IT News

Phishers and scammers can’t get enough of sending their feeble attempts to Malwarebytes’ employees. For which we can’t thank them enough because it means we can warn you, our readers.

This time the scammers tried to impersonate Best Wallet—an app that lets people store, send, and receive cryptocurrencies like Bitcoin and Ethereum directly on their own device, without needing a middleman or a bank.

The aim of this scam: to trick people into connecting their cryptocurrency wallets to a fake site, giving scammers a way to steal private keys, seed phrases, or other payment details.

There are many cryptocurrency-based scams around, but this one is a little different.

“BestWallet : You are eligible for our event !”

The shortened URL leads to https://bestwallet-event[.]com/.

To avoid detection by bots and researchers, the website is behind a Captcha—which also builds a bit of false trust, since it’s something visitors expect to see.

Solving the Captcha brings the target to a rather convincing copy of the real bestwallet(.com) website, featuring the so-called event.

For those new to cryptocurrencies, an “airdrop” is a giveaway of a new or existing cryptocurrency to promote awareness or reward supporters of a project or platform.

On the surface the site looks very similar to the legitimate one, right down to the branding, visual assets, and even the FAQ content. But one thing stood out: the “Connect a Wallet” button in the top right-hand corner.

The real site only provides links to official app stores for downloads. It doesn’t include wallet connect options or payment forms.

If you were to tap that “Connect a Wallet” button, you’ll see these options:

This is the same menu you’ll see if you click the “Claim Token” or “Check Eligibility” buttons, by the way.

The code on the fake website also includes JavaScript elements that could copy/paste or intercept user inputs during wallet connections or transactions—unlike the official site, which directs users to app stores for all sensitive actions.

From all this it seems obvious the scammers’ goal is to phish wallet credentials, private keys, seed phrases or steal payment details. These attacks are often disguised in interactive buttons/forms that the real site never uses outside the regulated app or store environments.

How to stay safe

Besides the golden rule–that when it sounds too good to be true, it probably is, or at least deserves extra scrutiny–there are a few other tips to stay out of the scammers’ claws:

• Don’t respond to unsolicited text messages.
• Never click on links in messages before verifying the destination. Scammers use shortened URLs to hide impersonation domains.
• Use up-to-date real-time protection on your devices, preferably with a web protection component:
  
• If you see any prompt for wallet connection, seed phrase, or card details directly in the browser, close the tab immediately. That’s a strong sign the site is fake and attempting to steal your cryptocurrency.
• If you’re unsure whether a message is a scam, submit it to Malwarebytes Scam Guard and it will help you decide and provide advice.

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

In December 2024, CPAP Medical Supplies and Services Inc. (CPAP), a Jacksonville—a Florida-based provider of sleep therapy services and CPAP machines—experienced a cybersecurity incident that compromised the personal data of over 90,000 patients.

Since CPAP Medical specializes in tailored sleep apnea equipment for the US military, most of the patients are military members, veterans, and their families.

An unauthorized actor accessed CPAP’s network between December 13 and December 21, 2024. The breach wasn’t discovered until late June 2025, and affected parties were notified by mid-August. The stolen data includes:

• Full names
• Birth dates
• Social Security numbers
• Health insurance information
• Medical history
• Treatment plans

The impact is particularly severe for military personnel and their families, many of whom rely on medical equipment and services like those CPAP provides. Exposure of personal and health data can have serious consequences, including risks to personal security, eligibility for benefits, future job applications, and trust in healthcare providers.

CPAP says it is unaware of any misuse of patient data as a result of the incident, but the affected individuals have been offered free credit monitoring and identity theft protection as a precaution.

Healthcare data breaches are unfortunately common, often affecting tens or even hundreds of thousands of people each year. Cybercriminals frequently target healthcare organizations because of the sensitive data they store—information that can be exploited for identity theft, fraud, or blackmail.

Protecting yourself after a data breach

CPAP has sent personalized notifications to the affected patients. If you think you have been the victim of a data breach, here are steps you can take to protect yourself:

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice it offers.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor. Some forms of 2FA can be phished just as easily as a password, but 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the company’s website to see if it’s contacting victims and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to let sites remember your card details, but we highly recommend not storing that information on websites.
• Set up identity monitoring, which alerts you if your personal information is found being traded illegally online and helps you recover after.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Popular social platform Discord has suffered a data breach—though technically, it wasn’t Discord itself that was hacked. A third-party customer support provider was compromised, allowing attackers to access Discord’s user data. Either way, it’s Discord users who feel the impact.

