IT News

The Common Vulnerability Scoring System (CVSS) provides software developers, testers, and security and IT professionals with a standardized way to assess vulnerabilities. You can use CVSS to assess the threat level of each vulnerability and then prioritize mitigation accordingly.

This article explains how the CVSS works, reviews its components, and describes why using a standardized process helps organizations assess vulnerabilities consistently.

A software vulnerability is any weakness in the codebase that can be exploited. Vulnerabilities can result from a variety of coding mistakes, including faulty logic, inadequate validation mechanisms, or lack of protection against buffer overflows. Attackers can exploit these weaknesses to gain unauthorized access, execute arbitrary code, or disrupt system operations.

Why use a standardized scoring system?

With thousands of vulnerabilities disclosed each year, organizations need a way to prioritize which ones to address first. A standardized scoring system like CVSS helps teams:

• Compare vulnerabilities objectively
• Prioritize patching and mitigation efforts
• Communicate risk to stakeholders

CVSS is maintained by the Forum of Incident Response and Security Teams (FIRST) and is widely used by organizations and vulnerability databases, including the National Vulnerability Database (NVD).

CVSS v3.x metric groups

CVSS v3.x included three main metric groups:

1. Base metrics: Intrinsic characteristics of a vulnerability that are constant over time and across user environments.
2. Temporal metrics: Characteristics that change over time, but not among user environments.
3. Environmental metrics: Characteristics that are relevant and unique to a particular user’s environment.

What’s new in CVSS v4.0?

The CVSS v4.0 update, released in late 2023, brings several significant changes and improvements over previous versions (v3.0/v3.1). Here’s what’s new and what’s changed:

1. Expanded metric groups

• Base metrics now include more granular distinctions, such as the new Attack Requirements (AT) metric and improved definitions for Privileges Required and User Interaction.
• Threat metrics are a new, optional metric group for capturing real-world exploitation and threat intelligence, helping to prioritize vulnerabilities based on active exploitation.
• Supplemental metrics, provide additional context—such as safety, automation, and recovery—to tailor scoring for specific industries or use cases.

2. Refined scoring and terminology

• Attack Vector (AV) introduced a clearer distinction between network, adjacent, local, and physical vectors, with improved definitions.
• Attack Requirements (AT) is introduced to capture conditions that must exist for successful exploitation, but are outside the attacker’s control.
• Privileges Required (PR) and User Interaction (UI) have been clarified and expanded to reflect modern attack scenarios.
• The scope is now called “vulnerable system,” providing more precise language about what is affected.

3. Greater flexibility and customization

• Modular scoring allows organizations to use the base, threat, and supplemental metrics independently or together.
• Industry-specific extensions let sectors like healthcare, automotive, or critical infrastructure apply more tailored scoring.

4. Improved guidance and usability

• Clearer documentation: The new specification now includes better examples and more detailed guidance to reduce ambiguity in scoring.
• Backwards compatibility: CVSS v4.0 scores are not directly comparable to v3.x scores, but the new system was designed to coexist during the transition period.

How the CVSS scoring process works (v4.0)

1. Assess the base metrics
   • Evaluate the exploitability and impact of the vulnerability using the updated metric definitions.
2. Incorporate threat metrics (optional)
   • If there’s intelligence about active exploitation, adjust the score accordingly to reflect real-world risk.
3. Add environmental and supplemental metrics
   • Tailor the score to your organization’s environment and industry-specific requirements.
4. Calculate the final score
   • The CVSS calculator (now updated for v4.0) combines the selected metrics to produce a score between 0.0 (no risk) and 10.0 (critical risk).

Example of a CVSS v4.0 score

Suppose a newly discovered vulnerability allows remote code execution over the network with no privileges required and no user interaction. Under CVSS v4.0, you would:

• Assign the appropriate base metrics (e.g., Network, Low complexity, No privileges, No user interaction).
• If there is evidence of active exploitation, use the threat metric to increase the urgency.
• Add any environmental or supplemental metrics relevant to your organization.

The resulting score helps you prioritize remediation efforts based on both the technical details and the real-world threat landscape.

Why the update matters

The improvements in CVSS v4.0 reflect the changing nature of software vulnerabilities and the need for more nuanced, actionable risk assessments. By incorporating real-world threat intelligence and industry-specific context, organizations can make better-informed decisions about vulnerability management.

Key takeaways:

• CVSS v4.0 provides more accurate, flexible, and actionable vulnerability scoring.
• New metric groups allow for customization and real-world prioritization.
• Organizations should transition to CVSS v4.0 for a more comprehensive approach to vulnerability risk management.

For more information and to access the latest CVSS v4.0 calculator and documentation, visit the FIRST CVSS v4.0 page.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

A nationwide cyberattack against the OnSolve CodeRED emergency notifications system has prompted cities and counties across the US to warn residents and advise them to change their passwords.

