Archive for author: makoadmin

A week in security (August 26 – September 1)

Last week on Malwarebytes Labs:

Last week on ThreatDown:

Stay safe!


Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Iranian cybercriminals are targeting WhatsApp users in spear phishing campaign

An Iranian state-sponsored group often referred to as Iran’s Islamic Revolutionary Guard Corps (IRGC) is making headlines again this season as Meta disclosed that the cybercriminals targeted WhatsApp users in Israel, Palestine, Iran, the UK, and the US.

Other names for this group, depending on the vendor, are APT42, Storm-2035, Charming Kitten, Damselfly, Mint Sandstorm, TA453, and Yellow Garuda.

Earlier the group was linked to disinformation campaigns around the US elections in a Microsoft threat report, Google research findings, and when OpenAI banned accounts linked to an Iranian influence operation.

It is no surprise that nations like Iran have an interest in influencing elections in the US and the targets in this campaign also included staff members of President Joe Biden and former President Donald Trump.

Meta blocked a small cluster of WhatsApp accounts posing as support agents for tech companies. These accounts used social engineering against political and diplomatic officials, and other public figures. This type of attack is called spear phishing, because it involves highly targeted phishing attempts.

The fake accounts linked to the Iranian group posed as technical support for AOL, Google, Yahoo, and Microsoft.

The APT in APT42 stands for advanced persistent threat, which signifies a prolonged, aimed attack on a specific target with the intention of compromising their system and gaining information from or about that target.

This is exactly the kind of group you will see involved in spear phishing attacks, which target individuals to collect information about them, manipulate them into revealing information about their occupation, or compromise their devices and accounts so the attackers can spy on them.

There is no evidence that this group managed to compromise any accounts and Meta praises the targets that reported these suspicious messages using the in-app reporting tools, so WhatsApp could launch an investigation and disrupt the campaign.

Phishers often use technical support accounts in phishing attempts because people tend to trust them with information if they happen to be a customer of the company that the “support agent” claims to represent.

WhatsApp users should remain on the lookout for unsolicited contacts and messages.

  • If a message looks suspicious, comes unsolicited, or sounds too good to be true, don’t tap, share, or forward it. Don’t become part of a misinformation campaign.
  • Always inspect links and attached files thoroughly before opening them. Ask the known sender through other means what it’s for.
  • Do not engage in conversations when you are not sure who the sender is. Even the fact that you respond to them will tell them this is a way to reach you and might lead to more attempts.

We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Cyrus, powered by Malwarebytes.

Fake Canva home page leads to browser lock

In a previous blog post, we showed how fraudsters were leveraging features from the very company (Microsoft) they were impersonating. We continue this series with another clever trick abusing Canva, a popular online tool for graphic design.

This time, the scammers registered an account on Canva to create a new design that is, in fact, a replica of the Canva home page. Because victims arrive from a malicious ad, they land on this deceptive page, which lures them into interacting with it. The result: as soon as you click on the image, your browser is hijacked with a fake Microsoft alert.

In this blog, we share the details of yet another abuse of the online experience. We have reported this malicious campaign to both Google and Canva.

Convincing search ads

We identified two different advertiser accounts involved in creating fraudulent ads for the design platform Canva. The corresponding ads from both advertisers were displayed at the very top of the Google search page results, as seen in the image below.

There is very little that tells you that those ads are fake, and since most people trust what they see, they will likely be inclined to click on them.


Canva home page?

Scammers created a free account on Canva and made a design that looks just like… Canva’s home page. Of all the possible art they could have created, they chose to take a screenshot of Canva’s site and use it as their creation.

This is their “trick”: they want users to think they have landed on the real website and expect them to click on the ‘Start designing’ button.


Malicious URL opens up fake Microsoft alert

If we look at the source code behind that design, we see something rather interesting: a hyperlink to an external site. This means that if you click on the image, a new tab (target="_blank") will open at the given URL.


This URL hijacks your browser and claims “Windows locked due to unusual activity”.


Threat actors from different walks of life are leveraging a powerful combo: branded Google ads and decoy pages. This allows them to lure a large number of potential victims straight from the search engine to scams or malware.

The bottom line is you simply can’t trust what you see, as everything is made to look legitimate in one way or another. To regain control of their web browsing experience, users need to be more proactive and use any of the tools at their disposal.

Malwarebytes continues to hunt for malvertising schemes and diligently reports them to the platforms that are being abused. For additional protection, we recommend our free Browser Guard extension.

Telegram CEO Pavel Durov charged with allowing criminal activity

France has indicted the CEO of the popular messaging app Telegram on charges of complicity in the distribution of child sex abuse images, aiding organized crime, drug trafficking, fraud, and refusing lawful orders to give information to law enforcement.

The arrest warrants for Pavel Durov and his brother, co-founder of Telegram Nikolai Durov, reportedly were issued in March. Pavel was arrested on Saturday August 24, allegedly after a female influencer travelling with him posted real-time updates about their location and means of transportation.

At the same time, the Indian government is investigating Telegram for alleged extortion activities on the platform, and over concerns about illegal gambling operations.

Pavel Durov is a French national but was born in Russia. He also holds citizenship of the United Arab Emirates where Telegram is based. He avoided jail by putting up a $5 million bail, but has to stay in France and report to a police station twice a week.

Russian officials claim that Durov’s arrest is politically motivated, a claim strongly denied by French president Emmanuel Macron, who met with Durov on several occasions prior to Durov receiving the French nationality through a special procedure for those deemed to have made a special contribution to France.

There is no reasonable doubt that Telegram as a platform is used for illegal purposes. It’s well known that cybercriminals use it to exchange and sell both malware and information, and the app is banned in several countries.

One of the questions is whether providing the tools for a crime is a crime in itself. Logic dictates that this is not the case, or every crowbar manufacturer would be behind bars. However, the underlying question is: did Telegram do its best to prevent the app from being used for criminal activity?

Telegram commented that its moderation was:

“within industry standards and constantly improving.”

Some are asking whether this arrest is a limitation of the freedom of speech. Telegram is also used by citizens of countries with a totalitarian regime to communicate outside of the government’s reach.

This is considered safe because Telegram shares no information with any authorities about the messages or activities on the app. However, as experts have explained, Telegram is not end-to-end encrypted unless you use the “Secret Chats” feature which is not easy.

End-to-end encryption means that only the person you are sending your messages to can read them. This is impossible in Telegram unless it is a one-on-one conversation with Secret Chats enabled, which only works if the other person is online.

Undoubtedly this story will develop further, and we will keep you posted about it.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

CODAC Behavioral Healthcare, US Marshals are latest ransomware targets

The Qilin ransomware group listed CODAC Behavioral Healthcare, a nonprofit health care treatment organization, as one of their latest victims.

Qilin seems to have a preference for healthcare and support organizations. One of their most well-known victims was the pathology lab services provider Synnovis in June 2024, causing chaos across the NHS in London.

CODAC Behavioral Healthcare is Rhode Island’s oldest and largest nonprofit, outpatient provider of treatment for Opioid Use Disorder (OUD) and runs seven community-based locations. CODAC works with individuals, families, and communities and provides comprehensive resources to those living and struggling with the challenges of substance use disorder and behavioral healthcare issues.

The Qilin ransomware group listed CODAC Behavioral Healthcare

Within the stolen data, Malwarebytes Labs noticed financial information, pictures of ID cards, a list of staff members—including their Social Security Numbers (SSNs)—and healthcare cards.

Ransomware attacks are evolving around the world, as cybercriminals have steadily advanced their tactics to not only encrypt and lock up systems once inside an organization, but to also steal sensitive data and then threaten to publish it as a way to add extra pressure to their demands. Attacks are at an all-time high in 2024, and attacks specifically targeting healthcare and support organizations represent a large portion of all attacks in the US.

As ThreatDown reported earlier in 2024, 70% of all known attacks on healthcare happen in the US. This makes healthcare the second most attacked sector in the US, where it accounts for 9% of known attacks.

Sensitive information like the data kept by healthcare organizations obviously increases the amount of leverage for the ransomware group, and despite some gangs promising not to attack healthcare, most of them show no such conscience.

A separate data breach carried out by a ransomware group that Malwarebytes Labs learned about this week was on the US Marshals Service. The Hunters International ransomware group posted 386 GB of data that appears to include files on gangs, documents from the FBI, specific case information, operational data, and more.

The US Marshals Service said the data comes from a ransomware attack they acknowledged in February of 2023, but which had never been claimed before. Maybe the ransomware group was hesitant to paint a bullseye on their back.

So far, Malwarebytes Labs has not seen any official reaction by CODAC Behavioral Healthcare. If they come out with one or respond to our query, we will keep you posted.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.


We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

SMS scammers use toll fees as a lure

In April 2024, the FBI warned about a new type of smishing scam.

Smishing is the term we use for phishing attacks sent via text message. This particular smishing scam tries to trick users into clicking a link by telling them they owe a “small amount” in toll fees.

The scammers send a text claiming that the recipient owes money for unpaid tolls.

Redacted example of toll smishing text

“PA Turnpike Toll Services: We’ve noticed an outstanding toll amount of $12.51 on your record. To avoid a late fee of $50.00 visit [URL to fake site] to settle your balance.”

It looks as if the targets are chosen randomly, but if you’ve been on a recent summer trip or will be visiting your relatives during the holiday season the chances are higher that you will believe this type of text. Nobody is going to fool you into paying (extra) for your daily commute, right?

Because of the relatively low amount, people may decide to settle the payment before the amount rises.

One of the URLs we tracked for this campaign was myturnpiketollservices[.]com which was active from early April until late May. Some others have only been active for a few days.

On the fake website, which is a really convincing copy of the original, visitors are asked to fill out their details like phone numbers, email addresses, full name, address, and their credit card details. Scammers will happily abuse any information that you enter for other malicious activities like identity theft and financial fraud.

Tollsinfosny[.]com mimicking the legitimate Tollsbymailny.com

These attacks are not just increasing in number in the US; smishing scammers are now also targeting people in Australia, Canada, and Japan.

How to avoid falling for a smishing scam

  • Check the phone number that the text message comes from. Some of the scams above were easy to dismiss because they came from telephone numbers outside the US.
  • Look for the actual site that handles the alleged toll fees and compare the domain name. Sometimes there is only a small difference, so inspect it carefully.
  • If you did decide to pay, an alarm should go off if you don’t receive confirmation. Official toll agencies send confirmation after collecting payments. If you don’t receive confirmation, it’s time to investigate and maybe freeze your credit card.
  • Never interact with the scammer in any way. Every reaction provides them with information, even if it’s only that the phone number is in use.
  • If you think the toll fee is feasible because you have indeed travelled in that area, check on the official toll service’s website or call their customer service number.
  • The FBI asks that if you receive a suspicious message, contact the FBI Internet Crime Complaint Center at ic3.gov. Be sure to include the phone number from where the text originated, and the website listed within the text.

Involved domains

  • myturnpiketollservices[.]com
  • nytollservices.com
  • tollsinfosny[.]com
  • tollsinfonyc[.]com
  • bayareafastraktollservices[.]com
  • intollroadacc219[.]com
  • toll-sunpass[.]com
  • tollnyezpassweb[.]com
  • indiana260roadtollac[.]com
  • inweb-tollroadtrust[.]com
  • in-tollroadgouv1[.]com
  • newyorktollroadtrust1[.]com
  • nyserviceezpass[.]com
  • intrust-tollroadweb[.]com
  • sunspass[.]com
  • sunspasstollsservices[.]com
  • sunpasstollservices[.]com
  • tollsbymailsny[.]com

Several of these were hosted at the IP:

45.8.92[.]38
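The advice above (compare the domain in the text against the real toll operator’s, and look for small differences) and the indicator list can be turned into a small triage routine. The Python below is an added example written for this page, not Malwarebytes’ own tooling: it refangs a few of the domains listed above, pulls hostnames out of constructed SMS bodies, and labels each one as a known indicator, a lookalike of the legitimate tollsbymailny.com named in the caption above (at most two character edits away, a threshold chosen for this example), or unknown. The sample messages and the lookalike domain tollsbymai1ny.com are constructed for the example and are not from the campaign.

```python
import re

# A few of the defanged domains listed in the article, refanged below only so
# they can be matched. The legitimate domain is the one the article says was
# being mimicked.
DEFANGED_IOCS = [
    "myturnpiketollservices[.]com",
    "tollsinfosny[.]com",
    "tollsinfonyc[.]com",
    "tollsbymailsny[.]com",
    "sunspass[.]com",
]
LEGITIMATE_DOMAINS = {"tollsbymailny.com"}

# Constructed sample texts (not real messages): the first reuses the wording
# quoted in the article, the second uses a constructed lookalike domain,
# the third uses the real domain.
SAMPLE_SMS = [
    "PA Turnpike Toll Services: We've noticed an outstanding toll amount of $12.51 "
    "on your record. To avoid a late fee of $50.00 visit "
    "https://myturnpiketollservices.com/pay to settle your balance.",
    "Tolls By Mail: balance due, pay at tollsbymai1ny.com",
    "Tolls By Mail: balance due, pay at tollsbymailny.com",
]

# Hostname with a letters-only TLD, optionally preceded by a scheme and
# followed by a path. Dollar amounts like 12.51 do not match.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?", re.I)


def refang(indicator):
    """Turn the publishing-safe 'example[.]com' form back into a hostname."""
    return indicator.replace("[.]", ".").lower()


def extract_hosts(text):
    """Return hostnames found in URLs or bare domains in a message body."""
    return [m.group(1).lower() for m in HOST_RE.finditer(text)]


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host, iocs, legitimate, max_distance=2):
    """Label a host as legitimate, a known indicator, a lookalike, or unknown."""
    if host in legitimate:
        return "legitimate"
    if host in iocs:
        return "known-smishing"
    if any(edit_distance(host, good) <= max_distance for good in legitimate):
        return "lookalike"
    return "unknown"


def triage_sms(text, iocs=None, legitimate=LEGITIMATE_DOMAINS):
    """Map every hostname in the message to its classification."""
    if iocs is None:
        iocs = {refang(i) for i in DEFANGED_IOCS}
    return {host: classify_host(host, iocs, legitimate) for host in extract_hosts(text)}


if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        print(triage_sms(sms))
```

The known-indicator check runs before the lookalike check so that a listed domain such as tollsbymailsny[.]com, which is itself one edit away from the real site, is reported under its stronger label. A real deployment would load the full indicator list from a feed and keep the legitimate-domain set per toll operator.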


We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

TDECU data breach affects half a million people

The Texas Dow Employees Credit Union (TDECU) has filed a data breach notification, reporting that the data of 500,474 people has been accessed in an external system breach.

TDECU is the largest Houston-area credit union, and the fourth largest in the state of Texas. The credit union was founded by employees of Dow Chemical Company in December 1954, and membership was initially limited to Dow and Ethyl-Dow employees. Since then it has gone through several mergers and acquisitions.

According to the data breach notification, the breach occurred on May 29, 2023, but wasn’t discovered until July 30, 2024.

TDECU has sent personal notifications to those individuals it suspects might have been affected. In this notification and on its website, TDECU explained that the incident was related to the MOVEit vulnerability that impacted many other organizations last year. Due to the attacks that used this vulnerability, over 20 million individuals were impacted, says TDECU. The vulnerability also allowed the attackers to view or take certain TDECU data.

“There was no compromise of TDECU’s broader network security.”

After learning of the vulnerability, TDECU launched an investigation and found that certain files containing personal information of TDECU members were potentially stolen from MOVEit by cybercriminals between May 29 and 31, 2023.

Affected individuals are being offered complimentary access to identity monitoring for 12 months.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

PSA: These ‘Microsoft Support’ ploys may just fool you

Many people turn to their favorite search engine when they are facing an issue with their computer. One common search query is to look for the telephone number or contact form for Microsoft, Apple or one of many other brands.

Scammers have long been interested in pretending to be Microsoft technical support. Years ago, inbound unsolicited calls were one of the most common techniques to bring in new victims. In more recent times, fake alerts that take over the browser claiming your computer is infected with viruses have been the dominant vector.

Today, we take a look at two subtle and extremely deceptive campaigns that leverage Google ads and Microsoft’s own infrastructure to create perfect scam scenarios that fooled us for a minute.

Trick #1: Fake Helpdesk page via Microsoft Learn

We found this ad while looking for Microsoft support live agents. The top (sponsored) result looks like it was bought by Microsoft itself with its official logo and URL.

Users who click on the ad are redirected to a legitimate Microsoft website (learn.microsoft.com) showing Microsoft’s “official” phone number. This page has the look and feel of a genuine knowledge base article, especially since it appears to be posted by “Microsoft Support”.


Clicking the 3 dots beside the ad reveals that it actually doesn’t belong to Microsoft at all, but instead was paid for by an advertiser from Vietnam. This does not mean this is the actual scammer, simply that this account may have been compromised and is being used to create malicious ads.


As for the Microsoft page, it was created by a scammer via a fake Microsoft Support profile using Microsoft Learn collections.

Microsoft Learn Collections is a feature available to anyone with a Microsoft Learn profile. Collections allow you to create curated lists of Microsoft Learn content to share with your followers. A collection can include documentation articles, training modules, learning paths, videos, code samples, and more.

Here’s the profile for “Microsoft Support” that actually belongs to the scammer, using the profile id JamesKing-8561.


Trick #2: Microsoft Search query hijack

The second (unrelated) ad campaign we saw uses a different tactic but also starts with a Google ad. When victims click on it, it launches a search query page via microsoft.com/en-us/search/explore.

This clever trick works by passing the following parameters to the URL:

Call+%2B1+%28844%29+327-5425++Microsoft+Support+%28USA%29

When the page finishes loading, it will display what looks like a contact number from Microsoft. In a way, this is a form of advertisement that totally abuses what the Microsoft search feature was intended for.


Fraudsters sitting in a faraway call center pretending to be Microsoft technicians will trick victims into letting them onto their computers using remote access programs. The damage these scammers can do ranges from stealing a few hundred dollars as part of a “repair” to emptying entire savings accounts.

Needless to say, you do not want to call these crooks, let alone grant them access to your computer.
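The search-query hijack above works because whatever is URL-encoded into the query parameter is rendered back on the results page as if it were Microsoft’s own text. The Python below is an added example written for this page, not Microsoft’s or Malwarebytes’ code: it decodes the encoded fragment quoted above and flags a landing URL whose query string carries a phone number next to support or call wording, which is the pattern a proxy log review or URL-filtering rule could look for. The parameter name q and the sample URLs are assumptions made for the example; the article does not name the parameter.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlparse

# The encoded query fragment quoted in the article.
ENCODED_QUERY = "Call+%2B1+%28844%29+327-5425++Microsoft+Support+%28USA%29"

# Constructed sample URLs. The article does not name the query parameter, so
# "q" is an assumption made for this example.
SAMPLE_URL = "https://www.microsoft.com/en-us/search/explore?q=" + ENCODED_QUERY
BENIGN_URL = "https://www.microsoft.com/en-us/search/explore?q=windows+11+update+history"

# North American style numbers: optional +1, optional parentheses, separators.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]*)?\(?\d{3}\)?[\s.-]*\d{3}[\s.-]*\d{4}")
# Wording that turns a number inside a search query into a support-scam lure.
LURE_WORDS = ("call", "support", "helpdesk", "help desk", "technician")


def decode_query(fragment):
    """Undo application/x-www-form-urlencoded encoding ('+' becomes a space)."""
    return unquote_plus(fragment)


def query_values(url):
    """Return every decoded value in the URL's query string, regardless of key."""
    values = []
    for vals in parse_qs(urlparse(url).query, keep_blank_values=True).values():
        values.extend(vals)
    return values


def find_phone_lures(text):
    """Return phone numbers in text only when support/call wording is also present."""
    phones = [m.group(0).strip() for m in PHONE_RE.finditer(text)]
    lowered = text.lower()
    if phones and any(word in lowered for word in LURE_WORDS):
        return phones
    return []


def flag_url(url):
    """List phone-number lures embedded in a search URL's query parameters."""
    hits = []
    for value in query_values(url):
        hits.extend(find_phone_lures(value))
    return hits


if __name__ == "__main__":
    print(decode_query(ENCODED_QUERY))
    print(flag_url(SAMPLE_URL), flag_url(BENIGN_URL))
```

Checking every query value rather than one named parameter keeps the rule useful if the parameter name differs from the assumed q, and requiring both a number and lure wording avoids flagging ordinary searches that happen to contain a phone number.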

Getting real support

Scammers are well aware that many people, especially the elderly, aren’t in a position to take their computers to a brick and mortar shop. Looking for help online from the convenience of their home is often the only option.

Here are some tips:

  • Never call a phone number that you see in an ad (search ad, or display ad).
  • To visit an official website, refrain from clicking on sponsored links. Instead, scroll further down and look for the organic search result.
  • The tip above does not take into account SEO poisoning, where scammers game search engines’ results. If you can, type the website directly into the address bar.
  • The tip above does not take into account ‘typosquatting’, which is when you make a mistake in the spelling of the website and are redirected to a malicious site instead. This is something you should be aware of as well.
  • Perhaps there is help available locally, which you may get by asking a friend or acquaintance.

Finally, keep your computer up-to-date and secure with protection against malware and malicious websites. Malwarebytes’ offering includes the free Browser Guard extension which secures your online browsing experience.

In the meantime, the real Microsoft website can be accessed at support.microsoft.com.


Move over malware: Why one teen is more worried about AI (re-air) (Lock and Code S05E18)

This week on the Lock and Code podcast…

Every age group uses the internet a little bit differently, and it turns out that for at least one Gen Z teen in the Bay Area, the classic approach to cybersecurity (defending against viruses, ransomware, worms, and more) is the least of her concerns. Of far more importance is Artificial Intelligence (AI).

Today, the Lock and Code podcast with host David Ruiz revisits a prior episode from 2023 about what teenagers fear the most about going online. The conversation is a strong reminder that what America’s youngest generations experience online is far from the same experience that Millennials, Gen X’ers, and Baby Boomers had with their own introduction to the internet.

Even stronger proof of this is found in recent research that Malwarebytes debuted this summer about how people in committed relationships share their locations, passwords, and devices with one another. As detailed in the larger report, “What’s mine is yours: How couples share an all-access pass to their digital lives,” Gen Z respondents were the most likely to say that they got a feeling of safety when sharing their locations with significant others.

But a wrinkle appeared in that behavior, according to the same research: Gen Z was also the most likely to say that they only shared their locations because their partners forced them to do so.

In our full conversation from last year, we speak with Nitya Sharma about how her “favorite app” to use with friends is “Find My” on iPhone, what the dangers of AI “sneak attacks” are, and why she simply cannot be bothered about malware.

“I know that there’s a threat of sharing information with bad people and then abusing it, but I just don’t know what you would do with it. Show up to my house and try to kill me?”

Tune in today to listen to the full conversation.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

A week in security (August 19 – August 25)

Last week on Malwarebytes Labs:

Last week on ThreatDown:

Stay safe!

