 US states, and across the United Kingdom. On its company website it touts over 7,000,000 patient interactions.

In the same form, DocGo says the breach concerns a limited number of healthcare records within the company’s US-based ambulance transportation business, and that no other business lines have been involved.

DocGo says it is actively reaching out to those individuals who had their data compromised in the attack.  

So far, we have no indication what the nature of the cyberattack was, but it is almost standard procedure nowadays for ransomware groups to use stolen data as extra leverage to get the victim to pay the ransom.

Protecting yourself from a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

SCAN NOW

Ticket scams are very common and apparently hard to stop. When there are not nearly enough tickets for some concerts to accommodate all the fans that desperately want to be there, it makes for ideal hunting grounds for scammers.

With a ticket scam, you pay for a ticket and you either don’t receive anything or what you get doesn’t get you into the venue.

As reported by the BBC, Lloyds Bank estimates that fans have lost an estimated £1m ($1.25 m) in ticket scams ahead of the UK leg of Taylor Swift’s Eras tour. Roughly 90% of these scams were said to have started on Facebook.

Many of these operations work with compromised Facebook accounts and make both the buyer and the owner of the abused account feel bad. These account owners are complaining about the response, or lack thereof, they are getting from Meta (Facebook’s parent company) about their attempts to report the account takeovers.

Victims feel powerless as they see some of their friends and family fall for the ticket scam.

“After I reported it, there were still scams going on for at least two or three weeks afterwards.”

We saw the same last year when “Swifties” from the US filed reports about scammers taking advantage of fans, some of whom lost as much as $2,500 after paying for tickets that didn’t exist or never arrived. The Better Business Bureau reportedly received almost 200 complaints nationally related to the Swift tour, with complaints ranging from refund struggles to outright scams.

Now that the tour has European cities on the schedule the same is happening all over again.

And mind you, it’s not just concerts. Any event that is sold out through the regular, legitimate channels and works with transferable tickets is an opportunity for scammers. Recently we saw a scam working from sponsored search results for the Van Gogh Museum in Amsterdam. People that clicked on the ad were redirected to a fake phishing site where they were asked to fill out their credit card details.

Consider that to be a reminder that it’s easy for scammers to set up a fake website that looks genuine. Some even use a name or website url that is similar to the legitimate website. If you’re unsure or it sounds too good to be true, leave the website immediately.

Equally important to keep in mind is the power of AI which has taken the creation of a photograph of—fake—tickets to a level that it’s child’s play.

How to avoid ticket scams

No matter how desperate you are to visit a particular event, please be careful. When it’s sold out and someone offers you tickets, there are a few precautions you should take.

• Research the ticket seller. Anybody can set up a fake ticket website, and sponsored ads showing at the top of search engines can be rife with bogus sellers. You may also run into issues buying tickets from sites like eBay. Should you decide to use sites other than well-known entities like Ticketmaster, check for reviews of the seller.
• Are the tickets transferable? For some events the tickets are non-transferable which makes it, at least, unwise to try and buy tickets from someone who has decided they “don’t need or want them” after all. You may end up with tickets that you can’t use.
• Use a credit card if possible. You’ll almost certainly have more protection than if you pay using your debit card, or cash. We definitely recommend that you avoid using cash. If someone decides to rip you off, that money is gone forever.
• A “secure” website isn’t all it seems. While sites that use HTTPS (the padlock) ensure your communication is secure, this does not guarantee the site is legitimate. Anyone can set up a HTTPs website, including scammers.
• It’s ticket inspector time. One of the best ways to know for sure that your ticket is genuine is to actually look at it. Is the date and time correct? The location? Are the seat numbers what you were expecting to see? It may well be worth calling the event organizers or the event location and confirming that all is as it should be. Some events will give examples of what a genuine ticket should look like on the official website.
• Use a blocklist. Software like Malwarebytes Browser Guard will block known phishing and scam sites.

This week on the Lock and Code podcast…

You’ve likely felt it: The dull pull downwards of a smartphone scroll. The “five more minutes” just before bed. The sleep still there after waking. The edges of your calm slowly fraying.