CodeRED is used by local governments to deliver fast, targeted alerts during severe weather, evacuations, missing persons, and other urgent events. Both the data breach and the service outage have serious implications for communities.

The OnSolve CodeRED system is a cloud-based platform used by city, county, and state agencies to send emergency alerts via voice calls, SMS, email, mobile app notifications, and national alerting systems. Because of the incident, some regions temporarily lost access to the system and had to rely on social media or other methods to reach the public.

To avoid confusion: CodeRED is not the same as the Emergency Alert System (EAS), which is the federal government-managed emergency notifications system. The CodeRED emergency notification system is a voluntary program where residents can sign up to receive notifications and emergency alerts affecting the city they live in.

What’s happened?

Among the many affected municipalities, the City of Cambridge’s Emergency Communications, Police, and Fire Departments issued an alert urging users to change their passwords, especially if they reused the same password elsewhere. Similar advisories have been published by towns and counties in multiple states as the scale of the attack became clear.

The City of University Park, Texas, also warned residents:

“As a precaution, we want to make residents aware of a recent cybersecurity incident involving the City’s third-party emergency alert system, CodeRED. We were notified that a cybercriminal group targeted the system, which caused disruption and may have compromised some user data. This incident did not affect any City systems or services and remains isolated to the CodeRED software.”

The cause is reportedly a ransomware attack claimed by the INC Ransom group. The group posted screenshots that appear to show stolen customer data, including email addresses and associated clear-text passwords.

The INC Ransom group also published part of the alleged ransom negotiation, suggesting that Crisis24 (the provider behind CodeRED) initially offered $100,000, later increasing the offer to $150,000, which INC rejected.

The incident forced Crisis24 to shut down its legacy environment and rebuild the system in a new, isolated infrastructure. Some regions, such as Douglas County, Colorado, have terminated their CodeRED contracts following the outage.

Why this matters

Cyberattacks happen, and data breaches are not always preventable. But storing your subscriber database—including passwords in clear text—seems rather careless. Providers should assume people reuse passwords, especially for accounts they don’t view as very sensitive.

Not that ransomware groups care, of course, but systems like CodeRED genuinely saves lives. When that system goes down or cannot be trusted, communities may miss evacuation orders, severe weather warnings, or active-shooter alerts when minutes matter.

Users are now being told to change their passwords, sometimes across multiple websites. But has everyone been notified? And even if they have, will they actually take action?

Protecting yourself after a data breach

If you think you have been the victim of a data breach, here are steps you can take to protect yourself:

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice it offers.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor. Some forms of 2FA can be phished just as easily as a password, but 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for impersonators. The thieves may contact you posing as the breached platform. Check the official website to see if it’s contacting victims and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to let sites remember your card details, but we highly recommend not storing that information on websites.
• Set up identity monitoring, which alerts you if your personal information is found being traded illegally online and helps you recover after.

We don’t just report on threats—we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.

The FBI has issued a public service announcement warning about a surge in account takeover (ATO) fraud, and the timing lines up with a major alert Amazon has just sent to its 300 million customers about brand impersonation scams.

How ATO fraud works

Account takeover fraud is just what it says: Scammers figure out a way to hijack your account and use it for their own gain. It affects everything from email and social media to retailer, travel, and banking accounts. Criminals use plenty of tactics, including malware on your computer or phone, or “credential stuffing,” where they try compromised passwords across lots of sites.

The FBI’s new alert focuses on attackers who impersonate customer support or tech support from your bank. Amazon’s warning describes almost identical techniques, but aimed at Amazon shoppers instead of banking customers.

Attackers send texts, emails and make phone calls designed to fool you into giving away your username and password, and even your multi-factor authentication (MFA) codes. Once they’re in the account, scammers quickly reset passwords or other access controls, locking you out of your own account.

Fake websites, fake alerts, and fake customer support

The FBI highlights another technique used for similar purposes: website-based phishing. The scammer will direct you to a fake site that looks just like your bank’s login page. The moment you enter your details, the criminals steal them and use them on the real banking site.

Amazon says the same thing is happening to its customers. In a warning email sent November 24, it listed the attacks it is seeing most often:

• Fake delivery notices or account-issue messages
• Third-party ads offering unbelievable deals
• Messages via unofficial channels requesting login or payment information
• Links to look-alike websites
• Unsolicited “Amazon support” phone calls

One of the FBI’s examples mirrors this almost exactly: Attackers claim there has been fraudulent activity on your account and urge you to click a link to “fix” it, but it sends you straight to a phishing site.

How do the scammers get you to these sites?

Search engine optimization (SEO) poisoning is one common technique, the FBI says. Scammers buy ads with search engines that direct users to their malicious sites. Many mimic household names with tiny variations that are easy to miss when you’re in a hurry.

Amazon’s warning is backed up by research from FortiGuard Labs, which found that 19,000+ new domains set up to imitate major retail brands. 2,900 of those were proven to be malicious.

