IT NEWS

These cars want to know about your sex life (re-air) (Lock and Code S05E25)

This week on the Lock and Code podcast

Two weeks ago, the Lock and Code podcast shared three stories about home products that requested, collected, or exposed sensitive data online.

There were the air fryers that asked users to record audio through their smartphones. There was the smart ring maker that, even with privacy controls put into place, published data about users’ stress levels and heart rates. And there was the smart, AI-assisted vacuum that, through the failings of a group of contractors, allowed an image of a woman on a toilet to be shared on Facebook.

These cautionary tales involved “smart devices,” products like speakers, fridges, washers and dryers, and thermostats that can connect to the internet.

But there’s another smart device that many folks might forget about that can collect deeply personal information—their cars.

Today, the Lock and Code podcast with host David Ruiz revisits a prior episode from 2023 about what types of data modern vehicles can collect, and what the car makers behind those vehicles could do with those streams of information.

In the episode, we spoke with researchers at Mozilla—working under the team name “Privacy Not Included”—who reviewed the privacy and data collection policies of many of today’s automakers.

To put it shortly, the researchers concluded that cars are a privacy nightmare

According to the team’s research, Nissan said it can collect “sexual activity” information about consumers. Kia said it can collect information about a consumer’s “sex life.” Subaru passengers allegedly consented to the collection of their data by simply being in the vehicle. Volkswagen said it collects data like a person’s age and gender and whether they’re using your seatbelt, and it could use that information for targeted marketing purposes. 

And those are just the highlights. Explained Zoë MacDonald, content creator for Privacy Not Included: 

“We were pretty surprised by the data points that the car companies say they can collect… including social security number, information about your religion, your marital status, genetic information, disability status… immigration status, race.”

In our full conversation from last year, we spoke with Privacy Not Included’s MacDonald and Jen Caltrider about the data that cars can collect, how that data can be shared, how it can be used, and whether consumers have any choice in the matter.

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

A week in security (November 25 – December 1)

Printer problems? Beware the bogus help

Anyone who has ever used a printer likely has had a frustrating experience at some point. There always seems to be some kind of issue with the software not responding, paper getting jammed or one of many other possible failures.

When people need help, they often turn to Google (and now AI) to look for an answer. This is where scammers come in, preying on unsuspecting and irate users ready to throw their printer out the window.

After clicking on a malicious Google ad, victims are redirected to a fraudulent site often using official brand names and logos. The crooks’ end goal is to get people to call them, and they achieve that by tricking them with fake printer drivers that always fail to install.

In this blog post, we review how this scam works and how to stay away from it.

Malicious Search Ads

Two of the most popular printer brands are HP and Canon. If you were to Google for help related to either of those brands right now, you would likely see sponsored results at the top of the search results page.

Unfortunately, in the majority of cases these ads are not from trusted providers but instead from tech support scammers. In the image below, you can see 4 ads shown for the query ‘hp printer help‘. It’s only after those that the official HP website appears.

image cbdf1a

If you were to say that consumers stand no chance, you’d be right. Unless you clicked on the official (organic search results), you’d end up getting scammed.

The list of sites includes:

megadrive[.]solutions
geeksprosoftwareprints[.]org
select-easy123print[.]com
printcaretech[.]com

The driver scam

A driver is a software program that your computer uses to talk to physical hardware (i.e. your printer). In the early Microsoft Windows days, drivers were very important to get printers, monitors and other peripherals working. Today, the operating system is usually good at detecting new hardware and installing the required drivers automatically. There are some exceptions, not to mention that some manufacturers like to package additional software with their drivers.

After clicking on a malicious ad, the website instructs you to enter your printer’s model number in order to download the required driver, which it proceeds to “install”. This is entirely fake, and the only thing the website displays is a recorded animation that will always end up with the same error message.

This type of error is very similar to those seen in the “Microsoft tech support scam”, typically done via a browser hijack. Scammers want to scare and then get their victims to contact them directly, via phone or live chat.

Remote access and extortion

There are many people that fall for these types of scams and entire armies of tech support agents working in poor conditions ready to defraud them. The script is usually standard across scams, with the support agent impersonating a popular brand and requesting personal information from the victim.

It is quite common for scammers to request and be granted remote access to the user’s computer. This gives them leverage to do a number of things, such as stealing data, locking the machine or even using it to log into the victim’s bank account.