The breach, which happened on September 20, didn’t involve a direct attack on Discord’s servers. Instead, attackers gained access through a customer support partner. Criminals claimed they breached Zendesk, the help desk service Discord uses for customer support, according to reports.

Attackers stole data including real names, Discord usernames, email addresses, and other contact details provided to customer support. The breach appears to have been financially motivated and included a ransom demand.

In some cases, “limited billing information” was also taken—including payment type, the last four digits of credit card numbers, and purchase histories. Customer IP addresses and messages with support agents were also exposed.

More concerning is that some users had especially sensitive information stolen. Discord said in its advisory:

“The unauthorized party also gained access to a small number of government-ID images (e.g., driver’s license, passport) from users who had appealed an age determination. If your ID may have been accessed, that will be specified in the email you receive.”

Attacks like this show how large the fallout can be when consumer-focused services are hit.

Discord, once known mainly for gaming communities, now hosts more than 200 million monthly active users and is widely used by companies to host customer and community channels.

According to vendor risk management firm Rescana, the attackers identified themselves as Scattered Lapsu$ Hunters (SLH). BleepingComputer reported this too, but later said SLH changed its story, pointing to another group it knows and interacts with.

The problem with these kinds of groups is that they often share techniques and even members, muddying the waters.

Rescana described SLH as a coalition—combining tactics from Scattered Spider, Lapsu$, and ShinyHunters: groups known for stealing data from third-party partners like support vendors or software suppliers. The attacks relied on social engineering rather than malware.

Discord disclosed the incident 13 days later, on October 3. It has since revoked its support provider’s access, launched an internal investigation with a forensics firm, and notified affected users.

The company reminded users that any communication about the breach will come only from noreply@discord.com and that it will never call users directly.

We don’t just report on data privacy—we help you remove your personal information

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

In a very recent and well-targeted phishing attempt, scammers tried to get hold of the 1Password credentials belonging to a Malwarebytes’ employee.

Stealing someone’s 1Password login would be like hitting the jackpot for cybercriminals, because they potentially export all the saved logins the target stored in the password manager.

The phishing email looked like this:

“Your 1Password account has been compromised

Unfortunately, Watchtower has detected that your 1Password account password has been found in a data breach. This password protects access to your entire vault.

Take action immediately

To keep your account secure, please take the following actions:

– Change your 1Password account password

– Enable two-factor authentication

– Review your account activity

Secure my account now

If you need help securing your account, or have any questions, contact us. Our team is on hand to provide expert, one-on-one support.”

While the email looks convincing enough, you can spot a few red flags.

• The sender’s address watchtower@eightninety[.]com does not belong to 1Password, which typically use the domain @1password.com.
• If you hover over the “Secure my account now” button you’ll notice that it points to: https://mandrillapp[.]com/track/click/30140187/onepass-word[.]com?p={long-identifier}

Although 1Password’s Watchtower feature can send alerts about compromised passwords, it does so by checking its database of known data breaches and then notifying you directly within the 1Password app or through very specific emails about the breach—not by sending a generic message like this.

Obviously, the onepass-word[.]com is a feeble attempt to make it look legitimate. I guess all the good typosquats were already taken or protected. What’s interesting is that the “Contact us” link goes to the legitimate support.1password.com, although it also flows through a redirect through mandrillapp.

Mandrillapp is a transactional email API and delivery service provided by Mailchimp. It enables organizations to send automated, event-driven emails like order confirmations, password resets, and shipping notifications. Mandrill also provides delivery tracking and statistics to their customers.

What the scammers may not have realized is that Mandrillapp doesn’t forward people to known phishing websites.

Shortly after the emails went out on October 2, the domain was already classified as a phishing site by several vendors. By October 3, anyone that clicked the button would end up viewing an error message on mandrillapp[.]com saying bad url - reference number: {23 character string}.

But early birds would have seen this form:

Anyone who fell for this scam would have sent their 1Password credentials straight to the phishing crew.

