IT NEWS

Researchers found a set of vulnerabilities in Apple’s AirPlay SDK that put billions of users at risk of their devices being taking over.

AirPlay is Apple’s proprietary wireless technology that allows you to stream audio, video, photos, and even mirror your device’s screen from an iPhone, iPad, or Mac to other compatible devices like Apple TV, HomePod, smart TVs, or speakers. It works over Wi-Fi, so you don’t need cables.

Apple added the necessary updates on April 28 to the March 31 update. The update—iOS 18.4 and iPadOS 18.4—was initially issued on March 31, but the additional security fixes were delivered through Rapid Security Responses, or minor patches that Apple incorporated after the initial release. Rapid Security Response (RSR) is a type of software patch delivering security fixes between Apple’s regular, scheduled software updates.

The good news is if you installed the March 31 update, you should be fine. Otherwise, check manually if any updates are available.

To check if you’re using the latest software version, go to Settings > General > Software Update. You want to be on iOS 18.4.1 or iPadOS 18.4.1, so update now if you’re not. It’s also worth turning on Automatic Updates if you haven’t already. You can do that on the same screen.

• The latest version of macOS is 15.4.1. Learn how to update the software on your Mac and how to allow important background updates.
• The latest version of tvOS is 18.4.1. Learn how to update the software on your Apple TV.
• The latest version of watchOS is 11.4. Learn how to update the software on your Apple Watch.
• The latest version of visionOS is 2.4.1. Learn how to update the software on your Apple Vision Pro.

The AirPlay SDK (Software Development Kit) is a set of programming tools Apple provides to app developers to integrate AirPlay functionality into their apps. Using the AirPlay SDK, developers can add features that allow their apps to stream audio or video content wirelessly to AirPlay-compatible devices. This makes apps “AirPlay-ready” by handling the streaming and control behind the scenes.

Combining vulnerabilities allows an attacker on the local network to potentially take control of devices that support AirPlay—both Apple devices and third-party devices that leverage the AirPlay SDK.

Apple released updates to fix the vulnerabilities on April 29 for members of the Apple MFi Program, who are developers of Apple-compatible accessories or software.

The researchers who found and reported these flaws warn they can be exploited without any user interaction—or with just a single click—to execute remote code. Attackers could also use them for man-in-the-middle interceptions, denial-of-service disruptions, and to bypass access controls and user prompts. On top of that, these vulnerabilities may allow unauthorized access to sensitive data and local files, making them a serious risk that demands immediate attention.

Technical details

In total, the researchers responsibly disclosed 23 vulnerabilities to Apple, leading to 17 CVEs being issued. A complete list and description of these CVEs, as well as specific attack scenarios they enable, can be found on their blog.

The most important vulnerabilities are:

CVE-2025-24252: Successful exploitation of the use-after-free vulnerability could allow a remote attacker to execute arbitrary code. When exploited together with CVE-2025-24206, the attacker is able to perform zero-click remote code execution on other vulnerable AirPlay-enabled devices in the same network, without any user interaction. The vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 9.8 out of 10.

CVE-2025-24206: Successful exploitation of the vulnerability could allow an attacker to bypass authentication and conduct malicious activities without user interaction when exploited with other vulnerabilities.

CVE-2025-24132: Successful exploitation of the stack-based buffer overflow vulnerability could allow an attacker to perform zero-click remote code execution on vulnerable AirPlay SDK devices and potentially leak sensitive information by eavesdropping.

That the attacker does need to be on the same network, but exploitation require minimal to no interaction of the target.

Possible protective actions

These depend very much on the types of devices you are using, so I will try to give some general guidance and the reasons behind them.

• As we said above, make sure your devices are fully updated
• Use up-to-date and active malware protection
• Disable AirPlay if you’re not using it, or set it to Ask as a minimum

• Disable AirPlay Receiver if it is not in use.
• Be extra careful on public networks. This vulnerability could theoretically spread in airports, offices, hotels, or conferences where many Apple devices are in close proximity. In such cases, avoid using unsecured Wi-Fi.
• Restrict AirPlay settings: Change the Allow AirPlay for to Current User. While this does not prevent all of the issues, it does reduce the protocol’s attack surface.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

In an online world filled with extraordinarily sophisticated cyberattacks—including organized assaults on software supply chains, state-directed exploitations of undiscovered vulnerabilities, and the novel and malicious use of artificial intelligence (AI)—small businesses are forced to prioritize a different type of cyberattack: The type that gets through.

