Archive for author: makoadmin

AI chatbot provider exposes 346,000 customer files, including ID documents, resumes, and medical records

Researchers have discovered a huge Google Cloud Storage bucket, found freely accessible on the internet and containing a treasure trove of personal information.

AI startup WotNot provides companies with the ability to create their own customized chatbot. The company reportedly has 3,000 customers, including some household names.

But the way its solution is set up introduces an extra link into the flow of personally identifiable information (PII) from the end user to the company that deployed the chatbot, and with it an additional point where that data can be exposed.

Given the variety in the data the researchers found in the 346,381 files, they suspect that it stems from several WotNot customers. Some of the records that were found included:

  • Identification documents including passports, which contain information like full names, dates of birth, passport numbers, and other information cybercriminals love to get their hands on.
  • Medical records including diagnoses, treatment history, test results and other medical information that should be private.
  • Resumes which include employment history, addresses, education, and contact data like email addresses and phone numbers.

All in all, if a group of cybercriminals finds data like that, they can deploy all sorts of schemes to defraud the people whose information they found, ranging from phishing emails that look convincing because they include personal details, to identity theft.

In a statement, WotNot said:

“The cause for the breach was that the cloud storage bucket policies were modified to accommodate a specific use case. However, we regretfully missed thoroughly verifying its accessibility, which inadvertently left the data exposed.”

The “specific use case” seems to be that the affected customers were on the “free plan”, which apparently comes with little in the way of security.

WotNot clarified:

“For enterprise customers, we provide private instances to ensure security and compliance standards are strictly adhered to.”

WotNot also said it typically recommends that its customers delete such files from the server after they have been received and forwarded to their own systems. I would recommend that WotNot customers provide their own customers with a method to send them such files directly.

We have already seen way too many cases where leaks in the supply chain have exposed data from people who had never heard of the company that leaked them.

If anything, the incident shows the importance of checking where your data is going before providing companies with sensitive personal information. But it also demonstrates it’s not always clear to the end user whether there are extra links in the chain to the company they are dealing with.

If you do get a chance, don’t send sensitive data to a chatbot, but ask for a safe company email address instead.


We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Repeat offenders drive bulk of tech support scams via Google Ads

Of all the different kinds of malicious search ads we track, those related to customer service are by far the most common. Brands such as PayPal, eBay, Apple or Netflix are among the most coveted ones as they tend to drive a lot of online searches.

Tech support scammers are leveraging Google ads to lure victims in, getting them on the phone and finally fleecing them. While hard to measure precisely, tech support scams accounted for $924M, according to the FBI’s 2023 Internet Crime Report.

We’ve identified specific advertiser accounts that make up the bulk of fraudulent ads we have reported to Google this past year. What’s interesting is that the scammers keep reusing the same accounts over time. For instance, one advertiser had over 30 reported incidents in the past 3 months.

While it would be foolish to assume fraudsters would stop scamming altogether if those accounts were terminated, their persistence exposes a problem with how our reports are acted on, and more broadly with how Google’s policies apply to repeat offenders.

Search for help, find a scam

Search engines, and Google’s in particular, are our gateway to the web. Yet, that door sometimes opens up to unsavory places thanks to sponsored search results, AKA ads.

Take this search for ‘paypal help’, which displays an ad as the first result, followed by the official website. While the organic result looks more trustworthy, it appears below the ad. We should also note that it sometimes shows up well below the fold, as documented in our recent blog “Printer problems? Beware the bogus help”.


Not only is the ad malicious, it is also linking to a fraudulent page hosted on Google Sites, Google’s free platform to build websites. The scammers created it with PayPal’s logo to make it look legitimate, with — quite literally — a simple call to action.

Somewhere far away in Asia, someone in a call centre is waiting to welcome the next victim, starting with “Hi, welcome to PayPal support, my name is John, how can I help you?”


Repeat offenders

We have found and reported many such fraudulent ads to Google over the past year. At some point, we realized that the same advertiser accounts kept coming up, raising the question: why would an account with multiple incidents not get blocked permanently?

In the screenshot below, you can see the same advertiser ID associated with over 30 incidents in a period of around 3 months.


In fact, these are only the malicious ads we were able to find using our own tools. Amazon, for instance, does not appear among the brands our tracking recorded for this account, yet looking the advertiser up in Google’s Ads Transparency Center reveals a fraudulent ad we had missed reporting:


We reported two other advertiser accounts with very similar behavior, and it is perhaps no coincidence that all of them belonged to profiles from Vietnam that had been registered and verified by Google.

Taking down scammers

Going after scammers is a relentless job that private individuals, companies and government agencies alike perform day in and day out. It can be frustrating to have to repeat the same thing over and over while the offenders keep the upper hand.

Having said that, it is possible to make long lasting change by looking at incidents from a macro level. Rather than chasing one-offs, data shows us that criminals tend to reuse the same techniques, and in this case, the same accounts.
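The macro-level view described above can be reduced to a simple query over a reporting log: group reported ads by advertiser ID and keep the accounts that cross a threshold within a window (the post’s own figure is one account with over 30 incidents in about 3 months). The script below is an added example, not code from the original post or from Malwarebytes; the incident records and the advertiser IDs in it are constructed placeholders, and a real run would read the team’s own reporting log instead.

```python
"""Surface advertiser accounts that keep reappearing in reported malicious ads.

Added example, not code from the original post. The incident records and the
advertiser IDs below are constructed placeholders; a real run would read the
team's own reporting log instead.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample: (date reported, advertiser ID, brand the ad impersonated)
INCIDENTS = [
    (date(2024, 9, 3), "ADV-A", "PayPal"),
    (date(2024, 10, 1), "ADV-A", "eBay"),
    (date(2024, 10, 20), "ADV-A", "PayPal"),
    (date(2024, 11, 15), "ADV-A", "Apple"),
    (date(2024, 10, 5), "ADV-B", "Netflix"),
    (date(2024, 11, 20), "ADV-B", "Netflix"),
    (date(2024, 8, 10), "ADV-C", "Amazon"),   # falls outside a 90-day window
    (date(2024, 9, 15), "ADV-C", "HP"),
    (date(2024, 11, 1), "ADV-C", "HP"),
    (date(2024, 11, 2), "ADV-D", "Canon"),
    (date(2024, 11, 3), "ADV-D", "Canon"),
    (date(2024, 11, 4), "ADV-D", "Canon"),
]


def repeat_offenders(incidents, window_days=90, threshold=3, as_of=None):
    """Group reports by advertiser and keep those with >= threshold reports
    in the window_days ending at as_of (default: the latest report date).

    Returns a dict, most-reported advertiser first:
      advertiser_id -> {"count", "brands", "first", "last"}
    """
    if not incidents:
        return {}
    as_of = as_of or max(reported for reported, _, _ in incidents)
    cutoff = as_of - timedelta(days=window_days)

    per_advertiser = defaultdict(list)
    for reported, advertiser, brand in incidents:
        if cutoff <= reported <= as_of:
            per_advertiser[advertiser].append((reported, brand))

    flagged = {}
    for advertiser, reports in per_advertiser.items():
        if len(reports) < threshold:
            continue
        dates = [r for r, _ in reports]
        flagged[advertiser] = {
            "count": len(reports),
            "brands": sorted({b for _, b in reports}),
            "first": min(dates),
            "last": max(dates),
        }
    # Most active account first; ties broken by ID for stable output.
    return dict(sorted(flagged.items(), key=lambda kv: (-kv[1]["count"], kv[0])))


if __name__ == "__main__":
    for adv, info in repeat_offenders(INCIDENTS).items():
        print(f"{adv}: {info['count']} reports {info['first']}..{info['last']} "
              f"impersonating {', '.join(info['brands'])}")
```

The “brands” field is worth keeping in the output: an account that rotates through PayPal, eBay and Apple is the same operation even when each individual ad was reported under a different brand, and it also shows which brands your tracking has never caught for that account.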

It’s unclear why Google has not taken definitive action on the advertiser profiles we have reported. However, we have escalated this issue and hope to see some changes as a result.

The banner image for this blog post contains a typo. It was made using Google’s Gemini AI and despite several requests, it kept getting the spelling wrong.

We don’t just report on threats—we block them

Cybersecurity risks should never spread beyond a headline. Keep threats off by downloading Malwarebytes Browser Guard today.

No company too small for Phobos ransomware gang, indictment reveals

The US Department of Justice has charged a Russian national named Evgenii Ptitsyn with selling, operating, and distributing a ransomware variant known as “Phobos” during a four-year cybercriminal campaign that extorted at least $16 million from victims across the world.

The government’s indictment against Ptitsyn should dispel any notion that ransomware gangs only target the largest, richest, most robust corporations on the planet, as one Phobos affiliate allegedly extorted a Maryland-based healthcare provider out of just $2,300—possibly the lowest payment ever recorded.

In a November 18 statement, Principal Deputy Assistant Attorney General Nicole M. Argentieri, head of the Justice Department’s Criminal Division, stressed the indiscriminate targeting of victims by Ptitsyn’s ransomware network.

“Ptitsyn and his co-conspirators hacked not only large corporations but also schools, hospitals, nonprofits, and a federally recognized tribe, and they extorted more than $16 million in ransom payments.”

Ransomware is the single most devastating cyberthreat to businesses today. Through a variety of evolving techniques, cybercriminals break into a company’s network and then deploy ransomware to lock down every file, computer, and sensitive piece of data within reach. The files cannot be unlocked without a “decryption key,” which the cybercriminals will only offer for a price.

But for many companies, the price of a ransom demand isn’t the only dilemma they face, as the price of recovery can be even heftier.

According to Malwarebytes’ business unit, ThreatDown, the average cost of a ransomware attack—excluding the ransom itself—is a whopping $4.7 million. That enormous sum represents a company’s downtime during a ransomware attack, any reputational damage it suffers, and the lengthy recovery process of rebuilding databases and reestablishing workplace accounts and permissions.

From what was revealed in the government’s indictment against Ptitsyn, those costs were likely beyond reach for many Phobos victims, which included a marketing and data analytics firm in Arizona, a Connecticut public school system, and an automotive company out of Ohio.

According to an analysis of Phobos ransom demands last year, these smaller targets line up with the gang’s focus. In 2023, ThreatDown discovered that, unlike other ransomware gangs that demanded up to $1 million or more from each victim, Phobos operators demanded an average of $1,719 from victims, with a median demand of just $300.

Smaller demands mean little, however, for the companies hit by the ransomware.

Ptitsyn, who was extradited to the United States out of South Korea, now faces 13 counts, which include wire fraud, conspiracy to commit wire fraud, and conspiracy to commit computer fraud and abuse, along with four counts each of causing intentional damage to protected computers and extortion in relation to hacking. According to the Department of Justice, the charges carry a “maximum penalty of 20 years in prison for each wire fraud count; 10 years in prison for each computer hacking count; and five years in prison for conspiracy to commit computer fraud and abuse.”

How to protect your small business from ransomware

As is true with all malware infections, the best defense against a ransomware attack is to never allow the attack to occur in the first place. Take the following steps to secure your business from this existential threat:

  • Block common forms of entry. Patch known vulnerabilities in internet-facing software, and disable or harden remote access tools such as RDP and VPNs, along with the credentials that protect them.
  • Prevent intrusions and stop malicious encryption. Stop threats early before they can infiltrate or infect your endpoints. Use always-on cybersecurity software that can prevent exploits and malware used to deliver ransomware.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated an outbreak and stopped a first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

These cars want to know about your sex life (re-air) (Lock and Code S05E25)

This week on the Lock and Code podcast

Two weeks ago, the Lock and Code podcast shared three stories about home products that requested, collected, or exposed sensitive data online.

There were the air fryers that asked users to record audio through their smartphones. There was the smart ring maker that, even with privacy controls put into place, published data about users’ stress levels and heart rates. And there was the smart, AI-assisted vacuum that, through the failings of a group of contractors, allowed an image of a woman on a toilet to be shared on Facebook.

These cautionary tales involved “smart devices,” products like speakers, fridges, washers and dryers, and thermostats that can connect to the internet.

But there’s another smart device that many folks might forget about that can collect deeply personal information—their cars.

Today, the Lock and Code podcast with host David Ruiz revisits a prior episode from 2023 about what types of data modern vehicles can collect, and what the car makers behind those vehicles could do with those streams of information.

In the episode, we spoke with researchers at Mozilla—working under the team name “Privacy Not Included”—who reviewed the privacy and data collection policies of many of today’s automakers.

To put it shortly, the researchers concluded that cars are a privacy nightmare.

According to the team’s research, Nissan said it can collect “sexual activity” information about consumers. Kia said it can collect information about a consumer’s “sex life.” Subaru passengers allegedly consented to the collection of their data by simply being in the vehicle. Volkswagen said it collects data like a person’s age and gender and whether they’re using their seatbelt, and it could use that information for targeted marketing purposes.

And those are just the highlights. Explained Zoë MacDonald, content creator for Privacy Not Included:

“We were pretty surprised by the data points that the car companies say they can collect… including social security number, information about your religion, your marital status, genetic information, disability status… immigration status, race.”

In our full conversation from last year, we spoke with Privacy Not Included’s MacDonald and Jen Caltrider about the data that cars can collect, how that data can be shared, how it can be used, and whether consumers have any choice in the matter.

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

A week in security (November 25 – December 1)

Printer problems? Beware the bogus help

Anyone who has ever used a printer likely has had a frustrating experience at some point. There always seems to be some kind of issue with the software not responding, paper getting jammed or one of many other possible failures.

When people need help, they often turn to Google (and now AI) to look for an answer. This is where scammers come in, preying on unsuspecting and irate users ready to throw their printer out the window.

After clicking on a malicious Google ad, victims are redirected to a fraudulent site often using official brand names and logos. The crooks’ end goal is to get people to call them, and they achieve that by tricking them with fake printer drivers that always fail to install.

In this blog post, we review how this scam works and how to stay away from it.

Malicious Search Ads

Two of the most popular printer brands are HP and Canon. If you were to Google for help related to either of those brands right now, you would likely see sponsored results at the top of the search results page.

Unfortunately, in the majority of cases these ads are not from trusted providers but from tech support scammers. In the image below, you can see 4 ads shown for the query ‘hp printer help’. It’s only after those that the official HP website appears.


If you were to say that consumers stand no chance, you’d be right. Unless you clicked on the official (organic) search result, you’d end up getting scammed.

The list of sites includes:

megadrive[.]solutions
geeksprosoftwareprints[.]org
select-easy123print[.]com
printcaretech[.]com
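The domains above are written defanged (with “[.]” in place of the dot) so nobody clicks them by accident. To actually use them, a defender refangs them and checks proxy or DNS logs for visits, matching subdomains too, since a scam site may serve its scripts from a CDN-style hostname. The script below is an added example, not code from the original post or from Malwarebytes; the four domains are the ones listed above, and the log lines are constructed in a simple “timestamp client method url” layout rather than any vendor’s format.

```python
"""Refang the domains listed above and look for them in proxy logs.

Added example, not from the original post. The four domains are the ones
listed above with "[.]" restored; the log lines are constructed in a
simple "timestamp client method url" layout rather than any vendor's format.
"""
import re
from urllib.parse import urlsplit

DEFANGED_IOCS = [
    "megadrive[.]solutions",
    "geeksprosoftwareprints[.]org",
    "select-easy123print[.]com",
    "printcaretech[.]com",
]


def refang(indicator: str) -> str:
    """Undo common defanging so the value can be matched against real traffic."""
    return (indicator.strip().lower()
            .replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http"))


BLOCKLIST = {refang(d) for d in DEFANGED_IOCS}


def extract_host(url: str) -> str:
    """Hostname from a full URL, or from the 'host:port' form a CONNECT uses."""
    if "://" in url:
        return (urlsplit(url).hostname or "").rstrip(".")
    return url.split(":", 1)[0].lower().rstrip(".")


def matched_domain(host: str, blocklist=BLOCKLIST):
    """Return the blocklisted domain that host equals or sits under, else None.

    'cdn.megadrive.solutions' matches; 'notmegadrive.solutions' must not,
    which is why the suffix check includes the separating dot rather than
    being a bare endswith(domain).
    """
    host = host.lower()
    for domain in blocklist:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)")

# Constructed log lines (not real traffic).
SAMPLE_LOG = """\
2024-11-29T10:02:11Z 10.0.0.12 GET https://www.hp.com/us-en/support
2024-11-29T10:03:40Z 10.0.0.12 GET https://select-easy123print.com/driver?model=deskjet
2024-11-29T10:04:02Z 10.0.0.12 CONNECT printcaretech.com:443
2024-11-29T10:05:17Z 10.0.0.33 GET https://cdn.megadrive.solutions/install.js
2024-11-29T10:06:00Z 10.0.0.33 GET https://notmegadrive.solutions/
# truncated
"""


def scan_log(text: str, blocklist=BLOCKLIST):
    """Return (timestamp, client, host, matched domain) for each blocklisted hit."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:          # lines that do not fit the layout are skipped
            continue
        host = extract_host(m["url"])
        domain = matched_domain(host, blocklist)
        if domain:
            hits.append((m["ts"], m["client"], host, domain))
    return hits


if __name__ == "__main__":
    for ts, client, host, domain in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} -> {host} (blocklist: {domain})")
```

Note that the CONNECT line carries only “host:port”, which is all a proxy sees for TLS traffic; the host is still enough to match, which is why the blocklist is kept at domain rather than URL granularity.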

The driver scam

A driver is a software program that your computer uses to talk to physical hardware (e.g. your printer). In the early Microsoft Windows days, drivers were very important to get printers, monitors and other peripherals working. Today, the operating system is usually good at detecting new hardware and installing the required drivers automatically. There are some exceptions, not to mention that some manufacturers like to package additional software with their drivers.

After clicking on a malicious ad, the website instructs you to enter your printer’s model number in order to download the required driver, which it proceeds to “install”. This is entirely fake, and the only thing the website displays is a recorded animation that will always end up with the same error message.

This type of error is very similar to those seen in the “Microsoft tech support scam”, typically done via a browser hijack. Scammers want to scare and then get their victims to contact them directly, via phone or live chat.

Remote access and extortion

There are many people who fall for these types of scams, and entire armies of tech support agents working in poor conditions are ready to defraud them. The script is usually standard across scams, with the support agent impersonating a popular brand and requesting personal information from the victim.

It is quite common for scammers to request and be granted remote access to the user’s computer. This gives them leverage to do a number of things, such as stealing data, locking the machine or even using it to log into the victim’s bank account.

This is why it is so important to be extremely cautious with online search ads, and search results in general. Browser extensions such as Malwarebytes Browser Guard will block ads but also the scam or malware sites associated with these schemes.

This won’t help with your printer issues, but at least it’ll save you the trouble of being defrauded. When it comes to such questions, online forums are usually a good place to start, and if you’re lucky to count a computer person in your family, that’s always a good favor to ask for.

Data broker exposes 600,000 sensitive files including background checks

A researcher has discovered a data broker had stored 644,869 PDF files in a publicly accessible cloud storage container.

The 713.1 GB container (an Amazon S3 bucket) required no authentication, and the data was stored unencrypted, so anybody who stumbled on it could read the files. The files not only contained thousands of people’s vehicle records (license plate and VIN) and property ownership reports, but also criminal histories and background checks.
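Both this S3 bucket and the Google Cloud Storage bucket in the WotNot story earlier on this page were exposed the same way: a policy that granted read access to everyone, and nobody checking the policy afterwards. The script below is an added example, not code from either company or from the researchers, that performs that check offline on exported policy documents. It looks for the `allUsers` and `allAuthenticatedUsers` members in a GCS IAM policy (the JSON printed by `gsutil iam get gs://<bucket>`) and for wildcard principals in an S3 bucket policy (the policy string returned by `aws s3api get-bucket-policy --bucket <bucket>`). The sample policies, bucket names and account IDs in it are constructed.

```python
"""Check exported bucket policies for grants to "everyone".

Added example, not from the original posts. It works offline on policy
documents you have already exported, e.g. the JSON printed by
`gsutil iam get gs://<bucket>` (GCS) or the "Policy" string returned by
`aws s3api get-bucket-policy --bucket <bucket>` (S3). The sample policies
below, including bucket names and account IDs, are constructed.
"""
import json

# Members that mean "anyone" in GCS IAM: anonymous users, or any Google account.
GCS_PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def gcs_public_bindings(policy: dict) -> list:
    """Return (role, member) pairs in a GCS IAM policy that expose the bucket."""
    hits = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in GCS_PUBLIC_MEMBERS:
                hits.append((binding["role"], member))
    return hits


def _s3_principal_is_wildcard(principal) -> bool:
    """S3 accepts "*", {"AWS": "*"} or {"AWS": ["*", ...]} for 'any principal'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else list(aws))
    return False


def s3_public_statements(policy: dict) -> list:
    """Return (Sid, actions, has_condition) for Allow statements open to anyone.

    A Condition block does not make a statement safe (it may only restrict
    the referer or source IP), so such statements are still reported, with
    the flag set so a reviewer knows to read the condition.
    """
    hits = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _s3_principal_is_wildcard(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        hits.append((stmt.get("Sid", "<no Sid>"), actions, "Condition" in stmt))
    return hits


# --- Constructed samples ---------------------------------------------------
# A GCS policy as `gsutil iam get` prints it, after someone "accommodated a
# specific use case" by granting object reads to allUsers.
SAMPLE_GCS_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/storage.admin",
     "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]}
  ],
  "etag": "CAE="
}
""")

# An S3 bucket policy with a classic public-read statement.
SAMPLE_S3_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"}
  ]
}
""")

# The hardened version: only a named role in the owning account can read.
SAMPLE_S3_HARDENED = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/report-reader"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-reports/*"}
  ]
}
""")


if __name__ == "__main__":
    print("GCS public bindings:", gcs_public_bindings(SAMPLE_GCS_POLICY))
    print("S3 public statements:", s3_public_statements(SAMPLE_S3_POLICY))
    print("S3 hardened:", s3_public_statements(SAMPLE_S3_HARDENED))
```

A clean policy is necessary but not sufficient: per-object ACLs can grant public read independently of the bucket policy, so the durable fix is to turn on the provider’s bucket-wide guard (public access prevention with uniform bucket-level access on GCS, Block Public Access on S3) and then verify from an unauthenticated client that an object URL really returns 403.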

The majority of the records were labelled as background checks which contained full names, home addresses, phone numbers, email addresses, employment history, family members, social media accounts, and criminal record history.

Data brokers collect and sell your information, including financial and personal details, behavior and interests, for profit. SL Data Services markets itself as a provider of real estate information reports. But when the researcher contacted its support team, they stated the company also provides criminal checks, Division of Motor Vehicles (DMV) records, and death and birth records.

Presumably to organize the data by source, the folders inside the container all carried the names of separate website domains. The company apparently operates a network of an estimated 16 different websites, offering a range of information services (e.g. PropertyRec).

Background checks can be, and often are, done without the subject’s awareness. And all the combined information about a person paints a very complete picture that insurance companies, advertisers, and even cybercriminals can use to their advantage.

The researcher explained:

“I am not stating nor implying that Propertyrec’s customers or any individuals are at risk of impersonation, spear phishing, or social engineering attacks, I am only providing a real world risk scenario of how this type of information could possibly be exploited by criminals.”

And to make things worse, if that is possible, the files had names that used the format “First_Middle_Last_State.PDF”, which makes it incredibly easy for anyone, whether they are supposed to have access or not, to find a person of interest and read that file.

It took the researcher quite a few calls and emails to get the exposed data taken out of public sight, and SL Data Services never provided the researcher with a response, let alone an explanation how this could happen.

Don’t give up your information, remove it where you can

Unfortunately, incidents like this are commonplace, so it’s clear that we should take it upon ourselves to make sure our information can’t be found by data brokers.

Removing your personal information from data broker sites can be a complex and time-consuming process. While manual opt-outs are effective, they require considerable effort to keep up with new data entries and the reappearance of your information on various sites. This is where data broker removal services come in handy. 

Data broker removal services are designed to automate the process of finding and removing your personal information from data broker databases. These services regularly scan known databases for your information and submit opt-out requests on your behalf, ensuring a more comprehensive and continuous protection of your privacy. 

Malwarebytes offers a Personal Data Remover service (US only) that can delete your information from search results, spam lists, people search sites, data brokers, and more.

Medical testing company LifeLabs failed to protect customer data, report finds

In 2019, a ransomware attack hit LifeLabs, a Canadian medical testing company. The ransomware encrypted the lab results of 15 million Canadians, and personally identifiable information (PII) of 8.6 million people was stolen.

After noticing the attack, LifeLabs informed its customers and the Canadian privacy regulators, which immediately announced an investigation.

The privacy commissioners of both British Columbia and Ontario finished writing a report about the incident in 2020, but LifeLabs managed to hold up its publication in court for four years. Now the report is publicly available, and some of the findings are both shocking and unsurprising.

According to the report, LifeLabs had several shortcomings before the breach:

  • LifeLabs failed to take reasonable steps to protect personal information and personal health information in its custody and control from theft, loss, and unauthorized access, collection, use, disclosure, copying, modification or disposal.
  • LifeLabs failed to have in place and follow policies and information practices that comply with PIPA and PHIPA.
  • LifeLabs collected more personal information and personal health information than is reasonably necessary to meet the purpose for which it was collected.

Additionally, the investigation found that LifeLabs didn’t comply with its obligation to notify affected people at the first reasonable opportunity. This was because it didn’t implement a process to notify people about the details of what personal health information was compromised without requiring them to make a formal access request.

Patricia Kosseim, Information and Privacy Commissioner of Ontario commented:

“Personal health information is particularly sensitive and privacy breaches can have devastating impacts for individuals.”

The regulator said it was important for the report to be made public after four years of resistance by LifeLabs. We agree that it is important that we know how companies are protecting our data, especially the medical kind. But at the same time we also know that many organizations in the healthcare industry do not have the staff to handle this, nor do they have the funding to hire those staff. It’s a catch-22.

At the time, LifeLabs wrote in an open letter that the cybersecurity firm it hired to investigate the incident advised it that the risk to its customers in connection with this cyberattack was low. LifeLabs said it hadn’t seen any public disclosure of customer data as part of its investigations, including monitoring of the dark web and other online locations.

Malwarebytes checked whether that claim still holds true and could indeed not find any LifeLabs customer data that came from that breach.

The reason is not a big mystery. Reportedly, LifeLabs paid the ransomware group, which is why it’s still unknown which group was behind the attack. The specific amount of the ransom paid has not been disclosed by the company.

But as ransomware groups are just gangs of criminals, it might be hard to take their word for it that they won’t release the data at some point. We will keep an eye on it.



Explained: the Microsoft connected experiences controversy

Recently we’ve seen some heated discussion about Microsoft’s connected experiences feature. As in many discussions lately there seems to be no room for middle ground, but we’re going to try and provide it anyway.

First of all, it’s important to understand what the “connected experiences” are.

Microsoft describes it like this:

“Connected experiences that analyze your content are experiences that use your Office content to provide you with design recommendations, editing suggestions, data insights, and similar features.”

If that sounds like auto-correct on steroids, you’re close. You like it or you don’t.

But I found that there are two types of connected experiences.

Let’s start with a locally saved document created in Microsoft 365 (Word). To find the connected experiences settings, you’ll need to

  • Click on File > Options
  • Select Trust Center and click on Trust Center Settings
  • Select Privacy Options and click on Privacy Settings

Then you’ll see three entries for Connected experiences:

  • Experiences that analyze your content
  • Experiences that download online content
  • All connected experiences

My tinfoil hat warns me that the second one is bound to show up in some vulnerability, but nowhere does it say that anything you produce will be shared with anyone, let alone train an AI model. If anything is worrying in there, it’s the fact that it uses content in your documents to find online information that might be of interest to you.


Feel free to turn these options off.

For online documents created with Microsoft 365 apps it’s a different topic, and depends on what the administrator of the organization that provided it has decided to make available to you.

The overview of optional connected services provided by Microsoft says:

“If you have a work or school account, your organization’s admin may have provided you with the ability to use one or more cloud-backed services (also referred to as “optional connected experiences”) while using the Office apps, like Word or Excel, that are included with Microsoft 365 Apps for enterprise.”

It then goes on to list all the possible optional connected experiences. The settings for these are of the type “all or nothing.”

You can find these settings if you have a document open in your browser by following the path File > About > Privacy Settings > Optional connected experiences.


The official Microsoft 365 account on X tweeted to say it didn’t use customer data to train large language models (LLMs)—a type of artificial intelligence (AI) program—in M365 apps:

“In the M365 apps, we do not use customer data to train LLMs. This setting only enables features requiring internet access like co-authoring a document.”

So, turning that option off might result in some lost functionality if you’re working on the same document with other people in your organization.

If you want to turn these settings off for reasons of privacy and you don’t use them much anyway, by all means, do so. The settings can all be found under Privacy Settings for a reason. But nowhere could I find any indication that these connected experiences were used to train AI models.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Spotify, Audible, and Amazon used to push dodgy forex trading sites and more

Spotify and Amazon services have been flooded with bogus listings that push dubious “forex trading” sites, Telegram channels, and suspicious links claiming to offer pirated software according to our friends over at BleepingComputer.

Cybercriminals are abusing the ability to inject keywords and links into playlist and podcast names to make their entries rank high in Google search results.

BleepingComputer found that spammers had posted a lot of links on the content platforms, but that the length of the audio “episodes” published under these “podcasts” was zero seconds.

What you can expect to be offered are cracks, keygens, cheat codes, and other game related content, but also “forex trading” seems to be a popular subject to promote.

The fact that many cracks, keygens, and game mods are often replaced by or come bundled with malware was already known in the previous century, so that shouldn’t surprise anyone.

The “forex trading” part may be a little harder to understand.

Forex related search results on Amazon

On the content platforms we mentioned, links are shared pointing to forex trading platforms where you can trade one currency for another speculating on exchange rate fluctuations. Forex trading is far from illegal, it’s an important part of international trade. But in areas where so much money changes hands, there will always be criminals looking for a piece of the action.

There are two main types of forex trading scams you need to be aware of: scams performed by external criminals, and unethical forex brokers. Even though management teams within brokers must be vetted by regulators and licensing bodies, there are plenty of incentives for brokers to take advantage of their customers.

The scams themselves can be largely identified as:

  • Signal scams: Signals are data-driven broker-generated information prompts that give traders improved opportunities to make profitable trades. While many of them can be considered legitimate, they do not guarantee success and they can be abused by signal-sellers that prey on our tendency to want to get rich fast and with little effort.
  • Pyramid schemes: These are in fact private circles run by individuals who seek to profit by charging a subscription fee and encouraging new members to recruit fellow investors in return for a small commission payout. The higher up the money-earning pyramid you are, the more subscription fees flow your way.
  • Point-spread scam: As brokers earn their commissions based on the gap between bid and ask prices, they make more money when the gap is bigger. When the natural supply and demand conditions do not create a big enough gap, some brokers have been known to exaggerate the gap by rigging the code that displays the prices.
  • Robot scamming: This is a relative newcomer among the scams. It offers traders the option to earn money while they are not actively trading on their system. The term “robot” refers to the automation of the process with software. Needless to say, these robots can be rigged to work for the broker instead of for you.
  • Sale of personal information: Under the rules of Know Your Customer (KYC) legislation, every trader must be able to supply private and confidential information that often includes details like banking information and credit card information. Scam brokers could sell this information to a third party, who may try to lure you into another scheme.

But cybercriminals could also have set up their own fraudulent trading platforms and be phishing for your login credentials to existing platforms.

How to stay safe

If you decide you want to delve into forex trading, there are a few pointers to keep your money safe.

There are some similarities between forex trading and casino gambling, only forex trading involves more skill and analysis than most casino games. Don’t go all-in. Don’t lose your shirt.

  • Get rich quick schemes often work for those offering them, but not for those falling for them.
  • It is vital to research any financial service or platform before investing.
  • As always, if it sounds too good to be true, it probably is.
  • It is crucial to understand what you are doing or what is being done for you.
  • Watch out for clone websites.
  • If you don’t understand how the trader’s robot works, ask until you do or don’t use it.
  • Stay away from forex trading platforms promoted on content platforms that have nothing to do with forex trading.
