IT NEWS

This week on the Lock and Code podcast…

You’ve likely felt it: The dull pull downwards of a smartphone scroll. The “five more minutes” just before bed. The sleep still there after waking. The edges of your calm slowly fraying.

After more than a decade of our most recent technological experiment, in turns out that having the entirety of the internet in the palm of your hands could be … not so great. Obviously, the effects of this are compounded by the fact that the internet that was built after the invention of the smartphone is a very different internet than the one before—supercharged with algorithms that get you to click more, watch more, buy more, and rest so much less.

But for one group, in particular, across the world, the impact of smartphones and constant social media may be causing an unprecedented mental health crisis: Young people.

According to the American College Health Association, the percentage of undergraduates in the US—so, mainly young adults in college—who were diagnosed with anxiety increased 134% since 2010. In the same time period for the same group, there was in increase in diagnoses of depression by 106%, ADHD by 72%, bipolar by 57%, and anorexia by 100%.

That’s not all. According to a US National Survey on Drug Use and Health, the prevalence of anxiety in America increased for every age group except those over 50, again, since 2010. Those aged 35 – 49 experienced a 52% increase, those aged 26 – 34 experienced a 103% increase, and those aged 18 – 25 experienced a 139% increase.

This data, and much more, was cited by the social psychologist and author Jonathan Haidt, in debuting his latest book, “The Anxious Generation: How the Great Rewiring of Childhood Is Causing an Epidemic of Mental Illness.” In the book, Haidt examines what he believes is a mental health crisis unique amongst today’s youth, and he proposes that much of the crisis has been brought about by a change in childhood—away from a “play-based” childhood and into a “phone-based” one.

This shift, Haidt argues, is largely to blame for the increased rates of anxiety, depression, suicidality, and more.

And rather than just naming the problem, Haidt also proposes five solutions to turn things around:

• Give children far more time playing with other children. 
• Look for more ways to embed children in stable real-world communities.  
• Don’t give a smartphone as the first phone.
• Don’t give a smartphone until high school.  
• Delay the opening of accounts on nearly all social media platforms until the beginning of high school (at least).

But while Haidt’s proposals may feel right—his book has spent five weeks on the New York Times Best Seller list—some psychologists disagree.

Writing for the outlet Platformer, reporter Zoe Schiffer spoke with multiple behavioral psychologists who alleged that Haidt’s book cherry-picks survey data, ignores mental health crises amongst adults, and over-simplifies a complex problem with a blunt solution.  

Today, on the Lock and Code podcast with host David Ruiz, we speak with Dr. Jean Twenge to get more clarity on the situation: Is there a mental health crisis amongst today’s teens? Is it unique to their generation? And can it really be traced to the use of smartphones and social media?

According to Dr. Twenge, the answer to all those questions is, pretty much, “Yes.” But, she said, there’s still some hope to be found.

“This is where the argument around smartphones and social media being behind the adolescent mental health crisis actually has, kind of paradoxically, some optimism to it. Because if that’s the cause, that means we can do something about it.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Last week on Malwarebytes Labs:

• You get a passkey, you get a passkey, everyone should get a passkey
• Dropbox Sign customer data accessed in breach
• Watch out for tech support scams lurking in sponsored search results
• Psychotherapy practice hacker gets jail time after extorting patients, publishing personal therapy notes online
• Wireless carriers fined $200 million after illegally sharing customer location data
• Malwarebytes Premium Security earns “Product of the Year” from AVLab
• FBI warns online daters to avoid “free” online verification schemes that prove costly
• Kaiser health insurance leaked patient data to advertisers

Last week on ThreatDown:

• ThreatDown earns “Product of the Year” from AVLab
• Gitlab zero-click vulnerability under active exploitation
• Nitrogen threat profile
• London Drugs closes retail stores after ransomware attack
• CISA pilot has sent 2,000 alerts to organizations at risk of ransomware
• LockBit Black threat profile
• The anatomy of a Medusa ransomware attack: ThreatDown MDR team investigates
• Medusa ransomware: What organizations need to know
• Corporate users targeted via malicious ads and modals

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Microsoft is rolling out passkey support for all consumer accounts.

Passkeys are a very secure replacement for passwords that can’t be cracked, guessed or phished, and let you log in easily, without having to type a password every time.

