IT News

Senators introduced a bill on Tuesday that would prohibit data brokers from selling or transferring location and health data.

Data brokers have drawn attention this year by leaking several large databases, with the worst being the National Public Data leak. The data breach made international headlines because it affected hundreds of millions of people, and it included Social Security Numbers.

All this when data brokers had already been faced with reforms in the shape of the American Privacy Rights Act (APRA). Hwoever, APRA is not expected to pass before Congress wraps up for the year, and some lawmakers feel the need for extra data regulations.

The newly introduced “Health and Location Data Protection Act of 2024” would provide the Federal Trade Commission (FTC) with $1 billion for enforcement and give the FTC, state attorneys general and victims of data broker abuses the right to sue brokers for violating the law.

Location data are considered extra sensitive because they can be abused by stalkers. Health information often includes highly personal and intimate details about an individual’s life, such as medical history, mental health status, substance abuse, family planning, and genetic testing results.

The bill also mentions a third category which includes other categories of data that address or reveal location or health data.

Data brokers come in different shapes and sizes. What they have in common is that they gather personally identifiable data from various sources. These sources can range from publicly available data to data sets stolen in cybercrimes. They then sell the gathered data for several purposes.

Background checks are required for specific jobs, as well as some insurance policies, loans, and other financial transactions, but some data brokers just deal in marketing and advertising related information.

One of the main dangers of all these data brokers is that they trade amongst themselves. Because of this they not only gather information about more and more people, but also get their hands on information that isn’t even relevant to their field of expertise.

To the victims of a data breach at one of these companies the origin of the stolen data is often a mystery. They have no direct contact with the companies and are usually unaware that they have information about them in the first place.

So, we can only hope that the senators get at least this bill passed prior to the end of the current Congress, or else it will all have to start over again in the next year.

We don’t just talk about your data, we help remove it from broker sites

Cybersecurity risks should never spread beyond a headline. Clean up your data using Malwarebytes Personal Data Remover (US only).

Test page heading

TikTok has requested an emergency injunction to stop or postpone the planned ban on the platform in the US.

Back in March, the House of Representatives passed a bill that would effectively ban TikTok from the US unless Chinese owner ByteDance agreed to give up its share of the immensely popular app.

TikTok claims this is censorship and collides with the principle of free speech. However, the company’s post on X got a lot of responses from people who feel TikTok itself banned them for no clear reason.

On Friday, December 6, a federal appeals court panel unanimously upheld the law that gave ByteDance, TikTok’s Chinese parent company, nine months to either get a new owner or be banned in the US. The deadline is looming; unless the courts stop it, it will go into effect January 19, 2025.

Free speech advocates agree with TikTok that a ban would violate First Amendment rights to free speech, mainly because it would set a precedent. The American Civil Liberties Union said to Reuters:

“Banning TikTok blatantly violates the First Amendment rights of millions of Americans who use this app to express themselves and communicate with people around the world.”

Ever since a former executive at TikTok’s parent company ByteDance claimed in court documents that the Chinese Communist Party (CCP) had access to TikTok data, despite the data being stored in the US, TikTok has been battling to convince politicians that it operates independently of ByteDance, which has deep ties to the CCP.

As early as in 2022, the FCC called TikTok an unacceptable security risk which should be removed from app stores, saying it had referred a complaint against TikTok and parent company ByteDance to the Department of Justice for collecting personal information from children without parental consent.

Since 2020, several governments and organizations have banned, or considered banning, TikTok from their staff’s devices. And during a US Senate hearing, General Paul Nakasone, Director of the National Security Agency (NSA) stated that “America’s TikTok-addicted youth is playing with a loaded gun.”

Meanwhile TikTok also received orders to close its offices in Canada following a national security review. The app has already completely been banned in India, Kyrgyzstan, Uzbekistan, Nepal, and Somalia.

According to TikTok, a ban on the platform would cause small businesses to lose over $1 billion in revenue within just one month, while creators would suffer $300 million in lost earnings.

