IT NEWS

Last week on Malwarebytes Labs:

• Law enforcement reels in phishing-as-a-service whopper
• Mental health company Cerebral failed to protect sensitive personal data, must pay $7 million
• Cannabis investment scam JuicyFields ends in 9 arrests
• Should you share your location with your partner?
• Giant Tiger breach sees 2.8 million records leaked

Last week on ThreatDown:

• What makes some zero-day vulnerabilities more valuable than others?
• Turning back the clock on encryption: How to perform ransomware backups in one-click
• ThreatDown earns highest ratings across EDR and MDR categories in G2 Spring 2024 results
• K-12 district hit with $500k Medusa ransomware attack
• FakeBat campaign continues, now also targeting VMware users

Stay safe!

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

A major international law enforcement effort involving agencies from 19 countries has disrupted the notorious LabHost phishing-as-a-service platform.

Europol reports that the organization’s infrastructure has been compromised, its website shut down, and 37 suspects arrested, including four people in the UK linked to the running of the site, which also allegedly included the original developer of the service.

Europol’s announcement also hints that this isn’t the end of the story, and users of the platform should ready themselves for some uncomfortable encounters with law enforcement in the future. As Europol said in its release:

A vast amount of data gathered throughout the investigation is now in the possession of law enforcement. This data will be used to support ongoing international operational activities focused on targeting the malicious users of this phishing platform.

The UK’s Metropolitan Police (“The Met”), which spearheaded the operation, says it has already contacted the criminals who used the site:

Shortly after the platform was disrupted, 800 users received a message telling them we know who they are and what they’ve been doing. We’ve shown them we know how much they’ve paid to LabHost, how many different sites they’ve accessed and how many lines of data they’ve received. Many of these individuals will remain the focus of investigation over the coming weeks and months.

In a phishing attack, criminals use emails to trick users into entering details like passwords or credit card numbers into fake websites. The emails and websites typically mimic popular brands like UPS, Amazon, or Microsoft, and copy the format of emails sent by those companies, luring victims with things like fake security alerts.

Phishing-as-a-Service (PaaS) provides the tools and infrastructure criminals need to carry out phishing attacks on a subscription basis, so they don’t have to create and run it themselves. This lowers the barrier to entry for these kinds of crimes and puts sophisticated tools in the hands of people who wouldn’t otherwise have access to them.

LabHost was set up in 2021 and grew to become one of the largest PaaS vendors. Europol says that “with a monthly fee averaging $249, LabHost would offer a range of illicit services which were customizable and could be deployed with a few clicks.” Those services reportedly included a menu of over 170 fake websites for users to choose from, and a campaign management tool called “LabRat” that could capture two-factor (2FA) authentication codes.

The phishing platform is reported to have had 2,000 registered users and was used to create “more than 40,000 fraudulent sites.” The Met says that around 70,000 individual UK victims have been phished using the service, and that globally, it swallowed up 480,000 card numbers, 64,000 PIN numbers, and more than one million passwords.

Victims in the UK have been contacted by the Met to inform them that some of their data has been compromised. Ironically, thousands of victims being contacted in this way creates an opportunity for copycat phishing emails with Met branding. For that reason, the Met has been careful not to include any links in its communications and warns potential victims that:

…if you receive any contact from the Met with links in, this will be fraudulent so please do not engage with this.

If you’ve been contacted by the Metropolitan Police about the LabHost breach you can find some useful guidance and support on its LabHost Disruption page.

The Federal Trade Commission (FTC) has reached a settlement with online mental health services company Cerebral after the company was charged with failing to secure and protect sensitive health data.

Cerebral has agreed to an order that will restrict how the company can use or disclose sensitive consumer data, as well as require it to provide consumers with a simple way to cancel services.

After a data breach in 2023 Cerebral disclosed that it had been using invisible pixel trackers from Google, Meta (Facebook), TikTok, and other third parties on its online services since October 2019.

A tracking pixel is a piece of code that website owners can place on their website. The pixel collects data that helps businesses track people and target adverts at them. That’s nice for the advertisers, but the combined information of all these pixels potentially provides a company with an almost complete picture of your browsing behavior and a lot of information about you.