This is why it is so important to be extremely cautious with online search ads, and search results in general. Browser extensions such as Malwarebytes Browser Guard will block ads but also the scam or malware sites associated with these schemes.

This won’t help with your printer issues, but at least it’ll save you the trouble of being defrauded. When it comes to such questions, online forums are usually a good place to start, and if you’re lucky to count a computer person in your family, that’s always a good favor to ask for.

Data broker exposes 600,000 sensitive files including background checks

A researcher has discovered a data broker had stored 644,869 PDF files in a publicly accessible cloud storage container.

The 713.1 GB container (an Amazon S3 bucket ) did not have password-protection, and the data was left unencrypted, so anybody who stumbled on them could read the files. The files not only contained thousands of people’s vehicle records (license plate and VIN) and property ownership reports, but also criminal histories, and background checks.

The majority of the records were labelled as background checks which contained full names, home addresses, phone numbers, email addresses, employment history, family members, social media accounts, and criminal record history.

Data brokers collect and sell your information, including financial, personal, behavior and interests, for profit. SL Data Services markets itself as a provider of real estate information reports. But when the researcher contacted its support team, they stated the company also provides criminal checks, division of motor vehicles (DMV) records, death and birth records.

Probably to organize the data to this end, the folders inside the container all had names of separate website domains. The company apparently operates a network of an estimated 16 different websites, offering a range of information services (e.g. PropertyRec).

Background checks can and are often done without the subject’s awareness. But with all the combined information about a person, it paints a very complete picture that insurance companies, advertisers, and even cybercriminals can use to their advantage.

The researcher explained:

“I am not stating nor implying that Propertyrec’s customers or any individuals are at risk of impersonation, spear phishing, or social engineering attacks, I am only providing a real world risk scenario of how this type of information could possibly be exploited by criminals.”

And to make things worse—if possible– the files had names that used the following format: “First_Middle_Last_State.PDF.” Which makes it incredibly easy for anyone, whether they are supposed to have access or not, to find a person of interest and read that file.

It took the researcher quite a few calls and emails to get the exposed data taken out of public sight, and SL Data Services never provided the researcher with a response, let alone an explanation how this could happen.

Don’t give up your information, remove it where you can

Unfortunately, incidents like this are commonplace, so it’s clear that we should take it upon ourselves to make sure our information can’t be found by data brokers.

Removing your personal information from data broker sites can be a complex and time-consuming process. While manual opt-outs are effective, they require considerable effort to keep up with new data entries and the reappearance of your information on various sites. This is where data broker removal services come in handy. 

Data broker removal services are designed to automate the process of finding and removing your personal information from data broker databases. These services regularly scan known databases for your information and submit opt-out requests on your behalf, ensuring a more comprehensive and continuous protection of your privacy. 

Malwarebytes offers a Personal Data Remover service (US only) that can delete your information from search results, spam lists, people search sites, data brokers, and more.

Medical testing company LifeLabs failed to protect customer data, report finds

In 2019, a ransomware attack hit LifeLabs, a Canadian medical testing company. The ransomware encrypted the lab results of 15 million Canadians, and personally identifiable information (PII) of 8.6 million people was stolen.

After noticing the attack, LifeLabs informed its customers and the Canadian privacy regulators, which immediately announced an investigation.

The privacy commissioners of both British Columbia and Ontario finished writing a report about the incident in 2020 but LifeLabs managed to hold that up in court for four years. Now the report is publicly available and some of the findings are both shocking and unsurprising.

According to the report, LifeLabs had several shortcomings before the breach:

  • LifeLabs failed to take reasonable steps to protect personal information and personal health information in its custody and control from theft, loss, and unauthorized access, collection, use, disclosure, copying, modification or disposal.
  • LifeLabs failed to have in place and follow policies and information practices that comply with PIPA and PHIPA
  • LifeLabs collected more personal information and personal health information than is reasonably necessary to meet the purpose for which it was collected.

Additionally, the investigation found that LifeLabs didn’t comply with its obligation to notify affected people at the first reasonable opportunity. This was because it didn’t implement a process to notify people about the details of what personal health information was compromised without requiring them to make a formal access request.