Without robust IT budgets or fully staffed cybersecurity departments, small businesses often rely on their own small stable of workers (including sole proprietors with effectively zero employees) to stay safe online. That means that what worries these businesses most in cybersecurity is what is most likely to work against them.

Here are the three biggest cybersecurity threats to small businesses right now. They may sound basic or even crude, but they are the biggest threats precisely because they are so effective.

1. Phishing

In phishing scams, cybercriminals trick people and businesses into handing over sensitive information like credit card numbers or login details for vital online accounts.

Cybercriminals do this by sending messages—like emails and texts—disguised as legitimate communications from major businesses (think Slack, Uber, FedEx, and Google). These messages frequently warn recipients about a problem with their accounts, like a password that needs to be updated, a policy change that requires a login, or a delayed package that has to be approved.

But when victims follow the links within these malicious messages, they are brought to a website that, while appearing genuine, is completely controlled by cybercriminals. Lured in by similar color schemes, company logos, and familiar layouts, victims “log in” to their account by entering their username and password. In reality, those usernames and passwords are delivered directly to cybercriminals on the other side of the website.

In phishing attacks, there never is a genuine problem with a user’s account, and there never is a real request for information from the company. Instead, the entire back-and-forth is a charade.

As devastating as this is, the more complex threat of phishing lies in its adaptability. Whereas early phishing scams arrived almost entirely through emails, modern phishing scams can reach victims through malicious websites, text messages, social media, and even mobile app downloads.

In 2024, Malwarebytes found more than 22,800 phishing apps on Android, according to the recent 2025 State of Malware report. Disguised as apps such as TikTok, Spotify, and WhatsApp, these Android apps can trick victims into handing over their associated usernames and passwords when asking them to login.

Understandably, some small business owners might discount the threat of losing their login credentials to consumer tools like Spotify and TikTok. But here, the threat of phishing is compounded by another enormous problem in cybersecurity, which is that too many individuals and businesses reuse passwords across multiple accounts. That means that email login credentials that were successfully stolen in a phishing scam could also provide access to a small business’s financial accounts, payroll services, and even tax info.

Further, if a hacker were to use their wrongful access to steal customer data, then a small business might also have to front the cost for sending out data breach notifications, per their state’s regulations.

How to protect your business:

• Use unique, strong passwords for each online account and store and create these passwords using a password manager
• Enable “multifactor authentication” on all important business accounts so that hackers who steal passwords cannot access accounts with only usernames and passwords
• Do not click on links from unknown senders
• If you’re asked for login information through an email or online message, do not input your login info in the email or through whatever link you’re directed towards. Instead, navigate to the site directly.

2. Social media account takeover

Social media is not just a vital tool for promoting many small businesses, it can often be the entire business itself.

YouTube video creators, Twitch streamers, and lifestyle influencers on TikTok and Instagram are effectively small business owners. They make a product and they earn revenue just like many online businesses—through ads and sponsored partnership deals.

If any of these social media business owners lost their login credentials through a phishing scam or data breach, they could potentially lose access to their entire operation.

In 2023, famous YouTube tech personality Linus Sebastian suffered a hack of three different YouTube channels associated with his company, Linus Media Group. The hackers hijacked the channels to spread cryptocurrency scams, while deleting some of the group’s old videos in the process. The attack was largely reminiscent of a 2022 YouTube account hack that repurposed a 2018 interview with Apple CEO Tim Cook to fool viewers into following a separate cryptocurrency scam.

Both incidents reveal the real threat to small businesses everywhere.

Social media account hacks are not only a risk to content creators—they’re a risk to any business with a legitimate online audience. Once scammers have control of any business’s social media account, they can send fraudulent messages to people on the business’s behalf and promote online scams that could tarnish the business’s reputation for years to come. Hackers could even swipe sensitive information before access is restored.

While social media hacks are often the byproduct of successful phishing attacks, cybercriminals can also gain wrongful access to a social media account through separate data breaches.

Hackers frequently buy usernames and passwords on the dark web from prior data breaches. They then use those login credentials on a variety of online accounts that belong to the same owner—entering the username and password for, say, a breached LinkedIn account into the username and password fields for QuickBooks, Shopify, and Hubspot. When people and businesses reuse passwords across accounts, hackers find an easy way in.