On September 25, 2025, Hoax-Slayer reported about a very similar phishing expedition. This might indicate that this was the first—and probably is not the last—attempt, so be warned.

With the key to your password vault, cybercriminals could take over all your important accounts and potentially steal your identity, so be very careful about where and when you use these credentials.

Our advice:

• Do not click any links or buttons in an unsolicited email
• Do not provide any of your 1Password credentials or personal information.
• If you are concerned about your 1Password account, go directly to the official 1Password website or app and check your account status there.
• Use up-to-date real-time protection which includes a web protection module.

Indicators of compromise (IOCs)

Email address:

watchtower@eightninety[.]com

Domain Phishing website:

onepass-word[.]com

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

This week on the Lock and Code podcast…

“Connection” was the promise—and goal—of much of the early internet. No longer would people be separated from vital resources and news that was either too hard to reach or made simply inaccessible by governments. No longer would education be guarded behind walls both physical and paid. And no longer would your birthplace determine so much about the path of your life, as the internet could connect people to places, ideas, businesses, collaborations, and agency.

Somewhere along the line though, “connection” got co-opted. The same platforms that brought billions of people together—including Facebook, Twitter, Instagram, TikTok, and Snapchat—started to divide them for profit. These companies made more money by showing people whatever was most likely to keep them online, even if it upset them. More time spent on the platfrom meant more likelihood of encountering ads which meant more advertising revenue for Big Tech.

Today, these same platforms are now symbols of some of the worst aspects of being online. Nation-states have abused the platforms to push disinformation campaigns. An impossible sense of scale allows gore and porn and hate speech to slip by even the best efforts at content moderation. And children can be exposed to bullying, peer pressure, and harassment.

So, what would it take to make online connection a good thing?

Today, on the Lock and Code podcast with host David Ruiz, we speak with Rabble—an early architect of social media, Twitter’s first employee, and host of the podcast Revolution.Social—about what good remains inside social media and what steps are being taken to preserve it.

“ I don’t think that what we’re seeing with social media is so much a set of new things that are disasters that are rising up from this Pandora’s box… but rather they’re all things that existed in society and now they’re not all kept locked away. So we can see them and we have to address them now.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium Security for Lock and Code listeners.

While two-factor authentication (2FA) is not completely fool-proof, it is one of the best ways to protect your accounts from hackers. It adds an extra step when logging in, which is a small extra effort for you, but it dramatically boosts your security.

With 2FA, you’ll be asked for a special login code when signing in from a device or browser Facebook doesn’t recognize—even if someone already knows your password.

Here’s how to enable 2FA on Facebook for Android, iOS, and the web.

How to set up 2FA for Facebook on Android

1. Open the Facebook app (make sure you’re signed in).
2. Tap the menu (three horizontal lines).
3. Choose Settings & Privacy > Settings.
4. In the Accounts Center tap Password and security.
5. Tap Two-factor authentication and select your account your want to protect.
6. Re-enter your password. Facebook will send a one-time code to your phone or email to confirm it’s you.
7. Pick your preferred security method:
   • Authentication app (recommended) – such as Google Authenticator or Authy.
   • Text message (SMS) or WhatsApp – codes sent to your phone number.
   • Security key – a USB or Bluetooth device.
   • Recovery codes – backup codes to use if other methods aren’t available.
8. Follow on-screen instructions to complete the setup.

How to set up 2FA for Facebook on iPhone or iPad

1. Open the Facebook app (make sure you’re signed in).
2. Tap your profile picture in the bottom right corner.
3. Go to Settings & Privacy > Settings.
4. Tap on Accounts Center, then Password and security.
5. Tap Two-factor authentication and select your account.
6. Re-enter your password. Facebook will send a one-time code to your phone or email to confirm your identity.
7. Choose your preferred method:
   • Authentication app (recommended) – such as Google Authenticator or Authy.
   • Text message (SMS) or WhatsApp – codes sent to your phone number.
   • Security key – a USB or Bluetooth device.
   • Recovery codes – backup codes to use if other methods aren’t available.
8. Follow on-screen instructions to complete the setup.

How to set up 2FA for Facebook on the web

1. Go to facebook.com/settings (or from the home screen, click your profile picture and then Settings & privacy).
2. Navigate to Password and security.
   