TikTok’s petition has requested that the Court of Appeals make a decision on the injunction by December 16, 2024.

We will keep you posted.

We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

European law enforcement agencies have taken down yet another encrypted messaging service mainly used by criminals.

The Matrix encrypted messaging service was an invite-only service which was also marketed under the names Mactrix, Totalsec, X-quantum, or Q-safe. Dutch and French authorities started an investigation when the service was found on the phone of a criminal convicted for the murder of Dutch journalist Peter R. de Vries in 2021.

The investigators soon found Matrix was technically more complex than previous platforms such as Sky ECC and EncroChat, which were earlier subjects of law enforcement eavesdropping.

Eventually the authorities were able to intercept the messaging service’s traffic and monitor the activity for three months. The authorities intercepted and deciphered over 2.3 million messages in 33 languages during the investigation.

The intercepted messages mostly dealt with serious organized crimes such as international drug trafficking, arms trafficking, and money laundering. Now, visitors to the the messaging service are alerted to the takedown through a splash page telling them the platform has been disabled by international law enforcement:

“It’s not the first time and will not be the last time we are able to read the messages in real time. We gained access to data related to this service and our investigation does not end here.”

These services don’t come cheap. We don’t know the exact pricing of Matrix, but similar services cost several thousands of dollars per year. Which explains why law enforcement seized four cars, 970 phones, and a house, along with over half a million in crypto and over $150,000 in cash.

With the takedown of Matrix, the encrypted communication landscape for criminals has lost yet another significant player.

Europol stated:

“Criminals, in response to the disruptions of their messaging services, have been turning to a variety of less-established or custom-built communication tools that offer varying degrees of security and anonymity.”

This offers both a challenge and opportunities for law enforcement, since the smaller fish are less tasty, but easier to catch if you’ll pardon me that analogy.

The Matrix messaging service is in no way related to the legitimate Matrix messaging protocol. We don’t want US citizens looking for an encrypted messaging service to shy away from apps built on the Matrix protocol just because it has the same name.

Although I appreciated the hint of the splash page to the media franchise The Matrix.

We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

Last week on Malwarebytes Labs:

• Europol takes down criminal data hub Manson Market in busy month for law enforcement
• Americans urged to use encrypted messaging after large, ongoing cyberattack
• Crypto’s rising value likely to bring new wave of scams
• AI chatbot provider exposes 346,000 customer files, including ID documents, resumes, and medical records
• Repeat offenders drive bulk of tech support scams via Google Ads
• No company too small for Phobos ransomware gang, indictment reveals
• These cars want to know about your sex life (re-air) (Lock and Code S05E25)

Last week on ThreatDown:

• What is Cross-Site Scripting (XSS)?

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

A coordinated action between several European law enforcement agencies shut down an online marketplace called Manson Market that sold stolen data to any interested cybercriminal.

What made this market attractive for cybercriminals was that they could buy data sorted by region and account balance with advanced filtering options. This allowed the criminals to carry out targeted fraud with greater efficiency.

The law enforcement investigation started in 2022 when investigators were able to track very specific information used by scammers to the specialized marketplace. The scammers participated in fraudulent phone calls in which they impersonated bank employees to extract sensitive information, such as addresses and security answers, from their victims.

A network of fake online shops set up to phish for payment information provided one of the sources of stolen data.

Coordinated by Europol, the police in Germany, Finland, the Netherlands, and Norway seized the infrastructure of over 50 servers. With this, more than 200 terabytes of digital evidence have been collected.

Two main suspects were arrested in Germany and Austria on European arrest warrants and are currently awaiting their trials.

The operators of the Manson Market also ran Telegram channels, with one of the channels sharing credit card details, such as the number, expiration date, and the CVC code, for free every day.  

The seized website currently warns visitors that:

“All transactions, communications, and user information associated with this site are now in the custody of law enforcement.

If you have engaged in any illegal activity, you are under investigation.