How to protect your business:

• Use unique, strong passwords for each account and store and create these passwords using a password manager
• Enable “multifactor authentication” on all important business accounts so that hackers who steal passwords cannot access accounts with only usernames and passwords
• Avoid phishing attacks by refusing to click on links from unknown senders
• Do not download any attachments from unknown senders or from unexpected emails. These attachments could contain malware that steals passwords, data, and multifactor authentication codes.

3. Ransomware

Ransomware is more than a cyberthreat—it is an existential one, threatening to lock down computer systems, remove vital data, and waste potentially hundreds of thousands of dollars in recovery.

But because most ransomware news coverage focuses on major, multibillion dollar corporations that get hit with disruptive attacks, many boutique businesses might assume that ransomware gangs would never bother with a small outfit like theirs.

In reality, ransomware gangs do not care about the size, budget, or resources of their victims, because ransomware itself has become increasingly easy to scale and deploy.

Modern gangs operate on a “Ransomware-as-a-Service” model, where ransomware developers lease out their malicious software to “affiliates” who, if successful in launching an attack, return a small portion of their ill-gotten gains back to the ransomware developers at the top. LockBit, which was once the most active ransomware gang in history, had at least 194 affiliates doing its dirty work.

While LockBit most frequently attacked large conglomerates and governments, another Ransomware-as-a-Service group called Phobos was more than happy to prey on smaller organizations.

In 2024, when the US Department of Justice charged a Russian national named Evgenii Ptitsyn for his alleged involvement into running Phobos, its indictment revealed that one of the ransomware gang’s affiliates allegedly extorted a Maryland-based healthcare provider out of just $2,300. Other victims cited in the indictment included a marketing and data analytics firm in Arizona, a Connecticut public school system, and an automotive company out of Ohio.

According to data analyzed by Malwarebytes’ business unit ThreatDown, these smaller victims were the bread and butter of Phobos. Unlike other ransomware gangs that demanded up to $1 million or more from each victim in 2023, Phobos operators demanded an average of $1,719 from victims, with a median demand of just $300.

How to protect your business:

• Block common forms of entry. Patch known vulnerabilities in internet-facing software and disable or harden the login credentials for remote work tools like RDP ports and VPNs.
• Prevent intrusions and stop malicious encryption. Stop threats early before they can infiltrate or infect your endpoints. Use always-on cybersecurity software that can prevent exploits and malware used to deliver ransomware.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated an outbreak and stopped a first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Cybercriminals are having less success targeting end-user technology with zero-day attacks, said Google’s security team this week. While most attacks do still target personal technology like smartphones and browsers, the focus is moving increasingly to enterprise tech.

Zero-day vulnerabilities are those that are exploited before vendors have a chance to patch them – and often before they even know about them. Attackers using these flaws to compromise systems are still primarily espionage groups, says the Google Threat Intelligence Group in its annual analysis of zero-day exploits.

Government-backed groups and customers of commercial surveillance vendors (that’s sanitized corporate-speak for spyware) were responsible for over half the attacks that the researchers were able to attribute. Spyware continues to be a much bigger factor in zero-day exploits today than it was before 2023.

The Chinese government exploited five zero-day flaws that Google knows of, while for the first time North Korea equaled that number. Spyware customers used eight zero-day exploits.

But state and private espionage-focused attackers aren’t the only ones using zero-days. Google also sees crime groups using them to come after your data. However, as it points out, some of these groups involved in cybercrime also maintain strong links to the Russian government.

While the number of zero-day exploits that Google identified dipped to 75 from last year’s 98, the trend is still moving slowly upward, the company says. In 2022, it found 63 zero-day exploits, and the year before that it was 95, but 2019 and 2020 both showed just 31 zero-day exploits each.

Vendors are also doing better at protecting at least some of their products, found the research. Google said attackers are having less success targeting browsers and mobile operating systems. Attackers traditionally use these technologies to get at consumer users.

Perhaps that increased protection is one reason behind another key fact: The proportion of zero-day exploits targeting end-user technologies was lower this year at 56% than those targeting enterprise tech. That’s a consistently falling number; 90.32% of zero-day exploits targeted end-user tech in 2019, followed by 70.97%, 74.74%, 63.49%, and 63.27% respectively through 2023.

In particular, exploitation of browsers and mobile devices was far lower this year than last. Browsers saw a third fewer zero-day exploits than last year, with most targeting Chrome due to its popularity, while mobile device zero-day attacks halved.

This doesn’t mean attackers won’t continue trying their best to infiltrate end-user products. “Phones and browsers will almost certainly remain popular targets, although enterprise software and appliances will likely see a continued rise in zero-day exploitation,” Google said.