This wave of impersonation attacks isn’t limited to search ads and look-alike domains. Researchers have also uncovered a system called Matrix Push C2 that abuses browser push notifications to deliver fake alerts designed to look like they’re from trusted brands such as Netflix, PayPal, and Cloudflare. Once clicked, those alerts lead victims to phishing pages or malware, giving attackers yet another path to steal login details or take over accounts.

A growing epidemic

This type of fraud is on the rise. According to TransUnion, digital account takeover climbed 21% from H1 2024 to H1 2025, and 141% since H1 2021. It’s big business; the FBI has received over 5,100 complaints since January, and says that losses have hit $262 million.

This is a popular time for scammers to ramp up ATO fraud. Amazon’s alert comes at one of the busiest online shopping periods of the year—Black Friday and the run-up to the holidays.

And while MFA is important, it doesn’t always save you. Proofpoint found that 65% of compromised accounts had MFA enabled. But if you give up your secrets to a scammer, they have the keys to the kingdom.

Passwordless options such as passkeys promise better security because then there’s no MFA code to give up (you just use biometric access or click on a browser prompt to log in). However, those are still relatively uncommon compared to passwords, and when they do exist, people don’t often use them.

How to protect yourself

Cybercriminals prey on the vulnerable and the distracted. Brand impersonation works because attackers lean hard on urgency. They claim your account has been breached, or a large transaction has gone through, or a delivery can’t be completed.

Scammers are experts at using fear to get past your emotional defenses. In one inventive twist highlighted by the FBI, scammers told victims their details were used for firearms purchases, then transferred them to a fake “law enforcement” accomplice. Once fear kicks in, people act fast.

Whether the scammer is posing as Amazon, your bank, or a courier service, the same rules apply:

• Bookmark your bank and retailer login pages. Don’t search for them, as results can be spoofed.
• Use official apps. Download your bank or Amazon app directly from an official link, not through a search engine.
• Be stingy with personal info. Pet names, schools, and birthdays can help criminals with “security questions.”
• Be skeptical of caller ID. It can be spoofed. Hang up, then call back using a verified number.
• Use passkeys if offered. They cut out SMS codes entirely and help prevent phishing.
• Never share one-time codes. No legitimate company will ask.

Amazon also reminds users:

• It will never ask for payment information over the phone.
• It will never send emails asking customers to verify login details.
• All account changes, tracking, and refunds should go through the Amazon app or website only.

If you do think you’ve been hit by an ATO scam, contact your bank immediately to try and recall or reverse any fraudulent transactions. It might still not be too late, but every second counts. Also, file a complaint with the FBI’s IC3 online crime unit.

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

Researchers have discovered a new attack targeting Mac users. It lures them to a fake job website, then tricks them into downloading malware via a bogus software update.

The attackers pose as recruiters and contact people via LinkedIn, encouraging them to apply for a role. As part of the application process, victims are required to record a video introduction and upload it to a special website.

On that website, visitors are tricked into installing a so-called update for FFmpeg media file-processing software which is, in reality, a backdoor. This method, known as the Contagious Interview campaign, points to the Democratic People’s Republic of Korea (DPRK).

Contagious Interview is an illicit job-platform campaign that targets job seekers with social engineering tactics. The actors impersonate well-known brands and actively recruit software developers, artificial intelligence researchers, cryptocurrency professionals, and candidates for both technical and non-technical roles.

The malicious website first asks the victim to complete a “job assessment.” When the applicant tries to record a video, the site claims that access to the camera or microphone is blocked. To “fix” it, the site prompts the user to download an “update” for FFmpeg.

Much like in ClickFix attacks, victims are given a curl command to run in their Terminal. That command downloads a script which ultimately installs a backdoor onto their system. A “decoy” application then appears with a window styled to look like Chrome, telling the user Chrome needs camera access. Next, a window prompts for the user’s password, which, once entered, is sent to the attackers via Dropbox.

The end-goal of the attackers is Flexible Ferret, a multi-stage macOS malware chain active since early 2025. Here’s what it does and why it’s dangerous for affected Macs and users:

After stealing the password, the malware immediately establishes persistence by creating a LaunchAgent. This ensures it reloads every time the user logs in, giving attackers long-term, covert access to the infected Mac.

FlexibleFerret’s core payload is a Go-based backdoor. It enables attackers to:

• Collect detailed information about the victim’s device and environment
• Upload and download files
• Execute shell commands (providing full system control)
• Extract Chrome browser profile data
• Automate additional credential and data theft

Basically, this means the infected Mac becomes part of a remote-controlled botnet with direct access for cybercriminals.

How to stay safe

While this campaign targets Mac users, that doesn’t mean Windows users are safe. The same lure is used, but the attacker is known to use the information stealer InvisibleFerret against Windows users.