Criminals are neither anonymous nor safe!

Justice is coming…”

And we can’t deny that European law enforcement had a fruitful week in the fight against online crime.

Earlier this week the German police shut down the servers and arrested one of the administrators of the country’s largest German-speaking online marketplaces for illegal goods and services, including stolen data, drugs, and forged documents.

Europol also published how French and Dutch authorities shut down an encrypted messaging service called MATRIX, which was used by criminals to commit serious crimes, including international drug trafficking, arms trafficking, and money laundering.

The Manson Market case shows once more how important it is to be vigilant with your online purchases. Make sure you are protected, be weary of search results for goods that are in high demand, and keep your personal information safe.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

A years-long infiltration into the systems of eight telecom giants, including AT&T and Verizon, allowed a state sponsored actor to steal vast amounts of data on where, when and who individuals have been communicating with.

Speaking to Reuters, a senior US official said the attack telecommunications infrastructure was broad and that the hacking was still ongoing.

The state-sponsored actor behind the attack is an Advanced Persistent Threat (APT) group known as Salt Typhoon, believed to be tied to the People’s Republic of China (PRC).

Sophisticated state-sponsored campaigns from China are constantly targeting network appliances and devices. Among the culprits are four major APT groups: Volt Typhoon, Salt Typhoon, Flax Typhoon, and Velvet Ant. Volt Typhoon made headlines earlier this year when the FBI removed their malware from hundreds of routers across the US.

The infrastructure that the US government relies to communicate on is made up of the same private sector systems that everybody else uses. By abusing their components that make up part of the infrastructure, the Chinese are said to have been able to eavesdrop on political and industrial leaders in multiple countries.

Speaking to Reuters, the official said they believed a “large number” of American’s metadata was taken. When asked if that might include every Americans’ phone records, they said:

“We do not believe it’s every cell phone in the country, but we believe it’s potentially a large number of individuals that the Chinese government was focused on.”

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have been investigating the incident since late spring, but admitted that there are still many unanswered questions, including the extent of the breach itself.

They have been working with the telecom companies to remove the intruders, but the companies have not been able to fully remove the hackers from their systems.

Anne Neuberger, the US deputy national security adviser for cyber and emerging technologies stated the “Chinese access was broad in terms of potential access to communications of everyday Americans” but she said the hackers only targeted prominent individuals.

According to NBC news, two officials — a senior FBI official who asked not to be named and Jeff Greene, executive assistant director for cybersecurity at CISA– both recommended using encrypted messaging apps to Americans who want to minimize the chances of China’s intercepting their communications.

If you plan to follow that advice, but are new to encrypted messaging, make sure to use an app that offers E2EE (End-to-end encryption). What that means is only the person sending it and the person receiving it can read it.

To achieve this, a message gets encrypted on your device before it is sent out. During transit the message remains encrypted the entire time it is moving across the internet.  Only when the message reaches the recipient’s device can it be decrypted and read.

You don’t need an expensive app to achieve this. Several popular messaging apps and services support end-to-end encryption, such as WhatsApp, Signal, iMessage, Wire, and Telegram.

The FBI official added:

“People looking to further protect their mobile device communications would benefit from considering using a cellphone that automatically receives timely operating system updates, responsibly managed encryption and phishing resistant multi-factor authentication for email, social media, and collaboration tool accounts.”

We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

With the value of cryptocurrencies going to the roof, you can expect several attempts to get defrauded if you even show the slightest interest in the topic or not.

Since most cybercriminals lack creativity and are notoriously lazy, we expect to see only slight variations of old tricks. So, we figured if we showed you some old examples, you would know what to expect and hopefully that will assist you in avoiding them. And avoiding them is in everyone’s best interest—the Federal Bureau of Investigation (FBI) reported estimated losses to cryptocurrency related fraud exceeding $5.6 billion in 2023.