Patricia Kosseim, Information and Privacy Commissioner of Ontario commented:

“Personal health information is particularly sensitive and privacy breaches can have devastating impacts for individuals.”

The regulator said it was important for the report to be made public after four years of resistance by LifeLabs. We agree that it is important that we know how companies are protecting our data, especially the medical kind. But at the same time we also know that many organizations in the healthcare industry do not have the staff to handle this, not do they have the funding to hire those staff. It’s catch 22.

At the time, LifeLabs wrote in an open letter that the cybersecurity firm it hired to investigate the incident advised it that the risk to its customers in connection with this cyberattack was low. LifeLabs said it hadn’t seen any public disclosure of customer data as part of its investigations, including monitoring of the dark web and other online locations.

Malwarebytes checked up whether that claim still held through and could indeed not find any LifeLabs customer data that came from that breach.

The reason is not a big mystery. Reportedly, LifeLabs paid the ransomware group, which is why it’s still unknown which group was behind the attack. The specific amount of the ransom paid has not been disclosed by the company.

But as ransomware groups are just a gang of criminals, it might be hard to take their word for it that they won’t release the data at some point. We will keep an eye on it.


We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Explained: the Microsoft connected experiences controversy

Recently we’ve seen some heated discussion about Microsoft’s connected experiences feature. As in many discussions lately there seems to be no room for middle ground, but we’re going to try and provide it anyway.

First of all, it’s important to understand what the “connected experiences” are.

Microsoft describes it like this:

“Connected experiences that analyze your content are experiences that use your Office content to provide you with design recommendations, editing suggestions, data insights, and similar features.”

If that sounds like auto-correct on steroids, you’re close. You like it or you don’t.

But I found that there are two types of connected experiences.

Let’s start with a locally saved document created in Microsoft 365 (Word). To find the connected experiences settings, you’ll need to

  • Click on File > Options
File > Options
Options
  • Select Trust Center and click on Trust Center Settings
Trust Center Settings
Trust Center Settings
  • Select Privacy Options and click on Privacy Settings
Privacy Options > Privacy Settings
Privacy Options > Privacy Settings

Then you’ll see three entries for Connected experiences:

  • Experiences that analyze your content
  • Experiences that download online content
  • All connected experiences

My tinfoil hat warns me that the second one is bound to show up in some vulnerability, but nowhere does it say that anything you produce will be shared with anyone, let alone train an AI model. If anything is worrying in there, it’s the fact that it uses content in your documents to find online information that might be of interest to you.

Connected experiences
Connected experiences

Feel free to turn these options off.

For online documents created with Microsoft 365 apps it’s a different topic, and depends on what the administrator of the organization that provided it has decided to make available to you.

The overview of optional connected services provided by Microsoft says:

“If you have a work or school account, your organization’s admin may have provided you with the ability to use one or more cloud-backed services (also referred to as “optional connected experiences”) while using the Office apps, like Word or Excel, that are included with Microsoft 365 Apps for enterprise.”

It then goes on to list all the possible optional connected experiences. The settings for these are of the type  “all or nothing.”

You can find these settings if you have a document open in your browser by following the path File > About > Privacy Settings > Optional connected experiences.

Optional connected experiences
Optional connected experiences

The official Microsoft 365 account on X tweeted to say it didn’t use customer data to train large language models (LLMs)—a type of artificial intelligence (AI) program—in M365 apps:

“In the M365 apps, we do not use customer data to train LLMs. This setting only enables features requiring internet access like co-authoring a document.”

So, turning that option off might result in some lost functionality if you’re working on the same document with other people in your organization.

If you want to turn these settings off for reasons of privacy and you don’t use them much anyway, by all means, do so. The settings can all be found under Privacy Settings for a reason. But nowhere could I find any indication that these connected experiences were used to train AI models.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Spotify, Audible, and Amazon used to push dodgy forex trading sites and more

Spotify and Amazon services have been flooded with bogus listings that push dubious “forex trading” sites, Telegram channels, and suspicious links claiming to offer pirated software according to our friends over at BleepingComputer.

Cybercriminals are abusing the options to inject keywords and links into playlist names to make their entries rank high in Google search results.

BleepingComputer found that spammers had posted a lot of links on the content platforms, but that the length of the audio “episodes” published under these “podcasts” was zero seconds.