The best way to stay safe is to be able to recognize attacks like these, but there are some other things you can do.

• Always keep your operating system, software, and security tools updated regularly with the latest patches to close vulnerabilities.
• Do not follow instructions to execute code on your machine that you don’t fully understand. Never run code or commands copied from websites, emails, or messages unless you trust the source and understand the action’s purpose. Verify instructions independently. If a website tells you to execute a command or perform a technical action, check through official documentation or contact support before proceeding.
• Use a real-time anti-malware solution with a web protection component.
• Be extremely cautious with unsolicited communications, especially those inviting you to meetings or requesting software installs or updates; verify the sender and context independently.
• Avoid clicking on links or downloading attachments from unknown or unexpected sources. Verify their authenticity first.
• Compare the URL in the browser’s address bar to what you’re expecting.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Several researchers have flagged a new development in the ongoing ClickFix campaign: Attackers are now mimicking a Windows update screen to trick people into running malware.

ClickFix campaigns use convincing lures, historically “Human Verification” screens, and now a fake “Windows Update” splash page that exactly mimics the real Windows update interface. Both require the user to paste a command from the clipboard, making the attack depend heavily on user interaction.

As shown by Joe Security, ClickFix now displays its deceptive instructions on a page designed to look exactly like a Windows update.

In full-screen mode, visitors running Windows see instructions telling them to copy and paste a malicious command into the Run box.

“Working on updates. Please do not turn off your computer.
Part 3 of 3: Check security
95% complete

Attention!
To complete the update, install
the critical Security Update

[… followed by the steps to open the Run box, paste “something” from your clipboard, and press OK to run it]

The “something” the attackers want you to run is an mshta command that downloads and runs a malware dropper. Usually, the final payload is the Rhadamanthys infostealer.

Technical details

If the user follows the displayed instructions this launches a chain of infection steps:

• Stage 1: mshta.exe downloads a script (usually JScript). URLs consistently use hex-encoding for the second octet and often rotate URI paths to evade signature-based blocklists
• Stage 2: The script runs PowerShell code, which is obfuscated with junk code to confuse analysis.
• Stage 3: PowerShell decrypts and loads a .NET assembly acting as a loader.
• Stage 4: The loader extracts the next stage (malicious shellcode) hidden within a resource image using custom steganography. In essence, we use the name steganography for every technique that conceals secret messages in something that doesn’t immediately cause suspicion. In this case, the malware is embedded in specific pixel color data within PNG files, making detection difficult.
• Stage 5: The shellcode is injected into a trusted Windows process (like explorer.exe), using classic in-memory techniques like VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread.
• Final payload: Recent attacks delivered info-stealing malware like LummaC2 (with configuration extractors provided by Huntress) and the Rhadamanthys information stealer.

Details about the steganography used by ClickFix:

Malicious payloads are encoded directly into PNG pixel color channels (especially the red channel). A custom steganographic algorithm is used to extract the shellcode from the raw PNG file.

• The attackers secretly insert parts of the malware into the image’s pixels, especially by carefully changing the color values in the red channel (which controls how red each pixel is).
• To anyone viewing the picture, it still looks totally normal. No clues that it’s something more than just an image.
• But when the malware script runs, it knows exactly where to “look” inside the image to find those hidden bits.
• The script extracts and decrypts this pixel data, stitches the pieces together, and reconstructs the malware directly in your computer’s memory.
• Since the malware is never stored as an obvious file on disk and is hidden inside an innocent-looking picture, it’s much harder for anti-malware or security programs to catch.

How to stay safe

With ClickFix running rampant—and it doesn’t look like it’s going away anytime soon—it’s important to be aware, careful, and protected.

• Slow down. Don’t rush to follow instructions on a webpage or prompt, especially if it asks you to run commands on your device or copy-paste code. Attackers rely on urgency to bypass your critical thinking, so be cautious of pages urging immediate action. Sophisticated ClickFix pages add countdowns, user counters, or other pressure tactics to make you act quickly.
• Avoid running commands or scripts from untrusted sources. Never run code or commands copied from websites, emails, or messages unless you trust the source and understand the action’s purpose. Verify instructions independently. If a website tells you to execute a command or perform a technical action, check through official documentation or contact support before proceeding.
• Limit the use of copy-paste for commands. Manually typing commands instead of copy-pasting can reduce the risk of unknowingly running malicious payloads hidden in copied text.
• Secure your devices. Use an up-to-date real-time anti-malware solution with a web protection component.
• Educate yourself on evolving attack techniques. Understanding that attacks may come from unexpected vectors and evolve helps maintain vigilance. Keep reading our blog!

Pro tip: Did you know that the free Malwarebytes Browser Guard extension warns you when a website tries to copy something to your clipboard?