When spyware attackers do target mobile devices, they will chain together multiple vulnerabilities in complex attacks on mobile devices to get around mobile vendors’ security practices.

As Google points out, it’s difficult to separate attacks against enterprise and end-user technology because enterprises often use these technologies too. Nevertheless, it has seen a 9% rise in zero-day attacks using purely enterprise tech, namely security and network products. They comprised 60% of all zero-day attacks on enterprise technologies, the company said.

What does all this mean for you? Just keep on doing what you already should be, applying basic cyber hygiene when using your devices. Admittedly, keeping your system up to date won’t help against a zero-day, but patching quickly could stop attacks reaching you if vendors see them and issue updates in time. In addition, some technologies use heuristics to try and stop software they haven’t seen before which look suspicious. And of course, avoiding opening links and files that you’re not sure about can stop zero-day exploits hitting your device in the first place.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Fake emails pretending to come from the US Social Security Administration (SSA) try to get targets to install ScreenConnect, a remote access tool.

This campaign was flagged and investigated by the Malwarebytes Customer Support and Research teams.

ScreenConnect, formerly known as ConnectWise Control, is a remote support and remote access platform widely used by businesses to facilitate IT support and troubleshooting. It allows technicians to remotely connect to users’ computers to perform tasks such as software installation, system configuration, and to resolve issues.

Because ScreenConnect provides full remote control capabilities, an unauthorized user with access can operate your computer as if they were physically present. This includes running scripts, executing commands, transferring files, and even installing malware—all potentially without you realizing.

This makes ScreenConnect a dangerous tool in the hands of cybercriminals. A phishing group dubbed Molatori—because of the domains they use to host the ScreenConnect client—has been found to lure their targets into installing the ScreenConnect clients by sending emails pretending to come from the Social Security Administration (SSA):

“Your Social Security Statement is now available
Thank you for choosing to receive your statements electronically.
Your document is now ready for download:

• Please download the attachment and follow the provided instructions.
• NOTE: Statements & Documents are only compatible with PC/Windows systems.”

There are some variations to this mail in circulation but the example above shows how legitimate these emails look.

The link in the email leads to the ScreenConnect support.Client.exe, but was found under several misleading names like ReceiptApirl2025Pdfc.exe, and SSAstatment11April.exe.

After cybercriminals install the client on the target’s computer, they remotely connect to it and immediately begin their malicious activities. They access and exfiltrate sensitive information such as banking details, personal identification numbers, and confidential files. This stolen data can then be used to commit identity theft, financial fraud, and other harmful acts. Experts have identified financial fraud as the primary objective of the Molatori group.

There are several circumstances that make this campaign hard to detect:

• The cybercriminals send phishing emails from compromised WordPress sites, so the domains themselves appear legitimate and not malicious.
• They often embed the email content as an image, which prevents email filters from effectively scanning and blocking the message.
• ScreenConnect is a legitimate application which happens to be abused because of its capabilities.

What we can do

When receiving unsolicited emails there are a few necessary precautions you can take to avoid falling for phishing:

• Verify the source of the email through independent sources.
• Don’t click on links until you are sure they are non-malicous.
• Don’t open downloaded files or attachments until you are sure they are safe.
• Use an up-to-date and active anti-malware solution.
• If you suspect an email isn’t legitimate, take a name or some text from the message and put it into a search engine to see if any known phishing attacks exist using the same methods.

Malwarebytes users are protected

Malwarebytes will detect suspicious instances of the ScreenConnect client as RiskWare.ConnectWise.CST.

And blocks connections to these associated domains:

• atmolatori[.]icu
• gomolatori[.]cyou
• molatoriby[.]cyou
• molatorier[.]cyou
• molatorier[.]icu
• molatoriist[.]cyou
• molatorila[.]cyou
• molatoriora[.]cyou
• molatoriora[.]icu
• molatoripro[.]cyou
• molatoripro[.]icu
• molatorisy[.]cyou
• molatorisy[.]icu
• onmolatori[.]icu
• promolatori[.]icu
• samolatori[.]cyou
• samolatori[.]icu
• umolatori[.]icu

We don’t just report on data privacy—we help you remove your personal information

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

A former Disney employee, Michael Scheuer, will serve three years in prison for computer fraud and aggravated identity theft after a digital sabotage campaign against his ex-employer. In addition to his sentence, he must pay nearly US$688,000 in restitution.