Here’s what to look out for:

Pig butchering scams. We have discussed the workings of pig butchering scams several times. Somebody contacts you out of the blue, sometimes pretending to be a friend you haven’t heard of in ages, sometimes a celebrity, and sometimes someone appearing to have the wrong contact details.

Once the conversation starts, the scammer will slowly move to the subject of interesting “investments” with the goal of cleaning out your accounts. The investments, mind you, are always part of the larger scam. By siphoning your money out of your accounts, and by sometimes even fabricating false “returns” on your investments, the cybercriminals are slowly building trust from you, only to yank away all your money at a later date.

Elon Musk livestreams. Scammers have used deepfake videos of Elon Musk and other wealthy celebrities to deceive investors. These scams make it appear as if this celebrity is discussing specific cryptocurrency opportunities and promising doubled returns on cryptocurrency deposits if victims send in their crypto. Remember, if a celebrity or public figure is suddenly making large promises on specific, individual cryptocurrencies, be cautious about their claims.

Fake crypto trading platforms. If you want to invest in cryptocurrency or want to get out now that the price is right for you, be careful where you conduct the trades. Unfortunately, we have seen a number of devastating exit scams and other deceptive operations where people’s life savings disappeared into thin air.

Advance fee scams. These are closely related to the fake crypto trading platform. In advance fee scams a “trader” asks for an upfront payment, promising a future service or huge return on investment. This is sometimes followed by additional requests to complete the promised transaction, which, as it turns out eventually, will never happen.

Fake bonus scams. Similar to pyramid schemes, there are sites where users would supposedly earn more based on the number of referrals and investment amounts made by their referrals. The victims did indeed see the number of tokens grow steadily. But when they tried to withdraw their funds, they got nothing.

Compromised account scams. Cybercriminals will send a warning to the target and claim that their account has been compromised. If the user responds, the scammers will try to obtain additional information such as the owner’s seed phrase, an important piece of information which thieves can use to empty the account.

Typosquatting. Similar to other typosquatting scams, imposters have registered domain names that are similar to or can easily be confused with legitimate cryptocurrency trading platforms. Should you enter your login credentials on such a fake site, the scammers will harvest them and log in on the actual site to take over your account.

How to protect your investments

A good resource for learning about crypto related scams is the Crypto Scam Tracker website of the California Department of Financial Protection and Innovation (DFPI) where you can find examples of the latest scams that are doing the rounds. Here is how you can stay safe from crypto scams (and other types of common scams found online):

• Use a password manager, it will refuse to fill out your details when it’s on the wrong website.
• Use multi-factor authentication (MFA) to make it harder for criminals to take over your account.
• Don’t respond to messages out of the blue, especially from people you don’t know.
• Don’t click on links in unsolicited emails or messages.
• Carefully research the platforms you plan to do business with.

And always act on the age-old adage: “If it’s too good to be true, it probably is.”

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Researchers have discovered a huge Google Cloud Storage bucket, found freely accessible on the internet and containing a treasure trove of personal information.

AI startup WotNot provides companies with the ability to create their own customized chatbot. The company reportedly has 3,000 customers including some household family names.

But the way its solution is set up introduces an extra link in the chain in the flow of personally identifiable information (PII) from the customer to the company that deployed the chatbot, leaving an additional risk of exposure.

Given the variety in the data the researchers found in the 346,381 files, they suspect that it stems from several WotNot customers. Some of the records that were found included:

• Identification documents including passports, which contain information like full names, dates of birth, passport numbers, and other information cybercriminals love to get their hands on.
• Medical records including diagnoses, treatment history, test results and other medical information that should be private.
• Resumes which include employment history, addresses, education, and contact data like email addresses and phone numbers.

All in all, if a group of cybercriminals finds data like that they can deploy all sorts of schemes to defraud the people whose information they found—ranging from phishing mails that look convincing because they include personal information, to identity theft.

In a statement, WotNot said:

“The cause for the breach was that the cloud storage bucket policies were modified to accommodate a specific use case. However, we regretfully missed thoroughly verifying its accessibility, which inadvertently left the data exposed.”

