IT News

A coordinated action between several European law enforcement agencies shut down an online marketplace called Manson Market that sold stolen data to any interested cybercriminal.

What made this market attractive for cybercriminals was that they could buy data sorted by region and account balance with advanced filtering options. This allowed the criminals to carry out targeted fraud with greater efficiency.

The law enforcement investigation started in 2022 when investigators were able to track very specific information used by scammers to the specialized marketplace. The scammers participated in fraudulent phone calls in which they impersonated bank employees to extract sensitive information, such as addresses and security answers, from their victims.

A network of fake online shops set up to phish for payment information provided one of the sources of stolen data.

Coordinated by Europol, the police in Germany, Finland, the Netherlands, and Norway seized the infrastructure of over 50 servers. With this, more than 200 terabytes of digital evidence have been collected.

Two main suspects were arrested in Germany and Austria on European arrest warrants and are currently awaiting their trials.

The operators of the Manson Market also ran Telegram channels, with one of the channels sharing credit card details, such as the number, expiration date, and the CVC code, for free every day.  

The seized website currently warns visitors that:

“All transactions, communications, and user information associated with this site are now in the custody of law enforcement.

If you have engaged in any illegal activity, you are under investigation.

Criminals are neither anonymous nor safe!

Justice is coming…”

And we can’t deny that European law enforcement had a fruitful week in the fight against online crime.

Earlier this week the German police shut down the servers and arrested one of the administrators of the country’s largest German-speaking online marketplaces for illegal goods and services, including stolen data, drugs, and forged documents.

Europol also published how French and Dutch authorities shut down an encrypted messaging service called MATRIX, which was used by criminals to commit serious crimes, including international drug trafficking, arms trafficking, and money laundering.

The Manson Market case shows once more how important it is to be vigilant with your online purchases. Make sure you are protected, be weary of search results for goods that are in high demand, and keep your personal information safe.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

A years-long infiltration into the systems of eight telecom giants, including AT&T and Verizon, allowed a state sponsored actor to steal vast amounts of data on where, when and who individuals have been communicating with.

Speaking to Reuters, a senior US official said the attack telecommunications infrastructure was broad and that the hacking was still ongoing.

The state-sponsored actor behind the attack is an Advanced Persistent Threat (APT) group known as Salt Typhoon, believed to be tied to the People’s Republic of China (PRC).

Sophisticated state-sponsored campaigns from China are constantly targeting network appliances and devices. Among the culprits are four major APT groups: Volt Typhoon, Salt Typhoon, Flax Typhoon, and Velvet Ant. Volt Typhoon made headlines earlier this year when the FBI removed their malware from hundreds of routers across the US.

The infrastructure that the US government relies to communicate on is made up of the same private sector systems that everybody else uses. By abusing their components that make up part of the infrastructure, the Chinese are said to have been able to eavesdrop on political and industrial leaders in multiple countries.

Speaking to Reuters, the official said they believed a “large number” of American’s metadata was taken. When asked if that might include every Americans’ phone records, they said:

“We do not believe it’s every cell phone in the country, but we believe it’s potentially a large number of individuals that the Chinese government was focused on.”

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have been investigating the incident since late spring, but admitted that there are still many unanswered questions, including the extent of the breach itself.

They have been working with the telecom companies to remove the intruders, but the companies have not been able to fully remove the hackers from their systems.

Anne Neuberger, the US deputy national security adviser for cyber and emerging technologies stated the “Chinese access was broad in terms of potential access to communications of everyday Americans” but she said the hackers only targeted prominent individuals.

According to NBC news, two officials — a senior FBI official who asked not to be named and Jeff Greene, executive assistant director for cybersecurity at CISA– both recommended using encrypted messaging apps to Americans who want to minimize the chances of China’s intercepting their communications.

If you plan to follow that advice, but are new to encrypted messaging, make sure to use an app that offers E2EE (End-to-end encryption). What that means is only the person sending it and the person receiving it can read it.

To achieve this, a message gets encrypted on your device before it is sent out. During transit the message remains encrypted the entire time it is moving across the internet.  Only when the message reaches the recipient’s device can it be decrypted and read.

You don’t need an expensive app to achieve this. Several popular messaging apps and services support end-to-end encryption, such as WhatsApp, Signal, iMessage, Wire, and Telegram.

The FBI official added:

“People looking to further protect their mobile device communications would benefit from considering using a cellphone that automatically receives timely operating system updates, responsibly managed encryption and phishing resistant multi-factor authentication for email, social media, and collaboration tool accounts.”

We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

With the value of cryptocurrencies going to the roof, you can expect several attempts to get defrauded if you even show the slightest interest in the topic or not.

Since most cybercriminals lack creativity and are notoriously lazy, we expect to see only slight variations of old tricks. So, we figured if we showed you some old examples, you would know what to expect and hopefully that will assist you in avoiding them. And avoiding them is in everyone’s best interest—the Federal Bureau of Investigation (FBI) reported estimated losses to cryptocurrency related fraud exceeding $5.6 billion in 2023.