The FTC statement claims that by using these tracking pixels, which are invisible to the website visitor unless they look at the underlying code, Cerebral provided the sensitive information of nearly 3.2 million consumers to these third parties.

The complaint points out that to get consumers to sign up for Cerebral’s services and to provide detailed personal data, the company claimed to offer “safe, secure, and discreet” services, saying that users’ data would be kept confidential.

Also, according to the complaint, the company specifically claimed in many instances that it would not share users’ data for marketing purposes without obtaining people’s consent.

Many organizations are unclear about how much information the social media companies behind the tracking pixels can gather. In the Notice of HIPAA Privacy Breach Cerebral disclosed that the following data were potentially exposed:

• Full name
• Phone number
• Email address
• Date of birth
• IP address
• Cerebral client ID number
• Demographic information
• Self-assessment responses and associated health information
• Subscription plan type
• Appointment dates
• Treatment details and other clinical information
• Health insurance/pharmacy benefit information

Among other penalties, Cerebral has to refund $5.1 million to customers who were impacted by deceptive cancellation practices and pay a $10 million civil penalty, limited to $2 million due to Cerebral’s inability to pay the full amount.

The number of breaches concerning health information is shocking. As required by section 13402(e)(4) of the HITECH Act, the Secretary of the US Department of Health and Human Services Office for Civil Rights publishes a list of breaches that reveal unsecured protected health information affecting 500 or more individuals.

We have reported about similar cases that involved tracking pixels. Research done by TheMarkup in June of 2022 showed that Meta’s pixel showed up on the websites of 33 of the top 100 hospitals in America.

Protecting yourself from a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection

Europol and its associates have arrested 9 people in conjunction with a cannabis investment scam known as “JuicyFields”.

The suspects used social media to lure investors to their website. There they found information about a “golden opportunity” to invest in the cultivation, harvesting and distribution of cannabis plants to be used for medicinal purposes.

Taken from the JuicyFields website:

Grow cannabis. It’s profitable! Become a potpreneur and benefit from the booming cannabis industry. Be among the first to join the movement.

The scheme looked like a crowdsourcing scheme with a minimal investment of € 50, and played on recent discussions in Europe to liberalize cannabis laws following the example of the United States and Canada. Many European countries such as the Netherlands, Austria, Germany, and Portugal have decriminalized possession of cannabis.

As we often see with these kinds of changes in regulatory frameworks, cybercriminals are the first to spot a window of opportunity and advertise with investment opportunities, promising a high return on low-risk investments.

From a JuicyFields whitepaper:

“21 states in the US have already legalised the adult use of marijuana for recreational purposes and this number continues to grow. Indeed, the U.S., Canada, and the soon-to-be regulated markets of the European Union are spearheading this revolution with unprecedented swiftness. However, the pent-up-demand for such regulationdoesn’t necessarily translate into effective deployment.”

To be one of the first investors in this growth market might have seemed just the thing to invest in for some. The scammers promised to connect investors with producers of medical cannabis. Europol stated:

“Upon the purchase of a cannabis plant, the platform assured investors – also referred to as e-growers – they could soon collect high profits from the sale of marijuana to authorized buyers. While the company pledged annual returns of 100 percent or more, they did not reveal exactly how they would accomplish this, let alone be able to guarantee it.”

The scheme was set up as a Ponzi scheme, which means the scammers paid early investors their return with the money they received from later adaptors.

So, for example, the first-time investor would deposit € 50 and receive a pay-out doubling their money soon after. Motivated by such quick financial gains, many investors would raise the stakes and invest hundreds, thousands, or in many cases even tens of thousands of euros. But that doesn’t mean the scammers forget to pocket the largest part themselves.

During the investigation and on action day, law enforcement seized or froze € 4,700,000 in bank accounts, € 1,515,000 in cryptocurrencies, € 106,000 in cash and € 2,600,000 in real estate assets, which amounts to roughly $ 9.5 Million in total. This came from 186,000 people who transferred funds into the scheme between early 2020 to July 2022.