The “specific use case”  seems to be that these customers were using the “free plan” which apparently comes with no security.

WotNot clarified:

“For enterprise customers, we provide private instances to ensure security and compliance standards are strictly adhered to.”

WotNot also said it typically recommends that its customers delete such files from the server after they have been received and forwarded to their own systems. I would recommend that WotNot customers provide their own customers with a method to send them such files directly.

We have already seen way too many cases where leaks in the supply chain have exposed data from people who had never heard of the company that leaked them.

If anything, the incident shows the importance of checking where your data is going before providing companies with sensitive personal information. But it also demonstrates it’s not always clear to the end user whether there are extra links in the chain to the company they are dealing with.

If you do get a chance, don’t send sensitive data to a chatbot, but ask for a safe company email address instead.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Of all the different kinds of malicious search ads we track, those related to customer service are by far the most common. Brands such as PayPal, eBay, Apple or Netflix are among the most coveted ones as they tend to drive a lot of online searches.

Tech support scammers are leveraging Google ads to lure victims in, getting them on the phone and finally fleecing them. While hard to measure precisely, tech support scams accounted for $924M, according to the FBI’s 2023 Internet Crime Report.

We’ve identified specific advertiser accounts that make up the bulk of fraudulent ads we have reported to Google this past year. What’s interesting is that the scammers keep reusing the same accounts over time. For instance, one advertiser had over 30 reported incidents in the past 3 months.

While it would be foolish to assume fraudsters would stop scamming altogether if those accounts were terminated, it also exposes something problematic with our reporting, and to a greater extent with how Google’s policies apply to repeat offenders.

Search for help, find a scam

Search engines, and Google’s in particular, are our gateway to the web. Yet, that door sometimes opens up to unsavory places thanks to sponsored search results, AKA ads.

Take this search for ‘paypal help‘ which displays an ad as the first result, followed by the official website. While the organic result looks more trustworthy, it does appear under. We should also note that sometimes it shows way below the fold, as documented in our recent blog “Printer problems? Beware the bogus help“.

Not only is the ad malicious, it is also linking to a fraudulent page hosted on Google Sites, Google’s free platform to build websites. The scammers created it with PayPal’s logo to make it look legitimate, with — quite literally — a simple call to action.

Somewhere far in Asia, someone in a call centre is waiting to welcome the next victim by starting with “Hi, welcome to PayPal support, my name is John, how can I help you?“

Repeat offenders

We have found and reported many of such fraudulent ads to Google over the past year. At some point, we realized that the same advertiser accounts kept coming up, begging the question: why would an account with multiple incidents not get blocked permanently?

In the screenshot below, you can see the same advertiser ID associated with over 30 incidents in a period of around 3 months.

In fact, these are only the malicious ads we were able to find, using our own tools. For example, not in the list of targeted brands in our tracking for this account is Amazon. Looking at this advertiser via Google’s Ads Transparency Center, we see a fraudulent ad we had missed reporting:

We reported 2 other advertiser accounts with very similar behavior, and perhaps not just a coincidence is that they all belonged to profiles registered and verified by Google from Vietnam.

Taking down scammers

Going after scammers is a relentless job that both private individuals, companies and government agencies perform day in and day out. It can be frustrating having to repeat the same thing over and over while the offenders have the upper hand.

Having said that, it is possible to make long lasting change by looking at incidents from a macro level. Rather than chasing one-offs, data shows us that criminals tend to reuse the same techniques, and in this case, the same accounts.

It’s unclear why Google has not taken definitive action on the advertiser profiles we have reported. However, we have escalated this issue and hope to see some changes as a result.

The banner image for this blog post contains a typo. It was made using Google’s Gemini AI and despite several requests, it kept getting the spelling wrong.

We don’t just report on threats—we block them

Cybersecurity risks should never spread beyond a headline. Keep threats off by downloading Malwarebytes Browser Guard today.