After enabling them in Windows 11 last year, Microsoft account owners can now generate passkeys across multiple platforms including Windows, Android, and iOS. You can create passkeys for your Microsoft account, and you can choose your face, fingerprint, PIN, or a security key to secure it.

How to set up a passkey

To create a passkey for your Microsoft account, follow these steps on the device where you’d like to create a passkey:

• Sign in to your Microsoft account.
• Navigate to Security  > Advanced Security Options.

• Click on Get started.
• Choose Add a new way to sign in or verify.

Note: Under certain circumstances, somewhere along the way you may end up in this screen which basically offers you the same choices in a prompt.

• To create a passkey: Select Face, fingerprint, PIN, or security key.
• Follow the instructions on your device.
• During this process, you can choose to save the passkey to different devices like your Android, iPad, or iPhone, or a hardware key.
• You’ll be presented with a QR code to scan with the selected device.
• On the selected device you’ll be asked to authenticate.
• When the procedure is successful, you’ll be asked to provide a name for the passkey. A good choice is to use a name that gives away the location where you stored the passkey.

• After confirming the name you’ll see this confirmation.

Removing a passkey

Should you have second thoughts and want to remove a passkey, follow these steps:

• Visit the Advanced Security Options.
• From the list under Ways to prove who you are, select the passkey you’d like to remove.
• Choose Remove.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Dropbox is reporting a recent “security incident” in which an attacker gained unauthorized access to the Dropbox Sign (formerly HelloSign) production environment. During this access, the attacker had access to Dropbox Sign customer information.

Dropbox Sign is a platform that allows customers to digitally sign, edit, and track documents. The accessed customer information includes email addresses, usernames, phone numbers, and hashed passwords, in addition to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication. The access is limited to Dropbox Sign customers and does not affect users of other Dropbox services because the environments are largely separate.

“We believe that this incident was isolated to Dropbox Sign infrastructure and did not impact any other Dropbox products.”

Even if you never created a Dropbox Sign account but received or signed a document through Dropbox Sign, your email addresses and names were exposed. In a government (K-8) filing about the incident, Dropbox says it found no evidence of unauthorized access to the contents of customers’ accounts (i.e. their documents or agreements), or their payment information. 

The attacker compromised a back-end service account that acted as an automated system configuration tool for the Dropbox Sign environment. The attacker used the privileges of the service account for the production environment to gain access to the customer database.

To limit the aftermath of the incident, Dropbox’s security team reset users’ passwords, logged users out of any devices they had connected to Dropbox Sign, and is coordinating the rotation of all API keys and OAuth tokens.

For customers with API access to Dropbox Sign, the company said new API keys will need to be generated and warned that certain functionality will be restricted while they deal with the breach.

Dropbox says it has reported this event to data protection regulators and law enforcement.

Recommendations

Dropbox expired affected passwords and logged users out of any devices they had connected to Dropbox Sign for further protection. The next time these users log in to their Sign account, they’ll be sent an email to reset the password. Dropbox recommends users do this as soon as possible.

If you’re an API customer, to ensure the security of your account, you’ll need to rotate your API key by generating a new one, configuring it with your application, and deleting your current one. Here is how you can easily create a new key.

API customers should be aware that names and email addresses for those who received or signed a document through Dropbox Sign, even if they never created an account, were exposed. So, this may impact their customers.

Customers who use an authenticator app for multi-factor authentication should reset it. Please delete your existing entry and then reset it. If you use SMS you do not need to take any action.

If you reused your Dropbox Sign password on any other services, we strongly recommend that you change your password on those accounts and use multi-factor authentication when available.

Protecting yourself from a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify any contacts using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection

This blog post was written based on research carried out by Jérôme Segura.

A campaign using sponsored search results is targeting home users and taking them to tech support scams.

Sponsored search results are the ones that are listed at the top of search results and are labelled “Sponsored”. They’re often ads that are taken out by brands who want to get people to click through to their website. In the case of malicious sponsored ads, scammers tend to outbid the brands in order to be listed as the first search result.

The criminals that buy the ads will go as far as displaying the official brand’s website within the ad snippet, making it hard for an unsuspecting visitor to notice a difference.