Scheuer, a former menu production manager at Walt Disney World, launched his campaign after being fired for misconduct in June 2024. He broke into the internal menu creation system for Disney park restaurants, falsely labeling certain foods as allergy-safe when they weren’t. This included changing items with peanuts to be listed as peanut-free, which could be fatal for individuals with peanut allergies. In some cases, he altered wine region labels to reference locations of recent mass shootings.

He also tampered with prices, inserted profanity, switched QR codes to link to a site promoting a boycott of Israel over its invasion of Gaza, and changed the menu font to Wingdings — a symbol-based typeface instead of standard letters and numbers.

Fortunately, Disney detected the changes before they reached customers.

Scheuer didn’t stop with menu manipulation. He deployed a bot to repeatedly try logging into at least 14 employee accounts, locking out staff and rendering the accounts unusable. Investigators later found a “dox” folder on his computer, containing personal identifiable information (PII) of his targets. “Doxing” — also spelled “doxxing” — refers to collecting and exposing someone’s personal information to intimidate, shame, or harass them.

After authorities arrested Scheuer in October 2024, he pleaded guilty and expressed remorse. However, prosecutors pushed for a 70-month sentence due to the scope and seriousness of his actions.

Scheuer’s lawyer David Haas said:

“Mr. Scheuer remains remorseful and apologetic to the victims. We are grateful that the Judge heard all of our arguments and mitigation when fashioning a sentence that was half of what the Government was seeking.”

Several cybersecurity mistakes were made both sides of this conflict.

• Disney should have disabled the accounts used by the disgruntled ex-employee, especially when the company was aware his termination was contentious.
• While Scheuer used a VPN, the range of his IP addresses was in the same range as when he still worked for Disney and used the same VPN.
• The use of Wingdings messed up the menu system so bad that the Menu Creator became inoperable and the action was bound to be found out.
• Changing menu items to falsely claim there are no peanuts in them could have had fatal consequences.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

AI search service Perplexity AI doesn’t just want you using its app—it wants to take over your web browsing experience too. The company is planning to launch its own browser, called Comet, next month. But what does this mean for your privacy?

Launched in 2022, Perplexity AI is an AI-powered search engine. It combines web crawling with natural language models to collect and distill data from around the web to answer users’ questions. Its freemium model gives users access to basic features powered by a simpler AI model, while the paid version lets people experiment with different kinds of more powerful AI models from companies including ChatGPT and Anthropic.

The company, which has surfed the enthusiasm over AI to rack up a valuation of $9bn, has big ambitions. In January, it submitted a proposal to merge with TikTok. Now the Comet project sees it tackle a tricky product category.

Browsers are notoriously difficult products to build, which is why so few organizations have done it, and why those that do often use the same underlying Chromium engine. It’s also likely why Perplexity has already delayed and scaled down its browser development. Nevertheless, CEO Aravind Srinivas feels that it’s worth building a product in a category that has mostly been free for users.

One of the main reasons, as he admits, is so Perplexity can get its hands on more data about its users. Simply harvesting your direct queries to the Perplexity AI app isn’t enough, he explained on the TBPN podcast.

“We want to get data even outside the app to better understand you. Because some of the problems that people [solve] in these AIs are purely work related. It’s not that personal.

Taking AI-powered interactions outside the AI app into the browser bridges that chasm, he says:

“On the other hand, like what are the things you’re buying? Which hotels are you going [to]? Which restaurants are you going to? What are you spending time browsing? [These things] tell us so much more about you that we plan to use all the context to build a better user profile.”

That extensive data profile will help it tailor highly targeted advertising to individuals. It would then serve these up via its Discover feed, he said, which is an online news service that the company runs based on surfing other web sites.

This highlights a worrying but unsurprising trend in tech: privacy tends to be a casualty when new technologies emerge. The smartphone (essentially a mobile sensor package in your pocket) is probably the biggest example of this, but we also saw it when researchers caught Apple passing accidentally-captured audio picked up by Siri to third-party contractors, and later keeping snippets of conversations from customers who opted out.

More recently, Meta’s Ray-Ban smart glasses – which capture whatever the wearer is looking at and listening to – has also come under fire. Meta includes a hardware switch to ensure that users can turn recordings off. However, in 2021 Regulators criticized what they felt was a very small indicator light on the glasses to show that they were recording, and multiple EU regulators raised concerns about their privacy.

Tech companies often take a measured approach when describing how they slurp up user data. In a way it’s refreshing that people like Srinivas are at least happy or oblivious enough to say the quiet part out loud. It means that people know what they’re dealing with and can make an informed decision.