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

Messaging giant WhatsApp has around three billion users in more than 180 countries. Researchers say they were able to identify around 3.5 billion registered WhatsApp accounts thanks to a flaw in the software. That higher number is possible because WhatsApp’s API returns all accounts registered to phone numbers, including inactive, recycled, or abandoned ones, not just active users.

If you’re going to message a WhatsApp user, first you need to be sure that they have an account with the service. WhatsApp lets apps do that by sending a person’s phone number to an application programming interface (API). The API checks whether each number is registered with WhatsApp and returns basic public information.

WhatsApp’s API will tell any program that asks it if a phone number has a WhatsApp account registered to it, because that’s how it identifies its users. But this is only supposed to process small numbers of requests at a time.

In theory, WhatsApp should limit how many of these lookups you can do in a short period, to stop abuse. In practice, researchers at the University of Vienna and security lab SBA Research found that those “intended limits” were easy to blow past.

They generated billions of phone numbers matching valid formats in 245 countries and fired them at WhatsApp’s servers. The contact discovery API replied quickly enough for them to query more than 100 million numbers per hour and confirm over 3.5 billion active accounts.

The team sent around 7,000 queries per second from a single source IP address. That volume of traffic should raise the eyebrows of any decent IT administrator, yet WhatsApp didn’t block the IP or the test accounts, and the researchers say they experienced no effective rate-limiting:

“To our surprise, neither our IP address nor our accounts have been blocked by WhatsApp. Moreover, we did not experience any prohibitive rate-limiting.”

Data-palooza at WhatsApp

The data exposed goes beyond identification of active phone numbers. By checking the numbers against other publicly accessible WhatsApp endpoints, the researchers were able to collect:

• profile pictures (publicly visible ones)
• “about” profile text
• metadata tied to accounts

Profile photos were available for a large portion of users–roughly two-thirds are in the US region–based on a sample. That raises obvious privacy concerns, especially when combined with modern AI tools. The researchers warned:

“In the hands of a malicious actor, this data could be used to construct a facial recognition–based lookup service — effectively a ‘reverse phone book’ — where individuals and their related phone numbers and available metadata can be queried based on their face.”

The “about” text, which defaults to “Hey there! I’m using WhatsApp,” can also reveal more than intended. Some users include political views, sexual identity or orientation, religious affiliation, or other details considered highly sensitive under GDPR. Others post links to OnlyFans accounts, or work email addresses at sensitive organisations including the military. That’s information intended for contacts, not the entire internet.

Although ethics rules prevented the team from examining individual people, they did perform higher-level analysis… and found some striking things. In particular, they found millions of active registered WhatsApp accounts in countries where the service is banned. Their dataset contained:

• nearly 60 million accounts in Iran before the ban was lifted last Christmas Eve, rising to 67 million afterward
• 2.3 million accounts in China
• 1.6 million in Myanmar
• and even a handful (five) in North Korea

This isn’t Meta’s first time accidentally serving up data on a silver platter. In 2021, 533 million Facebook accounts were publicly leaked after someone scraped them from Facebook’s own contact import feature.

This new project shows how long-lasting the effects of those leaks can be. The researchers at the University of Vienna and SBA Research found that 58% of the phone numbers leaked in the Facebook scrape were still active WhatsApp accounts this year. Unlike passwords, phone numbers rarely change, which makes scraped datasets useful to attackers for a long time.

The researchers argue that with billions of users, WhatsApp now functions much like public communication infrastructure but without anything close to the transparency of regulated telecom networks or open internet standards. They wrote,

“Due to its current position, WhatsApp inherits a responsibility akin to that of a public telecommunication infrastructure or Internet standard (e.g., email). However, in contrast to core Internet protocols which are governed by openly published RFCs and maintained through collaborative standards — this platform does not offer the same level of transparency or verifiability to facilitate third-party scrutiny.”

So what did Meta do? It began implementing stricter rate limits last month, after the researchers disclosed the issues through Meta’s bug bounty program in April.

In a statement to SBA Research, WhatsApp VP Nitin Gupta said the company was “already working on industry-leading anti-scraping systems.” He added that the scraped data was already publicly available elsewhere, and that message content remained safe thanks to end-to-end encryption.

We were fortunate that this dataset ended up in the hands of researchers—but the obvious question is what would have happened if it hadn’t? Or whether they were truly the first to notice? The paper itself highlights that concern, warning:

“The fact that we could obtain this data unhindered allows for the possibility that others may have already done so as well.”

For people living under restrictive regimes, data like this could be genuinely dangerous if misused. And while WhatsApp says it has “no evidence of malicious actors abusing this vector,” absence of evidence is not evidence of absence, especially for scraping activity, which is notoriously hard to detect after the fact.

What can you do to protect yourself?

If someone has already scraped your data, you can’t undo it. But you can reduce what’s visible going forward:

• Avoid putting sensitive details in your WhatsApp “about” section, or in any social network profile.
• Set your profile photo and “about” information to be visible only to your contacts.
• Assume your phone number acts as a long-term identifier. Keep public information linked to it minimal.