After more than a decade of our most recent technological experiment, in turns out that having the entirety of the internet in the palm of your hands could be … not so great. Obviously, the effects of this are compounded by the fact that the internet that was built after the invention of the smartphone is a very different internet than the one before—supercharged with algorithms that get you to click more, watch more, buy more, and rest so much less.

But for one group, in particular, across the world, the impact of smartphones and constant social media may be causing an unprecedented mental health crisis: Young people.

According to the American College Health Association, the percentage of undergraduates in the US—so, mainly young adults in college—who were diagnosed with anxiety increased 134% since 2010. In the same time period for the same group, there was in increase in diagnoses of depression by 106%, ADHD by 72%, bipolar by 57%, and anorexia by 100%.

That’s not all. According to a US National Survey on Drug Use and Health, the prevalence of anxiety in America increased for every age group except those over 50, again, since 2010. Those aged 35 – 49 experienced a 52% increase, those aged 26 – 34 experienced a 103% increase, and those aged 18 – 25 experienced a 139% increase.

This data, and much more, was cited by the social psychologist and author Jonathan Haidt, in debuting his latest book, “The Anxious Generation: How the Great Rewiring of Childhood Is Causing an Epidemic of Mental Illness.” In the book, Haidt examines what he believes is a mental health crisis unique amongst today’s youth, and he proposes that much of the crisis has been brought about by a change in childhood—away from a “play-based” childhood and into a “phone-based” one.

This shift, Haidt argues, is largely to blame for the increased rates of anxiety, depression, suicidality, and more.

And rather than just naming the problem, Haidt also proposes five solutions to turn things around:

• Give children far more time playing with other children. 
• Look for more ways to embed children in stable real-world communities.  
• Don’t give a smartphone as the first phone.
• Don’t give a smartphone until high school.  
• Delay the opening of accounts on nearly all social media platforms until the beginning of high school (at least).

But while Haidt’s proposals may feel right—his book has spent five weeks on the New York Times Best Seller list—some psychologists disagree.

Writing for the outlet Platformer, reporter Zoe Schiffer spoke with multiple behavioral psychologists who alleged that Haidt’s book cherry-picks survey data, ignores mental health crises amongst adults, and over-simplifies a complex problem with a blunt solution.  

Today, on the Lock and Code podcast with host David Ruiz, we speak with Dr. Jean Twenge to get more clarity on the situation: Is there a mental health crisis amongst today’s teens? Is it unique to their generation? And can it really be traced to the use of smartphones and social media?

According to Dr. Twenge, the answer to all those questions is, pretty much, “Yes.” But, she said, there’s still some hope to be found.

“This is where the argument around smartphones and social media being behind the adolescent mental health crisis actually has, kind of paradoxically, some optimism to it. Because if that’s the cause, that means we can do something about it.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Last week on Malwarebytes Labs:

• You get a passkey, you get a passkey, everyone should get a passkey
• Dropbox Sign customer data accessed in breach
• Watch out for tech support scams lurking in sponsored search results
• Psychotherapy practice hacker gets jail time after extorting patients, publishing personal therapy notes online
• Wireless carriers fined $200 million after illegally sharing customer location data
• Malwarebytes Premium Security earns “Product of the Year” from AVLab
• FBI warns online daters to avoid “free” online verification schemes that prove costly
• Kaiser health insurance leaked patient data to advertisers

Last week on ThreatDown:

• ThreatDown earns “Product of the Year” from AVLab
• Gitlab zero-click vulnerability under active exploitation
• Nitrogen threat profile
• London Drugs closes retail stores after ransomware attack
• CISA pilot has sent 2,000 alerts to organizations at risk of ransomware
• LockBit Black threat profile
• The anatomy of a Medusa ransomware attack: ThreatDown MDR team investigates
• Medusa ransomware: What organizations need to know
• Corporate users targeted via malicious ads and modals

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Microsoft is rolling out passkey support for all consumer accounts.

Passkeys are a very secure replacement for passwords that can’t be cracked, guessed or phished, and let you log in easily, without having to type a password every time.

After enabling them in Windows 11 last year, Microsoft account owners can now generate passkeys across multiple platforms including Windows, Android, and iOS. You can create passkeys for your Microsoft account, and you can choose your face, fingerprint, PIN, or a security key to secure it.