One of the primary targets in this investigation was a Russian national residing in the Dominican Republic, suspected to be one of the main organizers of the fraudulent scheme.

Don’t fall for scams

Stick with safe investments, it’s easier said than done. But there are a few things you might want to avoid:

• Rushing into an investment. Scammers want you to act urgently, so you spend less time thinking.
• Skipping the fine print. Not knowing what it says in the fine print can turn out to be catastrophic.
• Acting on cold calls. Treat calls, texts, mails, and other advice out the blue with extreme caution.
• Judging a book by its cover. Investment scams are profitable and they can afford to look good.

Still not convinced? I have this piece of land on Venus, that I would be willing to part with for the right price. But you will need to act fast.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Every relationship has its disagreements. Who takes out the trash and washes the dishes? Who plans the meals and writes out the grocery list? And when is it okay to start tracking one another’s location?  

Location sharing is becoming the norm between romantic partners—50% of people valued location sharing in their relationships, according to recent research from Malwarebytes—and plenty of couples have found ways to track one another’s location, with consent, in a respectful and transparent way.

But, as a cybersecurity, privacy, and identity protection company, Malwarebytes is concerned with risk, and location sharing carries significant risks within many types of relationships.

There are new relationships in which the rules around privacy and sharing are still being agreed upon, old relationships in which power imbalances are deeply entrenched, and, of course, abusive relationships in which non-consensual tracking and surveillance are used as levers of control.

As a company—and not a relationship counselor—Malwarebytes cannot endorse any reasons for location sharing between romantic partners. But Malwarebytes can provide guidance on what safe location sharing looks like, including a requirement for consent.

Importantly, Malwarebytes can also remind readers about one simple, often-forgotten fact in this conversation: You don’t have to engage in location sharing if you do not want to.

It really is as simple as that. Do not agree to location sharing in your relationship if:

• You are being pressured, coerced, or harassed into sharing your location.
• You do not trust or feel comfortable sharing your location with your partner.  
• You do not want to.

As the reasons for location sharing are valid for many couples, the reasons against it are just as valid, too. You have the right to determine the rules in your own relationship, and that includes the digital decisions that impact your feelings of privacy, safety, and trust.

Safety, security, and convenience

According to research conducted last year by Malwarebytes, location tracking among partners is popular in North America—and even more popular amongst younger generations.

When polling more than 1,000 people about their attitudes and behaviors around online privacy and cybersecurity, a full 50% agreed or strongly agreed with the statement that “monitoring my spouse’s/significant other’s online activity and/or location makes me feel they are safer.”

Similarly, 42% agreed or strongly agreed with the statement that “being able to track my spouse’s/significant other’s location when they are away is extremely important to me.” This sentiment was higher amongst Gen Z—49% felt the same way compared to the general population.

As to why location tracking has become so popular, there is little doubt. It’s about safety (or, at least, the feeling of it).

On Reddit, the question of location tracking between partners is frequently posed and is just as frequently answered: “I think it should be fine for safety reasons,” said one user in a the most popular response to a thread.

In writing for the media platform Her Campus, one Pennsylvania State University student said that, if she already shares her location with her friends for safety, “why would I not share it with someone I am involved with romantically?”

For some of the editorial staff at the healthy living brand Poosh, location sharing also provided convenience.  

“If I want to call my boyfriend for something, sometimes I’ll check his location first (if he’s at the office, for example, I won’t call),” wrote Erika Harwood, managing editor. “Or if he tells me he’s on his way home and it seems to be taking unusually long, it’s easier to just check his location and see if he’s stuck in traffic.”

Harwood continued:

“Basically, it all boils down to me trying to eliminate as many phone calls from my day as possible.”

What these explanations all share is purpose and consent. The people featured here have told their partners about location sharing, and they have identified specific reasons to engage in this practice. Because of this, these situations are hardly cause for alarm.

What Malwarebytes hopes to draw attention to, however, are starkly different situations.

Coercion, control, and crisis

Location “sharing” implies two partners who consensually share their locations with one another. But as Malwarebytes discovered last year, location “sharing” isn’t the only activity that some people engage in—it’s also location spying.

According to the same survey last year, 41% of all people admitted to monitoring their partner in some way without their partner’s permission.

