IT NEWS

Android malware turns phones into malicious tap-to-pay machines

Got an Android phone? Got a tap-to-pay card? Then you’re like millions of other users now at risk from a new form of cybercrime – malware that can read your credit or debit card and hand its data over to an attacker. A newly discovered malicious program effectively turns Android phones into malicious tap machines that vacuum up payment card data and send it to cybercriminals half a world away. All you have to do is install the software and tap your card to your phone – and criminals excel at persuading you to do just that.

The malware, which cybersecurity company Cleafy calls SuperCard X, uses a feature now found in most Android phones: near-field communication (NFC). This enables your phone to read the data on a supporting payment card when it comes close enough. It’s how tap-to-pay machines found in retailers and ATMs work their magic.

Attackers get the malicious software via a malware-as-a-service model. This enables them to become affiliates for the developers of the software, who typically offer it for a percentage of the attackers’ takings. They can then focus on finding and targeting victims with social engineering attacks, which Cleafy says they’ve been doing in Italy.

How the attack works

First the attackers have to get the malware onto someone’s Android phone. That starts with a fraudulent ‘smishing’ message sent via SMS or WhatsApp, often impersonating a bank and asking the user to call.

The telephone number connects the victim to the attacker, who then persuades them to give up their PIN and log into their bank account. From there, they persuade the victim to remove the spending limits on their card, and then to install what they claim is a security application, sent to their phone as a link. This contains the SuperCard X malware.

Finally comes the payoff. The attacker, who by now will likely have built up a rapport with the victim, asks them to tap their card to their phone. The malware reads the card over NFC and relays the data to the attacker’s own Android phone, which then emulates the card at a contactless terminal or ATM. If you’ve ever tapped your phone instead of your card to pay for something, you’ll know how easy that is to do.

Where did SuperCard X come from?

Like much malware, SuperCard X didn’t come out of nowhere. Cleafy says that it shares code with another piece of malware called NGate, discovered last year. Both are likely built on concepts first outlined in NFCGate, a freely available open-source NFC research tool developed at Germany’s Technical University of Darmstadt.

SuperCard X’s developers have focused on making this software as stealthy as possible. Most antivirus programs for Android fail to spot it, says Cleafy. That’s because it asks for as few privileges as possible on the phone, and it doesn’t include many of the features that other malware has. In short, the less that a malicious program does on a phone, the smaller its footprint is and the more silent it can be.

This malware is a cybercriminal’s favorite for several reasons. Rather than attacking people with accounts at a particular bank, it works against anyone with a payment card, increasing the attacker’s scope. It’s also instant, compared to thefts by wire transfer, which can take days to complete.

It is important to note that payment frameworks like Google Pay, Apple Pay, Samsung Pay and some bank-specific wallet apps use dynamic cryptographic tokens, similar in concept to the “rolling codes” used in car keyless-entry systems, so that data captured from one transaction can’t be replayed to make another. That protects against replay. It does not protect a physical card against a relay, which is what this malware does: the live exchange with the attacker’s terminal is forwarded to the real card, and the card itself produces a fresh, valid cryptogram for the fraudulent transaction.
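To make the replay-versus-relay distinction concrete, here is an added toy model of an EMV-style online authorization. It is example code written for this page, not code from Cleafy, from the malware, or from any payment network. The key, the field widths and the MAC are constructed stand-ins (real cards derive session keys from the transaction counter and use ISO 9797 MACs), but the behaviour that matters is the same: an old cryptogram is refused, a forwarded live challenge is accepted.

```python
import hashlib
import hmac
import os

# Toy model of an EMV contactless authorization. The terminal sends a fresh
# Unpredictable Number (UN); the card answers with a cryptogram, a MAC over its
# Application Transaction Counter (ATC), the UN and the amount, under a key only
# the card and its issuer hold. Key, amounts and field widths are constructed
# for this example; the replay-versus-relay behaviour is what real EMV shows too.

CARD_KEY = b"issuer-derived-card-key-demo"   # constructed; never leaves the card


def _mac(key: bytes, atc: int, un: bytes, amount_cents: int) -> bytes:
    msg = atc.to_bytes(2, "big") + un + amount_cents.to_bytes(6, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Card:
    def __init__(self, key: bytes) -> None:
        self._key = key
        self.atc = 0   # increments for every cryptogram the card produces

    def generate_ac(self, un: bytes, amount_cents: int) -> dict:
        """Answer a terminal's GENERATE AC: a one-time cryptogram for this UN/amount."""
        self.atc += 1
        return {"atc": self.atc, "un": un, "amount": amount_cents,
                "arqc": _mac(self._key, self.atc, un, amount_cents)}


class Issuer:
    """Online authorization host: recomputes the MAC and enforces a rising ATC."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.last_atc = 0

    def authorize(self, terminal_un: bytes, amount_cents: int, cryptogram: dict) -> bool:
        # The cryptogram must bind this terminal's UN and amount ...
        if cryptogram["un"] != terminal_un or cryptogram["amount"] != amount_cents:
            return False
        # ... and the counter must move forward, so an old cryptogram is dead.
        if cryptogram["atc"] <= self.last_atc:
            return False
        expected = _mac(self._key, cryptogram["atc"], terminal_un, amount_cents)
        if not hmac.compare_digest(expected, cryptogram["arqc"]):
            return False
        self.last_atc = cryptogram["atc"]
        return True


def terminal_challenge() -> bytes:
    return os.urandom(4)


def replay_attack() -> bool:
    """Attacker records one genuine transaction and replays it at another terminal."""
    card, issuer = Card(CARD_KEY), Issuer(CARD_KEY)
    un1 = terminal_challenge()
    recorded = card.generate_ac(un1, 1999)
    genuine_ok = issuer.authorize(un1, 1999, recorded)          # the real purchase clears
    un2 = terminal_challenge()                                  # later terminal, new UN
    return genuine_ok and issuer.authorize(un2, 1999, recorded)  # replay is refused


def relay_attack() -> bool:
    """Attacker's phone at the terminal forwards the live UN to the victim's card
    (through the reader app on the victim's phone) and returns the card's answer."""
    card, issuer = Card(CARD_KEY), Issuer(CARD_KEY)
    un = terminal_challenge()
    forwarded = card.generate_ac(un, 4999)        # the real card signs the real challenge
    return issuer.authorize(un, 4999, forwarded)  # accepted: nothing was replayed
```

The issuer in this model never sees anything wrong during a relay, because every field it checks was genuinely produced by the card. That is why the defences against this malware are on the phone and the person (don’t install the app, don’t tap the card), not in the payment cryptography.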

How to protect yourself

As with many things, the best defense is you. In this case, protection is simple: the cybercriminals behind this attack can’t do anything unless you install their software on your phone, which is why they go through so many steps to convince you to do so.

Be skeptical of text messages from people you don’t know, especially those claiming to be urgent. Scammers typically try and panic you into a fast response. When they get you on the phone, they can befriend you, further impeding your ability to think critically and say “no”.

If you can’t help yourself and feel compelled to take action, check in with a trusted family member if available to get their perspective. If you’re still convinced, then at least verify the message first. Call your financial institution through an official number – not through the one in the text message. We’ll bet a steak dinner that they won’t know what you’re talking about.

Never give personal details to anyone you don’t know who contacts you via text message, and never change your banking details at their request. And if anyone asks you to install software sent via text message, refuse and end the communication.


We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

4.7 million customers’ data accidentally leaked to Google by Blue Shield of California

Blue Shield of California leaked the personal data of 4.7 million people to Google after a Google Analytics misconfiguration. The tech giant may have used this data for targeted advertising, according to Blue Shield, which is one of the largest health insurers in the US.

In a data breach notice on its website, Blue Shield says it had begun notifying “certain members of a potential data breach that may have included elements of their protected health information.”

Blue Shield, a nonprofit health insurer serving nearly 6 million members, used Google Analytics to monitor how customers interacted with its websites in order to improve its services. However, a configuration error allowed the analytics data, which included sensitive member details, to be shared with Google Ads, potentially exposing customer data for almost three years. This likely included protected health information.

Blue Shield stated, “Google may have used this data to show targeted ad campaigns to individual members.”

The transmission of data took place between April 2021 and January 2024. The leaked information includes various details such as the type of health insurance plan, postal code and city, gender, family size, account IDs, names of insured persons, and search queries related to finding a doctor, which could reveal members’ health concerns or needs.

Blue Shield said there was no leak of other types of personal information, such as Social Security numbers, driver’s license numbers, or banking or credit card information.

After discovering the leak, Blue Shield said it reviewed all its websites to ensure no other tracking software was sharing protected health information with third parties.

Usually in a data breach we can point at cybercriminals that went out of their way to obtain the data. In this case, a simple misconfiguration shared data with an entity—that already knows so much about us—that then used the information for targeted advertising.

Maybe this case can serve as a cautionary tale about using analytics tools in areas where misconfigurations can lead to severe privacy violations, especially when sensitive data is involved.

Blue Shield is notifying all customers who may have accessed their member information on the potentially impacted Blue Shield websites during the relevant time frame.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

Shopify faces privacy lawsuit for collecting customer data

Shopify faces a data privacy class action lawsuit in the US that could change the way globally active companies can be held accountable.

The proposed class action is a revival of a case that had been dismissed by a lower court judge and a three-judge 9th Circuit Court of Appeals panel. But now it’s been brought back after a decision by the full 9th Circuit.

Shopify is a global commerce platform headquartered in Ottawa, Canada. It provides the infrastructure and tools that businesses of all sizes use for retail operations, both online and offline.

To provide these services, Shopify collects personally identifiable information (PII) from buyers, primarily to facilitate and improve their commerce experience. This data includes names, email addresses, phone numbers, shipping and billing addresses, IP addresses, device information, and behavioral data. That is, all the information needed for processing orders, managing payments, shipping products, and communicating with end customers effectively.

With this collection of PII comes responsibility. Shopify acknowledges the data belongs to the users and is collected only to the extent necessary to provide its services. It claims to implement robust security measures to protect this data from unauthorized access and complies with relevant privacy laws such as GDPR.

But Brandon Briskin, a California resident, claims Shopify installed tracking cookies on his iPhone without his consent when he bought athletic wear from a retailer, and used his data to build a profile it could sell to other merchants.

The case was at first dismissed after Shopify argued it should not be sued in California because it operates nationwide and did not aim its conduct toward that state.

The dismissal was reversed because the judges found that:

“Shopify deliberately reached out … by knowingly installing tracking software onto unsuspecting Californians’ phones so that it could later sell the data it obtained, in a manner that was neither random, isolated, or fortuitous.”

A Shopify spokesman told Reuters that the decision makes online retailers vulnerable to lawsuits anywhere and “attacks the basics of how the internet works,” and that it drags entrepreneurs who run online businesses into distant courtrooms regardless of where they operate.

Briskin’s lawyer said the court bolstered accountability for internet-based companies by rejecting the argument that a company is jurisdictionally ‘nowhere’ because it does business ‘everywhere.’

And many US states agreed they need an ability to enforce their own consumer protection laws against companies that avail themselves of local marketplaces through the internet.

The general expectation is that this decision will make it easier for American courts to assert jurisdiction over internet-based platforms. The majority of the 9th Circuit, which covers nine western US states, Guam, and the Northern Mariana Islands, rejected the objection that finding jurisdiction here amounts to a “traveling cookie rule” that “impermissibly manufactures jurisdiction wherever the plaintiff goes.”


We don’t just report on data privacy—we help you remove your personal information

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

All Gmail users at risk from clever replay attack

Cybercriminals are abusing Google’s infrastructure, creating emails that appear to come from Google in order to persuade people into handing over their Google account credentials.

The attack was first flagged by Nick Johnson, the lead developer of the Ethereum Name Service (ENS), a blockchain equivalent of the internet’s naming system, the Domain Name System (DNS).

Nick received a very official-looking security alert about a subpoena allegedly served on Google by law enforcement for information contained in his Google account. A URL in the email pointed him to a sites.google.com page that looked like an exact copy of the official Google support portal.

As a computer savvy person, Nick spotted that the official site should have been hosted on accounts.google.com and not sites.google.com. The difference is that anyone with a Google account can create a website on sites.google.com. And that is exactly what the cybercriminals did.

Attackers increasingly use Google Sites to host phishing pages because the domain looks trustworthy to users and to reputation-based URL filters. The email itself cleared another check: DKIM (DomainKeys Identified Mail), the email authentication protocol that lets a sending domain attach a digital signature to a message. It passed because the attackers replayed a genuine Google-signed email rather than forging one.

If the target clicked either “Upload additional documents” or “View case”, they were redirected to an exact copy of the Google sign-in page designed to steal their login credentials.

Your Google credentials are coveted prey, because they give access to core Google services like Gmail, Google Drive, Google Photos, Google Calendar, Google Contacts, Google Maps, Google Play, and YouTube, but also any third-party apps and services you have chosen to log in with your Google account.

The signs that give this scam away are the pages hosted on sites.google.com, where the real portals live on support.google.com and accounts.google.com, and the delivery path in the email headers: the message carried a valid DKIM signature for accounts.google.com, but the server that actually sent it was not Google’s. If a person had all these accounts compromised in one go, this could easily lead to identity theft.

How to avoid scams like this

  • Don’t follow links in unsolicited emails or on unexpected websites
  • Carefully look at the email headers when you receive an unexpected mail
  • Verify the legitimacy of such emails through another, independent method
  • Don’t use your Google account (or Facebook for that matter) to log in at other sites and services. Instead create an account on the service itself.

Technical details

Analyzing the URL used in the attack on Nick (https://sites.google.com[/]u/17918456/d/1W4M_jFajsC8YKeRJn6tt_b1Ja9Puh6_v/edit), where /u/17918456/ is a user or account identifier and /d/1W4M_jFajsC8YKeRJn6tt_b1Ja9Puh6_v/ identifies the exact page, the trailing /edit stands out like a sore thumb: it is the Google Sites page-editor path, which no real support portal would expose.

A DKIM signature covers the message body (through a body hash) and a listed set of headers, and it stays valid when the message is forwarded as long as those parts are unchanged. So if a malicious actor gets hold of a legitimate DKIM-signed email, they can resend that exact message at any time, from any server, and it will still pass authentication; only editing the signed content would break it.

So, what the cybercriminals did was:

  • Set up a Gmail account starting with me@ so the visible email would look as if it was addressed to “me.”
  • Register an OAuth app and set the app name to the full text of the phishing message, link included
  • Grant the OAuth app access to their Google account which triggers a legitimate security warning from no-reply@accounts.google.com
  • This alert has a valid DKIM signature, with the content of the phishing email embedded in the body as the app name.
  • Forward the message untouched which keeps the DKIM signature valid.
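The following added example shows what a DKIM verifier actually checks and why forwarding the alert unchanged keeps it valid. It is example code written for this page, not Google’s verifier and not Nick’s code. The signing key, the HMAC standing in for the RSA signature, the message text, the addresses and the relay hostnames are all constructed; the body-hash computation and the “simple” canonicalization follow RFC 6376.

```python
import base64
import hashlib
import hmac
import re
from email import message_from_string
from email.message import Message

# Constructed demo of a DKIM check. The b= tag is an HMAC under a shared key,
# standing in for the RSA signature a real signer makes with the private key
# whose public half is published at <selector>._domainkey.<d>. The bh= body
# hash and the "simple" canonicalization are per RFC 6376.
SIGNING_KEY = b"demo-key-standing-in-for-rsa"   # constructed
SIGNED_HEADERS = ("from", "to", "subject")       # the h= list


def canonicalize_body_simple(body: str) -> bytes:
    """RFC 6376 'simple' body canonicalization: CRLF line endings and all trailing
    empty lines reduced to a single CRLF."""
    lines = body.replace("\r\n", "\n").rstrip("\n").split("\n")
    return ("\r\n".join(lines) + "\r\n").encode()


def _body_hash(msg: Message) -> str:
    digest = hashlib.sha256(canonicalize_body_simple(msg.get_payload())).digest()
    return base64.b64encode(digest).decode()


def _signed_header_blob(msg: Message, dkim_value_without_b: str) -> bytes:
    """Exactly the bytes the signature covers: the listed headers plus the
    DKIM-Signature header itself with an empty b= tag."""
    head = "".join(f"{h}: {msg[h]}\r\n" for h in SIGNED_HEADERS)
    return (head + "DKIM-Signature: " + dkim_value_without_b).encode()


def dkim_sign(raw_message: str, domain: str) -> str:
    msg = message_from_string(raw_message)
    value = (f"v=1; a=hmac-sha256; c=simple/simple; d={domain}; s=demo; "
             f"h={':'.join(SIGNED_HEADERS)}; bh={_body_hash(msg)}; b=")
    b = hmac.new(SIGNING_KEY, _signed_header_blob(msg, value), hashlib.sha256).digest()
    return f"DKIM-Signature: {value}{base64.b64encode(b).decode()}\n" + raw_message


def dkim_verify(raw_message: str) -> dict:
    """Report whether the body hash and signature still hold, and whether the
    visible From: domain aligns with the signing domain d= (the DMARC question)."""
    msg = message_from_string(raw_message)
    sig = msg["DKIM-Signature"]
    if sig is None:
        return {"pass": False, "reason": "unsigned"}
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
    bh_ok = tags.get("bh") == _body_hash(msg)
    value_without_b = re.sub(r"b=[^;]*$", "b=", sig)
    expected = hmac.new(SIGNING_KEY, _signed_header_blob(msg, value_without_b), hashlib.sha256).digest()
    sig_ok = hmac.compare_digest(base64.b64encode(expected).decode(), tags.get("b", ""))
    from_domain = msg["From"].rsplit("@", 1)[-1].strip("> ")
    return {"pass": bh_ok and sig_ok, "body_hash_ok": bh_ok, "signature_ok": sig_ok,
            "d": tags.get("d"), "from_aligned": from_domain.endswith(tags.get("d", ""))}


def find_suspicious_links(raw_message: str) -> list:
    """Google support and sign-in pages live on support.google.com and
    accounts.google.com; anything on sites.google.com is user-generated content."""
    return re.findall(r"https?://sites\.google\.com/\S+", raw_message)


def demo() -> dict:
    # Constructed stand-in for the OAuth security alert used in the attack.
    alert = (
        "From: Google <no-reply@accounts.google.com>\n"
        "To: me@attacker-owned-domain.test\n"
        "Subject: Security alert\n"
        "Content-Type: text/plain\n"
        "\n"
        "A new app named 'Google has received a subpoena for your account.\n"
        "View case: https://sites.google.com/u/0/d/placeholder/edit\n"
        "was granted access to your Google Account.\n"
    )
    signed = dkim_sign(alert, "accounts.google.com")
    # Forwarding adds trace headers in front but leaves the signed headers and
    # body untouched, so the original signature still verifies.
    forwarded = "Received: from mail.attacker-relay.test by mx.victim.test\n" + signed
    # Any edit to the body breaks the body hash, so the attacker cannot change a word.
    tampered = signed.replace("was granted", "WAS granted")
    return {
        "original": dkim_verify(signed)["pass"],
        "forwarded": dkim_verify(forwarded)["pass"],
        "tampered": dkim_verify(tampered)["pass"],
        "forwarded_from_aligned": dkim_verify(forwarded)["from_aligned"],
        "links": find_suspicious_links(forwarded),
    }
```

Note what the verifier does not catch: the forwarded copy passes the signature check and the From/d= alignment check, so DKIM and DMARC both report success. The attacker’s only constraint is that the signed content cannot be edited, which is why the phishing text had to be smuggled in through the OAuth app name before the genuine alert was generated. The signals left for a filter or a human are the delivery path in the Received headers and the sites.google.com link.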

Creating an application whose name is the entire text of the phishing message, and preparing the landing page and fake login site, may seem like a lot of work. But once the criminals have completed the initial setup, the procedure is easy to repeat whenever a page gets reported, and reporting abusive pages on sites.google.com is not straightforward.

Nick submitted a bug report to Google about this. Google originally closed the report as ‘Working as Intended,’ but later Google got back to him and said it had reconsidered the matter and it will fix the OAuth bug.


We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

A week in security (April 12 – April 18)

Last week on Malwarebytes Labs:

Last week on ThreatDown:

Stay safe!


Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Did DOGE “breach” Americans’ data? (Lock and Code S06E08)

This week on the Lock and Code podcast…

If you don’t know about the newly created US Department of Government Efficiency (DOGE), there’s a strong chance they already know about you.

Created on January 20 by US President Donald Trump through Executive Order, DOGE’s broad mandate is “modernizing Federal technology and software to maximize governmental efficiency and productivity.”

To fulfill its mission, though, DOGE has taken great interest in Americans’ data.

On February 1, DOGE team members without the necessary security clearances accessed classified information belonging to the US Agency for International Development. On February 17, multiple outlets reported that DOGE sought access to IRS data that includes names, addresses, social security numbers, income, net worth, bank information for direct deposits, and bankruptcy history. The next day, the commissioner of the Social Security Administration stepped down after DOGE requested access to information stored there, too, which includes records of lifetime wages and earnings, social security and bank account numbers, the type and amount of benefits individuals received, citizenship status, and disability and medical information. And last month, one US resident filed a data breach notification report with his state’s Attorney General alleging that his data was breached by DOGE and the man behind it, Elon Musk.

In speaking with the news outlet Databreaches.net, the man, Kevin Couture, said:

“I filed the report with my state Attorney General against Elon Musk stating my privacy rights were violated as my Social Security Number, banking info was compromised by accessing government systems and downloading the info without my consent or knowledge. What other information did he gather on me or others? This is wrong and illegal. I have no idea who has my information now.”

Today on the Lock and Code podcast with host David Ruiz, we speak with Sydney Saubestre, senior policy analyst at New America’s Open Technology Institute, about what data DOGE has accessed, why the government department is claiming it requires that access, and whether or not it is fair to call some of this access a “data breach.”

“[DOGE] haven’t been able to articulate why they want access to some of these data files other than broad ‘waste, fraud, and abuse.’ That, ethically, to me, points to it being a data breach.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Text scams grow to steal hundreds of millions of dollars

Text scams alone cost US citizens at least $470 million in 2024, according to new data from the US Federal Trade Commission (FTC).

Because many scams go unreported, the true figure is likely considerably higher. The FTC illustrated this with a graph comparing reported losses to the number of reports.

Graph courtesy of the FTC: reported losses versus number of reports.

This shows that both the damage per reported incident and the total damage went up considerably. It also implies that a lot of incidents went unreported, since we find it hard to believe that the number of scams declined: a look at any single week of news coverage on Malwarebytes Labs turns up new scams, old scams, repeated scams, and the no-good scammers behind them.

Top 5 text scams

While scams reach us in many ways, the FTC focused on text scams in its report. These are the five main culprits:

  1. Package delivery problems. These are usually phishing expeditions aimed at the target paying a small amount for a redelivery, but while they are paying, their credit card details or other sensitive data are stolen.
  2. Phony job opportunities. These often come in the form of task scams, but the main story line is that a scammer posing as a recruiter gets the victim to pay for something they “need” to get the job done, or to steal the victim’s personal data.
  3. Fake fraud alerts. The fake alerts come as texts about so-called suspicious activity or about a big purchase the victim didn’t make. These texts often look like they’re from a bank or large retailer. The scammers offer help and then pressure people into moving money out of their accounts to supposedly keep it safe, when in reality it goes straight to the scammers.
  4. Toll fee scams. These attempts come as an unexpected text message linking to a website pretending to belong to one of the US toll authorities, such as E-ZPass. The texts usually create a sense of urgency by telling you there is only a limited time left to act or there will be dire consequences. Typically the scammers are out to steal personal information and/or payment details.
  5. Wrong number scams. An unexpected message that looks innocent enough from someone you don’t know but they act as if they know you. The idea is to get the target to tell them they’ve got a wrong number and with that engage them in a conversation, which may lead to romance scams, pig butchering, or other investment scams.

Let’s work together to bring the numbers down

Malwarebytes Mobile Security offers Text Protection, a feature that alerts users about potentially malicious or scam text messages. This feature works by analyzing incoming messages from unknown senders, checking for signs of scams, phishing links, or other malicious content. If a message is flagged, Android users receive a notification, while iOS users have the message deleted.

iOS

To enable Text Message Filtering on iOS devices, go to the iOS Settings app and explicitly enable it under Messages > Unknown & Spam. This is required for iOS to pass text messages to Malwarebytes for checking.

Android

  • On the Mobile Security dashboard, toggle On Text Protection.
  • Tap Go to settings to grant Malwarebytes permission to alert over other apps.
  • Tap Give permissions, then tap Allow to allow the app to scan your text messages.
  • Once both permissions are granted, the Text Protection feature is active.

It’s also important to report scams. For US Citizens, report to the FTC at ReportFraud.ftc.gov and forward spam messages to 7726 to help your wireless provider spot and block similar messages.



Apple patches security vulnerabilities in iOS and iPadOS. Update now!

Apple has released a security update for iOS and iPadOS to patch two zero-day vulnerabilities which are reported to already have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS.

The first is a memory-corruption flaw that leads to code execution; the second lets an attacker who already has arbitrary read and write defeat Pointer Authentication, the protection that would normally stop hijacked control flow. Reportedly, attackers used them together with another unpatched vulnerability or a malicious app, and the combination could give them complete control over targeted iPhones.

The update is available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.

To check if you’re using the latest software version, go to Settings > General > Software Update. You want to be on iOS 18.4.1 or iPadOS 18.4.1, so update now if you’re not. It’s also worth turning on Automatic Updates if you haven’t already. You can do that on the same screen.


Technical details

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The zero-day CVEs patched in these updates are:

  • CVE-2025-31200: Processing an audio stream in a maliciously crafted media file may result in code execution due to a memory corruption issue which was addressed with improved bounds checking.
  • CVE-2025-31201: An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication. This issue was addressed by removing the vulnerable code.

Given that both vulnerabilities were flagged as used in extremely sophisticated attacks and are patched simultaneously, it stands to reason that they were chained for a successful exploitation.

This deserves a bit of an explanation. Apple’s Pointer Authentication (PA) is a hardware security feature designed to detect and prevent tampering with critical pointers (like function addresses or return addresses) in memory. Computers use memory to store and provide information that software programs use as they run.

When creating a pointer (like a return address), the system adds a cryptographic signature (PAC) using secret keys. Before using the pointer, the system checks if the signature still matches.

A memory corruption issue can give an attacker the option to make a change in the device’s memory, but it’s often limited to a very small portion of the memory.

What likely happened here is that the attacker first used the memory-corruption bug in audio processing (CVE-2025-31200) to gain arbitrary read and write, and then used that capability to defeat Pointer Authentication (CVE-2025-31201), redirecting a legitimate application’s control flow to their own code.

In the past researchers have already found bypass scenarios for attackers that already have full memory control.
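Here is an added toy model of how pointer authentication signs and checks a pointer, and of the generic weakness the previous paragraph refers to. It is example code written for this page, not Apple’s implementation: the key, the MAC (HMAC-SHA256 truncated to 16 bits in place of the hardware’s QARMA cipher), the 48-bit address width and the addresses themselves are all assumptions chosen for illustration.

```python
import hashlib
import hmac

# Toy model of ARMv8.3 pointer authentication (PAC). Real hardware keeps the
# keys in system registers and uses the QARMA block cipher; here HMAC-SHA256
# truncated to 16 bits stands in, and a 48-bit virtual address with the PAC in
# the upper 16 bits is assumed for the example (not Apple's exact layout).
VA_BITS = 48
PAC_BITS = 16
ADDR_MASK = (1 << VA_BITS) - 1
PAC_MASK = (1 << PAC_BITS) - 1
KEY = b"per-process-pointer-auth-key"   # constructed; in hardware it is not readable


def compute_pac(address: int, modifier: int) -> int:
    """PAC = truncated MAC over (address, modifier); the modifier binds the pointer
    to a context, such as the stack pointer for a return address."""
    data = address.to_bytes(8, "little") + modifier.to_bytes(8, "little")
    return int.from_bytes(hmac.new(KEY, data, hashlib.sha256).digest()[:2], "little") & PAC_MASK


def pac_sign(address: int, modifier: int) -> int:
    """Like PACIA/PACDA: store the PAC in the unused upper bits of the pointer."""
    return (compute_pac(address, modifier) << VA_BITS) | (address & ADDR_MASK)


def pac_auth(signed_pointer: int, modifier: int) -> int:
    """Like AUTIA/AUTDA: strip the PAC if it matches, otherwise fault (here: raise).
    This is the check the CPU runs before a RET or an indirect call."""
    address = signed_pointer & ADDR_MASK
    if (signed_pointer >> VA_BITS) != compute_pac(address, modifier):
        raise ValueError("pointer authentication failed")
    return address


def demo_tamper() -> bool:
    """Arbitrary write alone is not enough: changing the address bits of a signed
    return address leaves a PAC that no longer matches."""
    sp = 0x0000_7fff_ffc0_1000                            # stack pointer as modifier
    ret = pac_sign(0x0000_0001_0000_4a00, sp)             # genuine return address
    evil = (ret & ~ADDR_MASK) | 0x0000_0001_0000_7c00     # redirect, keep the old PAC
    try:
        pac_auth(evil, sp)
    except ValueError:
        return True
    return False


def demo_wrong_context() -> bool:
    """A pointer signed under one modifier does not authenticate under another:
    a return address lifted from a different stack frame fails."""
    ret = pac_sign(0x0000_0001_0000_4a00, 0x0000_7fff_ffc0_1000)
    try:
        pac_auth(ret, 0x0000_7fff_ffc0_2000)
    except ValueError:
        return True
    return False


def demo_substitution() -> bool:
    """The generic limitation: with arbitrary read, an attacker can copy a pointer
    that was legitimately signed under the same key and modifier (many code
    pointers use a constant modifier) and drop it in place of another. It
    verifies, because it was never forged, only moved."""
    const_mod = 0
    intended = pac_sign(0x0000_0001_0000_1000, const_mod)
    other = pac_sign(0x0000_0001_0000_2000, const_mod)    # read from elsewhere in memory
    return pac_auth(other, const_mod) == 0x0000_0001_0000_2000 and other != intended
```

The model shows why a memory-corruption bug on its own does not give control flow on an arm64e device (the tampered and wrong-context cases fault), and why the combination with arbitrary read and write is dangerous: the attacker does not need the key if they can find, or make the process produce, a pointer already signed for the context they want.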

What exactly happened is unknown, because, as a protection against attackers reverse engineering updates to find the vulnerabilities, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available.

Which is also why it’s important to update before other criminals are using the same exploits in less targeted and more widespread attacks. To help with this, the Malwarebytes iOS app will guide you through “how to fix” and assist with similar cases in the future.



Hi, robot: Half of all internet traffic now automated

If you sometimes feel that the internet isn’t the same vibrant place it used to be, you’re not alone. New research suggests that most of the traffic traversing the network isn’t human at all.

Bots (software programs that interact with web sites) have been ubiquitous for years. But in its 2025 Bad Bot Report, application security company Imperva claimed this is the first time traffic from bots became more prevalent than human traffic.

The rise in bots is down to generative artificial intelligence (AI), Imperva said. This is the same technology that now flirts with people online for you and automatically writes heartfelt consolatory emails on behalf of heartless administrators. This tech has made it easier to create bots that do your bidding online. While some of those bots are benign, not all have your best interests at heart.

The rise of bad bots

Traffic from “bad bots”, those created with malicious intent, first surpassed good bot traffic in 2016, Imperva’s research said, and it’s been getting worse. Bad bots comprised 37% of internet traffic in 2024, up from 32% the year prior. Good bots accounted for just 14% of the internet’s traffic.

Bad bots do all kinds of unpleasant things. An increasing number try to hijack peoples’ online accounts, which they often do by “credential stuffing.” This is where a bot takes a password and email address that has been stolen and leaked online, and then tries those credentials across a myriad of services in the hope that its owner will have reused the password elsewhere.

These account takeover attacks have skyrocketed lately. December 2024 saw around 330,000 such incidents, up from around 190,000 in December 2023. Imperva attributes that to a wave of data breaches that put more stolen credentials on the market for bots to try.
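From the defender’s side, credential stuffing has a signature that separates it from ordinary password guessing: many different usernames from one source, roughly one attempt each, nearly all failing. The added example below (written for this page, not from Imperva’s report; the log format, IP addresses, usernames and thresholds are all constructed) runs that heuristic over a small synthetic authentication log and distinguishes the two attack patterns from a person who mistyped once.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log() -> list:
    """Constructed authentication log lines (not real traffic), one per attempt:
    '<ISO timestamp>Z <client IP> <username> <OK|FAIL>'."""
    base = datetime(2025, 4, 20, 10, 0, 0)
    lines = []
    # 203.0.113.7: twelve different accounts, one password each, one of them lands.
    for i in range(12):
        outcome = "OK" if i == 9 else "FAIL"
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()}Z 203.0.113.7 user{i:02d}@example.test {outcome}")
    # 198.51.100.5: one account hammered with fifteen different passwords.
    for i in range(15):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()}Z 198.51.100.5 carol@example.test FAIL")
    # 192.0.2.10: a person mistypes once and then signs in.
    lines.append(f"{base.isoformat()}Z 192.0.2.10 dave@example.test FAIL")
    lines.append(f"{(base + timedelta(seconds=20)).isoformat()}Z 192.0.2.10 dave@example.test OK")
    return lines


def classify_sources(lines, window=timedelta(minutes=5), min_attempts=8,
                     min_users=5, min_fail_ratio=0.8) -> dict:
    """Per source IP, find the first window of at least min_attempts logins with a
    failure ratio of at least min_fail_ratio. Many distinct usernames means a
    leaked-credential list being tried (credential stuffing); few usernames with
    many attempts is classic password guessing (brute force). The thresholds
    are illustrative, not tuned for any real service."""
    by_ip = defaultdict(list)
    for line in lines:
        ts, ip, user, outcome = line.split()
        by_ip[ip].append((datetime.fromisoformat(ts.rstrip("Z")), user, outcome))
    verdicts = {}
    for ip, events in by_ip.items():
        events.sort()
        for start in range(len(events)):
            t0 = events[start][0]
            chunk = [e for e in events[start:] if e[0] - t0 <= window]
            if len(chunk) < min_attempts:
                continue
            fails = sum(1 for _, _, outcome in chunk if outcome == "FAIL")
            users = {user for _, user, _ in chunk}
            ratio = fails / len(chunk)
            if ratio < min_fail_ratio:
                continue
            verdicts[ip] = {
                "label": "credential_stuffing" if len(users) >= min_users else "brute_force",
                "attempts": len(chunk),
                "distinct_users": len(users),
                "fail_ratio": round(ratio, 2),
                # Accounts that yielded a success inside the attack window: these need
                # a forced password reset and session revocation, not just an IP block.
                "compromised": sorted(user for _, user, outcome in chunk if outcome == "OK"),
            }
            break
    return verdicts
```

Keying on the source IP is the simplest form of this check and the one the report’s evasion section undermines: a bot fleet spread over residential proxies shows up as thousands of IPs with one attempt each. A production version would also key on the username (the same account tried from many IPs) and on the password or its hash (the same leaked pair tried against many accounts), which proxies do not hide.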

Other attacks include scraping data from websites, which is a problem for businesses that don’t want their intellectual property stolen, and also for the individuals who own that data.

Cyber criminals use bots to commit payment fraud by exploiting vulnerabilities in checkout systems. There’s also a thriving business in scalping bots that buy everything from event tickets to new sneakers for high-value resale, denying legitimate customers the opportunity to buy these items for themselves.

The report also found bots targeting specific sectors. The travel industry accounted for 27% of bad bot traffic (the highest by industry) in 2024, up from 21% in 2023. These bots pull tricks such as pretending to book airline seats online and abandoning the purchase at the last minute, which skews seat pricing.

Retail was the second hardest-hit industry in 2024, accounting for 15% of bot traffic, followed by education at 11%.

Stealthy bots stay hidden

Bots are also getting better at evading detection. Faking a browser identity (effectively wearing a digital mask that makes them look like Chrome or Firefox) has been a common tactic for years, but now bots are also using other techniques. These include using IP addresses owned by residential users, which are difficult for web site administrators to spot. Bots are also using virtual private networks to cloak their origin.

AI-enabled bots are also getting far better at cracking CAPTCHAs—the tests that help you to pass as a human when accessing a web site. And malicious software developers are now coding bots that learn about the environment they’re up against and change how they approach it to fly under the radar.

Another change is in the method that these bots use to communicate with their targets. Traditionally, bots would often browse a web page directly, interacting with it in the same way that a human would. That’s changing as newer bots communicate directly with the servers running the web application behind the scenes in their own language. They do this using application programming interfaces (APIs), which are communication channels that programs can use to retrieve information from a web application.

As the bots get smarter and more ubiquitous, what can you do? Sadly, fighting bad bots is largely the job of the companies operating the web applications that serve you and use your data. However, there are a couple of things you can do as an individual to protect yourself and the community at large.

  • Don’t reuse passwords. Use a different password for every service you use to stop the credential stuffing bots, and make those passwords complex to avoid brute-force attacks. Use a trusted password manager to keep those passwords safe and easily accessible.
  • Protect your PC. Install anti-malware software and follow basic cyber hygiene measures. This will help to prevent attackers from compromising your machine and using it for their own online purposes.
  • Don’t become a proxy. Attackers might be able to use your IP address as a proxy for their bots if you don’t protect it. Avoid using untrusted VPNs from suspicious sources, as these have been known to sell your IP address on for others to use. Similarly, take a minute to update the firmware on your home router, or ensure that your telecommunications provider does it if the router came from them. Attackers will often compromise vulnerable routers and use them for bot attacks.


“I sent you an email from your email account,” sextortion scam claims

In a new version of the old “Hello pervert” emails, scammers are relying on classic email spoofing techniques to try and convince victims that they have lost control of their email account and computer systems.

Email spoofing basically comes down to sending emails with a false sender address, a method in use in various ways by scammers. Obviously, pretending to be someone else can have its advantages, especially if that someone else holds a position of power or trust with regards to the receiver.

But sending a message to the victim that appears to come from their own email address might convince them that they have lost control of their own account.

The text of the email roughly looks like this:

“As you may have noticed, I sent you an email from your email account

This means I have full access to your account

I’ve been watching you for a few months

The thing is, you got infected with a njrat through an adult site you visited

If you don’t know about this, let me explain

The njrat gives me full access and control over your device.

This means I can see everything on your screen, turn on the camera and microphone, but you don’t know it

I also have access to all your contacts and all your correspondence.

On the left half of the screen, I made a video showing how you satisfied yourself, on the right half you see the video you watched.

With a click of a mouse I can send this video to all your emails and contacts on social networks

I can also see access to all your communications and messaging programs that you use.

If you want to avoid this,

Transfer the amount of 1200 USD to my bitcoin address (“write buy bitcoin or find for bitcoin exchange if you don’t know”)

My Bitcoin address (BTC wallet): 1FJg6nuRLLv4iQLNFPTpGwZfKjHJQnmwFs

After payment is received, I will delete the video and you will not hear from me again

I’m giving you 48 hours to pay

Do not forget that I will see you when you open the message, the counter will start

If I see you’ve shared this message with someone else, the video will be posted immediately”

If the victim decides to search for “njrat” they’ll find that it’s a remote access trojan (RAT) that has capabilities to log keystrokes, access the victim’s camera, steal credentials stored in browsers, upload/download files, view the victim’s desktop, and more.

Scary stuff, and it supports the claims the scammer makes.

But, as with all sextortion scams, this threat is an entirely empty one. There is more than likely no lurid video, no “njrat,” no list of contacts. Instead, there is just a threat, meant to drive panic, which in turn is meant to drive payment.

When we checked, we were happy to see that the scammers’ Bitcoin wallet is empty, although they could have set up a separate one for each victim.

How to recognize sextortion emails

Once you know what’s going on it’s easy to recognize these emails. Remember that not all of the below characteristics have to be included in these emails, but all of them are red flags in their own right.

  • The emails often look as if they came from one of your own email addresses.
  • The scammer accuses you of inappropriate behavior and claims to have footage of that behavior.
  • In the email, the scammer claims to have used “Pegasus” or some Trojan to spy on you through your own computer.
  • The scammer says they know “your password” or compromised your account.
  • You are urged to pay up quickly or the so-called footage will be spread to all your contacts. Often you’re only allowed one day to pay.
  • The actual message often arrives as an image or a PDF attachment. Scammers do this to bypass phishing filters.
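The spoofed sender described earlier and the red flags listed above can both be checked mechanically from the raw message. The script below is an added example for this article, not a tool from Malwarebytes or anyone else: it parses an email with Python's standard `email` module, compares the From address with the recipient and the Return-Path, reads the receiving server's Authentication-Results header (SPF/DKIM/DMARC verdicts), and scans the body for the payment demand, the malware claim and the deadline. The sample message, its hostnames, addresses and Bitcoin wallet are all constructed for the example; the header names are the standard ones, but whether your mail server adds Authentication-Results at all is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the scam quoted above; hostnames, addresses and wallet are made up.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail.example.net>
Received: from mail.example.net (mail.example.net [198.51.100.25])
    by mx.example.org with ESMTP id abc123
    for <victim@example.org>; Mon, 21 Apr 2025 09:12:00 +0000
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail.example.net; dkim=none
From: victim@example.org
To: victim@example.org
Subject: I sent you an email from your email account
Content-Type: text/plain; charset=utf-8

As you may have noticed, I sent you an email from your email account.
This means I have full access to your account.
You got infected with a njrat through an adult site you visited.
Transfer the amount of 1200 USD to my bitcoin address.
My Bitcoin address (BTC wallet): 1SCAMaddrMADEUPforEXAMPLEzzzzzzzz
I'm giving you 48 hours to pay.
"""

# Legacy (1.../3...) and bech32 (bc1...) Bitcoin address shapes; base58 excludes 0, O, I and l.
BTC_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,60})\b")
DEADLINE_RE = re.compile(r"\b\d{1,3}\s*(?:hours?|days?)\b", re.IGNORECASE)
MALWARE_CLAIM_RE = re.compile(r"\b(?:njrat|pegasus|trojan|rat|full access|your password)\b", re.IGNORECASE)


def auth_results(msg):
    """Collect spf=/dkim=/dmarc= verdicts from Authentication-Results headers added by the receiving MTA."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.IGNORECASE):
            verdicts[m.group(1).lower()] = m.group(2).lower()
    return verdicts


def body_and_attachments(msg):
    """Return the concatenated text/plain body and the content types of image/PDF attachments."""
    texts, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "text/plain":
            payload = part.get_payload(decode=True) or b""
            texts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
        elif ctype.startswith("image/") or ctype == "application/pdf":
            attachments.append(ctype)
    return "\n".join(texts), attachments


def _domain(addr):
    return addr.split("@")[-1].lower()


def triage(raw):
    """Score one raw RFC 5322 message against the sextortion red flags."""
    msg = message_from_string(raw)
    flags = []
    _, sender = parseaddr(msg.get("From", ""))
    _, recipient = parseaddr(msg.get("To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    # "Sent from your own account": the From header is simply set to the recipient's address.
    if sender and sender.lower() == recipient.lower():
        flags.append("from_equals_to")
    # The envelope sender (where bounces go) belongs to a different domain than the displayed From.
    if sender and return_path and _domain(return_path) != _domain(sender):
        flags.append("return_path_domain_mismatch")
    v = auth_results(msg)
    if v.get("spf") in ("fail", "softfail") or v.get("dkim") in ("fail", "none") or v.get("dmarc") == "fail":
        flags.append("authentication_failed")
    body, attachments = body_and_attachments(msg)
    if MALWARE_CLAIM_RE.search(body):
        flags.append("claims_malware_access")
    btc_addresses = BTC_RE.findall(body)
    if btc_addresses or "bitcoin" in body.lower():
        flags.append("crypto_payment_demand")
    if DEADLINE_RE.search(body):
        flags.append("short_deadline")
    if attachments and not body.strip():
        flags.append("message_in_attachment")
    return {"flags": flags, "score": len(flags), "btc_addresses": btc_addresses}


if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL)
    print(result["score"], "red flags:", ", ".join(result["flags"]))
```

The header checks are the part worth keeping: a From address that equals the recipient, a Return-Path in an unrelated domain and an SPF failure together say "spoofed" regardless of what the body claims, which is exactly why the scammer's "I have access to your account" story falls apart on inspection.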

What to do when you receive an email like this

First of all, even if it’s only to reassure yourself, scan your computer with an anti-malware solution that can detect and remove njRAT (if present).

Second, if your computer is clean, check that your email account has not been compromised. Change the password and enable 2FA if possible.

Don’t respond to the scammer, since that will confirm that the email address is in use and the mail is read. This could invite more emails from scammers.

Don’t let yourself get rushed into action or decisions. Scammers rely on the fact that you will not take the time to think this through and subsequently make mistakes.

Do not open unsolicited attachments, especially when the sender address is suspicious or even your own.

For your peace of mind, turn off your webcam or buy a webcam cover so you can cover it when you’re not using the webcam.