How to set up a passkey

To create a passkey for your Microsoft account, follow these steps on the device where you’d like to create a passkey:

• Sign in to your Microsoft account.
• Navigate to Security  > Advanced Security Options.

• Click on Get started.
• Choose Add a new way to sign in or verify.

Note: Under certain circumstances, somewhere along the way you may end up in this screen which basically offers you the same choices in a prompt.

• To create a passkey: Select Face, fingerprint, PIN, or security key.
• Follow the instructions on your device.
• During this process, you can choose to save the passkey to different devices like your Android, iPad, or iPhone, or a hardware key.
• You’ll be presented with a QR code to scan with the selected device.
• On the selected device you’ll be asked to authenticate.
• When the procedure is successful, you’ll be asked to provide a name for the passkey. A good choice is to use a name that gives away the location where you stored the passkey.

Where is you passkey saved? Give this passkey a name to easily manage it later.

• After confirming the name you’ll see this confirmation.

Passkey added. You can now use this passkey to sign in to your account. Removing a passkey

Should you have second thoughts and want to remove a passkey, follow these steps:

• Visit the Advanced Security Options.
• From the list under Ways to prove who you are, select the passkey you’d like to remove.
• Choose Remove.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Dropbox is reporting a recent “security incident” in which an attacker gained unauthorized access to the Dropbox Sign (formerly HelloSign) production environment. During this access, the attacker had access to Dropbox Sign customer information.

Dropbox Sign is a platform that allows customers to digitally sign, edit, and track documents. The accessed customer information includes email addresses, usernames, phone numbers, and hashed passwords, in addition to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication. The access is limited to Dropbox Sign customers and does not affect users of other Dropbox services because the environments are largely separate.

“We believe that this incident was isolated to Dropbox Sign infrastructure and did not impact any other Dropbox products.”

Even if you never created a Dropbox Sign account but received or signed a document through Dropbox Sign, your email addresses and names were exposed. In a government (K-8) filing about the incident, Dropbox says it found no evidence of unauthorized access to the contents of customers’ accounts (i.e. their documents or agreements), or their payment information. 

The attacker compromised a back-end service account that acted as an automated system configuration tool for the Dropbox Sign environment. The attacker used the privileges of the service account for the production environment to gain access to the customer database.

To limit the aftermath of the incident, Dropbox’s security team reset users’ passwords, logged users out of any devices they had connected to Dropbox Sign, and is coordinating the rotation of all API keys and OAuth tokens.

For customers with API access to Dropbox Sign, the company said new API keys will need to be generated and warned that certain functionality will be restricted while they deal with the breach.

Dropbox says it has reported this event to data protection regulators and law enforcement.

Recommendations

Dropbox expired affected passwords and logged users out of any devices they had connected to Dropbox Sign for further protection. The next time these users log in to their Sign account, they’ll be sent an email to reset the password. Dropbox recommends users do this as soon as possible.

If you’re an API customer, to ensure the security of your account, you’ll need to rotate your API key by generating a new one, configuring it with your application, and deleting your current one. Here is how you can easily create a new key.

API customers should be aware that names and email addresses for those who received or signed a document through Dropbox Sign, even if they never created an account, were exposed. So, this may impact their customers.

Customers who use an authenticator app for multi-factor authentication should reset it. Please delete your existing entry and then reset it. If you use SMS you do not need to take any action.

If you reused your Dropbox Sign password on any other services, we strongly recommend that you change your password on those accounts and use multi-factor authentication when available.

Protecting yourself from a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify any contacts using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

SCAN NOW

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection

This blog post was written based on research carried out by Jérôme Segura.

A campaign using sponsored search results is targeting home users and taking them to tech support scams.

Sponsored search results are the ones that are listed at the top of search results and are labelled “Sponsored”. They’re often ads that are taken out by brands who want to get people to click through to their website. In the case of malicious sponsored ads, scammers tend to outbid the brands in order to be listed as the first search result.

The criminals that buy the ads will go as far as displaying the official brand’s website within the ad snippet, making it hard for an unsuspecting visitor to notice a difference.

Who would, for example, be able to spot that the below ad for CNN is not legitimate. You’ll have to click on the three dots (in front of where we added malicious ad) and look at the advertiser information to see that it’s not the legitimate owner of the brand.