Who would, for example, be able to spot that the below ad for CNN is not legitimate. You’ll have to click on the three dots (in front of where we added malicious ad) and look at the advertiser information to see that it’s not the legitimate owner of the brand.

Only then it becomes apparent that the real advertiser is not CNN, but instead a company called Yojoy Network Technology Co., Limited.

Below, you can see another fake advertisement by the same advertiser, this time impersonating Amazon.

In our example, the scammers failed to use the correct CNN or Amazon icons, but in other cases (like another recent discovery by Jerome Segura), scammers have even used the correct icon.

The systems of the people that click one of these links are likely to assessed on what the most profitable follow-up is (using a method called fingerprinting). For systems running Windows, we found visitors are redirected to tech support scam websites such as this one.

Tech Support Scam site telling the visitor to call 1-844-476-5780

You undoubtedly know the type. Endless pop-ups, soundbites, and prompts telling the visitor that they should urgently call the displayed number to free their system of alleged malware.

These tech support scammers will impersonate legitimate software companies (i.e. Microsoft) and charge their victims hundreds or even thousands of dollars for completely bogus malware removal.

Getting help if you have been scammed

Getting scammed is one of the worst feelings to experience. In many ways, you may feel like you have been violated and angry to have let your guard down. Perhaps you are even shocked and scared, and don’t really know what to do now. The following tips will hopefully provide you with some guidance.

If you’ve already let the scammers in

• Revoke any remote access the scammer has (if you are unsure, restart your computer). That should cut the remote session and kick them out of your computer.
• Scan your computer for malware. The miscreants may have installed password stealers or other Trojans to capture your keystrokes. Use a program such as Malwarebytes to quickly identify and remove threats.
• Change all your passwords. (Windows password, email, banking, etc.)

If you’ve already paid

• Contact your financial institution/credit card company to reverse the charges and keep an eye out for future unwanted charges.
• If you gave them personal information such as date of birth, Social Security Number, full address, name, and maiden name, you may want to look at some form of identity theft protection.

Reporting the scam

File a report

• In the US: File a complaint (FTC)
• In Canada: Contact law enforcement
• In the UK: Report fraud | Report a cold call
• In Australia: Report a scam

Shut down their remote software account

• Write down the TeamViewer ID (9-digit code) and send it to TeamViewer’s support. They can later use the information you provide to block people/companies.
• LogMeIn: Report abuse

Spread the word

You can raise awareness by letting your friends, family, and other acquaintances know what happened to you. Although sharing your experience of falling victim to these scams may be embarrassing, educating other people will help someone caught in a similar situation and deter further scam attempts.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection

On October 30, 2020, I started a article with the words:

“Hell is too nice a place for these people.”

The subject of this outrage focused on the cybercriminals behind an attack on Finnish psychotherapy practice Vastaamo. Because it was a psychotherapy practice, the records contained extremely sensitive and confidential information about some of the most vulnerable people.

Sadly, the attacker did not stop at extorting the clinic but also sent extortion messages to the patients, asking them to pay around $240 to prevent their data from being published online. And that was a first, as far as we know—not just demanding a ransom from the breached organization, but also from all those that were unlucky enough to have their data on record there.

The attacker demanded a €400,000 ($425,000) ransom from the company. When it refused to pay, he emailed thousands of patients asking for €200 and threatening to publish their therapy notes and personal details on the dark web if they didn’t pay. He ended up publishing it anyway.

As a result of this cyberattack and the extortion attempts:

• Vastaamo’s board fired the CEO because they held him responsible for knowing about the breaches and of the shortcomings in the psychotherapy provider’s data security systems.
• Vastaamo’s owner, who bought the practice a few months after the second breach but was not informed about it, began legal proceedings related to its purchase.
• Vastaamo had to shut its doors because it could not meet its financial obligations.
• The Finnish government contemplated expanding the options for individuals to change their social security number in certain circumstances, such as the aftermath of a hacking incident.
• At least one suicide has been linked to the case.

Now the attacker has been convicted. 26-year-old Julius Kivimäki has been sentenced to six years and three months in prison. Kivimäki, known online as Zeekill, was one of the leading members of several groups of teenage cybercriminals which caused chaos between 2009-2015. One of those groups was the infamous Lizard Squad.

