IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

We’re making it easier for you to protect your identity 

Things have changed in cybersecurity. 

Gone are the days when our only worry was downloading a virus. Now, 71% of people say having their data leaked and identity stolen is one of their biggest fears about being online. Sadly, they’re right to be concerned: Fraud losses hit $10 billion in 2023 (up 14% from 2022). 

But as the threats have evolved, so have we, and over the last year we’ve added products that protect your entire digital life. Now we’re making things even easier: We’re embedding our identity solutions into our Malwarebytes dashboard so you can manage everything in one place.  


Our all-new identity module lets you: 

  • Scan for your exposed personal data for free 
  • Upgrade or manage your identity theft protection (active alerts and insurance) 

Available now for Windows. More platforms on the way. 

Try it yourself: Simply open Malwarebytes, or if you don’t have our app you can download it here.

X accused of unlawfully using personal data of 60 million+ users to train its AI

In what may come as a surprise to nobody at all, there’s been yet another complaint about using social media data to train Artificial Intelligence (AI).

This time the complaint is against X (formerly Twitter) and Grok, the conversational AI chatbot developed by Elon Musk’s company xAI. Grok is a large language model (LLM) chatbot able to generate text and engage in conversations with users.

Unlike other chatbots, Grok has the ability to access information in real-time through X and to respond to some types of questions that would typically face rejection by other AI systems. Grok is available for X users that have a Premium or Premium+ subscription.

According to European privacy group NOYB (None Of Your Business):

“X began unlawfully using the personal data of more than 60 million users in the EU/EEA to train its AI technologies (like “Grok”) without their consent.”

NOYB decided to follow up on High Court proceedings launched by the Irish Data Protection Commission (DPC) against Twitter International Unlimited Company over concerns about the processing of the personal data of European users of the X platform, as it said it was unsatisfied with the outcome of those proceedings.

Dublin-based Twitter International Unlimited Company is the data controller in the EU with respect to all personal data on X.

The DPC claimed that by its use of Grok, Twitter International is not complying with its obligations under the GDPR, the EU regulation that sets guidelines for information privacy and data protection.

Despite the after-the-fact implementation of mitigation measures, the DPC says that the data of a very significant number of X’s millions of European-based users have been and continue to be processed without the protection of these mitigation measures, which isn’t consistent with rights under GDPR.

But NOYB says the DPC is missing the mark:

“The court documents are not public, but from the oral hearing we understand that the DPC was not questioning the legality of this processing itself. It seems the DPC was concerned with so-called ‘mitigation measures’ and a lack of cooperation by Twitter. The DPC seems to take action around the edges, but shies away from the core problem.”

For this reason, NOYB has now filed GDPR complaints with data protection authorities in nine countries (Austria, Belgium, France, Greece, Ireland, Italy, Netherlands, Poland, and Spain).

All they had to do was ask

The EU’s GDPR provides an easy solution for companies that wish to use personal data for AI development and training: Just ask users for their consent in a clear way. But X just took the data without asking for permission and later created an opt-out option referred to as the mitigation measures.

It wasn’t until two months after the start of the Grok training that users noticed X had activated a default setting for everyone that gives the company the right to use their data to train Grok. The easiest way to check if you are sharing your data is to visit https://x.com/settings/grok_settings while you are logged in to X. If there is a checkmark, you are sharing your data for the training of Grok. Remove that checkmark and it stops.


In a similar case about the use of personal data for targeted advertising, Meta argued that it has a legitimate interest that overrides users’ fundamental rights. This counts as one of the six possible legal bases to escape GDPR regulations, but the Court of Justice rejected this reasoning.

Many AI system providers have run into problems with GDPR, specifically the regulation that stipulates the “right to be forgotten,” which is something most AI systems are unable to comply with. A good reason not to ingest these data into their AI systems in the first place, I would say.

Likewise, these companies always claim that it’s impossible to answer requests to get a copy of the personal data contained in training data or the sources of such data. They also claim they have an inability to correct inaccurate personal data. All these concerns raise a lot of questions when it comes to the unlimited ingestion of personal data into AI systems.

When the EU adopted the EU Artificial Intelligence Act (“AI Act”), which aims to regulate artificial intelligence (AI) to ensure better conditions for the development and use of this innovative technology, some of these considerations played a role. Article 2(7), for example, calls for the right to privacy and protection of personal data to be guaranteed throughout the entire lifecycle of the AI system.


We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Cyrus, powered by Malwarebytes.

Malwarebytes awarded Parent Tested Parent Approved Seal of Approval

We’re delighted to say Malwarebytes has been awarded the Parent Tested Parent Approved Seal of Approval for product excellence. 

The Seal of Approval is given to products that have earned the trust of families, and serves as a quick and reliable indicator of quality and dependability for parents and caregivers. 

Malwarebytes Plus, our Premium Security + Privacy VPN bundle, was tested and reviewed by a group of parents, and scored high in areas of ease of installation and use, value for money, and effectiveness.  

Reviewers noted that Malwarebytes Plus not only enhanced their device security, but also provided them with peace of mind, making them feel more confident about their family’s online safety. 

100% of the reviewers said they found it “very easy” to set up Malwarebytes on their device, with 94% saying they would continue using Malwarebytes after the testing period. 

They also praised the user friendliness of the program:

“Malwarebytes Plus is hands down the best antivirus system on the market. You don’t have to be a rocket scientist to run it – it does all the work for you!” 

94% said Malwarebytes was “very easy” to use for protecting their privacy online. One reviewer highlighted the peace of mind it offers: “I think every parent would feel safe about their children’s computer use after installing this software.” 

Sharon Vinderine, Founder and CEO of Parent Tested Parent Approved said:

“The Parent Tested Parent Approved Seal of Approval is much more than an award; it’s the at-a-glance symbol of trust and reliability for millions of families.” 

Protect your—and your family’s—devices by using Malwarebytes.

Data theft forum admins busted after flashing their cash in a life of luxury

Two men without a clear source of income landed cyberfraud charges after being so flash with their ill-gotten cash that it gained the attention of the authorities.

In 2022, Russian national Pavel Kublitskii and Kazakhstan national Alexandr Khodyrev arrived in Florida and requested asylum, which was granted by the Department of Homeland Security (DHS).  Both provided DHS with the same residence address in Hollywood, Florida.

However, their lavish lifestyle was unusual. For example, Kublitskii opened a Bank of America account with a cash deposit of $50,000 and rented a luxury house, while Khodyrev purchased a 2023 Corvette with approximately $110,000 cash. All while appearing to not have a job.

The investigation indicated that the two men were involved in the activities of the dark web platform WWH Club and related forums Skynetzone, Opencard, and Center-Club.

WWH Club and the other forums are Dark Web marketplaces where cybercriminals buy, sell, and trade login credentials, personal identifying information (PII), malware, fake identification documents, and financial credentials. The forums even provide training for aspiring cybercriminals.

The FBI was able to determine the IP addresses of the WWH Club site’s administrators after obtaining a search warrant for the US-based Cloud company Digital Ocean. Based on the information derived from the logs, the FBI agent concluded:

“In addition to the forum owner and creator, it appears there are several other top administrators who operate the site and receive a portion of the generated revenue. One of those top administrators operates under the username “Makein.” The FBI agent provides details which show there is probable cause to believe that Kublitskii and Khodyrev both serve as administrators of WWH and share the Makein username.”

Makein is also the handle of the owner and primary administrator of Skynetzone.

Part of the offered training at WWH was a scheme that recruited and taught users to purchase items with stolen credit card data. An FBI covert online employee registered for an account on WWH and paid approximately $1,000 in bitcoin to attend the WWH training.

While on the forums, the agent saw a post where a user was selling stolen PII of people and businesses in the US. Buyers could choose how many people’s PII they wished to buy and specify the particular US state of residence, gender, age, and the credit score of their desired victims. In exchange for $110, paid in Bitcoin, the WWH seller sent the undercover agent a folder containing 20 files, each of which contained the name, date of birth, Social Security Number (SSN), state of residency, address, credit score, credit report, and account information from LendingTree.com for a US citizen.

The lead FBI agent explained:

“I know, based on my training and experience, that the presence of account information from LendingTree.com suggests that this stolen PII derived from a February 2022 breach of LendingTree that compromised the data of over 200,000 customers.”

The FBI researched domain registrations, exchanged messages, Bitpay transactions, blockchain analysis, and other digital evidence and came to the conclusion that the suspects shared the Makein account and were responsible for the cybercrimes committed by that persona.

Agents obtained records from Google which revealed that messages from and to their accounts often contained stolen PII and credit card information and which tied the account to the suspects.

With probable cause provided, the FBI agent asked the court to authorize the criminal complaint charging the suspects with conspiracy for trafficking in unauthorized access devices and possession of 15 or more unauthorized access devices.

Kublitskii has been placed under arrest. It is not clear if Khodyrev was arrested as well. The WWH forums are running as usual and the current administrators acknowledge that the suspects were involved, but only as moderators.

Check your digital footprint

If you want to find out how much of your data has been exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.


We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

AI girlfriends want to know all about you. So might ChatGPT (Lock and Code S05E17)

This week on the Lock and Code podcast…

Somewhere out there is a romantic AI chatbot that wants to know everything about you. But in a revealing overlap, other AI tools—which are developed and popularized by far larger companies in technology—could crave the very same thing.

For AI tools of any type, our data is key.

In the nearly two years since OpenAI unveiled ChatGPT to the public, the biggest names in technology have raced to compete. Meta announced Llama. Google revealed Gemini. And Microsoft debuted Copilot.

All these AI features function in similar ways: After having been trained on mountains of text, videos, images, and more, these tools answer users’ questions in immediate and contextually relevant ways. Perhaps that means taking a popular recipe and making it vegetarian friendly. Or maybe that involves developing a workout routine for someone who is recovering from a new knee injury.

Whatever the ask, the more data that an AI tool has already digested, the better it can deliver answers.

Interestingly, romantic AI chatbots operate in almost the same way, as the more information that a user gives about themselves, the more intimate and personal the AI chatbot’s responses can appear.

But where any part of our online world demands more data, questions around privacy arise.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Zoë MacDonald, content creator for Privacy Not Included at Mozilla about romantic AI tools and how users can protect their privacy from ChatGPT and other AI chatbots.

When in doubt, MacDonald said, stick to a simple rule:

“I would suggest that people don’t share their personal information with an AI chatbot.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Google Manifest V3 and Malwarebytes Browser Guard

We wanted to update you on some changes that Google’s making, and what we’re doing in Browser Guard to keep you protected. 

Some of our customers have recently reported seeing messages that say Browser Guard may soon no longer be supported in their browser. Luckily, there’s no need for you to worry: You’ll continue to get the same Browser Guard protection and experience; we’ve just had to make some adjustments in how we build the extension.

Today, we brought out the new version of Browser Guard which addresses Google’s changes. If you want to read more of the technical details then you can do so below, or you can head straight over to the Chrome or Edge stores now to update. 

A similar change in Firefox is coming soon and we’ll let you know when it’s ready. 

What is Google changing? 

For those not familiar with the terms, Google’s Manifest V2 and V3 are the “rules” that browser extension developers are required to follow if they want their extensions to get accepted into the Chrome Web Extension Store.  

Google says Manifest V3 was brought in to improve the security, privacy, performance, and trustworthiness of the extension ecosystem, while still protecting existing functionality. 

The phasing out of Manifest V2 began at the end of May, and the Chrome Web Store no longer accepts Manifest V2 extensions, although browsers can still use them for the time being. 

How does Manifest V3 affect Browser Guard? 

One of the new changes that impacts Browser Guard and many other ad (and malicious content) blockers is that extensions will be limited in the number of rules they can include. That’s a problem because ad blockers historically rely on a large number of rules. 

Cybercriminals have the habit of setting up new domains by the dozen, and, generally speaking, each blocked domain or subdomain requires one rule. So if ad blockers want to keep up, they too have to continuously create new rules. 

Google has made some compromises after objections were raised when the company first announced Manifest V3, but there are still limitations which have an effect. 

How Malwarebytes has dealt with this 

The new limitations of Manifest V3 meant we had to develop a different way to block content for our users that use Chromium based browsers like Google Chrome and Microsoft Edge.  

The new Browser Guard uses a mix of static and dynamic rules to protect our users. 

Static rules are rules that are contained in the ruleset files which can be seen as block lists. These files are shipped with each version release. 

Dynamic rules are rules that can be added and removed at runtime. Chrome allows up to 30,000 dynamic rules. Browser Guard uses dynamic rules for two purposes: 

  • Session rules are dynamic rules that can be added and removed at runtime, but they are session-scoped and are cleared when the browser shuts down and when a new version of the browser is installed. 
  • Dynamic rules can be used to store allow lists, user blocked content, and general rules that block more than one domain. Take, for example, the IP address of a server that is known to host nothing but phishing sites. 

To deal with urgent situations we can use ruleset overrides, which are a mechanism by which we can override the static rules shipped with Browser Guard without requiring our users to add exclusions. 
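The dynamic-rule handling described above can be sketched with Chrome's `declarativeNetRequest` rule format. This is an added example, not Browser Guard's code: the hostnames, the IP address, the rule IDs and the helper names (`normalizeHost`, `makeRule`, `planDynamicRules`, `applyPlan`) are constructed for illustration, and the 30,000 limit is the figure quoted in this article.

```javascript
// Added example: not Browser Guard's code. Hosts, IP and rule IDs are constructed.
const DYNAMIC_RULE_LIMIT = 30000; // dynamic-rule figure quoted in the article
// Omitting resourceTypes would leave main_frame (page navigations) unblocked.
const RESOURCE_TYPES = ["main_frame", "sub_frame", "script", "xmlhttprequest"];

// Accept only plain hostnames or IPv4 literals. Characters such as * | ^ have
// meaning in urlFilter syntax, so a malformed feed entry could widen a rule.
function normalizeHost(entry) {
  const host = String(entry).trim().toLowerCase().replace(/\.$/, "");
  const label = "[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?";
  const pattern = new RegExp(`^${label}(\\.${label})+$`);
  return host.length <= 253 && pattern.test(host) ? host : null;
}

// One rule per host: "||host^" matches the host itself and its subdomains.
function makeRule(id, host, type, priority) {
  return {
    id,
    priority,
    action: { type },
    condition: { urlFilter: `||${host}^`, resourceTypes: RESOURCE_TYPES },
  };
}

// Build the argument for updateDynamicRules: replace the whole dynamic set,
// keep every allow-list entry, and fit as many block rules as the limit allows.
function planDynamicRules(blockEntries, allowEntries, existingIds = [], limit = DYNAMIC_RULE_LIMIT) {
  const clean = (entries) => [...new Set(entries.map(normalizeHost).filter(Boolean))];
  const invalid = (entries) => entries.filter((e) => normalizeHost(e) === null).length;
  const allow = clean(allowEntries).slice(0, limit);
  const allowed = new Set(allow);
  // A host the user explicitly allowed does not need a block rule at all.
  const block = clean(blockEntries).filter((host) => !allowed.has(host));
  const kept = block.slice(0, Math.max(0, limit - allow.length));

  let nextId = 1;
  const addRules = [
    // Higher priority, so an allow rule wins over any block rule it overlaps.
    ...allow.map((host) => makeRule(nextId++, host, "allow", 2)),
    ...kept.map((host) => makeRule(nextId++, host, "block", 1)),
  ];
  return {
    removeRuleIds: existingIds,
    addRules,
    rejected: invalid(blockEntries) + invalid(allowEntries),
    overBudget: block.length - kept.length, // block hosts that did not fit
  };
}

// Inside an extension this applies the plan; elsewhere (e.g. Node) it is a no-op.
async function applyPlan(plan) {
  if (typeof chrome === "undefined" || !chrome.declarativeNetRequest) return false;
  await chrome.declarativeNetRequest.updateDynamicRules({
    removeRuleIds: plan.removeRuleIds,
    addRules: plan.addRules,
  });
  return true;
}

// Constructed feed: "*" is malformed and my-bank.example is also allow-listed.
// The IP literal only matches URLs that use the address itself as their host.
const samplePlan = planDynamicRules(
  ["Phish-Login.example", "cdn.bad-ads.example", "203.0.113.7", "*", "my-bank.example"],
  ["my-bank.example"],
  [1, 2, 3]
);
console.log(samplePlan.addRules.map((r) => `${r.id} ${r.action.type} ${r.condition.urlFilter}`));
```

The `overBudget` count is the part worth monitoring: once a block list outgrows the dynamic-rule limit, the hosts that did not fit are simply not blocked.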

Your version of Browser Guard will be automatically updated to the latest version, but if you want to get it now you can do so for Chrome or Edge.

Thanks for continuing to choose Malwarebytes to protect you. 

A week in security (August 5 – August 11)

Security company ADT announces security breach of customer data

Electronic surveillance equipment provider ADT filed a form 8-K with the Securities and Exchange Commission (SEC) to report “a cybersecurity incident during which unauthorized actors illegally accessed certain databases containing ADT customer order information.”

An 8-K is a report of unscheduled material events or corporate changes at a company that could be of importance to the shareholders or the Securities and Exchange Commission (SEC).

ADT filed the 8-K on August 7, adding that the incident happened “recently,” but refraining from providing an exact date. The company also did not provide an exact number of victims—only that the victims were personally notified about the breach.

Away from ADT’s official disclosures, on July 31, a cybercriminal with the handle “netnsher” announced the leak of a database purportedly belonging to ADT. According to the cybercriminal’s post:


“The infamous security company ADT with $5B revenue suffered a databreach exposing over 30,812 records including 30,400 unique emails, the records contain: CustomerEmail, Full address, User ID, Products bought, etc….”

According to ADT, the stolen data included:

  • Email addresses
  • Phone numbers
  • Home addresses

The company also added that:

“Based on its investigation to date, the Company has no reason to believe that customers’ home security systems were compromised during this incident.”

The leak announcement by netnsher promises 30,812 records including 30,400 unique email addresses and “Products bought.”

Although ADT does not believe the attackers stole customers’ credit card data or banking information, that last addition might make the database valuable for burglars. But phishing operations might also use the information to their advantage.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.



Stolen data from scraping service National Public Data leaked online

Cybercriminals are offering a large database for sale that may include your data without you even being aware of its existence.

The stolen data comes from a data scraping service trading under the name “scraping” which was allegedly breached by a cybercriminal group by the name of USDoD.

In April, a member of this group posted the database, which contains the data of some 2.9 billion people, up for sale for $3.5 million. Then, earlier this week, the 277 GB of data was offered for download for free on the notorious BreachForums by another member of the USDoD group.


The database contains records that, among others, contain the fields:

  • First name
  • Last name
  • Middle name
  • Date of Birth
  • Address
  • City
  • County
  • State
  • Zip code
  • Phone number
  • Social Security Number

The publication of the data came a few days after a complaint was filed in the US District Court for the Southern District of Florida. The complaint against Jerico Pictures Inc, trading as National Public Data, accuses the defendant of failure to properly secure and safeguard the personally identifiable information (PII) that it collected as part of its regular business practices.

Jerico Pictures is a background check company that allows its customers to instantly search their database containing billions of records. The data in these records is scraped from non-public sources without knowledge or consent. A major problem with this is that the company has no ties with the victims, so most of them will have no idea that their data has been made public.

The plaintiff filed the complaint after an identity theft protection service notified them in July that their personal information had been compromised and leaked on the dark web.

Meanwhile, some of the victims have apparently already noticed misuse of their Social Security Numbers.

One of the requests of the plaintiff is for the court to require National Public Data to purge the personal information of all the individuals affected and to encrypt all data collected going forward.

We have voiced our objections against data brokers in the past. The same is true for data scrapers like National Public Data, because, as we have seen, breaches at these data brokers can be combined with others and result in a veritable treasure trove of personal data ending up in the hands of cybercriminals. This database by itself qualifies as such a treasure trove and it is now available to every cybercriminal out there.


Android vulnerability used in targeted attacks patched by Google

Google has released patches for 46 vulnerabilities in Android, including a remote code execution (RCE) vulnerability that it says has been used in limited, targeted attacks.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for updates.

If your Android phone is at patch level 2024-08-01 or later then the issues discussed below have been fixed. The updates have been made available for Android 12, 12L, 13, and 14. Android partners, such as Samsung, Sony, etc., are notified of all issues at least a month before publication. However, this doesn’t always mean that the patches are available for devices from all vendors.

For most Android devices, you can check for new updates like this: Under About phone or About device you can tap on Software updates, although there may be slight differences based on the brand, type, and Android version.

Technical details

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The actively exploited vulnerability is listed as:

CVE-2024-36971 is a use after free (UAF) vulnerability in the Linux kernel. The vulnerability could lead to remote code execution with System execution privileges needed.

This Linux kernel vulnerability affects the Android OS because the Android kernel is based on an upstream Linux Long Term Supported (LTS) kernel. This kernel is like the engine of the operating system, managing the hardware and basic functions.

The Android kernel is based on a version of the Linux kernel, which is a popular core for many operating systems. Specifically, Android uses a version of the Linux kernel that is designated as “Long Term Supported” (LTS). This means it’s a version that gets updates and fixes for a longer period than regular versions, ensuring it stays secure and stable over time.

UAF is a type of vulnerability that happens when a program incorrectly handles its memory. When a program frees up a piece of memory but still tries to use it afterward, an attacker can exploit this mistake. This can cause the program to crash, behave unpredictably, or even run harmful code. In this case it allows the attacker to remotely execute code on the device if they have enough privileges.

Attackers would need to gain the needed privileges to use this vulnerability by combining it with other vulnerabilities.


We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.