We don’t just report on data privacy—we help you remove your personal information

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

Ahead of the holiday season, people who have bought cheap Amazon Fire TV Sticks or similar devices online should be aware that some of them could let cybercriminals access personal data, bank accounts, and even steal money.

BeStreamWise, a UK initiative established to counter illegal streaming, says the rise of illicit streaming devices preloaded with software that bypasses licensing and offers “free” films, sports, and TV comes with a risk.

Dodgy stick streaming typically involves preloaded or modified devices, frequently Amazon Fire TV Sticks, sold with unauthorized apps that connect to pirated content streams. These apps unlock premium subscription content like films, sports, and TV shows without proper licensing.

The main risks of using dodgy streaming sticks include:

• Legal risks: Mostly for sellers, but in some cases for users too
• Exposure to inappropriate content: Unregulated apps lack parental controls and may expose younger viewers to explicit ads or unsuitable content.
• Growing countermeasures: Companies like Amazon are actively blocking unauthorized apps and updating firmware to prevent illegal streaming. Your access can disappear overnight because it depends on illegal channels.
• Malware: These sticks, and the unofficial apps that run on them, often contain malware—commonly in the form of spyware.

BeStreamWise warns specifically about “modded Amazon Fire TV Sticks.” Reporting around the campaign notes that around two in five illegal streamers have fallen prey to fraud, likely linked to compromised hardware or the risky apps and websites that come with illegal streaming.

According to BeStreamWise, citing Dynata research:

“1 in 3 (32%) people who illegally stream in the UK say they, or someone they know, have been a victim of fraud, scams, or identity theft as a result.”

Victims lost an average of almost £1,700 (about $2,230) each. You could pay for a lot of legitimate streaming services with that. But it’s not just money that’s at stake. In January, The Sun warned all Fire TV Stick owners about an app that was allegedly “stealing identities,” showing how easily unsafe apps can end up on modified devices.

And if it’s not the USB device that steals your data or money, then it might be the website you use to access illegal streams. FACT highlights research from Webroot showing that:

“Of 50 illegal streaming sites analysed, every single one contained some form of malicious content – from sophisticated scams to extreme and explicit content.”

So, from all this we can conclude that illegal streaming is not the victimless crime that many assume it is. It creates victims on all sides: media networks lose revenue and illegal users can lose far more than they bargained for.

How to stay safe

The obvious advice here is to stay away from illegal streaming and be careful about the USB devices you plug into your computer or TV. When you think about it, you’re buying something from someone breaking the law, and hoping they’ll treat your data honestly.

There are a few additional precautions you can take though:

• Disable auto-run or autoplay features on your computer before inserting a USB stick. This stops programs on the USB from launching automatically.
• Mount the USB device in read-only mode if your operating system supports it (especially on Linux). This prevents any unwanted actions.
• Use an up-to-date anti-malware solution to scan the  external drive with a Custom scan. 

If you have already used a USB device or visited a website that you don’t trust:

• Update your anti-malware solution.
• Disconnect from the internet to prevent any further data being sent.
• Run a full system scan for malware.
• Monitor your accounts for unusual activity.
• Change passwords and/or enable multifactor authentication (MFA/2FA) on the important ones.

We don’t just report on threats—we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.

Black Friday is supposed to be chaotic, sure, but not this chaotic.

While monitoring malvertising patterns ahead of the holiday rush, I uncovered one of the most widespread and polished Black Friday scam campaigns circulating online right now.

It’s not a niche problem. Our own research shows that 40% of people have been targeted by malvertising, and more than 1 in 10 have fallen victim, a trend that shows up again and again in holiday-season fraud patterns. Read more in our 2025 holiday scam overview.

Through malicious ads hidden on legitimate websites, users are silently redirected into an endless loop of fake “Survey Reward” pages impersonating dozens of major brands.

What looked like a single suspicious redirect quickly turned into something much bigger. One domain led to five more. Five led to twenty. And as the pattern took shape, the scale became impossible to ignore: more than 100 unique domains, all using the same fraud template, each swapping in different branding depending on which company they wanted to impersonate.

This is an industrialized malvertising operation built specifically for the Black Friday window.

The brands being impersonated

The attackers deliberately selected big-name, high-trust brands with strong holiday-season appeal. Across the campaign, I observed impersonations of:

• Walmart
• Home Depot
• Lowe’s
• Louis Vuitton
• CVS Pharmacy
• AARP
• Coca-Cola
• UnitedHealth Group
• Dick’s Sporting Goods
• YETI
• LEGO
• Ulta Beauty
• Tourneau / Bucherer
• McCormick
• Harry & David
• WORX
• Northern Tool
• POP MART
• Lovehoney
• Petco
• Petsmart
• Uncharted Supply Co.
• Starlink (especially the trending Starlink Mini Kit)
• Lululemon / “lalubu”-style athletic apparel imitators

These choices are calculated. If people are shopping for a LEGO Titanic set, a YETI bundle, a Lululemon-style hoodie pack, or the highly hyped Starlink Mini Kit, scammers know exactly what bait will get clicks.

