IT NEWS

Catching up with WoofLocker, the most elaborate traffic redirection scheme to tech support scams

Back in January 2020, we blogged about a tech support scam campaign dubbed WoofLocker that was using by far the most complex traffic redirection scheme we had ever seen. In fact, the threat actor had started deploying infrastructure in earnest as early as 2017, about 3 years prior to our publication.

Fast forward to 2023, another 3 years have gone by and this campaign is still going as if nothing has happened. The tactics and techniques are very similar, but the infrastructure is now more robust than before to defeat potential takedown attempts. This change may have been in response to the work we did with web hosting companies and registrars, which only put this operation out of business temporarily.

It is just as difficult to reproduce and study the redirection mechanism now as it was then, especially in light of new fingerprinting checks. By connecting previous indicators of compromise we were able to expand our knowledge about the first iteration of WoofLocker and its new setup.

While we still do not know a lot about who is behind this scheme, we believe it may be the work of different threat actors that specialize in their area of expertise. WoofLocker may very well be a professional toolkit built specifically for advanced web traffic filtering and used exclusively by one customer. Victims that fall for the scam and call the phone number are then redirected to call centres presumably in South Asian countries.

This blog post summarizes our latest findings and provides indicators of compromise that may be helpful to the security community.

Overview

Contrary to other tech support scam campaigns that often rely on malvertising as a delivery vector, we only observed WoofLocker being distributed via a limited number of compromised websites. The threat actor appears to have gained access to two categories: non-adult traffic and adult traffic. That distinction can be seen in the unique redirection URL created for each victim, which carries a parameter called “nad” or “ad” respectively.

Malicious JavaScript embedded in the compromised websites is used to retrieve the WoofLocker framework directly into the DOM from one of a handful of domain names. The code used by WoofLocker is highly obfuscated and makes use of steganography, a technique that embeds data inside of images.

Each victim that visits the compromised site is fingerprinted to determine if they are legitimate or not. Numerous checks are performed to detect the presence of virtual machines, certain browser extensions and security tools. Only genuine residential IP addresses are considered, provided they have not already been fingerprinted.

Figure 1: WoofLocker version 2 diagram

The information from victims is sent back to the server as a PNG image (the data is hidden inside thanks to steganography) and followed by two possible outcomes. Users deemed not interesting will not see anything further, while potential victims will get redirected to another domain via a URL generated on the fly, with a unique ID only valid for this specific session.

This redirection shows the familiar browser locker screen with a fake warning about computer viruses. That part of the code is relatively straightforward and inspired by existing templates.

Compromised sites

As mentioned earlier, the threat actor is using two different types of traffic: adult and non-adult. The majority of websites loading WoofLocker are adult sites, and this is not a coincidence as it plays into the scam’s social engineering tactics.

Originally, the injected code was not obfuscated and contained the fingerprinting checks, but in 2021 the threat actors changed it to simplify the injection and move some of the logic elsewhere:


Figure 2: Code injected into compromised sites (comparison)

In the image below, we are using Chrome’s Developer Tools to see malicious code dynamically injected into the DOM. As a website administrator going directly to the raw HTML page, you might not see anything injected.


Figure 3: Code viewed in developer tools

This code allows the threat actor to connect with their fingerprinting and redirection infrastructure, which in this case is located at cdncontentstorage[.]com.

Fingerprinting

We previously described the fingerprinting mechanism in detail and it remains very similar. There were a few additions though, such as the check for specific Chrome extensions (GeoEdge, Kaspersky, McAfee). There also seems to be some kind of proxy detection, or perhaps detection specific to web debugging tools like Fiddler. This makes it much harder for security researchers to get a traffic capture as evidence of malfeasance.


Figure 4: Chrome extensions checks

URL redirection

We were able to identify the redirection URL this time, after numerous replays and debugging attempts:


Figure 5: Browser locker URL is sent hidden in PNG image

Again, the threat actor uses steganography to include JavaScript code inside of an image. The browser reads that response via the getImageData function and executes it. Here, we can see the URL that is unique to this session (uid) and used for the redirect to the browser locker page.
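The two steganography steps described above (victim data sent back inside a PNG, and the redirect URL delivered back inside a PNG that the browser reads via getImageData) are easier to reason about with an analyst-side extractor in hand. The following is an added example, not WoofLocker's code or Malwarebytes' tooling: a minimal stdlib-only PNG writer and reader, plus a carver for a payload hidden in pixel data. The encoding scheme (one payload byte per pixel in the red channel, NUL-terminated) is an assumption made for the example; the post does not document the real layout, and the sample payload and its domain are constructed placeholders.

```python
import struct
import zlib

# Added example (not WoofLocker's code): a minimal PNG writer/reader built on the
# standard library, plus an extractor for a payload hidden in pixel data.
# ASSUMED encoding scheme: one payload byte per pixel in the red channel,
# terminated by a NUL byte. The post does not document the real layout.

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(kind, data):
    """Serialize one PNG chunk: length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(kind + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", crc)


def encode_png_rgba(width, height, rgba):
    """Write an 8-bit RGBA PNG using filter type 0 on every row."""
    if len(rgba) != width * height * 4:
        raise ValueError("pixel buffer does not match dimensions")
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    stride = width * 4
    raw = b"".join(b"\x00" + rgba[y * stride:(y + 1) * stride] for y in range(height))
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def decode_png_rgba(png):
    """Parse an 8-bit RGBA PNG with filter type 0; returns (width, height, rgba)."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos, width, height, idat = len(PNG_SIGNATURE), None, None, b""
    while pos + 8 <= len(png):
        length, kind = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(kind + data) & 0xFFFFFFFF != crc:
            raise ValueError("CRC mismatch in %r chunk" % kind)
        if kind == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", data[:10])
            if depth != 8 or ctype != 6:
                raise ValueError("only 8-bit RGBA is supported here")
        elif kind == b"IDAT":
            idat += data
        elif kind == b"IEND":
            break
        pos += 12 + length
    raw = zlib.decompress(idat)
    stride = width * 4
    rows = []
    for y in range(height):
        row = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        if row[0] != 0:
            raise ValueError("unsupported PNG filter type %d" % row[0])
        rows.append(row[1:])
    return width, height, b"".join(rows)


def extract_red_channel_payload(png):
    """Read the red byte of each pixel until the NUL terminator (assumed scheme)."""
    _, _, rgba = decode_png_rgba(png)
    out = bytearray()
    for i in range(0, len(rgba), 4):
        if rgba[i] == 0:
            break
        out.append(rgba[i])
    return bytes(out)


SUSPICIOUS_TOKENS = (b"location", b"http", b"eval(", b"Function(", b"<script")


def looks_like_redirect_code(payload):
    """Cheap triage: does the carved payload contain code or URL markers?"""
    return any(tok in payload for tok in SUSPICIOUS_TOKENS)


# Constructed sample payload; the domain and uid are placeholders, not IoCs.
SAMPLE_PAYLOAD = b'window.location.href="https://locker.example/?uid=PLACEHOLDER-UID";'


def build_sample_png(payload, width=8):
    """Constructed test image: payload in the red channel, leftover pixels filled."""
    data = payload + b"\x00"
    height = -(-len(data) // width)  # ceiling division
    pixels = bytearray()
    for i in range(width * height):
        red = data[i] if i < len(data) else 0x41
        pixels += bytes([red, 0x80, 0x40, 0xFF])
    return encode_png_rgba(width, height, bytes(pixels))


if __name__ == "__main__":
    carved = extract_red_channel_payload(build_sample_png(SAMPLE_PAYLOAD))
    print(carved.decode(), looks_like_redirect_code(carved))
```

In practice an analyst would feed `extract_red_channel_payload` the PNG bodies captured from the fingerprinting server (Figure 5) and adjust the channel and terminator logic to whatever the deobfuscated JavaScript actually does with the pixel array; the triage function only tells you whether what came out deserves a closer look, never executes it.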

Web traffic

We were able to record a full traffic capture despite WoofLocker’s evasion techniques. As mentioned previously, it appears that certain tools that involve proxying traffic may be detected. We had to use a different mechanism to get this traffic without being detected.

Sequentially, we see the fingerprinting checks being done with the use of steganography. The absence of the specific Chrome extensions the threat actor is looking for also generates some traffic. The final part is the user data validation and creation of a unique id (uid). The code once again uses steganography to load the malicious URL corresponding to the browser locker page.


Figure 6: Traffic capture showing the fingerprinting and redirection mechanisms

Infrastructure comparison

Since our original blog post, we were able to identify additional parts of the WoofLocker infrastructure. What is most interesting is how the threat actors completely changed it and went with hosting providers that appear to give them stronger protection against takedowns.

Figure 7: WoofLocker version 1

The ASNs are located in Bulgaria and Ukraine:

Figure 8: WoofLocker version 2

Conclusion

WoofLocker is an advanced fingerprinting and redirection toolkit that appears to have been built for a single customer. While it could be used for any web threat as an evasion framework, it has been pushing tech support scams for the past 6 years.

Unlike other campaigns that rely on purchasing ads and playing whack-a-mole with hosting providers and registrars, WoofLocker is a very stable and low maintenance business. The websites hosting the malicious code have been compromised for years while the fingerprinting and browser locker infrastructure appears to be using solid registrar and hosting providers.

Malwarebytes users have always been protected against this threat thanks to our heuristic detection engine.

Indicators of Compromise

Fingerprinting and redirection infrastructure:

api[.]cloudcachestels[.]com
api[.]cloudseedzedo[.]com
api[.]imagecloudsedo[.]com
appcloudzedo[.]com
cdn[.]contentob[.]com
cdncontentstorage[.]com
cdnpictureasset[.]com
cloudcusersyn[.]com
cloudgertopage[.]com
cloudlogobox[.]com
csscloudstorage[.]com
datacloudasset[.]com
logosvault[.]com
miniassetcloud[.]com

Recent browser locker domains:

furakelw[.]com
gopilofan[.]com
zemolist[.]com
besoliza[.]com
vedopixt[.]com
defolis[.]com
somawan[.]com
vulidoc[.]com
barustan[.]com
semilupa[.]com
bopiland[.]com
somalics[.]com
sebasong[.]com
molesanu[.]com
xepilondi[.]com
malubana[.]com
beeronas[.]com
lobosixt[.]com
gomoyad[.]com
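The indicator list above is published defanged (“[.]”), which is the usual format but not one a log search can use directly. The following is an added example, not part of the original post: it refangs the list, then scans constructed DNS-style log lines for any hostname that equals an indicator or sits beneath one (a subdomain of a listed apex domain is treated as a hit). The log lines and client addresses are invented for the example; the domains are the post's own indicators.

```python
import re

# IoC list copied from this post, defanged as published.
WOOFLOCKER_IOCS = """
api[.]cloudcachestels[.]com
api[.]cloudseedzedo[.]com
api[.]imagecloudsedo[.]com
appcloudzedo[.]com
cdn[.]contentob[.]com
cdncontentstorage[.]com
cdnpictureasset[.]com
cloudcusersyn[.]com
cloudgertopage[.]com
cloudlogobox[.]com
csscloudstorage[.]com
datacloudasset[.]com
logosvault[.]com
miniassetcloud[.]com
furakelw[.]com
gopilofan[.]com
zemolist[.]com
besoliza[.]com
vedopixt[.]com
defolis[.]com
somawan[.]com
vulidoc[.]com
barustan[.]com
semilupa[.]com
bopiland[.]com
somalics[.]com
sebasong[.]com
molesanu[.]com
xepilondi[.]com
malubana[.]com
beeronas[.]com
lobosixt[.]com
gomoyad[.]com
"""


def refang(ioc):
    """Turn the published 'a[.]b[.]com' form back into a real hostname."""
    return ioc.replace("[.]", ".").strip().lower()


def load_iocs(text):
    """Return the set of refanged indicators from a defanged list."""
    return {refang(line) for line in text.splitlines() if line.strip()}


# Hostnames in free text: labels separated by dots, alphabetic TLD of 2+ chars.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def matches_ioc(host, iocs):
    """Return the indicator matched by host or by any of its parent domains."""
    parts = host.lower().rstrip(".").split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in iocs:
            return candidate
    return None


def scan_log(lines, iocs):
    """Yield (line number, observed host, matched indicator) for every hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        for host in set(DOMAIN_RE.findall(line)):
            matched = matches_ioc(host, iocs)
            if matched:
                hits.append((number, host.lower(), matched))
    return hits


# Constructed sample resolver log; clients and timestamps are invented.
SAMPLE_LOG = [
    "2023-08-16T10:01:02Z client=10.0.0.5 query=A name=www.example.com",
    "2023-08-16T10:01:09Z client=10.0.0.5 query=A name=cdncontentstorage.com",
    "2023-08-16T10:01:10Z client=10.0.0.5 query=A name=api.cloudseedzedo.com",
    "2023-08-16T10:02:40Z client=10.0.0.7 query=A name=static.cdncontentstorage.com",
    "2023-08-16T10:03:00Z client=10.0.0.9 query=A name=zemolist.com",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, load_iocs(WOOFLOCKER_IOCS)):
        print("line %d: %s matches indicator %s" % hit)
```

A hit on a fingerprinting domain tells you a browser in your estate reached the filtering stage; a hit on a browser locker domain means the fingerprinting passed and the user saw the fake warning, which is the event worth following up with that user.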

Discord.io confirms theft of 760,000 members’ data

Discord.io was/is a third party service that enables owners of Discord servers to create customized, personal Discord invites. After a preview of Discord.io’s users database was posted on BreachForums, the owners have decided to shut down all Discord.io services “for the foreseeable future.” Existing premium subscriptions have been canceled and discord.io promised to reach out as soon as possible on an individual basis.

The site confirms that there has been a data breach

The stolen information could include your discord.io username and your Discord ID, your email address, your billing address, and a salted and hashed password if you signed up in 2018 or earlier. (In 2018 discord.io started to exclusively offer Discord as a login option.)

Payment details are said to be safe because those are stored safely by the payment partners, Stripe and PayPal. Discord.io has confirmed the authenticity of the breach, by an entity acting under the name Akhirah.

It is important to know that Discord is not affiliated with discord.io. A spokesperson from Discord told Stackdiary:

“Discord is not affiliated with Discord.io. We do not share any user information with Discord.io directly and we do not have access to or control of information in Discord.io’s custody.”

Discord has revoked the OAuth authentication tokens for any Discord user that has used Discord.io, so that app can no longer perform actions on behalf of those users until they re-authenticate. Affected Discord users should change their passwords and enable multi-factor authentication (MFA).

To enable MFA on Discord:

  • Open the Discord desktop app or go to discord.com/login and enter your credentials to log in.
  • Go to the second vertical tab, and then click the gear icon beside the Mute and Deafen options to open user settings.
  • In the My Account tab, scroll down and click Enable Two-Factor Auth.
  • Enter your Discord password and open the authenticator app of your choice on your device.
  • Scan the QR code and enter the six-digit code to enable 2FA. You may want to write down the key and store it in a secure space, in case you should somehow lose access to your account.
  • Click Enable SMS Authentication to enable 2FA on Discord via SMS.

Data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Beware malware posing as beta versions of legitimate apps, warns FBI

The FBI has issued a warning that cybercriminals are embedding malicious code in mobile beta-testing apps in attempts to defraud potential victims. The victims are typically contacted on dating sites and social media, and in some cases they are promised incentives such as large financial payouts.

Beta-testing apps are new versions of software that are undergoing their final tests and aren’t quite ready to be officially released. In the legitimate software ecosystem, beta testing gives users a chance to improve their favorite apps and get early access to new features. For criminals, “beta-testing” apps offer a plausible reason for victims to download software from unsafe places, away from the usual app stores, without raising their suspicions.

To make the apps look legitimate, the criminals use familiar-looking names, images, or descriptions that are similar to popular apps. Embedded in the apps is malicious code used to defraud the victim or compromise the device. According to the FBI:

“The malicious apps enable theft of personally identifiable information (PII), financial account access, or device takeover.”

The agency says it’s aware of fraud schemes where the victims are contacted and directed to download mobile beta-testing apps, such as cryptocurrency exchanges, that steal money instead of investing it.

In an earlier warning the FBI focused on scammers that haunt forums and comments sections, looking for victims who have lost cryptocurrency to fraud, scams, and theft. The scammers claim to provide cryptocurrency tracing and promise to recover lost funds.

Glad I was able to recover my funds from these fake brokers. I would have had to file for bankruptcy, thanks to [redacted] I was able to get a hold of these scam brokers and take back my money. I would gladly refer anyone.

Example of an (intercepted) attempt to post a recovery advertisement in our blog comments

These recovery scheme fraudsters will charge an up-front fee and either cease communication after receiving the initial deposit, or they will produce an incomplete or inaccurate tracing report and claim they need additional fees to recover the funds.

The fraudsters will even go as far as to claim they are affiliated with law enforcement or legal services to appear legitimate. It is important to realize that private sector recovery companies cannot issue seizure orders to recover cryptocurrency.

Stay safe

Beta-testing can be fun and rewarding, but check that you are testing the app from a legitimate source and trusted developer. For example, Malwarebytes offers their beta downloads on their own forums.

Do not send payment to someone you have only spoken to online, even if you believe you have established a relationship with them. Scammers specialize in making you think that.

Do not provide personal or financial information in email or messages, and do not respond to email or message solicitations, including links.

Do not download or use suspicious looking apps as a tool for investing unless you can verify the legitimacy of the app.

Shy away from advertisements for cryptocurrency recovery services. Research the advertised company and beware if the company uses vague language, has a minimal online presence, and makes promises regarding an ability to recover funds. Do not make things even worse.

Law enforcement does not charge victims a fee for investigating crimes. If someone claims an affiliation with the FBI, contact your local FBI field office to confirm.

As the FBI pointed out:

“Cryptocurrency exchanges only freeze accounts based on internal processes or in response to legal process.”



Malvertisers up their game against researchers

Threat actors constantly take notice of the work and takedown efforts initiated by security researchers. In this constant game of cat and mouse, tactics and techniques keep evolving from simple to more complex, and more covert.

This is a trend we have observed time and time again, no matter the playing field, from exploit kits to credit card skimmers. As defenders, we may have mixed reactions: on the one hand, as technical people we naturally appreciate a well-written exploit or piece of code and the challenge it creates. There is something about it that sparks our interest and curiosity. On the other hand, we know that the people behind it have bad intentions and intend on doing harm.

In today’s blog post, we look at a recent malvertising chain that started using a more advanced cloaking technique to remain under the radar. Based on our tracking, it is a new trend for these malvertising campaigns dropping infostealers and other malware used by initial access brokers in ransomware operations.

Malicious ad and cloaking

Threat actors continue to target certain IT programs such as remote access tools and scanners by creating ads that are displayed on popular search engines such as Google. The ad below is for the Advanced IP Scanner tool and was found when performing a Google search from a US IP address.

Figure 1: Malicious ad on Google for Advanced IP Scanner

The domain name advnced-lp-scanner[.]com may look legitimate but it is not. It was registered on Jul 30 2023 and is hosted on a server in Russia at 185.11.61[.]65.

If you were to investigate this ad, you would likely open it up in a virtual machine and see what it leads to. One of the most common checks that is done by threat actors is a simple server-side IP check to determine whether you are running a VPN or proxy or have visited the site before. That means that as researchers we need to constantly find new IP addresses that look legitimate and then revisit the page again.

Interestingly, even with a fresh IP address the landing page looked innocent. This can happen for different reasons, for example if the threat actor is in the process of setting up the site and hasn’t finished swapping it to the malicious version. Or it could also be that the time of day is not in line with when the attacker is making the switch.

Figure 2: Decoy page without any malware to download

Advanced fingerprinting

Looking closer at the network requests from the ad to the web server we saw new code that looked suspicious. This is Base64 encoded JavaScript that is loaded before anything else on the page.

In fact, this client-side request was performed after a server-side IP check to determine if your IP address was clean. In other words, this is another layer that needs to be processed before we get to see what we are looking for.

Figure 3: Suspicious Base64-encoded code

We can deobfuscate this code using CyberChef and further beautify it to see what it does. Here are some of those checks:

  • browser properties such as window and screen size
  • time zone (difference between UTC and local time)
  • browser rendering capabilities related to video card driver
  • MIME type for MP4 file format 

Figure 4: Decoded fingerprinting script

Many tools used by researchers are scripted in Python and will fail the test. The same goes for virtual machines: the WEBGL_debug_renderer_info API can help to detect if you are using virtualization such as VMware or VirtualBox.
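Once a script like the one in Figure 4 has been decoded and beautified, the question is how to spot the same pattern quickly next time. The following is an added example, not code from the original post or from Malwarebytes' products: a small indicator scanner that scores deobfuscated JavaScript for the checks the post lists (screen and window size, time zone, WebGL renderer, MP4 MIME support) together with a few related probes I added (navigator.webdriver, chrome-extension:// URLs, canvas getImageData, dynamic code evaluation). Both input scripts are constructed for the example; the weights and threshold are arbitrary choices to tune against your own corpus.

```python
import re

# Added example: indicator scoring for decoded fingerprinting scripts.
# The regexes cover the checks named in the post plus a few related probes.
# Weights and the verdict threshold are assumptions to tune locally.
INDICATORS = [
    (r"\bWEBGL_debug_renderer_info\b", "webgl-renderer-probe", 3),
    (r"\bgetTimezoneOffset\s*\(", "timezone-check", 1),
    (r"\bcanPlayType\s*\(\s*[\"']video/mp4", "mp4-mime-check", 2),
    (r"\b(?:screen|window)\.(?:width|height|outerWidth|outerHeight|innerWidth|innerHeight)\b",
     "screen-dimensions", 1),
    (r"chrome-extension://", "extension-probe", 3),
    (r"\bnavigator\.webdriver\b", "webdriver-check", 3),
    (r"\bgetImageData\s*\(", "canvas-pixel-read", 2),
    (r"\b(?:eval|Function)\s*\(", "dynamic-code", 2),
]

VERDICT_THRESHOLD = 6


def scan_script(source):
    """Return matched indicators, a weighted score and a coarse verdict."""
    hits = []
    for pattern, label, weight in INDICATORS:
        count = len(re.findall(pattern, source))
        if count:
            hits.append({"label": label, "count": count, "weight": weight})
    score = sum(h["weight"] for h in hits)  # each indicator counts once
    verdict = "likely fingerprinting" if score >= VERDICT_THRESHOLD else "low"
    return {"score": score, "hits": hits, "verdict": verdict}


# Constructed sample: the kind of decoded script the post describes.
FINGERPRINT_SAMPLE = r"""
var gl = c.getContext("webgl");
var dbg = gl.getExtension("WEBGL_debug_renderer_info");
var renderer = gl.getParameter(dbg.UNMASKED_RENDERER_WEBGL);
var tz = new Date().getTimezoneOffset();
var mp4 = document.createElement("video").canPlayType('video/mp4');
var fp = [screen.width, screen.height, window.outerWidth, tz, renderer, mp4];
fetch("/collect", {method: "POST", body: JSON.stringify(fp)});
"""

# Constructed sample: ordinary page script that also touches window size.
BENIGN_SAMPLE = r"""
document.getElementById("clock").textContent = new Date().toLocaleTimeString();
window.addEventListener("resize", function () { console.log(window.innerWidth); });
"""

if __name__ == "__main__":
    for name, src in (("fingerprint", FINGERPRINT_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = scan_script(src)
        print(name, result["score"], result["verdict"],
              [h["label"] for h in result["hits"]])
```

The scoring deliberately counts each indicator once: a legitimate responsive-design script reads window dimensions too, so a single low-weight hit should never trip the verdict, whereas the combination of renderer, time zone and codec probes followed by a POST is what distinguishes the cloaking script in Figures 4 and 5.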

The data that is collected from visitors is then sent back to the attacker’s website via a POST request for further parsing and to determine what action to take next.


Figure 5: POST request sending victim’s details to attacker

Below is the web traffic view of a successful redirection to the malicious page where the victim can download the malware payload.

Figure 6: Web traffic from malicious ad to payload page

And this is the malware landing page:

Figure 7: Malware landing page after successfully passing the fingerprinting checks

We can now collect the payload and make sure that it is detected.

Conclusion

By using better filtering before redirecting potential victims to malware, threat actors ensure that their malicious ads and infrastructure remain online longer. Not only does it make it more difficult for defenders to identify and report such events, it also likely has an impact on takedown actions. In the majority of cases where we have reported malvertising incidents, the abused platform needs to validate the information before taking action against the advertiser.

This makes sense as reports could be erroneous and lead to advertising accounts being suspended unjustly. However, it also means that while an incident is being investigated and reproduced (which could take hours), people will click on those ads and download malware.

As we continue to report malvertising campaigns, we improve our understanding of the threat actors’ TTPs and adjust our toolsets accordingly. Any intelligence gathered is shared within our products and ultimately delivered to Malwarebytes customers via web and malware protection updates to ensure they remain protected.

25 most popular websites vs Malwarebytes Browser Guard

Do you know how many see-everything-you’re-doing-on-the-web trackers get loaded into your browser when you watch a YouTube video? Would you care to guess?

It’s about sixty.

Sixty. Six zero. Sixty trackers when you load one video. I know this because I decided to take Browser Guard, Malwarebytes’ browser extension that blocks ads and keeps you safe from trackers, scams, malvertising, and other online threats, for a wander through the web’s top 25 sites.

Web users have always spent a disproportionate amount of their time on the web’s most popular sites, and websites like Facebook, Twitter, and Twitch are designed to keep you hanging around for as long as possible. So what happens on the top sites has an outsized effect on users, because the top sites don’t just reach more people, they also keep people for longer.

Before I get into why I was counting how many things Browser Guard blocks, take a look at the numbers in the table below.

The table shows the number of items (ads, cross-site trackers, etc.) that Browser Guard blocked on a single page on each of the top 25 most visited websites. I looked at one page on each site, and chose pages that were broadly representative of what somebody might go there to do. So, on Google I looked at a search results page, on YouTube I looked at a page displaying a video, and so on. Where I was asked to log in and I had an account, I logged in, and where I was asked to accept cookies I did.

Site                    Page type         Items blocked
Google                  Search results    2
YouTube                 Video page        58
Facebook                Feed              1
Twitter                 Feed              2
Wikipedia               Article           0
Yahoo                   Article           3
Yandex                  Search results    0
WhatsApp                Home              1
XVideos                 Video page        4
Amazon                  Product page      2
PornHub                 Video page        16
XNXX                    Video page        4
TikTok                  Video page        0
Microsoft (live.com)    Application       0
Reddit                  Home              5
LinkedIn                Feed              11
Netflix                 Home              1
OpenAI                  Home              1
Xhamster                Video page        6
Weather                 Home              8
Office 365              Application       0
Samsung                 Home              42
Bing                    Search results    0
Discord                 Home              1
Twitch                  Home              4

Browser Guard blocked a total of 172 items across the 25 pages tested. That’s a mean average of seven on each site, and a median of two. The mean average is heavily skewed by YouTube and Samsung, which accounted for 100 items between them.

(Note that if you try to repeat this experiment you might get slightly different results, although we expect them to be similar to ours. Because of the way that ad tech works, different numbers of items may be downloaded for apparently identical page loads.)

How tracking affects security and privacy

So why does it matter?

Cross-site ad tracking follows you from site to site and builds up a rough picture of your likes, dislikes, and demographics, which is then used to help ad providers choose relevant, targeted ads to show you (or at least, that’s the theory).

This model comes with advantages, but it also comes with significant risks to both your privacy and security.

You are the product

The price you pay for the popular, free-to-use websites like Facebook and YouTube is that somewhere, somebody is amassing a whole lot of data about you. You likely don’t know who they are, what they know or how much, how securely the data is stored, how long it’s kept, or who it’s been shared with, sold to, or stolen by.

Some people see this kind of tracking as benign, or at least a necessary evil. The ad economy is what keeps sites like Facebook and YouTube free after all, and they would rather see ads that might at least appeal to them than something chosen at random. For others, the targeted ad economy and the cross-site tracking it relies upon are an unacceptable violation of their privacy.

But that’s not the whole story. Ads and trackers aren’t just a privacy problem, they come with a pair of security problems too.

Efficient threat distribution

The first is that ad distribution networks—the amazingly efficient, just-in-time auction houses that fill ad slots as a page loads—are just as good at distributing scams, links to phishing sites, and malware downloads, as they are at distributing ads. Ad companies don’t encourage this, but despite their efforts malicious advertising—malvertising—is resurgent in 2023. A lot of malvertising works by impersonating well known brands, and the scammers do it so well that you have almost no chance of spotting it.

Simply, the more ads and ad networks you’re interacting with, the more likely you are to encounter something bad. And if you do, you probably won’t spot it until it’s too late.

Criminals with “God mode” access

The second problem is that ad networks and cross-site tracking generally rely on components pulled from third-party websites as a page is loaded. This means that when you visit a page with a single tracker on it, your browser is actually talking to two websites: The website you’re looking at and the website it’s loading the tracking code from.

But lots of sites have far more than one tracker. If you visit a page with 20 trackers, your browser could be assembling the page you’re looking at from as many as 21 different websites. Scarily, each website you load a component from gets full access to the page the component is included in. FULL access.

Among many other things, the third-party components are allowed to alter the code of the page you’re looking at in any way they like, they can all see anything you type into a form on that page, even if you don’t submit it, and they can copy any authentication cookies you have for that site too, which effectively means they can steal your password.

In other words, any site that supplies any content for the page you’ve loaded gets “God Mode” on that page. So if you’re looking at a page with 20 trackers, that’s as many as 21 sites with God Mode on that page.

That’s bad enough if you trust everyone concerned, because even legitimate companies have been known to play fast and loose with that level of access. But it gets really serious if any of those organisations are compromised, because now you’re giving God Mode to a malicious hacker.
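The “21 sites” arithmetic above is something you can measure for any page you control or are asked to review. The following is an added example, not Browser Guard code or anything from the original post: a standard-library script that parses a page's HTML, lists every third-party origin it pulls a `<script>` or `<iframe>` from, and flags the third-party scripts that carry no Subresource Integrity (`integrity`) attribute, since those are the ones whose contents can change silently on the hosting side. The sample page and every hostname in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Added example: an audit of which origins a page loads executable content from.
# Not Browser Guard code; a plain stdlib script run over constructed sample HTML.


class _ResourceCollector(HTMLParser):
    """Collect src-bearing <script> and <iframe> tags with their attributes."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            self.resources.append((tag, a["src"], "integrity" in a))


def audit_third_parties(html, page_url):
    """List third-party origins the page loads from and which scripts lack SRI."""
    page_host = (urlsplit(page_url).hostname or "").lower()
    parser = _ResourceCollector()
    parser.feed(html)
    origins = []
    scripts_without_sri = []
    for tag, src, has_sri in parser.resources:
        host = (urlsplit(src).hostname or "").lower()  # handles "//cdn/..." too
        if not host or host == page_host:
            continue  # relative or same-origin resource: not a third party
        if host not in origins:
            origins.append(host)
        # SRI applies to <script>; <iframe> has no integrity attribute.
        if tag == "script" and not has_sri:
            scripts_without_sri.append(host)
    return {
        "third_party_origins": sorted(origins),
        "distinct_sites": len(origins) + 1,  # third parties plus the site itself
        "scripts_without_sri": scripts_without_sri,
    }


# Constructed sample page; every hostname is a placeholder.
SAMPLE_HTML = """
<html><head>
<script src="https://analytics.example/t.js"></script>
<script src="https://cdn.example/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="//ads.example/loader.js"></script>
<script src="https://www.example.com/own.js"></script>
<script src="/static/app.js"></script>
</head><body>
<iframe src="https://video.example/embed/123"></iframe>
</body></html>
"""

if __name__ == "__main__":
    print(audit_third_parties(SAMPLE_HTML, "https://www.example.com/page"))
```

Two caveats when reading the output: the audit only sees what is in the static HTML, so trackers injected later by other trackers (the usual case on ad-heavy pages) are not counted, and a missing `integrity` attribute is not a defect in itself when the third party intentionally ships frequently changing code; it simply marks the scripts for which you are trusting the host outright.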

Browser Guard

There is simply no way for an individual, even a highly skilled one, to know when they’re using a website that includes a third-party component compromised by criminal hackers or operated by a company prepared to bend the rules at the expense of your privacy and security. And while legitimate ad companies offer opt outs from tracking, staying on top of them is unworkably hard.

Technologies like Browser Guard fill the gap, staying on top of the known nasties and blocking ads that can harbour malvertising, scams, and other threats, even on the biggest websites.

If you want to find out how much Browser Guard can block for you, download it today.

Ford says it’s safe to drive its cars with a WiFi vulnerability

Ford has released information about a buffer overflow vulnerability in its SYNC 3 infotainment system.

Ford learned from a supplier that a security researcher had discovered a vulnerability in the Wi-Fi software driver supplied for use in the SYNC 3 infotainment system available on some Ford and Lincoln vehicles. The company said it started an investigation and subsequently decided that the vulnerability does not affect vehicle driving safety.

Ford’s SYNC 3 system exists in Ford models from 2015 onward. Other than recent vehicles that have the newest version, most Ford vehicles have SYNC 3. If you have a Ford Owner account, you can go to the Vehicle Dashboard to see what version of SYNC your car has.

Lincoln drivers can check their version on the Lincoln Support site (you will need to enter your VIN).

The SYNC 3 vulnerability is CVE-2023-29468: a vulnerability in the TI WiLink WL18xx MCP driver. An attacker within wireless range of a potentially vulnerable device can gain the ability to overwrite memory of the host processor executing the MCP driver. Exploiting this vulnerability involves a malicious actor crafting a specific frame to trigger a buffer overflow, potentially leading to remote code execution (RCE).

A buffer overflow is a type of software vulnerability that occurs when a program writes more data into an area of memory than that area was allocated to hold, so the excess spills into the adjacent memory region.

Ford’s assessment of the vulnerability is that it is highly unlikely to be exploited, since it requires a highly skilled attacker within close proximity of the target vehicle, and the vehicle needs to have the engine running and WiFi support enabled. Ford said it isn’t aware of any instances of exploitation.

And even if an attacker were to gain RCE on the SYNC 3 system using this vulnerability, the potential damage would be limited, since the system is isolated from critical control functions like steering, throttling, and braking.

Ford says that if drivers are worried, they can disable the WiFi support in the SYNC 3 infotainment system in the Settings menu, which will stop an attacker from being able to exploit the vulnerability.

Ford is still working on a patch, which is expected in the coming weeks and will come with instructions on how to manually install it using a USB flash drive.



PCMag ranks Malwarebytes #1 cybersecurity vendor

PCMag, one of the most trusted publications by IT professionals, named Malwarebytes the #1 most-recommended security software vendor on its list of Best Tech Brands for 2023.

The ranking is based on a Net Promoter Score (NPS), a composite rating based on customer reviews from PCMag’s Reader’s Choice and Business Choice surveys, meaning the score reflects real user feedback.

Malwarebytes ranked #3 out of ALL tech brands, ahead of Apple and Bose, with an NPS score shooting up from 77 in 2022 to 83 in 2023 for security suites, demonstrating the growing trust IT teams and MSPs place in our EDR and MDR solutions.

Why readers chose Malwarebytes

There are a number of reasons why PCMag readers ranked Malwarebytes as the #1 cybersecurity brand ahead of vendors like Webroot and Bitdefender. It all starts with superior prevention.

Malwarebytes consistently ranks #1 in third-party evaluations, with a 100% detection rate with zero false positives. For example, we’re the only vendor to win every MRG Effitas certification & award in 2022 and so far in 2023 on the rigorous independent lab tests.

The behavior-based detection techniques and proprietary anti-exploit technology of Malwarebytes EDR is proven to detect and block more malware and advanced threats than any other vendor.

But today’s IT-constrained organizations need endpoint security solutions that not only prevent the most advanced threats, but that are easy to use as well. Malwarebytes’ customers rank our EDR highly for its ease of use, remediation capabilities, and total ROI.

Award-winning EDR Solution

Malwarebytes EDR has been recognized for having the Best Support, being Easiest to Do Business With, having the Easiest Admin, being the Easiest to Use, Most Implementable, and the Easiest to Set Up.   

“The Nebula console is one of the most user-friendly interfaces we’ve come across. We can’t recommend it enough.” – Justin N.

“Malwarebytes makes it simple to deploy. Additionally, the user interface has minimal impact on the end-user, so it’s win-win. Support are happy to help when you do hit the occasional bump and the portal is easy to use and very responsive.” – John K.

We remediate better

Unlike other EDR solutions, Malwarebytes is born out of remediation, with a long history of finding and fixing what other solutions miss—as seen in our Remediation Map of Malwarebytes’ superior detection in action.  

Automated and thorough malware removal is hard, and vendors too often focus only on deleting the active malicious executables. Malwarebytes’ proprietary technology removes dynamic and related artifacts to thoroughly remediate infections and prevent reinfection.

“Prior to Malwarebytes, we spent many hours and days cleaning up viruses and malware that other products failed to identify and remediate. We now have close to zero need for after infection cleanups which frees us up to do other things.” – Ron M.

Highest ROI 

Ranked #1 EDR in G2’s Summer 2023 report, Malwarebytes provides the best estimated ROI of all endpoint protection suites based on a unique combination of rapid implementation and time to ROI. 

“The best part about Malwarebytes is the set it and forget it. It has saved us so much time on deployment and remediation that it pays for itself in no time at all.” – Ron M.

“It keeps our working environment much more secure than our previous solution. Much easier to manage in real time. This thing is a money saver and pays for itself.” – Tyson B.

Why organizations choose Malwarebytes MDR 

Customers not only love the easy effectiveness of our EDR; our Managed Detection and Response (MDR) managed service receives high praise too.

The powerful and affordable threat detection and remediation services of Malwarebytes MDR have rescued many an IT team member from persistent threats and sleepless nights. Drummond, a Florida-based print company, experienced the benefits of 24×7 monitoring and threat investigation to stop attacks firsthand:

“Cyber threats are 24/7, and my team needs to sleep. The MDR team watching our network around-the-clock gives us a chance to sleep without worry. With Malwarebytes MDR backing us up, I also finally got to step away and take a two-week vacation. I’m just glad to know that we have a security team watching over our shoulder and making sure it’s all clear.” – Dennis Davis, IT Systems Manager, Drummond 

Try Malwarebytes for Business today 

Most of all, we appreciate the trust and support of our customers in making Malwarebytes the #1 cybersecurity solution for IT teams and MSPs.  

Interested in seeing why PCMag readers recommend Malwarebytes? Learn more below.

Get a free demo today.

A week in security (August 7 – August 13)

Last week on Malwarebytes Labs:

Stay safe!



A new type of “freedom,” or, tracking children with AirTags, with Heather Kelly: Lock and Code S04E17

“Freedom” is a big word, and for many parents today, it’s a word that includes location tracking. 

Across America, parents are snapping up Apple AirTags, the inexpensive location tracking devices that can help owners find lost luggage, misplaced keys, and—increasingly so—roving toddlers setting out on mini-adventures. 

The parental fear right now, according to The Washington Post technology reporter Heather Kelly, is that “anybody who can walk, therefore can walk away.” 

Parents wanting to know what their children are up to is nothing new. Before the advent of the Internet—and before the creation of search history—parents read through diaries. Before GPS location tracking, parents called the houses that their children were allegedly staying at. And before nearly every child had a smart phone that they could receive calls on, parents relied on a much simpler set of tools for coordination: Going to the mall, giving them a watch, and saying “Be at the food court at noon.” 

But, as so much parental monitoring has moved to the digital sphere, there’s a new problem: Children become physically mobile far faster than they become responsible enough to own a mobile. Enter the AirTag: a small, convenient device for parents to affix to toddlers’ wrists, place into their backpacks, even sew into their clothes, as Kelly reported in her piece for The Washington Post.

In speaking with parents, families, and childcare experts, Kelly also uncovered an interesting dynamic. Parents, she reported, have started relying on Apple AirTags as a means to provide freedom, not restrictions, to their children. 

Today, on the Lock and Code podcast with host David Ruiz, we speak with Kelly about why parents are using AirTags, how childcare experts are reacting to the recent trend, and whether the devices can actually provide a balm to increasingly stressed parents who may need a moment to sit back and relax. Or, as Kelly said:

“In the end, parents need to chill—and if this lets them chill, and if it doesn’t impact the kids too much, and it lets them go do silly things like jumping in some puddles with their friends or light, really inconsequential shoplifting, good for them.”

Tune in today. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

YouTube makes sweeping changes to tackle spam on Shorts videos

YouTube is rolling out unclickable links. 

Video portals like YouTube have had to deal with spam comments and bogus links for many years. With new additions to a platform come new places for scammers to go about their business. YouTube is now cracking down on links posted to the comments section of Shorts.

Shorts has been around for a few years now, but you may not have noticed the video format up until this point. They’re most commonly found on the frontpage of YouTube, in the form of horizontally framed Tik-Tok style clips. Clicking into a Shorts video will give you an endless, scrolling feed of seemingly random content. Some videos have hashtags you can click into, but for the most part it can feel like a chaotic, non-curated experience.

As with regular YouTube videos, users of the site can leave comments and replies to videos on Shorts, but that’s introduced a new problem. So, YouTube introduced sweeping changes that will affect people who are trying to build out a Shorts platform. From the release detailing the changes:

Since introducing Shorts two years ago, the volume and speed of content published on YouTube has increased in fun and exciting ways. At the same time, this speed and level of engagement has made it easier for spammers and scammers to share links in Shorts comments and Shorts descriptions that harm the community – for example, clickable links that drive users to malware, phishing, or scam-related content.

Essentially: if you build it (and by “it”, I mean “a rapid-fire barrage of non-stop content”) they will come (and by “they”, I mean “a cavalcade of spam the likes of which the moderation team simply cannot police”).

The list of link-related casualties is as follows:

Starting on August 31st, 2023, links in Shorts comments, Shorts descriptions, and links in the vertical live feed will no longer be clickable – this change will roll out gradually. We don’t have any plans to make any other links unclickable. Because abuse tactics evolve quickly, we have to take preventative measures to make it harder for scammers and spammers to mislead or scam users via links.

YouTube also goes on to say that “clickable social media icons from all desktop channel banners will no longer show, as they can be a source of misleading links.” As The Verge notes, these links are used to direct content viewers to their accounts on other websites. Considering the Shorts platform is fairly limited in functionality compared to others of a similar nature, removing anything along these lines could cause issues for Shorts makers.

There are plans to replace these links with something, though there’s no word yet as to what form this may take. 

In 2022, one of YouTube’s transparency reports showed that a big problem was in the realm of misinformation—122,000 videos (not channels) were removed for violating misinformation policies from an overall total of four million removals in Q2 2022. And 89 of these were removed due to being classed as “Spam, misleading, and scams.” The biggest reason for videos being removed was child safety, clocking 1,383,028 removals (31 percent of the overall tally).

With this in mind, it makes sense that YouTube would be keen to bring the banhammer down on a sudden rise in scams affecting the Shorts platform. The quick-cut video content is geared toward younger users; indeed, it’s popular with the 16 – 24 age group. The last thing YouTube or Google needs is a potential child safety issue spreading wildly out of control with rogue links and dubious comments lurking in potentially blink-and-you’ll-miss-it comments sections.

Ultimately, this could be a burden for Shorts creators, but it is a proactive move and anything which impacts the terrifying volume of spam on one of the biggest video platforms in the world can only be a good thing.

