Archive for author: makoadmin

Roblox introduces age checks to use communication features

Roblox is an online platform that allows users to build, play and share online worlds and 3D games. Unfortunately, it’s also a popular platform among predators reaching out to kids and seducing them using game features such as messaging, avatar customization, and role-play.

Over the years, the company has faced several lawsuits and backlash for not doing enough to protect kids on its gaming services. Recently, Louisiana sued Roblox, alleging the wildly popular site has perpetuated an environment where sexual predators “thrive, unite, hunt, and victimize kids.” And back in February Roblox, along with Discord, was sued in California. That lawsuit referred to it as a “real life nightmare for children.”

The initial response by Roblox’s CEO, Dave Baszucki, was “if you’re not comfortable, don’t let your kids be on Roblox.” But apparently, the company thought better of it, and so yesterday Roblox announced a plan to expand age estimation to all Roblox users who access its on-platform communication features by the end of this year.

Roblox defines age estimation as follows:

“We estimate your age by analyzing a selfie of your face and examining your facial features. Your estimated age helps place you in the appropriate age group (under 13, 13+ and 18+) to customize your experience on Roblox. If you are placed in the under 13 age group based on facial age estimation, certain personal data, including your email and phone number, will be removed from Roblox.”

While we understand the move, which aims to strengthen communication safety and prevent inappropriate interactions between adults and minors on the platform, we wonder if this will be enough to stop predators.

But the goal is clear: limit communication between minors and adults who do not know each other in the real world. So, by using methods like facial age estimation, ID verification, and parental consent, Roblox aims to ensure users only access features and content suitable for their age group, and with that create a safer environment in which young users aren’t exposed to content or interactions that might be inappropriate for their developmental stage.

With governments demanding actual age verification on websites with adult content, and platforms like social media and Roblox introducing restrictions based on a user’s age, the controversy about different types of age verification and those implications is growing.

While Roblox didn’t release any details about how its age estimation technology works, the age estimation processes we know of are based on Artificial Intelligence (AI) tools that scan selfies or short videos and compare them to a database to estimate the user’s age. Needless to say, they are not always right, and relying on a face scan opens the system up to deepfakes and spoofing.

This kind of technology is definitely more effective than asking the user to provide their birthday or check a box that they are over 18, but it’s not foolproof.

And methods like facial scans, ID verification, and so on, will store information on servers which can be breached. We would prefer websites to use “double-anonymity” solutions, but it seems to be hard to convince them. Double anonymity basically separates the information of two providers from each other. The first provider (website asking for age confirmation) would only get the requester’s age and no other information. The second provider (the age verifier) wouldn’t receive information about the service or website the age verification is needed for. That enters the user into the appropriate age group, but keeps sensitive information away from servers that are not secure enough to hold it.

Roblox also acknowledges another danger:

“Unfortunately, bad actors will try to circumvent our systems to try to direct users off the platform, where safety standards and moderation practices may differ. We continuously work to block those efforts and to enhance our moderation approaches to promote a safe and enjoyable environment for all users.”

In its defense against the Louisiana lawsuit, Roblox rolled out an AI system to help detect early signs of possible child endangerment, such as sexually exploitative language. Roblox said the system led it to submit 1,200 reports of potential attempts at child exploitation to the National Center for Missing and Exploited Children in the first half of 2025.

How to keep your kids safe on Roblox

Since it’s not likely you’ll be able to guide your children 24/7 in their online journey, here are some tips you can use to keep them safe:

  • Take control. Use Roblox’s Parental Controls to limit access to age-appropriate games and content and enable features like daily screen-time limits.
  • Anonymize. When setting up your child’s Roblox account, avoid using real names, and use an appropriate date of birth to enable the relevant restrictions.
  • Friend requests. Access the settings of your child’s account to limit or disable friend requests and online chat capabilities.
  • Stay on the platform. Tell your child to refuse requests to take chats offline or to another platform. Predators will do this to avoid Roblox’s restrictions about sharing images.
  • Education. Teach children about online safety, including not sharing personal information and avoiding suspicious links, and make sure they are comfortable sharing their online experiences with you.
  • Play with them. What’s more fun than beating your parents in your favorite game? Spending some quality time with them makes it fun to keep an eye on them and the games they enjoy.
  • Information. Stay on top of information about Roblox’s updates, features, and changes.
  • Protect the device. Make sure they are playing on a device that is fully up-to-date and actively protected.

We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

TP-Link warns of botnet infecting routers and targeting Microsoft 365 accounts

TP-Link has issued a warning about a botnet exploiting two vulnerabilities to infect small office/home office (SOHO) routers, which are then weaponized to attack Microsoft 365 accounts.

The vulnerabilities affect the Archer C7 and TL-WR841N/ND routers, though other models may also be at risk. Despite the fact that these routers have reached end-of-life (EOL), TP-Link has nonetheless released firmware updates to address the flaws.

If you have a router issued by your internet service provider (ISP) this also deserves checking. Several ISPs have used the TP-Link Archer C7 and TL-WR841N/ND routers, sometimes rebranding them for distribution to customers, especially in Europe and North America. For example, Dutch ISP Ziggo is known to have rebranded the TP-Link Archer C7 as the “Wifibooster Ziggo C7”, supplying it to customers with Ziggo-specific firmware.

The two vulnerabilities, tracked as CVE-2025-50224 and CVE-2025-9377, are chained to add a router to the botnet. CVE-2025-50224 allows an attacker to steal passwords from the router, and CVE-2025-9377 is a known command injection flaw in the Parental Control feature that gives remote code execution (RCE), allowing the attacker to run their own code on the router.

The botnet, called Quad7 (aka 7777), uses the infected routers to perform password-spraying attacks against Microsoft 365 accounts. Password spraying means trying a handful of common passwords across many accounts, or a list of common passwords against the same account.

Last year, Microsoft warned about the same botnet but the specific vulnerabilities were unknown at the time. Detection remains difficult for defenders, as the botnet uses thousands of IP addresses from home users and small businesses. TP-Link urges owners of these router models to install the updated firmware or switch to a fully supported router. The company is also investigating reports that other models might be vulnerable. Meanwhile, the US Cybersecurity and Infrastructure Security Agency (CISA) has also issued advisories for these two flaws.
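Detection is easier when you know what the pattern looks like in your own sign-in logs. The following is an added example, not code from TP-Link, Microsoft or Malwarebytes, that runs over a constructed, simplified sign-in log (timestamp, account, source IP, result) and flags two shapes of spraying: one source IP failing against many accounts in a short window, and one account failing from many source IPs, which is what a botnet of thousands of home routers produces when each router makes only a couple of attempts.

```javascript
// Added example (not TP-Link's, Microsoft's or Malwarebytes' code): spotting
// password spraying in a simplified sign-in log. One constructed line per event:
//   <ISO timestamp> <account> <source IP> <OK|FAIL>
const SAMPLE_LOG = `
2025-09-02T10:00:01Z alice@example.com 198.51.100.7 FAIL
2025-09-02T10:00:20Z alice@example.com 198.51.100.7 OK
2025-09-02T10:01:00Z alice@example.com 203.0.113.10 FAIL
2025-09-02T10:01:02Z bob@example.com 203.0.113.10 FAIL
2025-09-02T10:01:04Z carol@example.com 203.0.113.10 FAIL
2025-09-02T10:01:06Z dave@example.com 203.0.113.10 FAIL
2025-09-02T10:01:08Z erin@example.com 203.0.113.10 FAIL
2025-09-02T10:01:10Z frank@example.com 203.0.113.10 FAIL
2025-09-02T10:05:00Z ceo@example.com 192.0.2.11 FAIL
2025-09-02T10:12:00Z ceo@example.com 192.0.2.12 FAIL
2025-09-02T10:19:00Z ceo@example.com 192.0.2.13 FAIL
2025-09-02T10:26:00Z ceo@example.com 192.0.2.14 FAIL
2025-09-02T10:33:00Z ceo@example.com 192.0.2.15 FAIL
2025-09-02T10:40:00Z ceo@example.com 192.0.2.16 FAIL
`;

function parseLog(text) {
  return text.trim().split("\n").map(line => {
    const [ts, user, ip, result] = line.trim().split(/\s+/);
    return { ts: Date.parse(ts), user, ip, result };
  });
}

// Largest number of distinct keys seen inside any sliding window of windowMs.
// items: [{ts, key}]; sorted in place, two-pointer sweep.
function maxDistinctInWindow(items, windowMs) {
  items.sort((a, b) => a.ts - b.ts);
  const counts = new Map();
  let best = 0, lo = 0;
  for (let hi = 0; hi < items.length; hi++) {
    counts.set(items[hi].key, (counts.get(items[hi].key) || 0) + 1);
    while (items[hi].ts - items[lo].ts > windowMs) { // drop events that fell out of the window
      const k = items[lo].key;
      counts.set(k, counts.get(k) - 1);
      if (counts.get(k) === 0) counts.delete(k);
      lo++;
    }
    best = Math.max(best, counts.size);
  }
  return best;
}

function detectSpray(events, { minAccountsPerIp = 5, minIpsPerAccount = 5, windowMs = 60 * 60 * 1000 } = {}) {
  const byIp = new Map();   // ip      -> [{ts, key: account}]
  const byUser = new Map(); // account -> [{ts, key: ip}]
  for (const e of events) {
    if (e.result !== "FAIL") continue; // only failed attempts count
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push({ ts: e.ts, key: e.user });
    if (!byUser.has(e.user)) byUser.set(e.user, []);
    byUser.get(e.user).push({ ts: e.ts, key: e.ip });
  }
  const sprayingIps = [], sprayedAccounts = [];
  for (const [ip, items] of byIp) {          // one source, many accounts
    const n = maxDistinctInWindow(items, windowMs);
    if (n >= minAccountsPerIp) sprayingIps.push({ ip, distinctAccounts: n });
  }
  for (const [user, items] of byUser) {      // one account, many sources (botnet style)
    const n = maxDistinctInWindow(items, windowMs);
    if (n >= minIpsPerAccount) sprayedAccounts.push({ user, distinctIps: n });
  }
  return { sprayingIps, sprayedAccounts };
}

console.log(JSON.stringify(detectSpray(parseLog(SAMPLE_LOG)), null, 2));
```

The sliding window keeps the check usable on a busy tenant: a single IP failing once against five accounts over a week is noise, the same five failures in a minute are not. Alice’s two typos from her own address stay below both thresholds, while the one IP that walks through six accounts and the one account hit from six different addresses are both reported. Real tenant logs carry user agent, application and location fields that a production rule would add to the grouping.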

It is rare for a manufacturer to issue a firmware update for an EOL product, which emphasizes the importance of deploying that update. Being part of a botnet is not just a danger to others; it can also considerably slow down your home device(s).

  • Check if your router is an Archer C7 or TL-WR841N/ND, or another older TP-Link model. If so, update your firmware immediately with the version provided by TP-Link.
  • If firmware updates are no longer provided or your router is out of support, strongly consider upgrading to a supported model.
  • Change your router’s admin password to a strong, unique value, meaning you should avoid reusing passwords from other accounts.
  • Disable remote management features unless absolutely necessary and always check that parental control pages are only accessible by authenticated users.

Recommendations for Microsoft 365 users

Since the botnet is used at this moment in time to take over Microsoft 365 accounts, there are a few things you can do to make this a lot harder.

Staying ahead of threats like botnets means keeping devices patched, using strong authentication practices, and remaining alert for updates on device security. Don’t wait until your router—or your Microsoft 365 account—becomes part of someone else’s attack toolkit.


We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Give your PC a fresh start: New free tools to boost your PC’s speed, security, and peace of mind  

If you ever have the feeling your computer is dragging its feet, or shows odd behavior, you’re not alone. In some cases, the culprit is indeed malware, but often it’s something more mundane. Over time, baggage accumulates, much like a toddler’s backpack after a day in the forest.  

Too many apps starting up at once, Windows settings not tuned for your needs, or even a firewall that’s too confusing to manage.   

That’s why we’re launching Malwarebytes Tools, a new set of free features designed to give your Windows PC a breath of fresh air.   

Think of Malwarebytes Tools as spring cleaning for your computer: clearing out what slows you down, tidying up behind the scenes, and strengthening defenses—without having to read a manual as lengthy as The Lord of the Rings trilogy.   

And the best part? They’re completely free, available today in preview mode inside the Malwarebytes app.  

As Michael Sherwood, VP of Product at Malwarebytes, explains:  

“For years, people have come to Malwarebytes when something’s not right with their computer. But issues aren’t always caused by malware. Sometimes it’s slow performance, privacy settings, or other configuration issues. With our new optimization tools, we’re making it easier for users to spot these problems and take proactive steps to keep their devices running smoothly and securely.” 

Here’s what you get with Malwarebytes Tools: 

  • Startup Applications: If your PC takes forever to start up, it could be because too many apps are trying to start all at the same time. Our feature gives you a clear view of what’s booting up with Windows, and the power to say “no thanks” to the ones that don’t need to be there.  
  • System Tweaks*: These are like quick-fix buttons for your PC. You can use them to repair common issues, adjust privacy settings, and fine-tune how Windows behaves.  
  • Firewall Control: Firewalls are essential for online security, but for many people, managing them can be challenging. That’s why we don’t give you another firewall to figure out, we simplify the one you already have. With our new Firewall Control, you can block unwanted traffic, manage which apps have internet access, and switch filtering modes with just one click. Simple, powerful, and built right into what you already use. 

*Windows 11 only  

Malwarebytes Tools are available now in preview, meaning you get early access, free of charge, and can help shape what the full version becomes.  

Your computer deserves to run light, fast, and secure, without you having to become its full-time mechanic. With Malwarebytes Tools, we’re making that possible.  

Curious to try it out? Open Malwarebytes on Windows, test its user-friendliness, and immediately feel the difference it makes to your digital experience. 

Popular Android VPN apps found to have security flaws and China links

People use VPNs for different security and privacy reasons, to access content anonymously, or to bypass content controls and age verification by pretending to be in different places. But not all VPNs are created equal. A recent report has revealed that many of them might allow others to sniff your data—and they’re not being honest about who’s behind them.

The report, called Hidden Links: Analyzing Secret Families of VPN Apps, comes from researchers at the University of Toronto’s Citizen Lab, and Arizona State University. It warns that several Android VPN apps for sale via the Google Play Store have security flaws that allow others to snoop on their traffic. They’re also deceiving users about their ownership, warns the report:

“The providers appear to be owned and operated by a Chinese company and have gone to great lengths to hide this fact from their 700+ million combined user bases.”

The researchers looked at the 100 most-downloaded VPNs and took the half of them that were not US-based. Then they scanned websites, business filings, and the VPN apps’ source code to try to find links between them. Using a combination of data points found in these resources, they found common software libraries, technical infrastructure, and business details that allowed them to group the VPN apps into three families.

Family A contained eight VPN applications linked to the providers Innovative Connecting, Autumn Breeze, and Lemon Clove. These apps all shared some common security flaws, including a hard-coded key used to create a password for Shadowsocks, a tool designed to circumvent the Chinese government’s digital censorship system. This flaw enables anyone who extracts the key to decrypt communications sent using these apps.

From the report:

“On many of the VPNs we analyzed, a network eavesdropper between the VPN client and VPN server can use the hard-coded Shadowsocks password to decrypt all communications for all clients using the apps.”

Just as worrying is the undisclosed collection of user location data by these apps, even though the providers’ privacy policies claim that they don’t do this. They request the zip code of the user’s public IP from ip-api.com and upload it to a database, the researchers said.

The Tech Transparency Project has previously connected three providers responsible for these apps with Chinese cybersecurity firm Qihoo 360, which the US has sanctioned for its connections to the People’s Liberation Army.

Family B consisted of six providers, who between them are responsible for apps including Global VPN, XY VPN, and Super Z VPN, all of which use the same VPN servers. They had hard-coded passwords for Shadowsocks, too. In general, the researchers warn against using apps that rely on Shadowsocks for anonymity. It was designed for getting around China’s censorship system, not maintaining anonymity, they said:

“It was counterintuitive to find deprecated ciphers and hard-coded passwords in these apps, given that they are security-sensitive apps and many of their providers are owned by Qihoo 360, a major Chinese cybersecurity firm.”
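Checking a recovered client configuration for the two weaknesses the report describes is straightforward. The following is an added example, not code from the report’s authors or from any VPN provider; the configurations are constructed and the app names in them are placeholders. It flags a password that is baked into the app rather than provisioned at runtime, and a non-AEAD stream cipher (the Shadowsocks project has deprecated those in favour of AEAD ciphers such as chacha20-ietf-poly1305), and it shows how a password shared across several apps is itself a link between them, the kind of data point the researchers used to group apps into families.

```javascript
// Added example (not from the Citizen Lab/ASU report or any VPN vendor): auditing
// Shadowsocks client configs for a hard-coded password and a non-AEAD cipher, and
// grouping apps that share a password. All configs below are constructed.
const AEAD_METHODS = new Set(["aes-128-gcm", "aes-256-gcm", "chacha20-ietf-poly1305"]);

const SAMPLE_CONFIGS = [
  { app: "VPN One",   config: { server: "198.51.100.1", server_port: 8388, method: "aes-256-cfb",            password: "demo-shared-secret" } },
  { app: "VPN Two",   config: { server: "198.51.100.2", server_port: 8388, method: "rc4-md5",                password: "demo-shared-secret" } },
  { app: "VPN Three", config: { server: "198.51.100.3", server_port: 8388, method: "aes-256-gcm",            password: "demo-shared-secret" } },
  { app: "VPN Four",  config: { server: "198.51.100.4", server_port: 8388, method: "chacha20-ietf-poly1305", password: "${PER_USER_KEY}" } },
];

// A placeholder like ${PER_USER_KEY} means the secret is filled in at runtime,
// per user, rather than shipped identically to every install.
function looksLikePlaceholder(value) {
  return value === "" || /^\$\{[A-Z0-9_]+\}$/.test(value);
}

// Returns a list of finding codes for one config (empty means nothing flagged).
function auditConfig(config) {
  const findings = [];
  if (typeof config.password === "string" && !looksLikePlaceholder(config.password)) {
    findings.push("hard-coded-password"); // one secret for all clients: extract once, decrypt everyone
  }
  if (!AEAD_METHODS.has(config.method)) {
    findings.push(`non-aead-cipher:${config.method}`); // stream ciphers are deprecated in Shadowsocks
  }
  return findings;
}

// Groups apps by literal password; a password used by more than one app ties them together.
function sharedPasswords(entries) {
  const byPassword = new Map();
  for (const { app, config } of entries) {
    if (typeof config.password !== "string" || looksLikePlaceholder(config.password)) continue;
    if (!byPassword.has(config.password)) byPassword.set(config.password, []);
    byPassword.get(config.password).push(app);
  }
  return [...byPassword]
    .filter(([, apps]) => apps.length > 1)
    .map(([password, apps]) => ({ password, apps }));
}

for (const { app, config } of SAMPLE_CONFIGS) {
  console.log(app, auditConfig(config));
}
console.log(sharedPasswords(SAMPLE_CONFIGS));
```

The cipher check is deliberately an allow-list: anything not on the AEAD list is reported, so an unknown or misspelled method shows up rather than slipping through.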

Family C’s two providers were responsible for VPNs such as Fast Potato VPN and X-VPN, which also had security issues. This family, like the others, was also susceptible to other attacks, including what’s known as a blind in/on-path attack. This lets people manipulate traffic from a device using the app if they’re on the same network.

Why are these apps in the Play Store?

Why might companies seek to operate multiple VPNs and then hide the fact? The researchers muse that they might be trying to avoid reputational damage if something happens to one VPN. They share code because it’s simply more cost-effective to do so, the report added.

The takeaway here is that plenty of VPNs are not what they seem. That’s worrying, given that the people running the servers that the apps connect to can read all of the traffic—as can others who just reverse-engineer the passwords from the apps. So why doesn’t Google stop it?

One of the big problems is that the relationships between the different app providers are time-intensive to figure out. That makes it hard for the app store operators to automate at scale, the researchers point out. On the other hand, Google made $28.19bn in net profit in Q2 2025 alone, so maybe it could find some spare change down the back of the couch and put some manual investigators on it.

“Google is potentially exposing its brand to reputational damage by hosting and profiting from deceptive and insecure apps like the ones we investigated.”

It’s hard to know which providers to trust online. We suggest you research any security product carefully, and go for a trusted company with a solid reputation. Malwarebytes offers a VPN of our own here.

No we didn’t warn all Gmail users about imminent digital doom, says Google

Cybersecurity publications are rife with headlines about breaches and threats, but sometimes things aren’t always what they seem. In fact, sometimes they’re plain wrong (remember toothbrushgate?). This week, Google highlighted another story that it said was fake – and this one was about its own services.

“Several inaccurate claims surfaced recently that incorrectly stated that we issued a broad warning to all Gmail users about a major Gmail security issue. This is entirely false,” it said in a blog post debunking the claim.

The blog post doesn’t actually mention what the fake claim is, presumably in an attempt not to spread it. So we’re left guessing. What’s the biggest, scariest cybersecurity claim made about Google lately? Probably the one about Google warning 2.5 billion users about a recent attack on its systems.

The most difficult falsehoods to debunk are those where there’s a grain of truth. In this case there was an attack on Google’s systems. What’s at issue is how bad the attack was and what it did afterwards.

Here’s what happened. In June, Google was compromised by a group that it calls UNC6040 (the group is also widely known as ‘ShinyHunters’). This group targets companies that use the Salesforce enterprise software. It ‘voice phishes’ employees of those companies, impersonating IT staff and persuading them to enter their credentials on a web page. That page authorizes the intruders to access the company’s Salesforce account and download sensitive data.

“The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details,” Google said in its blog post about the incident, adding that it had notified all users by August 8.

However, some have suggested that Google’s ShinyHunters compromise has put 2.5 billion users at risk from phishing attacks, and that Google sent out an emergency warning to them. That story appears to have gone viral, and Google says it’s wrong. It didn’t send out that warning, and in spite of the attack on its systems, most of its users aren’t at any more risk than they were before.

“While it’s always the case that phishers are looking for ways to infiltrate inboxes, our protections continue to block more than 99.9% of phishing and malware attempts from reaching users,” the company said in its refutation.

The cybersecurity press is prone to sensational headlines. But publishing clickbait helps no one in the end, of course, because people can only stand so much panic. Eventually they’ll switch off, making it more difficult for legitimate, measured security alerts to make it through.

The fact that Google users aren’t in imminent elevated danger doesn’t change the need for basic cybersecurity hygiene. As Google points out, potential attackers are always rattling our digital doorknobs. We should always be on our guard and make it more difficult for them to get in.

“As best practices for additional protection, we encourage users to use a secure password alternative like Passkeys, and to follow these best practices to spot and report phishing attacks,” it concluded.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Why you should upgrade to Windows 11 now, and how to do it

I know many of us love(d) Windows XP and Windows 7 almost as much as we dislike Windows 10 and 11, but if you want to stay secure on Windows, the time to bite the bullet is closing in fast.

Support for Windows 10 will end on October 14, 2025, which means the only Windows version that will continue to receive updates after that date is Windows 11.

Why you should upgrade

Using an out‑of‑date Windows version leaves you exposed to threats designed for yesterday’s flaws. Each Windows update patches known vulnerabilities, some of which might already be used by cybercriminals, so closing those gaps as soon as possible is important. When official support ends, so do the security updates that help keep criminals out.

Through its updates, Microsoft also steadily adds new protection features, like better firewalls and improved warnings, which will never make it to older versions of Windows.

Security software is built for the latest, safest codebase. While programs may support older Windows versions, you may be missing out on some of the options, simply because the older Windows version does not support them.

Other programs may also be unavailable if you are sticking to an old Windows version.

How to upgrade

If you’re on Windows 10, then the upgrade to the equivalent version of Windows 11 is free, but that only works if your computer meets the minimum system specifications. If not, you’ll either need another computer or you can explore other options.

You can check if your Windows 10 computer is eligible to upgrade for free to Windows 11 by selecting the Start button, then going to Settings > Update & Security > Windows Update. If your system isn’t compatible with Windows 11, there’ll be a big box letting you know, along with the option to grab the Microsoft PC Health Check App. This will explain in more detail why you may not be able to meet system requirements for Windows 11.

Before upgrading or switching, always do a complete backup of your system and all personal files. If something goes wrong, you’ll be glad you took this extra step.

Windows does retain your old operating system (OS) for up to 10 days after upgrading, letting you revert if problems pop up. After that period, rolling back means a clean install and restoring from backup.

At Malwarebytes, we want you to stay safe and secure, regardless of which operating system you use. While Malwarebytes continues to support Windows 7 and higher at this time, we strongly recommend updating to the latest operating system to ensure you receive the full protection and latest features we offer.

Make sure to have a plan ready before October 14, 2025 and be aware that doing nothing is also a choice, even though it may not be the best one.



Update your Android! Google patches 111 vulnerabilities, 2 are critical

Google has patched 111 vulnerabilities in Android, including two critical flaws, in its September 2025 Android Security Bulletin.

While the last few months have been quite calm regarding the number of vulnerabilities, this month is a real whopper with 111, compared to 6 in August and none in July.

The September updates are available for Android 13, 14, 15, and 16. Android vendors are notified of all issues at least a month before publication; however, this doesn’t always mean that the patches are available for all devices immediately.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for them yourself.

For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version you’re on.

If your Android phone shows patch level 2025-09-05 or later then you can consider the issues as fixed.

Keeping your device as up to date as possible protects you from known vulnerabilities and helps you to stay safe.

Technical information

Google notes that:

“there are indications that the following may be under limited, targeted exploitation.

CVE-2025-38352

CVE-2025-48543”

But it doesn’t provide any details about how and against whom these vulnerabilities were used. So, let’s have a closer look at those two first.

CVE-2025-38352 is a race condition vulnerability in the Linux kernel time subsystem, which may allow a local attacker to gain an elevation of privilege (EoP).

A race condition vulnerability arises when different threads (processes or programs) use the same resource without being synchronized. That creates a brief period, the race window, during which an attacker can try to slip their own operation in between the program’s steps.

In this case the resource is the CPU time, the amount of time that a central processing unit (CPU) was used for processing instructions of a computer program or operating system.

A “local attacker,” which can also be an installed app or a shell, could exploit this vulnerability to gain permissions it would normally not have.

CVE-2025-48543 is a vulnerability in Android runtime. The Android Runtime (ART) is the system responsible for running applications on Android devices. Basically it translates instructions into machine code which the processor understands. The vulnerability could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

And then there is the vulnerability tracked as CVE-2025-48539. This critical vulnerability was found in the System component and could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed and no user interaction required.

The part where the description says remote (proximal/adjacent) is a bit of a mystery, but our best guess is this means an attacker could compromise a device from a short distance, so it might be by means of Bluetooth, NFC, or Wi-Fi Direct.

This type of vulnerability always makes researchers nervous, because they could be “wormable,” meaning they can spread from one device to the next. And if that is true, they can spread like wildfire in crowded environments like concerts and conferences.


We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

PayPal users targeted in account profile scam

A co-worker forwarded this rather convincing PayPal scam to me. Thanks Elena.

A highly sophisticated email scam is targeting PayPal users with the subject line of “Set up your account profile.”

We decided to see what the scammers are after. First thing to do is to look at the headers:

email header looks legitimate

The sender address service@paypal.com (sometimes the emails come from service@paypal.co.uk) looks legitimate because it is, but the scammers have spoofed the address.

Basically, when someone sends an email, their computer tells the email system what address to show as the sender. Scammers take advantage of this by using special software or programs that let them type in any “From” address they want. This technique is called spoofing. The scammer sends their email through the internet, and since most email systems aren’t strict about checking this information, the fake sender address is displayed just like a real one would be.

So it’s hard for the everyday user to tell if the email has been spoofed or not.

There are other signs that the email might be a scam though. There is the unusual recipient address, which is nothing like my co-worker’s. Rather than targeting one individual, scammers set up a distribution list (often using Microsoft 365/Google test domains) with their own domain or, in this case, a compromised one. This allows them to send bulk phishing emails while masking their intent, but it does mean that recipients see an unfamiliar address, e.g. {somebody}@{unknown-domain}.test-google-a.com, instead of their own.

The “.test-google-a.com” part of the address refers to a domain often used in testing or in cloud setups through Google Workspace, but in the context of this scam email, it’s a strong indicator of malicious activity or advanced phishing techniques rather than official Google practice. So, that’s red flag #1.
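The signals discussed above can be pulled out of the raw headers automatically. Below is an added example, not code from PayPal or Malwarebytes, that parses a constructed set of headers (folded lines included), compares the visible From domain with the envelope sender in Return-Path, reads the receiving server’s Authentication-Results line for SPF, DKIM and DMARC results, and checks whether the recipient’s own address appears in To. The header values, domains and IP address are all constructed; the .test-google-a.com recipient mirrors the pattern from the scam email.

```javascript
// Added example (not PayPal's or Malwarebytes' code): extracting spoofing signals
// from raw message headers. The headers below are constructed for this demo.
const SAMPLE_HEADERS = `Return-Path: <bounce@mail.example-sender.test>
Received: from mail.example-sender.test (mail.example-sender.test [192.0.2.50])
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=mail.example-sender.test;
 dkim=none; dmarc=fail header.from=paypal.com
From: "PayPal" <service@paypal.com>
To: somebody@unknown-domain.test-google-a.com
Subject: Set up your account profile
`;

// Parse "Name: value" lines into a Map of lowercase name -> [values]. A line that
// starts with whitespace continues the previous header (RFC 5322 folding).
function parseHeaders(raw) {
  const headers = new Map();
  let current = null;
  for (const line of raw.split(/\r?\n/)) {
    if (/^\s/.test(line) && current) {
      const values = headers.get(current);
      values[values.length - 1] += " " + line.trim();
    } else if (line.includes(":")) {
      const idx = line.indexOf(":");
      current = line.slice(0, idx).trim().toLowerCase();
      if (!headers.has(current)) headers.set(current, []);
      headers.get(current).push(line.slice(idx + 1).trim());
    }
  }
  return headers;
}

// Domain part of the first address in a header value, or null.
function addressDomain(value) {
  const m = /<?([^\s<>"]+)@([^\s<>"]+)>?/.exec(value || "");
  return m ? m[2].toLowerCase() : null;
}

// Returns the two sender domains plus a list of flag codes (empty means no flags).
function reviewHeaders(raw, myAddress) {
  const h = parseHeaders(raw);
  const first = name => (h.get(name) || [])[0];
  const flags = [];

  // Visible From domain vs. the envelope sender the SMTP transaction actually used.
  const fromDomain = addressDomain(first("from"));
  const envelopeDomain = addressDomain(first("return-path"));
  if (fromDomain && envelopeDomain && fromDomain !== envelopeDomain) {
    flags.push("from-vs-envelope-mismatch");
  }

  // SPF/DKIM/DMARC verdicts recorded by the receiving server.
  const auth = (h.get("authentication-results") || []).join(" ");
  for (const [, method, result] of auth.matchAll(/\b(spf|dkim|dmarc)=(\w+)/g)) {
    if (result !== "pass") flags.push(`${method}-${result}`);
  }

  // Bulk phishing via a list often shows a To: address that is not yours.
  const to = first("to") || "";
  if (!to.toLowerCase().includes(myAddress.toLowerCase())) flags.push("recipient-mismatch");

  return { fromDomain, envelopeDomain, flags };
}

console.log(reviewHeaders(SAMPLE_HEADERS, "elena@example.net"));
```

A DMARC failure on a From domain as tightly policed as a payment provider’s is the clearest of these signals, but the From-versus-Return-Path mismatch is worth keeping as a separate flag: it still shows up when the receiving server recorded no DMARC verdict at all.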

When looking at the email itself, the subject line has nothing to do with what the email is asking the target to do. That’s red flag #2.

The Paypal account profile set up email

“Set up your PayPal account profile
New Profile Charge: We have detected a new payment profile with a charge of $910.45 USD at Kraken.com. To dispute, contact PayPal at (805) 500-8413. Otherwise, no action is required. PayPal accept automatic pending bill from this account. Your New PayPal Account added you to the Crypto Wallet account.
Your user ID: Receipt43535e
Use this link to finish setting up your profile for this account. The link will expire in 24 hours.”

The layout of the email looks convincing enough, likely copied from an actual PayPal email.

The content however is typical for a phishing email:

  • Urgency: The link will expire in 24 hours.
  • Amount: Over $900 to grab your attention
  • Crypto wallet: most people have only a vague notion of how crypto wallets work, so they don’t see the lie immediately. And Kraken.com is a crypto trading platform, so there is no discrepancy there.
  • The phone number listed is known by the Better Business Bureau as related to this type of scam
  • The recipient is not addressed by name in the email. Legitimate PayPal emails will always address you by your full name or business name, never generic greetings like “Dear Customer” or “Dear User”, or none at all as in this example. Red flag #3, 4, 5, 6, and 7.

The language used in the email is not perfect, but also not bad enough to stand out like a sore thumb. We have discussed in the past how AI-supported spear phishing fools more than 50% of targets, so looking for spelling errors is often not helpful these days.

But now comes the part which showcases the sophistication level of this scam. The link that the button in the email points to actually goes to PayPal.

link to paypal.com

However, the effect is different from what the target of the phishing email would expect. They are not going to set up a profile nor dispute a payment.

By clicking the link in the email, the target starts the routine to add a secondary user to their PayPal account. The danger here is that a secondary user can issue payments. In other words, the scammer would be able to clean out your PayPal account.

PayPal has over 434 million active users so for phishers that’s a large target audience. To make their attacks more targeted, some groups of phishers will buy or steal large databases of email addresses that are associated with PayPal accounts or which have previously interacted with PayPal services.

How to stay safe

As far as we could determine this campaign has been running for a month or more. Here are some tips to help you avoid being caught out:

  • Look out for the red flags above.
  • Always search phone numbers and email addresses to look for associations with known scams.
  • Go directly to PayPal.com to see if there are any messages for your account.
  • Enable two-factor authentication (2FA) to add an extra layer of security to your PayPal account and help prevent scammers getting in.
  • Report suspicious emails and phishing emails to phishing@paypal.com. Then delete them.

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

Tax refund scam targets Californians

The State of California Franchise Tax Board (FTB) recently issued a warning to taxpayers to protect themselves from tax scams. In their warning the FTB states:

“Recently, the FTB received reports of a scam targeting taxpayers through text messages that appear to be from FTB. These text messages contain a link to a fraudulent version of certain FTB web pages, which are designed to steal personal and banking information. The scam aims to trick taxpayers into providing personal details and credit card information.”

As if to prove their point, one of my co-workers received this text message.

example tax scam text

“State of California Franchise Tax Board (FTB)

Your tax refund claim has been processed and approved. Please provide your accurate collection information before September 01, 2025.

We will deposit the money into your bank account or email paper check within 1-2 working days.

{link}

Failure to submit required payment information by September 01, 2025 will result in permanent forfeiture of this refund under California Revenue and Taxation Code Section 19322.

Just reply with ‘Y’, then close and reopen the message to make the link work. If that doesn’t do it, copy the link and paste it straight into Safari.

California Franchise Tax Board|Sacramento, CA|Official State Agency”

The links that we found for this campaign are designed to look legitimate by using ftb.ca, ftb.gov, or ftb.cagov in the URL. The sites are designed to mimic the official version of certain FTB web pages, but in reality they are designed to steal your personal and banking information.

How to tell if a message is a scam

This type of scam is not limited to California or even to tax returns, so this advice is good for everyone. Here are some scammy signs to watch out for:

  • Suspicious domain names: Official tax authorities only use domains ending in “.gov”. Any link leading to “ftb.ca-nt.cc” or other odd-looking domains is a major red flag.
  • Urgent or threatening language: Scammers often try to rush recipients with claims like “permanent forfeiture of your refund” and tight deadlines.
  • Requests for sensitive personal or financial information: Legitimate agencies never ask for bank account info or other private details via text message.
  • Promised instant rewards: Messages offering immediate deposits should not be trusted.
  • Odd instructions for opening links: Watch out for steps like “reply with ‘Y’, then close and reopen the message” or pasting the link into Safari. This is a scam tactic to bypass security features.
  • Foreign phone numbers: US federal and state agencies only use official numbers, not foreign codes. A sender like +63 (Philippines) pretending to be a US state agency is a sure giveaway of fraud.
  • Grammatical mistakes, strange wording, and formatting errors: Even though the use of AI by scammers has reduced the number of these signs, they sometimes occur. “Email paper check” is a good example.
  • Generic sign-offs or incomplete contact details: Real tax authorities provide clear and official contact information.

Spotting any one of these signs should be enough to delete the message. Never click links or provide personal details based on unsolicited texts or emails.

Other tips to stay safe are:

  • Keep your device and the software on it up to date.
  • Use active anti-malware protection, preferably with a web protection module.
  • If you’re worried something is a scam and want to confirm it, Malwarebytes users can submit suspicious messages to Scam Guard.

You can also visit the FTB Scams page to verify when FTB sends texts and what information is included.

Indicators

We have spotted these subdomains in this campaign:

  • ftb.gov-ciehka.xmnsia[.]cc
  • ftb.ca-nt[.]cc
  • ftb.cagov-Ibh[.]cc
  • ftb.cagov-tqn[.]cc
  • ftb.cagov-cg[.]cfd
  • ftb.cagov-onr[.]cc
  • ftb.cagov-jme[.]cc
  • ftb.cagov-etu[.]cc
  • ftb.cagov-ib[.]cc
  • ftb.ca-mg[.]cc
  • ftb.gov-qls[.]help
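
The indicators above, and the lookalike naming described earlier (ftb.ca, ftb.gov or ftb.cagov placed in front of an unrelated registered domain), lend themselves to an automated triage check. The following Python is an added example, not code from Malwarebytes or the FTB: it refangs each indicator, works out the registrable domain using a deliberately small, constructed suffix table (a real deployment would use the Public Suffix List), and flags any host that reuses a known brand name or a “gov” label without actually being the allowlisted domain. It goes slightly beyond the FTB case by treating paypal.com, from the phishing story above, the same way. The INDICATORS list is copied from this article; KNOWN_BRANDS and PUBLIC_SUFFIXES are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed, deliberately small suffix table for this example. A production check
# should use the Public Suffix List (for example through the tldextract package).
PUBLIC_SUFFIXES = {"gov", "ca.gov", "com", "cc", "cfd", "help"}

# Registrable domains we trust, each with the brand token an impostor tends to reuse.
# These entries are assumptions made for the example.
KNOWN_BRANDS = {
    "ftb.ca.gov": ("ftb",),
    "paypal.com": ("paypal",),
}

# Defanged indicators listed in the article, used here as sample input.
INDICATORS = [
    "ftb.gov-ciehka.xmnsia[.]cc", "ftb.ca-nt[.]cc", "ftb.cagov-Ibh[.]cc",
    "ftb.cagov-tqn[.]cc", "ftb.cagov-cg[.]cfd", "ftb.cagov-onr[.]cc",
    "ftb.cagov-jme[.]cc", "ftb.cagov-etu[.]cc", "ftb.cagov-ib[.]cc",
    "ftb.ca-mg[.]cc", "ftb.gov-qls[.]help",
]


def refang(text: str) -> str:
    """Turn the publication-safe 'example[.]cc' form back into a real hostname."""
    return text.replace("[.]", ".")


def hostname_of(url: str) -> str:
    """Lowercase hostname of a URL; bare hostnames without a scheme are accepted too."""
    text = refang(url.strip())
    if "://" not in text:
        text = "http://" + text
    return (urlsplit(text).hostname or "").rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """The owner-level domain: the label directly above the public suffix."""
    labels = host.split(".")
    for n in (2, 1):                       # try the longer suffix (ca.gov) first
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host


def classify(url: str) -> tuple[str, str]:
    """Return (verdict, registrable_domain); verdict is legitimate, lookalike or unknown."""
    host = hostname_of(url)
    reg = registrable_domain(host)
    if reg in KNOWN_BRANDS:
        return "legitimate", reg
    # Split on dots and hyphens so "ftb.ca-gov", "ftb.cagov" and "ftb-ca-gov" all expose
    # their pieces; matching whole pieces avoids hits inside unrelated words.
    pieces = set(re.split(r"[.-]", host))
    uses_brand = any(tok in pieces for toks in KNOWN_BRANDS.values() for tok in toks)
    claims_gov = any("gov" in p for p in pieces) and not reg.endswith(".gov")
    if uses_brand or claims_gov:
        return "lookalike", reg
    return "unknown", reg


def scan(urls: list[str]) -> dict[str, str]:
    """Verdict for every input, handy for running over an indicator list."""
    return {u: classify(u)[0] for u in urls}


if __name__ == "__main__":
    for url, verdict in scan(INDICATORS + ["https://www.ftb.ca.gov/", "xmnsia.cc"]).items():
        print(f"{verdict:10} {url}")
```

All eleven indicators come back as “lookalike”, while https://www.ftb.ca.gov/ is “legitimate” because its registrable domain is the allowlisted one. The check is a heuristic for triage, not a blocklist: a host such as governor-news.example would also be flagged because of the “gov” piece, so treat “lookalike” as “review before trusting”.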



WhatsApp fixes vulnerability used in zero-click attacks

WhatsApp says it has issued an update to patch a vulnerability that has been used in conjunction with an Apple vulnerability to target specific users and compromise their devices.

Reportedly, attackers used this exploit against dozens of WhatsApp users, and WhatsApp has notified those affected:

First part of notification sent to attacked WhatsApp users

“Our investigation indicates that a malicious message may have been sent to you through WhatsApp and combined with other vulnerabilities in your device’s operating system to compromise your device and the data it contains, including messages.

While we don’t know with certainty that your device has been compromised, we wanted to let you know out of an abundance of caution so you can take steps to secure your device and information.”

WhatsApp advised the affected users to perform a full factory reset of their phone in order to make sure they are rid of the malware.

WhatsApp notification for targeted users, telling them what to do.

“We’ve made changes to prevent this specific attack from occurring through WhatsApp. However, your device’s operating system could remain compromised by the malware or targeted in other ways.

To best protect yourself, we recommend a full device factory reset. We also strongly urge you to keep your devices updated to the latest version of the operating system, and ensure that your WhatsApp app is up to date.”

According to the Amnesty International Security Lab, the vulnerability was part of a zero-click attack against both iPhone and Android users. A zero-click attack is a type of attack which allows the cybercriminals to break into devices or apps without the victim needing to click, tap, or respond to anything. Unlike classic scams that rely on tricking someone into clicking a sketchy link, zero-click threats can land on a device simply because an app receives a message or notification crafted to exploit a hidden flaw.

Technical details

The zero-click attack required two vulnerabilities.

For iOS and Mac users, the first vulnerability was tracked as CVE-2025-43300 and lies in the Image I/O framework, the part of macOS and iOS that an app uses to open or save a picture. The problem was an out-of-bounds write. Apple closed it with improved bounds checking, so attackers can no longer use it.

An out-of-bounds write vulnerability means that an attacker can manipulate parts of the device’s memory that should be out of their reach. Such a flaw lets a program read or write outside the bounds it was meant to respect, which allows attackers to corrupt other parts of memory, including areas allocated to more critical functions. An attacker can place code in a part of memory where the system then executes it with permissions that neither the program nor the user should have.

In this case, an attacker could construct an image that exploits the vulnerability. Processing such a malicious image file would result in memory corruption, and memory corruption flaws can be used to crash important processes or execute attacker-supplied code.
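
To make the bounds-checking remark concrete, here is an added Python illustration, not Apple’s Image I/O code and not any real file format: a toy image header whose width, height and bytes-per-pixel fields drive a buffer allocation. The naive path mirrors the flawed pattern: the product of the header fields is computed in wrapping 32-bit arithmetic to size the buffer, while the copy that follows uses the full declared size, so a crafted header can make the allocation far smaller than the write that lands in it. The checked path validates every header-derived quantity and rejects the file before anything is allocated. The TIMG format, the MAX_DIMENSION policy and the 32-bit size_t emulation are all assumptions of this example.

```python
import struct

# Constructed toy format for this example, not any real Image I/O format:
# magic "TIMG", uint32 width, uint32 height, uint8 bytes per pixel, then pixel data.
HEADER = struct.Struct("<4sIIB")
MAGIC = b"TIMG"
SIZE_T_MAX_32 = 0xFFFFFFFF      # emulate a 32-bit size_t so the wrap-around is visible
MAX_DIMENSION = 1 << 16         # policy limit, chosen for this example


def make_image(width: int, height: int, bpp: int, body=None) -> bytes:
    """Build a sample file; `body` lets a caller attach fewer bytes than the header claims."""
    if body is None:
        body = bytes(width * height * bpp)
    return HEADER.pack(MAGIC, width, height, bpp) + body


def naive_plan(data: bytes) -> tuple[int, int]:
    """The flawed pattern: size the buffer from header fields with wrapping arithmetic,
    then copy every declared byte. Returns (bytes_allocated, bytes_the_copy_would_write)."""
    _, width, height, bpp = HEADER.unpack_from(data, 0)
    allocated = (width * height * bpp) & SIZE_T_MAX_32   # silently wraps on overflow
    to_write = width * height * bpp                      # the copy loop does not wrap
    return allocated, to_write


def would_overflow(data: bytes) -> bool:
    """True when the naive plan writes past its own allocation (an out-of-bounds write)."""
    allocated, to_write = naive_plan(data)
    return to_write > allocated


def checked_plan(data: bytes) -> int:
    """Hardened version: every quantity derived from the header is validated before use.
    Returns the pixel-buffer size, or raises ValueError."""
    if len(data) < HEADER.size:
        raise ValueError("truncated header")
    magic, width, height, bpp = HEADER.unpack_from(data, 0)
    if magic != MAGIC:
        raise ValueError("bad magic")
    if not (0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION):
        raise ValueError("dimensions outside policy limits")
    if bpp not in (1, 3, 4):
        raise ValueError("unsupported bytes per pixel")
    needed = width * height * bpp
    if needed > SIZE_T_MAX_32:          # in C this is checked before multiplying (w > SIZE_MAX / h)
        raise ValueError("pixel buffer size overflows size_t")
    available = len(data) - HEADER.size
    if needed > available:
        raise ValueError(f"header declares {needed} pixel bytes but only {available} present")
    return needed


def is_rejected(data: bytes) -> bool:
    """Convenience wrapper: does the hardened parser refuse this input?"""
    try:
        checked_plan(data)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    good = make_image(4, 2, 3)
    wrap = make_image(65536, 65536, 1, body=bytes(16))   # 2**32 pixel bytes declared
    short = make_image(8, 8, 4, body=bytes(16))          # claims 256 bytes, carries 16
    for name, img in (("good", good), ("wrap", wrap), ("short", short)):
        print(f"{name}: naive overflow={would_overflow(img)} rejected={is_rejected(img)}")
```

The “wrap” sample is the interesting one: 65536 × 65536 × 1 is exactly 2^32, which the wrapping allocation turns into a zero-byte buffer while the copy still intends to write four gigabytes. The checked parser refuses it, and also refuses the “short” file whose header promises more pixel data than the file carries, which is the read-side counterpart of the same class of bug.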

The second vulnerability, CVE-2025-55177 for WhatsApp users, is caused by incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 and could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device.

What to do

The infection chain described in the security advisories from Apple and WhatsApp relies on two components: an Apple vulnerability (CVE-2025-43300) in the Image I/O framework and a WhatsApp vulnerability (CVE-2025-55177) in the authorization of linked device synchronization messages, which allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device.

Attackers exploited the Apple ImageIO bug via malicious image files, which is dangerous because this core library is used by multiple apps (not just WhatsApp) for opening and previewing pictures. In affected WhatsApp versions for iOS and Mac, the sync message bug could trigger arbitrary URL processing, creating a powerful combo for chaining exploits and compromising devices without any user action.

While Android users were mentioned among potential targets in advanced spyware campaigns reported by Amnesty, the most severe zero-click risk described applies only to Apple devices. For Android, the WhatsApp vulnerability may have exposed users to attacks, but not via the same chained infection vectors. As always, updating WhatsApp and enabling advanced security features (like Google Advanced Protection on Android) is highly recommended. So is using security protection on your devices.

If you’ve received one of the notifications from WhatsApp, we’d advise you to follow the instructions.


We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.