Comments on the podcast were limited, but at least one commenter seemed to have done just that. “That’s creepy af,” they posted. “I hope nobody is going to actively use the browser. Screw that!”

The most telling aspect of all this? We searched through the podcast and the word ‘privacy’ didn’t come up once. In an industry that constantly dazzles consumers with new and shiny technology, it’s more important than ever that you keep your eyes open and focused on the financial motives underpinning it all.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Unfortunately, spyware apps with poor reputations and even weaker security practices are all too common.

I’ve lost count of how many blogs I’ve written about stalkerware-type apps that not only exposed the people they spied on but also ended up exposing the spies themselves.

However, perhaps one would expect an employee monitoring app to be of a higher standard. Not in this case.

Cybernews recently uncovered that employee monitoring app WorkComposer left over 21 million images exposed in an unsecured Amazon AWS S3 bucket. These images show a frame-by-frame activity log of remote workers.

This is not just bad news for those remote workers, it could be even worse for the WorkComposer customers that can see internal communications, confidential business documents, and log in pages exposed to anyone that stumbled over the unprotected bucket.

An S3 bucket is like a virtual file folder in the cloud where you can store various types of data, such as text files, images, videos, and more. There is no limit to the amount of data you can store in an S3 bucket, and individual instances can be up to 5 TB in size.

The WorkComposer software logs keystrokes, tracks how long an employee spends on each app, and records desktop screenshots every few minutes. This means those 21 million images could reveal everything from work processes to employees’ private information.

Although there are no indications that cybercriminals gained access to the same bucket, WorkComposer has failed to respond to any notifications and queries. It did secure the access after being notified, but did not provide any comments.

This incident echoes a previous Cybernews investigation that found WebWork, another remote team tracker, leaked over 13 million screenshots containing emails, passwords, and other sensitive work data.

What to do if your employer used WorkComposer

There are some actions you can take if you are, or suspect you may have been monitored by WorkComposer.

• Change the passwords that may have been seen. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for phishing attacks. Cybercriminals may use the information to craft convincing phishing emails, SMS, or messages pretending to be from trusted sources. Do not click on suspicious links or respond to unexpected messages requesting personal or work information.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.
• Report suspicious activity. If you notice any suspicious emails, messages, or unauthorized access attempts, report them immediately to your IT department or manager. Early reporting can help contain potential damage and prevent further breaches.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Last week on Malwarebytes Labs:

• AI is getting “creepy good” at geo-guessing
• Zoom attack tricks victims into allowing remote access to install malware and steal money
• Android malware turns phones into malicious tap-to-pay machines
• 4.7 million customers’ data accidentally leaked to Google by Blue Shield of California
• Shopify faces privacy lawsuit for collecting customer data
• All Gmail users at risk from clever replay attack
• Did DOGE “breach” Americans’ data? (Lock and Code S06E08)

Last week on ThreatDown:

• New in Nebula & OneView: CVE Tags for Ransomware-Linked Vulnerabilities

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

If you are worried about revealing your exact location—or if you maybe even fib about it at times—there are some good reasons to worry about what is visible in background photos, because Artificial Intelligence (AI) is getting very good at guessing where you are based on the smallest of clues. And that might even include audio clues, if given the right data.

Geo guessing

Our curiosity was triggered by this article in TechRadar claiming that ChatGPT o3 can geo-guess your location from almost any photo. So, we decided to do some tests and removed the metadata from a few selected photographs that I took myself and never published anywhere (for quality reasons, obviously).

Metadata can include technical details like camera settings, date and time, location, and descriptive information like captions or keywords. And we wanted to test the AI’s capability on the picture itself—not on additional data included in the file. I also used a VPN so I didn’t give away my current location.

We started with an easy one. A landmark in a relatively large city, but from a strange perspective. The picture was part of a selfie taken through a window of an office building in Cork.

It was no real surprise that ChatGPT got this right.

“Alright, let’s break this one down — this does have some standout features that make it easier to geo-locate. Here’s the reasoning step by step:”

Architectural Clues:

• The old stone building in the foreground has Georgian-style windows and masonry, which are common in parts of the British Isles, especially in Ireland and the UK.
• The clock tower in the back-left with the green copper dome is particularly distinctive and often used in civic buildings in Ireland.
• The mix of historical and modern buildings, with the newer glass-fronted offices across a small river or canal, suggests urban regeneration in a historically rich city.