What you can expect to be offered are cracks, keygens, cheat codes, and other game related content, but also “forex trading” seems to be a popular subject to promote.

The fact that many cracks, keygens, and game mods are often replaced by or come bundled with malware was already known in the previous century, so that shouldn’t surprise anyone.

The “forex trading” part may be a little harder to understand.

Forex related search results on Amazon

On the content platforms we mentioned, links are shared pointing to forex trading platforms where you can trade one currency for another speculating on exchange rate fluctuations. Forex trading is far from illegal, it’s an important part of international trade. But in areas where so much money changes hands, there will always be criminals looking for a piece of the action.

There are two main types of forex trading scams you need to be aware of. Scams performed by external criminals, and unethical forex brokers. Even though management teams within brokers must be vetted by regulators and licensers, there are plenty of incentives for brokers to take advantage of their customers.

The scams themselves can be largely identified as:

  • Signal scams: Signals are data-driven broker-generated information prompts that give traders improved opportunities to make profitable trades. While many of them can be considered legitimate, they do not guarantee success and they can be abused by signal-sellers that prey on our tendency to want to get rich fast and with little effort.
  • Pyramid schemes: The pyramid schemes are in fact private circles run by individuals who seek to profit by charging a subscription fee and encouraging new members to recruit fellow investors for the prize of a small commission payout. The higher up the money-earning pyramid you are, the more subscription fees flow your way.
  • Point-spread scam: As brokers earn their commissions based on the gap between bid and ask prices, they make more money when the gap is bigger. When the natural supply and demand conditions do not create a big enough gap, some brokers have been known to exaggerate the gap by rigging the code that displays the prices.
  • Robot scamming: This is a relative newcomer to the scams. It offers traders the option to earn money while you are not actively trading on your system. The term “robot” refers to the automation of the process with software. Needless to say these robots can be rigged to work for the broker instead of for you.
  • Sale of personal information: Under the rules of Know Your Customer (KYC) legislation, every trader must be able to supply private and confidential information that often includes details like banking information and credit card information. Scam brokers could sell this information to a third party, who may try to lure you into another scheme.

But cybercriminals could also have set up their own fraudulent trading platforms and be phishing for your login credentials to existing platforms.

How to stay safe

If you decide you want to delve in forex trading, there are a few pointers to keep your money safe.

There are some similarities between forex trading and casino gambling, only forex trading involves more skill and analysis than most casino games. Don’t go all-in. Don’t lose your shirt.

  • Get rich quick schemes often work for those offering them, but not for those falling for them.
  • It is vital to research any financial service or platform before investing.
  • As always, if it sounds too good to be true, it probably is.
  • It is crucial to understand what you are doing or what is being done for you.
  • Watch out for clone websites.
  • If you don’t understand how the trader’s robot works, ask until you do or don’t use it.
  • Stay away from forex trading platforms promoted on content platforms that have nothing to do with forex trading.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

“Hilariously insecure”: Andrew Tate’s The Real World breached, 800,000 users affected

Andrew Tate’s online education platform The Real World—formerly known as Hustlers University—has been hacked and user data has been stolen.

Hacktivists flooded the primary chatroom with emojis as proof that they had breached the site. After this they shared approximately 794,000 usernames of, allegedly, the site’s current and former members with the Daily Dot and journalism collective DDoSecrets.

The stolen chat logs originated from the platform’s 221 public and 395 private chat servers. Included in the data are 794,000 usernames for current and former members, and 324,382 unique email addresses that appear to belong to users who were removed from the main database after they stopped paying their subscriptions.

It’s not clear if this set of email addresses came from a less secure environment or whether the hacktivists just stumbled over those first. A source close to the hacktivists say the platform’s security is “hilariously insecure.”

An unpatched vulnerability meant they could “upload emojis, delete attachments, crash everyone’s clients, and temporarily ban people.” All of this must be painful for a platform that claims to teach “all digital skills.”

Highly controversial figure Andrew Tate has not responded to the breach yet.

This could be because he is facing other problems. He’s currently under house arrest in Romania, facing trial after being charged with rape, human trafficking and forming an organised crime group to sexually exploit women. He is also wanted in the UK to face allegations of sexual assault. He denies all the allegations.

Anyway, there are reasons why clients, especially those that stopped payments, would not like to be associated with The Real World.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

A week in security (November 18 – November 24)

Last week on Malwarebytes Labs:

Last week on ThreatDown:

Stay safe!


Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Meta takes down more than 2 million accounts in fight against pig butchering

Meta provided insight this week into the company’s efforts in taking down more than 2 million accounts that were connected to pig butchering scams on their owned platforms, Facebook and Instagram.

Pig butchering scams are big business, with hundreds of millions of dollars involved every year. The numbers are not precise because some researchers see these scams as a special kind of romance scam, while others classify them as investment fraud, muddying the numbers based on which group is counting what type of loss.

Still, the general idea is that scammers use elaborate storylines to fatten up victims into believing they are in a romantic or otherwise close personal relationship. Once the victim places enough trust in the scammer, they bring the victim into a cryptocurrency investment scheme. Then comes the “butchering”—an attempt to “bleed” a target dry of their money.

Pig butchering, however, isn’t always a simple case of cybercriminals preying on unsuspecting victims. As Meta described, sometimes the scammers themselves are victims that work in scam centers, mainly located in Asia.

“These criminal scam hubs lure often unsuspecting job seekers with too-good-to-be-true job postings on local job boards, forums, and recruitment platforms to then force them to work as online scammers, often under the threat of physical abuse.”

These workers not only work on pig butchering scams. They are also forced to engage in a wide range of malicious activities that can involve cryptocurrency and gambling, or they can be tasked to carry out impersonation scams.

Working with expert NGOs and law enforcement partners in the US and Southeast Asia, Meta has focused on investigating and disrupting the activities of the criminal scam centers in Southeast Asia. This has led to the take-down of over two million accounts linked to scam centers in Myanmar, Laos, Cambodia, the United Arab Emirates, and the Philippines.

Despite their location, the targets of the scams can be found all over the globe. The scammers follow playbooks to gain the trust of the targets. Contacting victims initially on social media, dating apps, email, or messaging apps, the scammers later move their interactions to more private channels like scammer-controlled accounts on crypto apps or scam websites masquerading as investment platforms. This pushes victims further into a trap and it removes their ability to report their conversations to a platform that takes this type of abuse seriously.

From here, scammers will continue the charade that they’ve set up wise investments for the targets. But once enough trust has been built to seriously rob a victim, scammers will steal what they can and disappear. As Meta said:

“Typical of ‘pig butchering’ schemes, the target may be allowed to withdraw small amounts to build trust, but once they start asking for their ‘investment’ back or it becomes clear that they do not have more funds to send to the scammer, overseas scammers typically disappear with all the money.”

How to avoid becoming the pig

The good thing about pig butchery scams is that they mostly follow a narrow pattern, with few variations. If you recognize the signs, you stand a very good chance of going about your day with a distinct lack of pig-related issues. The signs are:

  • Receiving stray messages for “someone else” that appear out of the blue. This can be a message directed to someone who does not have your name.
  • The profile picture of the person you’re talking to looks like someone who is a model.
  • Common scam opening lines may involve: Sports, golfing, travel, fitness.
  • At some point they will ask you about investments and/or cryptocurrency.
  • They will ask you to invest or take some of their money and use that instead.

As you can see, there is a very specific goal in mind for the pig butcher scammers, and if you find yourself drawn down this path, the alarm bells should be ringing by step 4 or 5. This is definitely one of those “If it’s too good to be true” moments, and the part where you make your excuses and leave (but not before hitting block and reporting them).

Here’s what you can do to keep yourself safe:

  • Don’t give scammers the information they need. Scammers rely on what you volunteer about yourself online to tweak their script and lure you in. Use tools such as the Malwarebytes Personal Data Remover to minimize the amount of data accessible through search engine results, spam lists, and people search sites.
  • Perform an image search of the photo and the name of the person you’re in touch with. Scammers often steal someone else’s image to use as bait, and stolen identities are rife.
  • Go slow. Scammers tend to rush, building rapport with their victims as quickly as possible before moving in for the money-themed kill.
  • Never give money to anyone you’ve met online
  • Get a second opinion from someone you trust
  • If in doubt, back away and report the account.

If you’ve been impacted by a romance scam, pig butchering, or crypto investment fraud, you can report the crime to the Internet Crimes Complaint Center (IC3), which is run by the FBI, or the FTC on its reporting and resources page.

We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.