Only then it becomes apparent that the real advertiser is not CNN, but instead a company called Yojoy Network Technology Co., Limited.

Below, you can see another fake advertisement by the same advertiser, this time impersonating Amazon.

In our example, the scammers failed to use the correct CNN or Amazon icons, but in other cases (like another recent discovery by Jerome Segura), scammers have even used the correct icon.

The systems of the people that click one of these links are likely to assessed on what the most profitable follow-up is (using a method called fingerprinting). For systems running Windows, we found visitors are redirected to tech support scam websites such as this one.

Tech Support Scam site telling the visitor to call 1-844-476-5780

You undoubtedly know the type. Endless pop-ups, soundbites, and prompts telling the visitor that they should urgently call the displayed number to free their system of alleged malware.

These tech support scammers will impersonate legitimate software companies (i.e. Microsoft) and charge their victims hundreds or even thousands of dollars for completely bogus malware removal.

Getting help if you have been scammed

Getting scammed is one of the worst feelings to experience. In many ways, you may feel like you have been violated and angry to have let your guard down. Perhaps you are even shocked and scared, and don’t really know what to do now. The following tips will hopefully provide you with some guidance.

If you’ve already let the scammers in

• Revoke any remote access the scammer has (if you are unsure, restart your computer). That should cut the remote session and kick them out of your computer.
• Scan your computer for malware. The miscreants may have installed password stealers or other Trojans to capture your keystrokes. Use a program such as Malwarebytes to quickly identify and remove threats.
• Change all your passwords. (Windows password, email, banking, etc.)

If you’ve already paid

• Contact your financial institution/credit card company to reverse the charges and keep an eye out for future unwanted charges.
• If you gave them personal information such as date of birth, Social Security Number, full address, name, and maiden name, you may want to look at some form of identity theft protection.

Reporting the scam

File a report

• In the US: File a complaint (FTC)
• In Canada: Contact law enforcement
• In the UK: Report fraud | Report a cold call
• In Australia: Report a scam

Shut down their remote software account

• Write down the TeamViewer ID (9-digit code) and send it to TeamViewer’s support. They can later use the information you provide to block people/companies.
• LogMeIn: Report abuse

Spread the word

You can raise awareness by letting your friends, family, and other acquaintances know what happened to you. Although sharing your experience of falling victim to these scams may be embarrassing, educating other people will help someone caught in a similar situation and deter further scam attempts.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection

On October 30, 2020, I started a article with the words:

“Hell is too nice a place for these people.”

The subject of this outrage focused on the cybercriminals behind an attack on Finnish psychotherapy practice Vastaamo. Because it was a psychotherapy practice, the records contained extremely sensitive and confidential information about some of the most vulnerable people.

Sadly, the attacker did not stop at extorting the clinic but also sent extortion messages to the patients, asking them to pay around $240 to prevent their data from being published online. And that was a first, as far as we know—not just demanding a ransom from the breached organization, but also from all those that were unlucky enough to have their data on record there.

The attacker demanded a €400,000 ($425,000) ransom from the company. When it refused to pay, he emailed thousands of patients asking for €200 and threatening to publish their therapy notes and personal details on the dark web if they didn’t pay. He ended up publishing it anyway.

As a result of this cyberattack and the extortion attempts:

• Vastaamo’s board fired the CEO because they held him responsible for knowing about the breaches and of the shortcomings in the psychotherapy provider’s data security systems.
• Vastaamo’s owner, who bought the practice a few months after the second breach but was not informed about it, began legal proceedings related to its purchase.
• Vastaamo had to shut its doors because it could not meet its financial obligations.
• The Finnish government contemplated expanding the options for individuals to change their social security number in certain circumstances, such as the aftermath of a hacking incident.
• At least one suicide has been linked to the case.

Now the attacker has been convicted. 26-year-old Julius Kivimäki has been sentenced to six years and three months in prison. Kivimäki, known online as Zeekill, was one of the leading members of several groups of teenage cybercriminals which caused chaos between 2009-2015. One of those groups was the infamous Lizard Squad.