3. Click Two-factor authentication, then select your account.
4. Facebook will send a one-time code to your WhatsApp or email to confirm it’s you, and may ask you to re-enter your password.
5. Choose your preferred method:
   • Authentication app (recommended) – such as Google Authenticator or Authy.
   • Text message (SMS) or WhatsApp – codes sent to your phone number.
   • Security key – a USB or Bluetooth device.
   • Recovery codes – backup codes to use if other methods aren’t available.
6. Follow on-screen instructions to complete the setup.

Why you should enable it today

Even the strongest password can be stolen. With 2FA, attackers would also need access to your additional factor to be able to log in to your account, whether that’s a code on a physical device or a security key. That makes hijacking your account much harder.

We recommend you set up 2FA on all your important accounts, including messaging and social media accounts. It only takes a few minutes, but can save you from hours or even days of stress later. It’s currently the best password advice we have.

We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

Last week on Malwarebytes Labs:

• From threats to apology, hackers pull child data offline after public backlash
• Your Meta AI conversations may come back as ads in your feed
• Scam Facebook groups send malicious Android malware to seniors
• Sendit tricked kids, harvested their data, and faked messages, FTC claims
• Gemini AI flaws could have exposed your data
• Tile trackers plagued by weak security, researchers warn
• Apple fixes critical font processing bug. Update now!
• 260 romance scammers and sextortionists caught in huge Interpol sting
• Amazon pays $2.5B settlement over deceptive Prime subscriptions
• Sex offenders, terrorists, drug dealers, exposed in spyware breach

Stay safe!

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Last week we yelled at some “hackers” that threatened parents after stealing data from their children’s nursery.

This followed a BBC report that a group calling itself “Radiant” claimed to have stolen sensitive data related to around 8,000 children from nursery chain Kido, which operates in the UK, US, China, and India.

To prove their possession of the data, the criminals posted samples on their darknet website, including pictures and profiles of ten children. They then issued a ransom demand to Kido, threatening to release more sensitive data unless they were paid.

A few days later, they added profiles of another ten children and threatened to keep going until Kido paid their ransom demand. The group also published the private data of dozens of employees including names, addresses, National Insurance numbers, and contact details.

The criminals then reportedly contacted parents directly with threatening phone calls whilst pushing to get their ransom paid.

But after massive pushback from the general public and some prominent members of the malware community, the attackers initially blurred the children’s images but left the data online. Soon after, they pulled everything offline and issued an apology.

They even claim to have deleted all the children’s data. One of the cybercriminals told the BBC:

“All child data is now being deleted. No more remains and this can comfort parents.”

But, as we have mentioned many times before, computers—and the internet in particular—are not very good at “forgetting” things. Data tends to pop up in unexpected places. Remember when supposedly deleted iPhone photos showed up again after an iOS update?

And, of course, all we have to go on is the word of a criminal with such a bad reputation that even they seemed ashamed of what they did.

They might be feeling a bit sorry for themselves, as they claim to have paid an initial access broker (IAB) for the access to Kido’s systems and will likely see no return on that “investment”.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice it offers.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of 2FA can be phished just as easily as a password, but 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the company’s website to see if it’s contacting victims and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring, which alerts you if your personal information is found being traded illegally online and helps you recover after.

We don’t just report on data privacy—we help you remove your personal information

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

Meta has announced that conversations with its AI assistant will soon be used for targeted advertising. If you’re the kind of person that notices ads for products just after you spoke about them, you won’t be happy about this update.

Meta AI is the company’s generative AI assistant, built into Facebook, Instagram, WhatsApp, Messenger, and Threads. It can answer questions, generate text or images, and recommend content.

Users will soon start to receive notifications about how their interactions with Meta’s generative AI features will be used for targeted advertising. So, ask Meta AI about vacations, hobbies, or new gadgets, for example, and you might soon find related ads in your feed.

Certain topics are excluded—religious views, sexual orientation, political views, health, racial or ethnic origin, philosophical beliefs, or trade union membership—but everything else is fair game.

Meta said this update takes effect on December 16, 2025, and will start notifying users on October 7, 2025 through in-product notifications and emails.