At the age of 17, Kivimäki was convicted of more than 50,000 computer hacks and sentenced to a two-year prison sentence, which was suspended because he was 15 and 16 when he carried out the crimes in 2012 and 2013.

Despite the conviction, the Vastaamo case is not over as civil court cases are now likely to begin to seek compensation for the victims of the hack.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection

After four years of investigation, the Federal Communications Commission (FCC) has concluded that four of the major wireless carriers in the US violated the law in sharing access to customers’ location data.

The FCC fined AT&T, Sprint, T-Mobile, and Verizon a total of almost $200 million for “illegally sharing access to customers’ location information without consent and without taking reasonable measures to protect that information against unauthorized disclosure.”

The fines are divided up into $12 million for Sprint, $80 million for T-Mobile (which has now merged with Sprint), more than $57 million for AT&T, and an almost $47 million for Verizon.

From the press release it becomes apparent that the FCC considers real-time location data some of the most sensitive data in a carrier’s possession. Each of the four major carriers was found to be selling its customers’ location information to “aggregators,” who then resold access to such information to third-party location-based service providers.

The investigation by the FCC was set in motion by public reports like the ones in the New York Times, Vice.com, and a letter from Sen. Ron Wyden to the FCC. All pointed out that anyone could get location information about almost any US phone if they were willing to pay an unauthorized source.

The FCC press release specifically mentions a location-finding service operated by Securus, a provider of communications services to correctional facilities, as a source that provided the possibility to track people’s location.

The US law, including section 222 of the Communications Act, requires carriers to take reasonable measures to protect certain customer information, including location information.

The wireless carriers attempted to offload their obligation to obtain customer consent onto the downstream recipients of the location information. The end result was a failure in which no valid customer consent was obtained. And even though the carriers were aware of this, they continued to sell access to location information without taking reasonable measures to protect it from unauthorized access.

As reported by Krebs on Security, one of the data aggregation firms, LocationSmart, had a free, unsecured demo of its service online that anyone could abuse to find the near-exact location of virtually any mobile phone in North America.

Spokespersons of Verizon and AT&T both indicated to BleepingComputer that they felt as if they were taking the blame for another company’s failure to obtain consent.

T-Mobile said in a statement to CNN that it discontinued the location data-sharing program over five years ago. The company wanted to make sure first that critical services like roadside assistance, fraud protection, and emergency response would not suffer any negative consequences if it did.

All three companies indicated they will appeal the order. We’ll keep you posted on any new developments.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

After blocking 100% of “in-the-wild” malware samples that were deployed in multiple, consecutive third-party tests conducted by the AVLab Cybersecurity Foundation, Malwarebytes Premium Security has earned “Product of the Year.”

The recognition cements Malwarebytes Premium Security’s perfect record of repeatable, trusted, and proven protection for users. It also comes alongside an additional AVLab certification for “Top Remediation Time.”

The latest results are part of AVLab’s regular “Advanced In-The-Wild Malware Test.”

For the March 2024 evaluation, AVLab tested 459 unique malware samples against 13 cybersecurity products. Malwarebytes Premium Security detected 459/459 malware samples, with a remediation time of 20 seconds—a full 13 seconds faster than the industry average.

ThreatDown, powered by Malwarebytes, also participated in AVLab’s March evaluation, where it similarly blocked 100% of malware samples with a remediation time of 17 seconds.

Three cybersecurity vendors failed to block 100% of the malware samples deployed: Bitdefender, ESET, and Panda.

AVLab’s evaluations, which are performed every other month by a team of cybersecurity and information security experts, are constructed to test and compare cybersecurity vendors against the latest malware that is currently being used by adversaries and threat actors. To ensure that the organization’s evaluations reflect current cyberthreats, each round of testing follows three steps:

1. Collecting and verifying in-the-wild malware: AVLab regularly collects malware samples from malicious and active URLs, testing the malware samples to understand their impact to networks and endpoints.
2. Simulating a real-world scenario in testing: To recreate how a real-life cyberattack would occur, AVLab uses the Firefox web browser to engage with the known, malicious URLs collected in the step prior. In the most recent test, AVLab emphasized the potential for these URLs to be sent over instant messaging platforms, including Discord and Telegram.
3. Incident recovery time assessment: With the various cybersecurity products installed, AVLab measures whether the evaluated product detects a malware sample, when it detects a sample, and how long it took to detect that sample. The last metric is referred to as “Remediation Time.”

