IT News


“Hello pervert” sextortion scam includes new threat of Pegasus—and a picture of your home

After using passwords obtained from one of the countless breaches as a lure to trick victims into paying, the “Hello pervert” sextortion scammers have recently introduced two new pressure tactics: name-dropping the infamous Pegasus spyware and adding pictures of your home environment.

They do this to add credibility to the false claims that the scammers have been watching your online behavior and caught you red-handed during activities that you would like to keep private amongst your friends and family.

The email usually starts with “Hello pervert” and then goes on to claim that the target has been watching pornographic content. The scammers often claim to have footage of what you were watching and what you were doing while watching.

To stop the sender from spreading the incriminating footage, the target will have to pay the scammer, or else they will send it to everyone in their email contacts list.

More recently, scammers have started increasing their threats by mentioning a powerful spyware called “Pegasus.” Several versions of these scam emails have included the following text:

Have you heard of Pegasus? This is a spyware program that installs on computers and smartphones and allows hackers to monitor the activity of device owners. It provides access to your webcam, messengers, emails, call records, etc. It works well on Android, iOS, and Windows.

Though Pegasus is indeed a powerfully invasive spyware tool, the threat of its use, as included in these scam emails, is entirely empty. This is because Pegasus has never been observed outside of a surveillance campaign carried out, specifically, by governments. Time and time again, Pegasus has been used by oppressive government regimes to spy on political dissidents, human rights activists, and watchdog journalists. There is essentially no proof that such a closely-guarded spyware has ended up in the hands of everyday scammers.

But the pressure tactics don’t end with Pegasus, as many of these emails include an old (or active) password that a scam target has used in the past. Here, this isn’t some act of advanced hacking. Instead, it is likely that the scammers bought your password from other cybercriminals that obtained them during one of the countless data breaches that hit company after company every week.

When scammers have access to such data, it may also include your physical address. With that knowledge, scammers have increased their threats by simply adding a photograph of your personal neighborhood by looking it up online. For most places in inhabited areas, you can grab such pictures from Google Maps or similar apps.

A Reddit user demonstrated this by finding that such a scammer used an old PO box address. But it’s true that this adds a convincing argument to the claim that the sender has been spying on you.

As an extra threat the email may include something like:

“Or is visiting [your physical address] a more convenient way to contact if you don’t take action. Nice location btw.”

The implication is that they know where you live and may stop by to create a scene.

How to recognize “Hello pervert” emails

Once you know what’s going on it’s easy to recognize these emails. Remember that not all of the below characteristics have to be included in these emails, but all of them are red flags in their own right.

  • They often look as if they came from one of your own email addresses.
  • The scammer accuses you of inappropriate behavior and claims to have footage of that behavior.
  • In the email the scammer claims to have used Pegasus or some Trojan to spy on you through your own computer.
  • The scammer says they know “your password.”
  • You are urged to pay up quickly or the so-called footage will be spread to all your contacts. Often you’re only allowed one day to pay.
  • The actual message often arrives as an image or a pdf attachment. Scammers do this to bypass phishing filters.
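The characteristics above can be turned into a simple triage rule for a mailbox or SOC queue. The following is an added example, not part of the original post: it parses a raw message and reports which of the listed red flags it finds (sender equal to recipient, the “Hello pervert” opening, spyware name-dropping, a “your password” claim, a deadline, a crypto payment demand, and a near-empty body with an image or PDF attachment). The sample messages and the flag names are constructed for this example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# One regex per characteristic of the "Hello pervert" emails listed above.
PATTERNS = {
    "spyware_name_drop": re.compile(r"\b(pegasus|trojan|spyware)\b", re.I),
    "claims_your_password": re.compile(r"\byour\s+password\b|\bpassword\s*[:=]", re.I),
    "deadline_pressure": re.compile(
        r"\b(24|48)\s*hours?\b|\bone\s+day\b|\bwithin\s+\d+\s+(hours?|days?)\b", re.I),
    "crypto_payment_demand": re.compile(r"\b(bitcoin|btc|monero|xmr|wallet)\b", re.I),
    "footage_accusation": re.compile(r"\b(footage|recording|webcam)\b", re.I),
}
ATTACHMENT_TYPES = (".pdf", ".png", ".jpg", ".jpeg", ".gif")


def sextortion_red_flags(raw_email: str) -> list[str]:
    """Return the names of the red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw_email, policy=policy.default)
    flags = []

    # "They often look as if they came from one of your own email addresses."
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    recipient = parseaddr(str(msg.get("To", "")))[1].lower()
    if sender and sender == recipient:
        flags.append("from_equals_to")

    # Collect plain-text bodies and attachment names across all MIME parts.
    text_chunks, attachments = [], []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            attachments.append((part.get_filename() or "").lower())
        elif part.get_content_type() == "text/plain":
            text_chunks.append(part.get_content())
    body = "\n".join(text_chunks)
    text = str(msg.get("Subject", "")) + "\n" + body

    if re.search(r"\bhello\s+pervert\b", text, re.I):
        flags.append("hello_pervert_opening")
    for name, pattern in PATTERNS.items():
        if pattern.search(text):
            flags.append(name)

    # "The actual message often arrives as an image or a pdf attachment":
    # an image/PDF attachment with next to no body text.
    if len(body.strip()) < 40 and any(a.endswith(ATTACHMENT_TYPES) for a in attachments):
        flags.append("message_in_attachment")
    return flags


def is_likely_sextortion(raw_email: str, threshold: int = 2) -> bool:
    """No single flag is proof; treat `threshold` or more as a likely sextortion scam."""
    return len(sextortion_red_flags(raw_email)) >= threshold


# Constructed sample messages (not real scam emails).
SCAM_EMAIL = """\
From: victim@example.com
To: victim@example.com
Subject: Hello pervert
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hello pervert. Have you heard of Pegasus? I know your password: hunter2.
I have footage of you. You have one day to send 0.05 BTC or it goes to all your contacts.
--b1
Content-Type: application/pdf; name="proof.pdf"
Content-Disposition: attachment; filename="proof.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

IMAGE_ONLY_EMAIL = """\
From: me@example.com
To: me@example.com
Subject: (no subject)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: image/png; name="proof.png"
Content-Disposition: attachment; filename="proof.png"
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b2--
"""

BENIGN_EMAIL = """\
From: alice@example.org
To: bob@example.com
Subject: Q3 report
Content-Type: text/plain; charset="utf-8"

Hi Bob, here is the Q3 report we discussed. Let me know your thoughts.
"""

if __name__ == "__main__":
    for label, raw in (("scam", SCAM_EMAIL), ("image-only", IMAGE_ONLY_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, is_likely_sextortion(raw), sextortion_red_flags(raw))
```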

How to react to “Hello pervert” emails

First and foremost, never reply to emails of this kind. Replying tells the sender that someone is reading the emails sent to that address, and they will keep trying new methods to defraud you.

  • If the email included a password, make sure you are not using it any more and if you are, change it as soon as possible.
  • If you are having trouble organizing your passwords, have a look at a password manager.
  • Don’t let yourself get rushed into action or decisions. Scammers rely on the fact that you will not take the time to think this through and subsequently make mistakes.
  • Do not open unsolicited attachments, especially when the sender address is suspicious or is even your own.
  • For your peace of mind, turn off your webcam or buy a webcam cover so you can cover it when you’re not using it.

Check your digital footprint

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.


We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

How to avoid election related scams

With the US election campaigns at full throttle, scammers have taken a renewed interest in the ways this can be used to defraud people, often using the same tactics legitimate campaigns leverage for support (emails, text messages, phone calls, and social media pleas).

The lure that we have seen the most involves asking people to donate to a campaign. Whether that comes in by mail, text, phone call, or on social media, that money isn’t going to any of the candidates.

Text asking who you are voting for leading to a fake survey
This sender does not care who you want to donate to

If those scam campaigns aren’t directly after your money, they might well be phishing for personal information.

These phishers also use fake surveys pretending to be a volunteer for one of the political parties and will ask you for personal information directly or get on your nerves by engaging in discussions about controversial subjects.

A survey site that asks for personal details and credit card information

Another method besides surveys is the voter registration scam, where the scammer poses as an election official and asks you to update your voter registration, or tells you that you can register to vote over the phone. As a reminder, here is how you can securely register to vote.

Example voter registration scam courtesy of KrebsOnSecurity

These scams are not only after your personal information but sometimes have the audacity to ask you to pay for completing your voter registration paperwork—something that is never asked in legitimate voter registration.

How to stay safe

Watch out for fake emails

With the increasing use of AI by cybercriminals, it has become more difficult to spot fake emails. Looking for spelling errors is of no use anymore, but a few golden rules still apply to unsolicited emails:

  • Don’t open attachments.
  • Hover over the link(s) in the email. If they are different from the one that is displayed this is a red flag.
  • Don’t let any sense of urgency expressed in the email rush you into a hasty decision.
  • Check that the sender’s email address is what you’re expecting. Note: these can be spoofed so this is not a guarantee, but anything that doesn’t look genuine definitely won’t be.
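The “hover over the link” rule above can be automated for HTML emails: extract every link, and flag the ones whose visible text is itself an address but whose real destination has a different host. This is an added example, not code from the original post; the donation-themed sample email and the domain names in it are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that a reader would take for an address: a URL or a bare domain.
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def _host(value: str) -> str:
    """Hostname of a URL or bare domain, lower-cased, without a leading 'www.'."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower().removeprefix("www.")


def mismatched_links(html: str) -> list[tuple[str, str]]:
    """Return (visible text, real href) pairs where the shown address and the
    real destination have different hosts. Link text like "Click here" is not
    URL-like and is never flagged; hosts are compared exactly, so a subdomain
    counts as a mismatch (strict on purpose)."""
    collector = _LinkCollector()
    collector.feed(html)
    mismatches = []
    for href, text in collector.links:
        if URL_LIKE.match(text) and _host(text) != _host(href):
            mismatches.append((text, href))
    return mismatches


# Constructed sample of a donation-themed HTML email (not a real campaign message).
SAMPLE_EMAIL_HTML = """
<p>Support the campaign today!</p>
<p>Official site: <a href="https://www.example-campaign.org/donate">www.example-campaign.org</a></p>
<p>Or donate directly at
   <a href="http://login.example-campaign-donate.xyz/pay">https://donate.example-campaign.org</a></p>
<p><a href="http://tracker.example.net/c/1">Click here</a> to unsubscribe.</p>
"""

if __name__ == "__main__":
    for shown, real in mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"red flag: displays {shown!r} but goes to {real!r}")
```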

Donate safely

If you decide to sponsor a candidate, do not follow any links provided in text messages, emails, or on social media.

Find the official site for your favorite candidate and follow the instructions there. If you use Google or any other search engine to find the official site, do not click on the links in the sponsored ads. We have found too many cases where these went to false sites.

Ignore text messages

This is an easy one: just ignore them. Honest. Anyone texting me requests out of the blue will find my cold shoulder. Do not even respond, because that will tell them you read the message.

Avoid robocalls

When you receive a call from someone outside your contact list only to hear a recorded message playing back at you, that’s a robocall. Here’s what to do:

  1. Hang up as soon as you realize that it is a robocall.
  2. Don’t follow any instructions or give away personal information. In fact, don’t engage with the call at all.
  3. Report the robocall.
    • If you’ve lost money to a phone scam or have information about the company or scammer who called you, tell the FTC at ReportFraud.ftc.gov.
    • If you didn’t lose money and just want to report a call, use the streamlined reporting form at DoNotCall.gov
    • If you believe you received an illegal call or text, report it to the Federal Communications Commission (FCC).

It’s important to not engage in any conversation or respond to any prompts in order to minimize the risk of fraud. Even the smallest snippets of your voice being recorded can be used in scams against you or your loved ones.

If you have an iPhone, let Malwarebytes intercept your robocalls (by installing our app).

Don’t give away personal information when filling in surveys

Don’t engage in surveys that ask for personal information. And when giving out information remember what they already know about you. How did they contact you? If by email that means they already have your email address and your responses can be combined with the information they already have based on that.

Consider your payment method

There are two major considerations to make when you decide on a payment method for donating to a political campaign.

  • How much of your donation ends up at the right place? Most payment providers charge transaction fees that decrease the amount of the actual contribution, and the fee amount is not the same for all of them.
  • When making a donation, consider which payment method offers you the best protection. Credit cards are better than debit cards because they offer more protection against things like identity theft and fraud. E-checks are another popular payment option that can be an alternative, but e-checks require your routing number and account number, which could leave you more exposed.

The old-fashioned way of sending a check in the mail is not as popular, but it avoids both transaction fees and security worries. For a small amount, though, the time needed to process a check becomes a factor.

Always monitor your accounts

Monitoring your account activity is one of the most effective ways to protect yourself from fraud. Especially when you’re in doubt about a recent transaction like a donation that doesn’t sit right in retrospect. The sooner you notice unauthorized activity, the sooner you can intervene and prevent further damage.

Some things you can do are:

  • Daily checks on your account activity through online banking.
  • Many banks offer the opportunity to send you notifications of larger or unusual transactions. Turn those on, preferably by email or text so you’ll see them as soon as possible.
  • When you see something suspicious, notify your financial institution immediately so they can assist you in keeping your money safe.

London’s city transport hit by cybersecurity incident

Transport for London (TfL), the city’s transport authority, is fighting through an ongoing cyberattack. TfL runs three separate units that operate London’s surface, underground, and Crossrail transport systems. It serves some 8 million inhabitants of the London metropolitan area.

In a public notice Transport for London stated:

“We are currently dealing with an ongoing cyber security incident. At present, there is no evidence that any customer data has been compromised and there has been no impact on TfL services.

The security of our systems and customer data is very important to us, and we have taken immediate action to prevent any further access to our systems.”

The incident does have some impact though, as TfL took the contactless website for purchasing tickets offline for “maintenance.” This maintenance was not announced earlier though, which they likely would have done under normal circumstances.

The contactless website is used to purchase online tickets, upgrade travelcards (Oystercards), check travel history, and request refunds.

In a short thread on X, TfL said it is working with the National Crime Agency and the National Cyber Security Centre to investigate and respond to the incident.

“Hi, thanks for getting in touch. We are working to resolve this as soon as possible. We need to complete our full assessment, but there is currently no evidence that any customer data has been compromised, or impact on TfL services. We are working closely with the National Crime Agency and the National Cyber Security Centre to respond to the incident. We are continuing to work to assist our customers here in the usual manner. Thanks, SW.”

According to security researcher Kevin Beaumont:

“Transport for London have a genuine internal security incident running and are reverting to paper processes.”

Since TfL is keeping rather quiet about the incident, it is hard to assess whether this disruption is the result of a ransomware attack or something else.

We’ll keep you posted if we learn more.



City of Columbus tries to silence security researcher

The City of Columbus, Ohio is suing a security researcher for sharing stolen data.

All the complaint will accomplish, we imagine, is spotlight the ignorance of certain city officials in handling a common security matter.

What happened is that the City of Columbus was attacked by a ransomware group on July 18, 2024. Due to the timing, it was at first unclear whether the disruption in the public facing services was caused by the CrowdStrike incident or if it was in fact an attack. The attack was later claimed by the Rhysida ransomware group on their leak site, where the group posts information about recent victims that are unwilling to pay.

Rhysida lists the data stolen from City of Columbus, Ohio for sale

The City of Columbus said that the city’s Department of Technology quickly identified the threat and took action to significantly limit potential exposure. Due to the swift action no systems had been encrypted, but they were looking into the possibility that sensitive data might have been stolen in the attack.

“The city is in the process of identifying individuals whose personal information was potentially exposed and will provide notice and additional guidance to all who are impacted in the coming weeks.”

Rhysida started an auction of the stolen data with a starting bid of about $1.7 million in bitcoin. When that didn’t produce any results, Rhysida published (please note the word “published” here, it’s important) stolen data comprising 260,000 files (3.1 TB), which was almost half of what they claimed to have, on August 8, 2024.

On that same day, the mayor of Columbus stated on local media that the disclosed information was neither valuable nor usable.

“The fact that the threat actor’s attempted data auction failed is a strong indication that the data lacks value to those who would seek to do harm or profit from it.”

This is where an external security researcher comes in. Security researcher David Leroy Ross, aka Connor Goodwolf, shared information with the media about the content of the stolen data. From what Goodwolf shared it became clear that the data contained unencrypted personal information of city employees and residents.

So, the City of Columbus decided to sue Goodwolf for alleged damages for criminal acts, invasion of privacy, negligence, and civil conversion.

The lawsuit claimed that downloading documents from a dark web site run by ransomware attackers amounted to him interacting with the ransomware group and that it required special expertise and tools.

All he did was use a special browser to visit a website, download a file, and disclose the nature of the data to the local press. These actions, mind you, are indistinguishable from the work of many security researchers committed to stopping cyberattacks.

Take, for instance, the means of access for Goodwolf.

If you are willing to consider the Tor Browser to be a special tool, I’ll grant you that one, although grudgingly. If you are a Firefox user, you may see a big resemblance with the Tor Browser, so the browser is not really that special. If visiting a website and downloading a file is a crime, we’re all guilty of said crime. If disclosing that a public official told an untruth (even if it was out of ignorance) is wrong then you probably shouldn’t want to live in a democratic country.

But unfortunately, a Franklin County judge issued the coveted temporary restraining order barring Goodwolf from accessing, downloading, and disseminating the City’s stolen data. The order also requires the defendant to preserve all data that was downloaded to date.

We want to make absolutely clear: Rhysida stole and published the data. And it was spokespeople from The City of Columbus that told everyone not to worry about other criminals using the data for further crimes, instead of warning the people that they should be wary of phishing attempts that could leverage the stolen data against them.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.


A week in security (August 26 – September 1)

Last week on Malwarebytes Labs:

Last week on ThreatDown:

Stay safe!


Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Iranian cybercriminals are targeting WhatsApp users in spear phishing campaign

An Iranian state-sponsored group often referred to as Iran’s Islamic Revolutionary Guard Corps (IRGC) is making headlines again this season as Meta disclosed that the cybercriminals targeted WhatsApp users in Israel, Palestine, Iran, the UK, and the US.

Other names for this group, depending on the vendor, are APT42, Storm-2035, Charming Kitten, Damselfly, Mint Sandstorm, TA453, and Yellow Garuda.

Earlier the group was linked to disinformation campaigns around the US elections in a Microsoft threat report, Google research findings, and when OpenAI banned accounts linked to an Iranian influence operation.

It is no surprise that nations like Iran have an interest in influencing elections in the US and the targets in this campaign also included staff members of President Joe Biden and former President Donald Trump.

Meta blocked a small cluster of WhatsApp accounts posing as support agents for tech companies. These accounts used social engineering against political and diplomatic officials, and other public figures. This type of attack is called spear phishing, as it involves highly targeted phishing attempts.

The fake accounts linked to the Iranian group posed as technical support for AOL, Google, Yahoo, and Microsoft.

The APT in APT42 stands for advanced persistent threat (APT), which signifies a prolonged, aimed attack on a specific target with the intention to compromise their system and gain information from or about that target.

This is exactly the kind of group that you will see involved in spear phishing attacks, that target individuals to collect information about them, or manipulate them into revealing information about their occupation, or compromise their devices and accounts so they can spy on them.

There is no evidence that this group managed to compromise any accounts and Meta praises the targets that reported these suspicious messages using the in-app reporting tools, so WhatsApp could launch an investigation and disrupt the campaign.

Phishers often use technical support accounts in phishing attempts because people tend to trust them with information if they happen to be a customer of the company that the “support agent” claims to represent.

WhatsApp users should remain on the lookout for unsolicited contacts and messages.

  • If a message looks suspicious, comes unsolicited, or sounds too good to be true, don’t tap, share, or forward it. Don’t become part of a misinformation campaign.
  • Always inspect links and attached files thoroughly before opening them. Ask the known sender through other means what it’s for.
  • Do not engage in conversations when you are not sure who the sender is. Even the fact that you respond to them will tell them this is a way to reach you and might lead to more attempts.


Fake Canva home page leads to browser lock

In a previous blog post, we showed how fraudsters were leveraging features from the very company (Microsoft) they were impersonating. We continue this series with another clever trick abusing Canva, a popular online tool for graphic design.

This time, the scammers registered an account on Canva to create a new design that is, in fact, a replica of the Canva home page. As victims come from a malicious ad, they land on this deceiving page that lures them into interacting with it. The result: as soon as you click on the image, your browser is hijacked with a fake Microsoft alert.

In this blog, we share the details of yet another abuse of the online experience. We have reported this malicious campaign to both Google and Canva.

Convincing search ads

We identified two different advertiser accounts involved in creating fraudulent ads for the design platform Canva. The corresponding ads from both advertisers were displayed at the very top of the Google search page results, as seen in the image below.

There is very little that tells you that those ads are fake, and since most people trust what they see, they will likely be inclined to click on them.


Canva home page?

Scammers created a free account on Canva and made a design that looks just like… Canva’s home page. Of all the possible art they could have created, they chose to take a screenshot of Canva’s site and use it as their creation.

This is their “trick”: they want users to think they have landed on the real website and expect them to click on the ‘Start designing’ button.


Malicious URL opens up fake Microsoft alert

If we look at the source code behind that design, we see something rather interesting: a hyperlink to an external site. This means that if you click on the image, a new tab (target="_blank") will open at the given URL.


This URL hijacks your browser and claims “Windows locked due to unusual activity”.


Threat actors from different walks of life are leveraging a powerful combo: branded Google ads and decoy pages. This allows them to lure a large number of potential victims straight from the search engine into scams or malware.

The bottom line is you simply can’t trust what you see, as everything is made to look legitimate in one way or another. To regain control of their web browsing experience, users need to be more proactive and use any of the tools at their disposal.

Malwarebytes continues to hunt for malvertising schemes and diligently reports them to the platforms that are being abused. For additional protection, we recommend our free Browser Guard extension.

Telegram CEO Pavel Durov charged with allowing criminal activity

France has indicted the CEO of the popular messaging app Telegram on charges of complicity in the distribution of child sex abuse images, aiding organized crime, drug trafficking, fraud, and refusing lawful orders to give information to law enforcement.

The arrest warrants for Pavel Durov and his brother, co-founder of Telegram Nikolai Durov, reportedly were issued in March. Pavel was arrested on Saturday August 24, allegedly after a female influencer travelling with him posted real-time updates about their location and means of transportation.

At the same time, the Indian government is investigating Telegram for alleged extortion activities on the platform, and over concerns about illegal gambling operations.

Pavel Durov is a French national but was born in Russia. He also holds citizenship of the United Arab Emirates where Telegram is based. He avoided jail by putting up a $5 million bail, but has to stay in France and report to a police station twice a week.

Russian officials claim that Durov’s arrest is politically motivated, a claim strongly denied by French president Emmanuel Macron, who met with Durov on several occasions prior to Durov receiving the French nationality through a special procedure for those deemed to have made a special contribution to France.

There is no reasonable doubt that Telegram as a platform is used for illegal purposes. It’s well known that cybercriminals use it to exchange and sell both malware and information, and the app is banned in several countries.

One of the questions is whether providing the tools for a crime is a crime in itself. Logic dictates that this is not the case, or every crowbar manufacturer would be behind bars. However, the underlying question is: did Telegram do its best to prevent the app from being used for criminal activity?

Telegram commented that its moderation was:

“within industry standards and constantly improving.”

Some are asking whether this arrest is a limitation of the freedom of speech. Telegram is also used by citizens of countries with a totalitarian regime to communicate outside of the government’s reach.

This is considered safe because Telegram shares no information with any authorities about the messages or activities on the app. However, as experts have explained, Telegram is not end-to-end encrypted unless you use the “Secret Chats” feature, which is not easy to use.

End-to-end encryption means that only the person you are sending your messages to can read them. This is impossible in Telegram unless it is a one-on-one conversation with Secret Chats enabled, which only works if the other person is online.

Undoubtedly this story will develop further, and we will keep you posted about it.



CODAC Behavioral Healthcare, US Marshals are latest ransomware targets

The Qilin ransomware group listed CODAC Behavioral Healthcare, a nonprofit health care treatment organization, as one of their latest victims.

Qilin seems to have a preference for healthcare and support organizations. One of their most well-known victims was the pathology lab services provider Synnovis in June 2024, causing chaos across the NHS in London.

CODAC Behavioral Healthcare is Rhode Island’s oldest and largest nonprofit, outpatient provider of treatment for Opioid Use Disorder (OUD) and runs seven community-based locations. CODAC works with individuals, families, and communities and provides comprehensive resources to those living and struggling with the challenges of substance use disorder and behavioral healthcare issues.

The Qilin ransomware group listed CODAC Behavioral Healthcare

Within the stolen data, Malwarebytes Labs noticed financial information, pictures of ID cards, a list of staff members—including their Social Security Numbers (SSNs)—and healthcare cards.

Ransomware attacks are evolving around the world, as cybercriminals have steadily advanced their tactics to not only encrypt and lock up systems once inside an organization, but to also steal sensitive data and then threaten to publish it as a way to add extra pressure to their demands. Attacks are at an all-time high in 2024, and attacks specifically targeting healthcare and support organizations represent a large portion of all attacks in the US.

As ThreatDown reported earlier in 2024, 70% of all known attacks on healthcare happen in the US. This makes healthcare the second most attacked sector in the US, where it accounts for 9% of known attacks.

Sensitive information like the data kept by healthcare organizations obviously increases the amount of leverage for the ransomware group, and despite some gangs promising not to attack healthcare, most of them show no such conscience.

A separate data breach carried out by a ransomware group that Malwarebytes Labs learned about this week was on the US Marshals Service. The Hunters International ransomware group posted 386 GB of data that appears to include files on gangs, documents from the FBI, specific case information, operational data, and more.

The US Marshals Service said the data comes from a ransomware attack they acknowledged in February of 2023, but which had never been claimed before. Maybe the ransomware group was hesitant to paint a bullseye on their back.

So far, Malwarebytes Labs has not seen any official reaction by CODAC Behavioral Healthcare. If they come out with one or respond to our query, we will keep you posted.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of 2FA, such as codes sent by SMS or generated by an app, can be phished just as easily as a password, because the victim can be tricked into typing the code into a fake site. 2FA that relies on a FIDO2 device binds the login to the real site, so a lookalike site cannot replay it.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.


We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

SMS scammers use toll fees as a lure

In April 2024, the FBI warned about a new type of smishing scam.

Smishing is the term we use for phishing attacks sent via text message. This particular smishing scam tries to trick users into clicking a link by telling them they owe a “small amount” in toll fees.

The scammers send a text claiming that the recipient owes money for unpaid tolls.

Redacted example of a toll smishing text

“PA Turnpike Toll Services: We’ve noticed an outstanding toll amount of $12.51 on your record. To avoid a late fee of $50.00 visit [URL to fake site] to settle your balance.”

The targets appear to be chosen at random, but if you have recently taken a summer trip, or will be visiting relatives during the holiday season, you are more likely to believe a text like this. Nobody is going to fool you into paying (extra) for your daily commute, right?

Because the amount is relatively low, people may decide to pay before the threatened late fee kicks in.

One of the URLs we tracked for this campaign was myturnpiketollservices[.]com which was active from early April until late May. Some others have only been active for a few days.

On the fake website, which is a really convincing copy of the original, visitors are asked to fill out their details like phone numbers, email addresses, full name, address, and their credit card details. Scammers will happily abuse any information that you enter for other malicious activities like identity theft and financial fraud.

Tolls by Mail website mimicked by a scammer: tollsinfosny[.]com imitating the legitimate tollsbymailny.com

These attacks are not just increasing in number in the US; smishing scammers are now also targeting people in Australia, Canada, and Japan.

How to avoid falling for a smishing scam

  • Check the phone number that the text message comes from. Some of the scams above were easy to dismiss because they came from telephone numbers outside the US. Bear in mind that sender numbers can be spoofed, so a plausible-looking number is not proof that a text is genuine.
  • Look for the actual site that handles the alleged toll fees and compare the domain name. Sometimes there is only a small difference, so inspect it carefully.
  • If you have already paid, the lack of a confirmation should set off an alarm. Official toll agencies send a confirmation after collecting a payment. If you don’t receive one, it’s time to investigate and maybe freeze your credit card.
  • Never interact with the scammer in any way. Every reaction provides them with information, even if it’s only that the phone number is in use.
  • If you think the toll fee is feasible because you have indeed travelled in that area, check on the official toll service’s website or call their customer service number.
  • The FBI asks that, if you receive a suspicious message, you report it to the FBI Internet Crime Complaint Center at ic3.gov. Be sure to include the phone number the text originated from and the website listed within the text.

Involved domains

myturnpiketollservices[.]com

nytollservices[.]com

tollsinfosny[.]com

tollsinfonyc[.]com

bayareafastraktollservices[.]com

intollroadacc219[.]com

toll-sunpass[.]com

tollnyezpassweb[.]com

indiana260roadtollac[.]com

inweb-tollroadtrust[.]com

in-tollroadgouv1[.]com

newyorktollroadtrust1[.]com

nyserviceezpass[.]com

intrust-tollroadweb[.]com

sunspass[.]com

sunspasstollsservices[.]com

sunpasstollservices[.]com

tollsbymailsny[.]com

Several of these were hosted at the IP:

45.8.92[.]38
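The advice above to compare the domain in a text with the agency's real domain can be done mechanically, and the list of involved domains makes a handy test set. The Python script below is an added example, not Malwarebytes' own tooling: it refangs the `[.]` notation, pulls domains out of message text, and classifies each one as legitimate, a typosquat (within two edits of a real domain, like sunspass[.]com next to sunpass.com) or a brand lure (a longer name that simply borrows "sunpass", "ezpass", "turnpike" or "toll"). The sample messages are constructed (the first is modelled on the quoted PA Turnpike text), and every reference domain other than tollsbymailny.com, which the article names as legitimate, is an assumption that should be replaced with a verified list before the verdicts are relied on.

```python
"""Triage toll-fee smishing texts: refang IOCs, extract domains from the message
and compare them with the toll agencies' real domains.

Added example, not Malwarebytes' tooling. INVOLVED_DOMAINS come from the article;
SAMPLE_MESSAGES are constructed; LEGIT_DOMAINS is assumed except tollsbymailny.com.
"""
from __future__ import annotations
import re

INVOLVED_DOMAINS = [
    "myturnpiketollservices[.]com", "nytollservices[.]com", "tollsinfosny[.]com",
    "tollsinfonyc[.]com", "bayareafastraktollservices[.]com", "intollroadacc219[.]com",
    "toll-sunpass[.]com", "tollnyezpassweb[.]com", "indiana260roadtollac[.]com",
    "inweb-tollroadtrust[.]com", "in-tollroadgouv1[.]com", "newyorktollroadtrust1[.]com",
    "nyserviceezpass[.]com", "intrust-tollroadweb[.]com", "sunspass[.]com",
    "sunspasstollsservices[.]com", "sunpasstollservices[.]com", "tollsbymailsny[.]com",
]

# Reference domains. Only tollsbymailny.com is named on the page; the rest are assumed.
LEGIT_DOMAINS = ["tollsbymailny.com", "sunpass.com", "paturnpike.com",
                 "bayareafastrak.org", "e-zpassny.com"]

# Words the lure domains borrow from real toll brands or from the toll theme itself.
LURE_TOKENS = ("sunpass", "ezpass", "fastrak", "turnpike", "tollsbymail", "toll")

# Constructed sample texts (not real captures); the first mirrors the quoted lure.
SAMPLE_MESSAGES = [
    "PA Turnpike Toll Services: We've noticed an outstanding toll amount of "
    "$12.51 on your record. To avoid a late fee of $50.00 visit "
    "hxxps://myturnpiketollservices[.]com/pay to settle your balance.",
    "Tolls by Mail: unpaid toll of $6.20. Pay at tollsbymailsny[.]com within "
    "24h to avoid a $50 fee.",
    "Tolls by Mail: your monthly statement is available at tollsbymailny.com",
]

_DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

def refang(text: str) -> str:
    """Turn defanged notation ([.], (.), hxxp) back into parseable text."""
    text = text.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"hxxp", "http", text, flags=re.I)

def defang(domain: str) -> str:
    """Make a domain safe to paste into a report."""
    return domain.replace(".", "[.]")

def levenshtein(a: str, b: str) -> int:
    """Edit distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(domain: str) -> str:
    """Label left of the TLD. Naive: does not handle suffixes such as co.uk."""
    return domain.split(".")[-2]

def classify(domain: str, legit: list[str] = LEGIT_DOMAINS, max_distance: int = 2) -> dict:
    """Verdict for one domain: legitimate, typosquat, brand-lure or unknown."""
    domain = refang(domain).lower().rstrip(".")
    result = {"domain": domain, "verdict": "unknown", "closest": None, "distance": None}
    if domain in legit:
        result.update(verdict="legitimate", closest=domain, distance=0)
        return result
    label = registrable_label(domain)
    closest = min(legit, key=lambda d: levenshtein(label, registrable_label(d)))
    dist = levenshtein(label, registrable_label(closest))
    result.update(closest=closest, distance=dist)
    if dist <= max_distance:
        result["verdict"] = "typosquat"    # a near-miss of a real domain
    elif any(tok in label for tok in LURE_TOKENS):
        result["verdict"] = "brand-lure"   # borrows the brand rather than misspelling it
    return result

def extract_domains(text: str) -> list[str]:
    """Domains mentioned in a message: refanged, lowercased, unique, in order."""
    found: list[str] = []
    for m in _DOMAIN_RE.finditer(refang(text)):
        d = m.group(1).lower()
        if d not in found:
            found.append(d)
    return found

def triage(messages: list[str]) -> list[dict]:
    """Classify every domain found in each message."""
    findings = []
    for msg in messages:
        for dom in extract_domains(msg):
            finding = classify(dom)
            finding["message"] = msg[:40]
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_MESSAGES) + [classify(d) for d in INVOLVED_DOMAINS]:
        print(f"{f['verdict']:11} {defang(f['domain'])}  closest={f['closest']} d={f['distance']}")
```

The two-edit threshold catches the pure typosquats (sunspass, tollsbymailsny), while the token check catches the much longer "toll services" style names that no edit distance would flag; in practice the token list and the reference domains should come from the agencies you actually deal with, not from this illustration.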


We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.