That includes 16% of people who non-consensually “tracked my spouse’s/significant other’s location through an app or Bluetooth tracker (like Apple AirTags, Tile, Find My)” and 13% who non-consensually “installed monitoring software/apps on spouse’s/significant other’s devices (e.g., Life360).”

The harms here are obvious.

Non-consensual location tracking in a relationship is a clear invasion of privacy. It puts sensitive information into one partner’s hands without the other partner knowing it, and the nature of the information itself can be used to harass and stalk someone—especially after a breakup.

Non-consensual location tracking is also present in domestic abuse, particularly in instances where one partner is being spied upon with the use of “stalkerware” apps. And while those who deploy these types of invasive apps are not guaranteed to be physically abusive against their partners, several documented cases highlight the risk.

As Danielle Citron, professor of law at UVA, wrote back in 2015 about what she called “cyber stalking apps”:

“A woman fled her abuser who was living in Kansas. Because her abuser had installed a cyber stalking app on her phone, her abuser knew that she had moved to Elgin, Illinois. He tracked her to a shelter and then a friend’s home where he assaulted her and tried to strangle her. In another case, a woman tried to escape her abusive husband, but because he had installed a stalking app on her phone, he was able to track down her and her children. The man murdered his two children. In 2013, a California man, using a spyware app, tracked a woman to her friend’s house and assaulted her.”

These cases may sound extreme, but they should not be ignored. They reveal that it isn’t location sharing itself which is harmful, but rather that harmful relationships will lead to harmful forms of location tracking.

Be sure that, if you do engage in location sharing, it is with someone who you trust, on both of your agreed terms, and in a way that you can turn off the location sharing at any point in the future.

What’s the answer?

Your real-time location is extraordinarily sensitive information, and as such, access to it should be understood as a privilege, not a right. No romantic partner has a “right” to your location just because their previous partners practiced location sharing. No romantic partner should coerce or harass you into location sharing. And no, the refusal to share your location, at any stage of the relationship, is not a “red flag.”

If you do decide to share your location with your partner, be sure to follow these guidelines:

• Have an open conversation about location sharing with one another. You must obtain consent from your partner if you’re going to share your locations. Spying on your partner’s location without their consent is a breach of trust.
• Have a reason why you’re engaging in location sharing. Many problems in a relationship will not be solved by location sharing. Have a firm reason why you want to share locations and what value it will provide. If you do not have a good reason, you may not need location sharing at all.
• Set up rules about location sharing. Location sharing can be enabled on a case-by-case basis for, say, music festivals, vacations, or solo hiking trips. It can also be enabled between partners indefinitely.
• Check in periodically about whether it is working. Just because you agreed to location sharing a year ago does not mean you cannot revisit the topic. See how location sharing feels and then see if you still want it later in your relationship.

As every couple has its own rules and behaviors for success, there is no single answer to whether you should share your location with your partner. You know your partner—and yourself—best to answer this question. Be safe, whatever option you choose.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Someone has posted a database of over 2.8 million records to a hacker forum, claiming they originated from a March 2024 hack at Canadian retail chain Giant Tiger.

When asked, they posted a small snippet as proof. The download of the full database is practically free for other active members of that forum.

In March, one of Giant Tiger‘s vendors, a company used to manage customer communications and engagement, suffered a cyberattack, which impacted Giant Tiger, as reported by CBC.

The retailer first learned of the security incident on March 4, 2024, and concluded that customer information was involved by March 15, according to an email the company wrote to customers. Giant Tiger also noted that the security incident only impacted one of its vendors and didn’t affect the chain’s store systems or applications, saying that “there is no indication of any misuse of the information.”

On April 12, 2024, BleepingComputer noticed a post titled “Giant Tiger Database – Leaked, Download!” on the hacker forum. The records contain over 2.8 million unique email addresses, names, phone numbers and physical addresses.

When contacted by BleepingComputer, Giant Tiger said:

“We determined that contact information belonging to certain Giant Tiger customers was obtained without authorization. We sent notices to all relevant customers informing them of the situation.”

and:

“No payment information or passwords were involved.”