Infrastructure and Environment:

• The modern bridge with a blue banner advertisement and the tree-lined waterfront hints at a city that integrates riverways into its urban design.
• The road signs and general driving direction suggest left-hand traffic, supporting a guess of Ireland or the UK.

Key Landmark:

The building with the green dome in the background looks very much like the clock tower of Cork City Hall in Ireland. The angle of the shot shows the old Custom House building in front, and the modern offices across the River Lee, which runs through Cork.

This was spot on. But surely ChatGPT is not the only AI good at geo-guessing, so we used the same picture to test Perplexity as well.

“This image provides several strong clues for geo-guessing:

The architecture of the foreground building is classic Georgian or early Victorian, with grey stone and sash windows—styles common in the British Isles, especially Ireland and the UK.

The river, modern glass buildings, and the steel bridge suggest a city that blends historical and contemporary elements.

The most distinctive feature is the clock tower with a green dome in the background. This is a well-known landmark: the Cork Courthouse clock tower in Cork, Ireland.

The bridge over the river and the combination of old and new buildings align with the area around the River Lee in Cork city centre.

Conclusion

This photo was taken in Cork, Ireland, looking out over the River Lee. The stone building in the foreground is part of the historic courthouse complex, and the green-domed clock tower is a prominent feature of Cork’s skyline. The modern glass buildings and bridge further confirm this as central Cork, a city known for its mix of heritage and modern development.”

Perplexity provided almost the same level of accuracy, so we decided to raise the difficulty level. A lot.

You’ll have to agree that this photo doesn’t give away a lot. But the AI tools took some unexpected clues from the picture.

Here is what ChatGPT determined:

Visual Clues:

1. Architecture:
   • The buildings are modular and prefabricated in appearance, with light-colored paneling and dark window/door frames.
   • This type of house is common in northern Europe, especially in the Netherlands, Germany, Denmark, or parts of the UK.
2. Landscape:
   • Very flat terrain with closely trimmed hedges and grassy areas.
   • This suggests low-lying regions—again pointing to places like the Netherlands or Belgium.
3. Infrastructure & Construction Tools:
   • The pavers being laid and the wheelbarrows used (particularly the yellow color and shape) are very common in northern and western European construction.
4. Weather and Lighting:
   • Overcast sky and soft, diffused lighting typical of northern Europe in autumn or early spring.
5. Small Details:
   • The small shed in the back, the organization of tools, and cleanliness/horticulture are consistent with Dutch/German design sensibilities.
   • The wheelbarrow has the brand name “Fort”, which is a Dutch manufacturer—this is a very strong clue.

---

Likely Guess:

The Netherlands

Narrowing it Down:

Given the modular housing, flat landscape, and Fort-brand wheelbarrow, this could be a holiday park, construction site, or suburban area in the Dutch countryside. Possibly in a province like North Holland, South Holland, or Friesland where such structures and environments are typical.

I must admit I was amazed that it mentioned South Holland which is where this photograph was taken.

Perplexity did not come as close as ChatGPT, but the tool did reach this conclusion:

“Based on architectural style, landscaping, and contextual clues, this scene is almost certainly from the Netherlands. It showcases the country’s embrace of modular housing and practical, tidy outdoor spaces, reflecting broader trends in Dutch residential design and sustainable living.”

Which is still a lot better than I expected when I selected that picture.

Bird songs

So, modern AI tools can pick up visible clues. But then I had another idea—call it an epiphany if you will—which deserves a brief explanation. I use an app called Merlin Bird ID which is able to identify birds based on their singing.

Some bird species are a lot more local than others, so I asked Perplexity:

“Would it be possible to do geo-guessing based on bird songs? And how many species do you think it would take to make a good guess?”

The answer:

“How Many Species Are Needed?

One Species: Sometimes, a single species is enough if it’s highly range-restricted (e.g., endemic to an island or a small region). However, this is rare.

A Few Species (3–5): In most cases, hearing three to five distinct species can allow for a strong guess, especially if their ranges only overlap in a limited area.

More Species, More Precision: The more species you can identify, the more precisely you can geo-locate. With about 10–15 species, especially if some are local specialties, you can often narrow it down to a specific region, habitat, or even a particular park or reserve.”

So, I tried an experiment and offered both AI tools (ChatGPT and Perplexity) a list of bird song matches made from my Merlin Bird ID app. Here is the bird list, and what they tell us about where those birds are located:

In analyzing this list, Perplexity was the “winner,” able to more accurately guess my location:

“Given all of these factors, my best guess is that you were somewhere in Northern Europe, likely Germany, Denmark, the Netherlands, or the UK. Without more information about habitat (e.g., forest, farmland, coast), it’s difficult to narrow it down further.”