Thanks to stricter privacy laws, users in the EU, UK, and South Korea are exempt, The Register reports.

According to Meta, over 1 billion people use its AI every month. And as we all know, targeted ads bring in more money than generic ones. So, this is how Meta plans to earn back all the money it spent on AI development.

Because, like it or not, Meta isn’t really about connecting friends all over the world. Its business model is almost entirely based on selling targeted advertising space across its platforms.

Generative AI providers are increasingly weaving advertising into their products, especially in free or freemium offerings. Many companies now use AI to create personalized ads directly within user interactions. For example, AI-powered recommendation engines analyze user data and behavior to deliver highly targeted ads, boosting relevancy and engagement. Done well, this approach makes ads feel less intrusive and more like natural content suggestions tailored to individual preferences.

Still, the industry faces big ethical and privacy challenges. Brands and AI providers must balance personalization with transparency and user control, especially as AI tools collect and analyze sensitive behavioral data. Many are turning to opt-in mechanisms, clearer privacy settings, and responsible data use policies to maintain user trust while taking advantage of AI’s ability to deliver relevant, personalized ads.

Meta promises that affected users can continue to adjust the content and ads they’re seeing at any time with tools like Ad Preferences and other feed controls.

The Register jokingly suggested we start our Meta AI chats with something from the “excluded” list, hoping to keep the whole conversation from being used for targeted advertising. Their example:

“Oh, Lord, Meta really thought this was a good idea?”

In the end, it might be better not to share anything too personal with Meta AI, or any chatbot for that matter, and stick to kittens and puppies instead.

We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

An infostealer and banking Trojan rolled into one is making the rounds in Facebook groups aimed at “active seniors”.

Attackers used social engineering methods to lure targets into joining fake Facebook groups that appeared to promote travel and community activities—such as trips, dance classes, and community gatherings. Once people joined, they were invited to download an Android app to “register” for those offered activities.

Researchers at ThreatFabric found numerous Facebook groups created under this pretense, stocked with AI-generated content to appear authentic and trick users into downloading the malware. App names included Senior Group, Lively Years, ActiveSenior, and DanceWave. In some cases, victims were also asked to pay a sign-up fee on the same website, leading to phishing and card detail theft.

One of the servers hosting these downloads was located at download.seniorgroupapps[.]com.

Sometimes the cybercriminals sent a follow-up message through Messenger or WhatsApp, sharing the download links for the malicious apps.

Often this would be the Datzbro Trojan, but sometimes victims were hit with Zombinder, a Trojan dropper capable of bypassing the security restrictions Google introduced in Android 13 and later versions.

What Datzbro can do

The researchers found that Datzbro had capabilities similar to both spyware and banking Trojans—specifically designed to drain bank accounts.

Once installed, this Android malware can:

• Record audio and video, and access files and photos.
• Display phishing overlays that mimic other apps to steal passwords and send them to the attackers.
• Let attackers remotely control infected Android devices, including locking or unlocking the screen.

Researchers analyzed the code and suspect that it was likely developed in China, but later leaked and was reused by broader cybercriminal groups. The campaign has reached victims worldwide, including Australia, Singapore, Malaysia, Canada, South Africa, and the UK.

How to stay safe in Facebook groups

Although many of the Facebook groups involved in this campaign have been taken down, there might be others. To protect yourself:

• Check a Facebook group’s history and avoid those might have freshly set up for malicious purposes. Unfortunately, it’s not possible to check the age of a group before you join, but once you’re a member, look at the dates of historical posts or pinned posts.
• Don’t click on links or install apps provided by such groups or by private messages from people you don’t really know.
• Use up-to-date real-time anti-malware protection, especially on your mobile devices.
• Be wary of groups offering suspicious or too-good-to-be-true promises.
• Check a group’s description and rules for professionalism or red flags.

It’s worth noting that many of the groups also included a button to download an “iOS application.” These were just placeholders at the time, but might be an indication that there are plans to target iPhone users as well.

Indicators of Compromise (IOCs)

The malicious app used these names:

Senior Group

Lively Years

ActiveSenior

DanceWave

and these package names:

twzlibwr.rlrkvsdw.bcfwgozi

orgLivelyYears.browses646

com.forest481.security

inedpnok.kfxuvnie.mggfqzhl

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.