Depending on customer’s buying behavior, the data leaked in the breach may vary. Loyalty members and those who placed online orders for in-store pickups might have had their names, emails and phone numbers compromised. Some customers, who placed online orders for home delivery, may have had that same information plus their street addresses compromised.

Protecting yourself from a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

Malwarebytes has a new free tool for you to check if your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection

Last week on Malwarebytes Labs:

• How to change your Social Security Number
• Apple warns people of mercenary attacks via threat notification system
• How to check if your data was exposed in the AT&T breach
• Microsoft’s April 2024 Patch Tuesday includes two actively exploited zero-day vulnerabilities
• How to protect yourself from online harassment
• Introducing the Digital Footprint Portal
• New ransomware group demands Change Healthcare ransom
• Active Nitrogen campaign delivered via malicious ads for PuTTY, FileZilla
• 35-year long identity theft leads to imprisonment for victim
• Porn panic imperils privacy online, with Alec Muffett (re-air): Lock and Code S05E08

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

After seeing their Social Security Number (SSN) leaked in the AT&T breach, some US citizens are wondering if and how they can change their SSN.

The good news is that even though it’s a challenging process, it is possible. But if you’ve ever had to abandon an email address that you used for years, imagine all of the hassle that came with that, and then imagine it being about 10 times worse. Governments, your employer, and everyone else that identifies who you are by your SSN will have to be notified. And since it doesn’t happen very often, most of them will not have a streamlined process in place. It will take a lot of time and effort to set every record straight.

All that said, this process is not impossible, and in some cases, it is worth the effort.

When do I qualify?

The first obstacle will be to qualify for a change of your SSN in the first place. You will have to show that you:

• Are the victim of identity theft. Importantly, even if this is true, the US government requires that you first have “attempted to fix problems resulting from the misuse,” but that you’re still encountering issues because of your original SSN. If someone is using your Social Security number for work purposes, you report it to the Social Security Administration (SSA) first. If someone is using your number to open lines of credit, you’ll need to go to identitytheft.gov to report it and establish a recovery plan. If those options didn’t help, then you can apply for a new SSN.
• Were issued a duplicate number or you and a family member have sequential numbers that are causing problems.
• Are facing a serious threat to your safety, like severe harassment, abuse, or potential life endangerment.
• Have religious or cultural objections to the particular number you received. You’ll need to provide documentation from the group you belong to that affirms your objection.

Where do I start?

The first step is to contact your local Social Security office. Under normal circumstances, you will have to pay them a personal visit after making an appointment. They will perform all the required checks and assist you in drafting a statement explaining why you need a new number, and fill out an application for a new SSN.

You will need to bring:

Evidence of your age. This is usually a birth certificate, but in some cases, alternatives are allowed, such as a US hospital record of your birth, a religious record established before age 5 showing your age or date of birth, a passport, or a final adoption decree showing the birth information taken from the original birth certificate.

Evidence of identity. A US passport, US driver’s license or state-issued non-driver identity card satisfy this requirement. Alternatives that may be accepted are a US military identity card, a certificate of naturalization, employee identity card, a certified copy of medical record, health insurance card, Medicaid card, or school identity card/record.

Evidence of US citizenship or immigration status. A US birth certificate or US passport are standard for this requirement. Accepted alternatives may be Consular Report of Birth, Certificate of Citizenship, or Certificate of Naturalization.

For all these documents, US citizens will need to show original documents (or documents certified by the issuing agency).

US immigrants requesting a new SSN will need to provide evidence of immigration status by showing an unexpired document issued by Department of Homeland Security (DHS) and additional documents if you are an international student or exchange visitor.

And you will need to provide evidence for the reason you need a new SSN.

Aftermath

Once you have successfully changed your SSN, here is a non-exhaustive list of entities that need to be informed:

• The IRS.
• Your employer.
• Your bank. 
• Your school.
• Your student loan provider.
• Your Medicare or Medicaid provider.
• Any primary care doctors or specialists with your medical records.
• Third-party insurance companies.