At the age of 17, Kivimäki was convicted of more than 50,000 computer hacks and sentenced to a two-year prison sentence, which was suspended because he was 15 and 16 when he carried out the crimes in 2012 and 2013.

Despite the conviction, the Vastaamo case is not over as civil court cases are now likely to begin to seek compensation for the victims of the hack.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection

After four years of investigation, the Federal Communications Commission (FCC) has concluded that four of the major wireless carriers in the US violated the law in sharing access to customers’ location data.

The FCC fined AT&T, Sprint, T-Mobile, and Verizon a total of almost $200 million for “illegally sharing access to customers’ location information without consent and without taking reasonable measures to protect that information against unauthorized disclosure.”

The fines are divided up into $12 million for Sprint, $80 million for T-Mobile (which has now merged with Sprint), more than $57 million for AT&T, and an almost $47 million for Verizon.

From the press release it becomes apparent that the FCC considers real-time location data some of the most sensitive data in a carrier’s possession. Each of the four major carriers was found to be selling its customers’ location information to “aggregators,” who then resold access to such information to third-party location-based service providers.

The investigation by the FCC was set in motion by public reports like the ones in the New York Times, Vice.com, and a letter from Sen. Ron Wyden to the FCC. All pointed out that anyone could get location information about almost any US phone if they were willing to pay an unauthorized source.

The FCC press release specifically mentions a location-finding service operated by Securus, a provider of communications services to correctional facilities, as a source that provided the possibility to track people’s location.

The US law, including section 222 of the Communications Act, requires carriers to take reasonable measures to protect certain customer information, including location information.

The wireless carriers attempted to offload their obligation to obtain customer consent onto the downstream recipients of the location information. The end result was a failure in which no valid customer consent was obtained. And even though the carriers were aware of this, they continued to sell access to location information without taking reasonable measures to protect it from unauthorized access.

As reported by Krebs on Security, one of the data aggregation firms, LocationSmart, had a free, unsecured demo of its service online that anyone could abuse to find the near-exact location of virtually any mobile phone in North America.

Spokespersons of Verizon and AT&T both indicated to BleepingComputer that they felt as if they were taking the blame for another company’s failure to obtain consent.

T-Mobile said in a statement to CNN that it discontinued the location data-sharing program over five years ago. The company wanted to make sure first that critical services like roadside assistance, fraud protection, and emergency response would not suffer any negative consequences if it did.

All three companies indicated they will appeal the order. We’ll keep you posted on any new developments.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

After blocking 100% of “in-the-wild” malware samples that were deployed in multiple, consecutive third-party tests conducted by the AVLab Cybersecurity Foundation, Malwarebytes Premium Security has earned “Product of the Year.”

The recognition cements Malwarebytes Premium Security’s perfect record of repeatable, trusted, and proven protection for users. It also comes alongside an additional AVLab certification for “Top Remediation Time.”

The latest results are part of AVLab’s regular “Advanced In-The-Wild Malware Test.”

For the March 2024 evaluation, AVLab tested 459 unique malware samples against 13 cybersecurity products. Malwarebytes Premium Security detected 459/459 malware samples, with a remediation time of 20 seconds—a full 13 seconds faster than the industry average.

ThreatDown, powered by Malwarebytes, also participated in AVLab’s March evaluation, where it similarly blocked 100% of malware samples with a remediation time of 17 seconds.

Three cybersecurity vendors failed to block 100% of the malware samples deployed: Bitdefender, ESET, and Panda.

AVLab’s evaluations, which are performed every other month by a team of cybersecurity and information security experts, are constructed to test and compare cybersecurity vendors against the latest malware that is currently being used by adversaries and threat actors. To ensure that the organization’s evaluations reflect current cyberthreats, each round of testing follows three steps:

1. Collecting and verifying in-the-wild malware: AVLab regularly collects malware samples from malicious and active URLs, testing the malware samples to understand their impact to networks and endpoints.
2. Simulating a real-world scenario in testing: To recreate how a real-life cyberattack would occur, AVLab uses the Firefox web browser to engage with the known, malicious URLs collected in the step prior. In the most recent test, AVLab emphasized the potential for these URLs to be sent over instant messaging platforms, including Discord and Telegram.
3. Incident recovery time assessment: With the various cybersecurity products installed, AVLab measures whether the evaluated product detects a malware sample, when it detects a sample, and how long it took to detect that sample. The last metric is referred to as “Remediation Time.”