In other words: They weaponize whatever is trending.

How the scam works

1. A malicious ad kicks off an invisible redirect chain

A user clicks a seemingly harmless ad—or in some cases, simply scrolls past it—and is immediately funneled through multiple redirect hops. None of this is visible or obvious. By the time the page settles, the user lands somewhere they never intended to go.

2. A polished “Survey About [Brand]” page appears

Every fake site is built on the same template:

• Brand name and logo at the top
• A fake timestamp (“Survey – November X, 2025 ”)
• A simple, centered reward box
• A countdown timer to create urgency
• A blurred background meant to evoke the brand’s store or product environment

It looks clean, consistent, and surprisingly professional.

3. The reward depends on which brand is being impersonated

Some examples of “rewards” I found in my investigation:

• Starlink Mini Kit
• YETI Ultimate Gear Bundle
• LEGO Falcon Exclusive / Titanic set
• Lululemon-style athletic packs
• McCormick 50-piece spice kit
• Coca-Cola mini-fridge combo
• Petco / Petsmart “Dog Mystery Box”
• Louis Vuitton Horizon suitcase
• Home Depot tool bundles
• AARP health monitoring kit
• WORX cordless blower
• Walmart holiday candy mega-pack

Each reward is desirable, seasonal, realistic, and perfectly aligned with current shopping trends. This is social engineering disguised as a giveaway. I wrote about the psychology behind this sort of scam in my article about Walmart gift card scams.

4. The “survey” primes the victim

The survey questions are generic and identical across all sites. They are there purely to build commitment and make the user feel like they’re earning the reward.

After the survey, the system claims:

• Only 1 reward left
• Offer expires in 6 minutes
• A small processing/shipping fee applies

Scarcity and urgency push fast decisions.

5. The final step: a “shipping fee” checkout

Users are funneled into a credit card form requesting:

• Full name
• Address
• Email
• Phone
• Complete credit card details, including CVV

The shipping fees typically range from $6.99 to $11.94. They’re just low enough to feel harmless, and worth the small spend to win a larger prize.

Some variants add persuasive nudges like:

“Receive $2.41 OFF when paying with Mastercard.”

While it’s a small detail, it mimics many legitimate checkout flows.

Once attackers obtain personal and payment data through these forms, they are free to use it in any way they choose. That might be unauthorized charges, resale, or inclusion in further fraud. The structure and scale of the operation strongly suggest that this data collection is the primary goal.

Why this scam works so well

Several psychological levers converge here:

• People expect unusually good deals on Black Friday
• Big brands lower skepticism
• Timers create urgency
• “Shipping only” sounds risk-free
• Products match current hype cycles
• The templates look modern and legitimate

Unlike the crude, typo-filled phishing of a decade ago, these scams are part of a polished fraud machine built around holiday shopping behavior.

Technical patterns across the scam network

Across investigations, the sites shared:

• Identical HTML and CSS structure
• The same JavaScript countdown logic
• Nearly identical reward descriptions
• Repeated “Out of stock soon / 1 left” mechanics
• Swappable brand banners
• Blurred backgrounds masking reuse
• High-volume domain rotation
• Multi-hop redirects originating from malicious ads

It’s clear these domains come from a single organized operation, not a random assortment of lone scammers.

Final thoughts

Black Friday always brings incredible deals, but it also brings incredible opportunities for scammers. This year’s “free gift” campaign stands out not just for its size, but for its timing, polish, and trend-driven bait.

It exploits, excitement, brand trust, holiday urgency, and the expectation of “too good to be true” deals suddenly becoming true.

Staying cautious and skeptical is the first line of defense against “free reward” scams that only want your shipping details, your identity, and your card information.

And for an added layer of protection against malicious redirects and scam domains like the ones uncovered in this campaign, users can benefit from keeping tools such as Malwarebytes Browser Guard enabled in their browser.

Stay safe out there this holiday season.

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

Cybercriminals are using browser push notifications to deliver malware and phishing attacks.

Researchers at BlackFog described how a new command-and-control platform, called Matrix Push C2, uses browser push notifications to reach potential victims.

When we warned back in 2019 that browser push notifications were a feature just waiting to be abused, we noted that the Notifications API allows a website or app to send notifications that are displayed outside the page at the system level. This means it lets web apps send information to a user even when they’re idle or running in the background.

Here’s a common example of a browser push notification:

This makes it harder for users to know where the notifications come from. In this case, the responsible app is the browser and users are tricked into allowing them by the usual “notification permission prompt” that you see on almost every other website.