What you will not have achieved is also important to know. A Social Security number change doesn’t erase your financial history. So, a new SSN doesn’t absolve you of any debts you have, rectify your credit history, or repair a bad credit score.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

AT&T has notified US state authorities and regulators about its recent (or not) data breach, saying 51,226,382 people were affected.

For those that have missed the story so far:

• Back in 2021, a hacker named Shiny Hunters claimed to have breached AT&T.
• On March 20, 2024, we reported how the data of over 70 million people was posted for sale on an online cybercrime forum. The seller claimed the data came from the Shiny Hunters breach. However, AT&T denied (both in 2021 and in March, 2024) that the data came from its systems.
• On March 30, AT&T reset customer passcodes after a security researcher discovered the encrypted login passcodes found in the leaked data were easy to decipher.
• Finally, on April 2, 2024, AT&T confirmed that 73 million current and former customers were caught up the data leak.

Weirdly enough, in the data breach notification, AT&T says the date of discovery of the breach was March 26, 2024. AT&T has still not disclosed the source of the leak, but says the data appears to be from June 2019 or earlier.

Malwarebytes VP of Consumer Privacy, Oren Arar, describes the AT&T breach as “especially risky” because of the type of data that’s been exposed.

“SSN, name, date of birth—this is personal identifiable information (PII) that cannot be changed, and if scammers get their hands on it, it just makes their work in stealing people’s identities a lot easier. In addition, this exposed data was published on the internet – in a way that anyone could access it, and not on the dark web where you need some expertise to find it”.

Check if your data was exposed

Malwarebytes has a super easy tool—Malwarebytes Digital Footprint Portal—that allows you to check if your data was part of the AT&T breach. Just click the button below, enter your email address, and we’ll let you know what personal information we find.

We will keep you posted of any new developments in this case. Stay tuned!

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Apple has reportedly sent alerts to individuals in 92 nations on Wednesday, April 10, to say it’s detected that they may have been a victim of a mercenary attack. The company says it has sent out these types of threat notifications to over 150 countries since the start in 2021.

Mercenary spyware is used by governments to target people like journalists, political activists, and similar targets, and involves the use of sophisticated tools like Pegasus. Pegasus is one of the world’s most advanced and invasive spyware tools, known to utilize zero-day vulnerabilities against mobile devices.

The second number became known when Apple changed the wording of the relevant support page. The change also included the title that went from “About Apple threat notifications and protecting against state-sponsored attacks” to “About Apple threat notifications and protecting against mercenary spyware.”

If you look at the before and after, you’ll also notice an extra paragraph, again with the emphasis on the change from “state-sponsored attacks” to “mercenary spyware.”

The cause for the difference in wording might be because “state-sponsored” is often used to indicate attacks targeted at entities, like governments or companies, while these mercenary attacks tend to be directed at individual people.

The extra paragraph specifically calls out the NSO Group and the Pegasus spyware it sells. While the NSO Group claims to only sell to “government clients,” we have no reason to take its word for it.

Apple says that when it detects activity consistent with a mercenary spyware attack it uses two different means of notifying the users about the attack:

• Displays a Threat Notification at the top of the page after the user signs into appleid.apple.com.
• Sends an email and iMessage notification to the email addresses and phone numbers associated with the user’s Apple ID.

Apple says it doesn’t want to share information about what triggers these notifications, since that might help mercenary spyware attackers adapt their behavior to evade detection in the future.

The NSO Group itself argued in a court case started by Meta for spying on WhatsApp users, that it should be recognized as a foreign government agent and, therefore, be entitled to immunity under US law limiting lawsuits against foreign countries.

NSO Group has also said that its tool is increasingly necessary in an era when end-to-end encryption is widely available to criminals.

How to stay safe

Apple advises iPhone users to:

• Enable Lockdown mode.
• Keep devices up to date.
• Protect devices with a passcode.
• Use Multi-Factor-Authentication (MFA) for your Apple ID.
• Only install apps from the App Store.
• Use strong and unique passwords online.
• Don’t click on links or attachments from unknown senders.

We’d like to add:

• Use an anti-malware solution on your device.
• If you’re not sure about something that’s been sent to you, verify it with the person or company via another communcation channel.
• Use a password manager.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.