Malwarebytes is proud to receive “Product of the Year” and “Top Remediation Time” from AVLab, and is thankful to the third-party tester for its important work in the industry.

The FBI has warned of fraudsters targeting users of dating websites and apps with “free” online verification service schemes that turn out to be very costly.

Instead of being free, as advertised, the verification schemes involve steep monthly subscription fees, and will steal personal information on the side.

The scammers collect the information entered by victims at registrations and use it to commit further fraudulent activity such as identity theft or selling the information on the dark web. The stolen information may include email addresses, phone numbers, and even credit card information.

The scam works like this: The scammer initiates contact on a dating website or app, but then quickly asks the victim to move the conversation to a more private, encrypted platform.

Once there, the scammer will recommend a verification link that supposedly provides protection against predators like sex offenders and serial killers. This verification website asks the victim to provide their name, phone number, email address, and credit card number to complete the process.

After completing the registration, the victim is redirected to a shady dating site that charges hefty monthly fees to the victim’s credit card. These charges show up on the credit card statement as a company the victim has never heard of.

The personal information the victim gives the scammers is useful because it allows them to defraud the victims even more. Whether the scammers are the same ones, or others who have bought the information on the dark web makes no difference to the victims.

Avoid falling victim

There are some pointers that may help you to fall victim to scammers such as these:

• Stay on the platform of your choice. If someone contacts you and wants to continue the conversation elsewhere, that should be a red flag. We saw the same when we discussed scams on Airbnb: It is in the scammers’ interest that the fraud takes place on a platform under their control, where they can’t be as easily tracked.
• Don’t click on links, downloads or attachments sent to you by strangers. Even if you have been in contact with someone for some time on the internet, they are still strangers. Sometimes they will get to the point fast, but in pig butchering scams for example, the contact can be ongoing for quite a while.
• If you are contacted by someone and they come across as untrustworthy or suspicious, report them to the platform’s administrators. You may prevent others from falling victim to the scammers.
• Don’t provide someone you have just met with personal details and information.
• Monitor your credit card statements and bank accounts for irregularities and contact your bank if you see payments you don’t recognise.
• Avoid websites that use scare tactics to trick you into registering for a service. At least do a background check to find out if they are legitimate and live up to their promises.
• Consider identity monitoring. This alerts you if your personal information is found being traded illegally online, and helps you recover after.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection

Health insurance giant Kaiser has announced it will notify millions of patients about a data breach after sharing patients’ data with advertisers.

Kaiser said that an investigation led to the discovery that “certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors.”

In the required notice with the US government, Kaiser lists 13.4 million affected individuals. Among these third-party ad vendors are Google, Microsoft, and X. Kaiser said it subsequently removed the tracking code from its websites and mobile apps.

A tracking pixel is a piece of code that website owners can place on their website. The pixel collects data that helps businesses track people and target adverts at them. That’s nice for the advertisers, but the information gathered by these pixels tells them a lot about your browsing behavior, and a lot about you.

This kind of data leak normally happens when a website includes sensitive information in its URLs (web addresses). The URLs you visit are shared with the company that provides the tracking pixel, so if the URL contains sensitive information it will end up in the hands of the tracking company. The good news is that while it’s easy for websites to leak information like this, there is no suggestion that tracking pixel operators are aware of it, or acting on it, and it would probably be hugely impractical for them to do so.

The leaked data includes member names and IP addresses, as well as information that could indicate if members were signed into a Kaiser Permanente account or service, how they interacted with it, how they navigated through the website and mobile applications, and what search terms they used in the health encyclopedia.

A spokesperson said that Kaiser intends to begin notifying the affected current and former members and patients who accessed its websites and mobile apps in May.

Not so long ago, we reported how mental health company Cerebral failed to protect sensitive personal data, and ended up having to pay $7 million. Also due to tracking pixels, so this is a recurring problem we are likely to see lots more of. Research done by TheMarkup in June of 2022 showed that Meta’s pixel could be found on the websites of 33 of the top 100 hospitals in America.

Check your digital footprint

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

SCAN NOW