Malwarebytes is proud to receive “Product of the Year” and “Top Remediation Time” from AVLab, and is thankful to the third-party tester for its important work in the industry.

The FBI has warned of fraudsters targeting users of dating websites and apps with “free” online verification service schemes that turn out to be very costly.

Instead of being free, as advertised, the verification schemes involve steep monthly subscription fees, and will steal personal information on the side.

The scammers collect the information entered by victims at registrations and use it to commit further fraudulent activity such as identity theft or selling the information on the dark web. The stolen information may include email addresses, phone numbers, and even credit card information.

The scam works like this: The scammer initiates contact on a dating website or app, but then quickly asks the victim to move the conversation to a more private, encrypted platform.

Once there, the scammer will recommend a verification link that supposedly provides protection against predators like sex offenders and serial killers. This verification website asks the victim to provide their name, phone number, email address, and credit card number to complete the process.

After completing the registration, the victim is redirected to a shady dating site that charges hefty monthly fees to the victim’s credit card. These charges show up on the credit card statement as a company the victim has never heard of.

The personal information the victim gives the scammers is useful because it allows them to defraud the victims even more. Whether the scammers are the same ones, or others who have bought the information on the dark web makes no difference to the victims.

Avoid falling victim

There are some pointers that may help you to fall victim to scammers such as these:

• Stay on the platform of your choice. If someone contacts you and wants to continue the conversation elsewhere, that should be a red flag. We saw the same when we discussed scams on Airbnb: It is in the scammers’ interest that the fraud takes place on a platform under their control, where they can’t be as easily tracked.
• Don’t click on links, downloads or attachments sent to you by strangers. Even if you have been in contact with someone for some time on the internet, they are still strangers. Sometimes they will get to the point fast, but in pig butchering scams for example, the contact can be ongoing for quite a while.
• If you are contacted by someone and they come across as untrustworthy or suspicious, report them to the platform’s administrators. You may prevent others from falling victim to the scammers.
• Don’t provide someone you have just met with personal details and information.
• Monitor your credit card statements and bank accounts for irregularities and contact your bank if you see payments you don’t recognise.
• Avoid websites that use scare tactics to trick you into registering for a service. At least do a background check to find out if they are legitimate and live up to their promises.
• Consider identity monitoring. This alerts you if your personal information is found being traded illegally online, and helps you recover after.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection

Health insurance giant Kaiser has announced it will notify millions of patients about a data breach after sharing patients’ data with advertisers.

Kaiser said that an investigation led to the discovery that “certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors.”

In the required notice with the US government, Kaiser lists 13.4 million affected individuals. Among these third-party ad vendors are Google, Microsoft, and X. Kaiser said it subsequently removed the tracking code from its websites and mobile apps.

A tracking pixel is a piece of code that website owners can place on their website. The pixel collects data that helps businesses track people and target adverts at them. That’s nice for the advertisers, but the information gathered by these pixels tells them a lot about your browsing behavior, and a lot about you.

This kind of data leak normally happens when a website includes sensitive information in its URLs (web addresses). The URLs you visit are shared with the company that provides the tracking pixel, so if the URL contains sensitive information it will end up in the hands of the tracking company. The good news is that while it’s easy for websites to leak information like this, there is no suggestion that tracking pixel operators are aware of it, or acting on it, and it would probably be hugely impractical for them to do so.

The leaked data includes member names and IP addresses, as well as information that could indicate if members were signed into a Kaiser Permanente account or service, how they interacted with it, how they navigated through the website and mobile applications, and what search terms they used in the health encyclopedia.

A spokesperson said that Kaiser intends to begin notifying the affected current and former members and patients who accessed its websites and mobile apps in May.

Not so long ago, we reported how mental health company Cerebral failed to protect sensitive personal data, and ended up having to pay $7 million. Also due to tracking pixels, so this is a recurring problem we are likely to see lots more of. Research done by TheMarkup in June of 2022 showed that Meta’s pixel could be found on the websites of 33 of the top 100 hospitals in America.

Check your digital footprint

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.