Here was ChatGPT’s response to the same bird song list:

My Final Geo-Guess:

You were likely in Germany — possibly in northern or eastern Germany (e.g., Brandenburg or Mecklenburg-Vorpommern), which is:

• On the Grus grus migration route
• Rich in mixed forests and wetlands
• Within the range of Certhia brachydactyla
• Likely to host all the species you heard, in late April

In reality, the birds were recorded near the Dutch-German border, which put ChatGPT off by almost 400 miles, whereas Perplexity mentioned both countries I was in or close to, but covered a large area with its geo-guess.

Conclusion

If you’re making selfies or vlogging and you don’t want to give away your location, you’ll need to be very aware of your visual and auditory surroundings. A wheelbarrow of a specific brand or the sound of a bird with a limited habitat are enough to provide hints about your location. With enough hints, AI can deduce your exact location.

With social media being used for AI training, it is likely that these results will rapidly gain even more in accuracy.

We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

Be careful when talking to people you’ve not met with before over the Zoom video conferencing system; you might get more than you bargained for. Two CEOs were recently targeted by a Zoom-based attack. One spotted it in time – and sadly, one did not.

The attack is by a crime group that the Security Alliance call ELUSIVE COMET in a warning about the threat last month. ELUSIVE COMET targets its victims by luring them into a Zoom video call and then taking over their PC to install malware, infiltrate their accounts, and steal their assets.

The group typically approaches victims with a supposed media opportunity to get them interested, and then sets up an introductory Zoom call. During that video meeting, the attacker keeps their screen switched off, but sends a remote control request to the victim.

Remote control is a feature in the Zoom app that allows someone else to take control of your PC. It’s great if, for example, you’re not very tech-savvy and you want your grandchild to fix your computer from the other side of the country. It’s less good if you agree to a remote control request from someone you don’t know – especially if you don’t know you’re doing so.

That’s what happens to victims during their fraudulent call from ELUSIVE COMET. When the remote control request comes through to the victim, the notification says “<Participant> is requesting remote control of your system” where <Participant> is the participant’s screen name. In this takeover attempt, the attacker changes their screen name to ‘Zoom’ before sending the remote control request so it appears as though the app itself is requesting control.

Some rushed or distracted people might assume that’s a valid request from the app, perhaps as a precursor to recording a call or displaying new content. If the victim accepts, it’s game over, and the attacker can take full control of the victim’s system.

Zoom takeovers in action

ELUSIVE COMET tried this trick on the CEO of cybersecurity consulting company Trail of Bits, but it didn’t work on him. After receiving an invitation to appear on “Bloomberg Crypto,” he suspected something was amiss.

The attackers approached him via the X social media network and refused to switch to email when asked. Then they used a third-party booking system called Calendly to arrange the call. While Calendly is a legitimate service, the attackers hadn’t branded their Calendly pages with Bloomberg’s logo, which the CEO felt was suspicious. After checking into some of the data gathered on the group in the Security Alliance advisory, the CEO realized what was happening.

Sadly, that wasn’t the case for Jake Gallen, who owns a cryptocurrency company called Emblem Vault. As he describes in a postmortem thread on X earler this month, he also got a media invitation from an X account, this time called @tacticalinvest_, to appear on a podcast. He took the bait.

“While the interview was ongoing @tacticalinvest_ was downloading malware on my computer known as goopdate,” he reports, “which was powerful enough to steal >$100k in digital assets from my Bitcoin and Ethereum wallets, as well as log into my twitter, gmail, and other accounts.”

Gallen did his due diligence. Before he took the meeting, he did some research and found that the account had a large audience, with a history of consistent posts and videos. There was also a YouTube account. This illustrates just how sneaky some of these attackers can be, and how even tech-savvy people can be duped.

While you might not be a business owner or influencer looking for exposure, it’s worth paying attention to who you let into Zoom meetings, and who you give control of the meeting to. Let’s not also forget that there’s an ongoing trend of people ‘Zoombombing’ by infiltrating others’ meetings.

How to stay safe

One of the easiest approaches is to avoid installing Zoom’s app and simply use it in the browser where possible. Running Zoom in the browser limits its functionality, including not allowing remote control of your system. Zoom gives you this option when you attempt to join a meeting without opening the app.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.