But malicious prompts aren’t always as straightforward as legitimate ones. As we explained in our earlier post, attackers use deceptive designs, like fake video players that claim you must click “Allow” to continue watching.

In reality, clicking “Allow” gives the site permission to send notifications, and often redirects you to more scam pages.

Granting browser push notifications on the wrong website gives attackers the ability to push out fake error messages or security alerts that look frighteningly real. They can make them look as if they came from the operating system (OS) or a trusted software application, including the titles, layout, and icons. There are pre-formatted notifications available for MetaMask, Netflix, Cloudflare, PayPal, TikTok, and more.

Criminals can adjust settings that make their messages appear trustworthy or cause panic. The Command and Control (C2) panel provides the attacker with granular control over how these push notifications appear.

But that’s not all. According to the researchers, this panel provides the attacker with a high level of monitoring:

“One of the most prominent features of Matrix Push C2 is its active clients panel, which gives the attacker detailed information on each victim in real time. As soon as a browser is enlisted (by accepting the push notification subscription), it reports data back to the C2.”

It allows attackers to see which notifications have been shown and which ones victims have interacted with. Overall, this allows them to see which campaigns work best on which users.

Matrix Push C2 also includes shortcut-link management, with a built-in URL shortening service that attackers can use to create custom links for their campaign, leaving users clueless about the true destination. Until they click.

Ultimately, the end goal is often data theft or monetizing access, for example, by draining cryptocurrency wallets, or stealing personal information.

How to find and remove unwanted notification permissions

A general tip that works across most browsers: If a push notification has a gear icon, clicking it will take you to the browser’s notification settings, where you can block the site that sent it. If that doesn’t work or you need more control, check the browser-specific instructions below.

Chrome

To completely turn off notifications, even from extensions:

• Click the three dots button in the upper right-hand corner of the Chrome menu to enter the Settings menu.
• Select Privacy and Security.
• Click Site settings.
• Select Notifications.
• By default, the option is set to Sites can ask to send notifications. Change to Don’t allow sites to send notifications if you want to block everything.

For more granular control, use Customized behaviors.

• Selecting Remove will delete the item from the list. It will ask permission to show notifications again if you visit their site.
• Selecting Block prevents permission prompts entirely, moved them to the block list.

• You can also check Block new requests asking to allow notifications at the bottom.

In the same menu, you can also set listed items to Block or Allow by using the drop-down menu behind each item.

Opera

Opera’s settings are very similar to Chrome’s:

• Open the menu by clicking the O in the upper left-hand corner.
• Go to Settings (on Windows)/Preferences (on Mac).
• Click Advanced, then Privacy & security.
• Under Content settings (desktop)/Site settings (Android) select Notifications.

On desktop, Opera behaves the same as Chrome. On Android, you can remove items individually or in bulk.

Edge

Edge is basically the same as Chrome as well:

• Open Edge and click the three dots (…) in the top-right corner, then select Settings.
• In the left-hand menu, click on Privacy, search, and services.
• Under Sites permissions > All permissions, click on Notifications.
• Turn on Quiet notifications requests to block all new notification requests. 

• Use Customized behaviors for more granular control.

Safari

To disable web push notifications in Safari, go to Safari > Settings > Websites > Notifications in the menu bar, select the website from the list, and change its setting to Deny. To stop all future requests, uncheck the box that says Allow websites to ask for permission to send notifications in the same window. 

For Mac users

1. Go to Safari > Settings > Websites > Notifications.
2. Select a site and change its setting to Deny or Remove.
3. To stop all future prompts, uncheck Allow websites to ask for permission to send notifications.

For iPhone/iPad users

1. Open Settings.
2. Tap Notifications.
3. Scroll to Application Notifications and select Safari.
4. You’ll see a list of sites with permission.
5. Toggle any site to off to block its notifications.

We don’t just report on threats—we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.

Last week on Malwarebytes Labs:

• AI teddy bear for kids responds with sexual content and advice about weapons
• Fake calendar invites are spreading. Here’s how to remove them and prevent more
• Budget Samsung phones shipped with unremovable spyware, say researchers
• What the Flock is happening with license plate readers?
• Holiday scams 2025: These common shopping habits make you the easiest target
• [Correction] Gmail can read your emails and attachments to power “smart features”
• Mac users warned about new DigitStealer information stealer
• Attackers are using “Sneaky 2FA” to create fake sign-in windows that look real
• Sharenting: are you leaving your kids’ digital footprints for scammers to find?
• Chrome zero-day under active attack: visiting the wrong site could hijack your browser
• Thieves order a tasty takeout of names and addresses from DoorDash
• Why it matters when your online order is drop-shipped
• The price of ChatGPT’s erotic chat? $20/month and your identity
• Your coworker is tired of AI “workslop” (Lock and Code S06E23)
• Scammers are sending bogus copyright warnings to steal your X login

Stay safe!

We don’t just report on threats—we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.