Here’s what to look out for:

Pig butchering scams. We have discussed the workings of pig butchering scams several times. Somebody contacts you out of the blue, sometimes pretending to be a friend you haven’t heard of in ages, sometimes a celebrity, and sometimes someone appearing to have the wrong contact details.

Once the conversation starts, the scammer will slowly move to the subject of interesting “investments” with the goal of cleaning out your accounts. The investments, mind you, are always part of the larger scam. By siphoning your money out of your accounts, and by sometimes even fabricating false “returns” on your investments, the cybercriminals are slowly building trust from you, only to yank away all your money at a later date.

Elon Musk livestreams. Scammers have used deepfake videos of Elon Musk and other wealthy celebrities to deceive investors. These scams make it appear as if this celebrity is discussing specific cryptocurrency opportunities and promising doubled returns on cryptocurrency deposits if victims send in their crypto. Remember, if a celebrity or public figure is suddenly making large promises on specific, individual cryptocurrencies, be cautious about their claims.

Fake crypto trading platforms. If you want to invest in cryptocurrency or want to get out now that the price is right for you, be careful where you conduct the trades. Unfortunately, we have seen a number of devastating exit scams and other deceptive operations where people’s life savings disappeared into thin air.

Advance fee scams. These are closely related to the fake crypto trading platform. In advance fee scams a “trader” asks for an upfront payment, promising a future service or huge return on investment. This is sometimes followed by additional requests to complete the promised transaction, which, as it turns out eventually, will never happen.

Fake bonus scams. Similar to pyramid schemes, there are sites where users would supposedly earn more based on the number of referrals and investment amounts made by their referrals. The victims did indeed see the number of tokens grow steadily. But when they tried to withdraw their funds, they got nothing.

Compromised account scams. Cybercriminals will send a warning to the target and claim that their account has been compromised. If the user responds, the scammers will try to obtain additional information such as the owner’s seed phrase, an important piece of information which thieves can use to empty the account.

Typosquatting. Similar to other typosquatting scams, imposters have registered domain names that are similar to or can easily be confused with legitimate cryptocurrency trading platforms. Should you enter your login credentials on such a fake site, the scammers will harvest them and log in on the actual site to take over your account.

How to protect your investments

A good resource for learning about crypto related scams is the Crypto Scam Tracker website of the California Department of Financial Protection and Innovation (DFPI) where you can find examples of the latest scams that are doing the rounds. Here is how you can stay safe from crypto scams (and other types of common scams found online):

• Use a password manager, it will refuse to fill out your details when it’s on the wrong website.
• Use multi-factor authentication (MFA) to make it harder for criminals to take over your account.
• Don’t respond to messages out of the blue, especially from people you don’t know.
• Don’t click on links in unsolicited emails or messages.
• Carefully research the platforms you plan to do business with.

And always act on the age-old adage: “If it’s too good to be true, it probably is.”

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Researchers have discovered a huge Google Cloud Storage bucket, found freely accessible on the internet and containing a treasure trove of personal information.

AI startup WotNot provides companies with the ability to create their own customized chatbot. The company reportedly has 3,000 customers including some household family names.

But the way its solution is set up introduces an extra link in the chain in the flow of personally identifiable information (PII) from the customer to the company that deployed the chatbot, leaving an additional risk of exposure.

Given the variety in the data the researchers found in the 346,381 files, they suspect that it stems from several WotNot customers. Some of the records that were found included:

• Identification documents including passports, which contain information like full names, dates of birth, passport numbers, and other information cybercriminals love to get their hands on.
• Medical records including diagnoses, treatment history, test results and other medical information that should be private.
• Resumes which include employment history, addresses, education, and contact data like email addresses and phone numbers.

All in all, if a group of cybercriminals finds data like that they can deploy all sorts of schemes to defraud the people whose information they found—ranging from phishing mails that look convincing because they include personal information, to identity theft.

In a statement, WotNot said:

“The cause for the breach was that the cloud storage bucket policies were modified to accommodate a specific use case. However, we regretfully missed thoroughly verifying its accessibility, which inadvertently left the data exposed.”

The “specific use case”  seems to be that these customers were using the “free plan” which apparently comes with no security.

WotNot clarified:

“For enterprise customers, we provide private instances to ensure security and compliance standards are strictly adhered to.”

WotNot also said it typically recommends that its customers delete such files from the server after they have been received and forwarded to their own systems. I would recommend that WotNot customers provide their own customers with a method to send them such files directly.

We have already seen way too many cases where leaks in the supply chain have exposed data from people who had never heard of the company that leaked them.

If anything, the incident shows the importance of checking where your data is going before providing companies with sensitive personal information. But it also demonstrates it’s not always clear to the end user whether there are extra links in the chain to the company they are dealing with.

If you do get a chance, don’t send sensitive data to a chatbot, but ask for a safe company email address instead.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Of all the different kinds of malicious search ads we track, those related to customer service are by far the most common. Brands such as PayPal, eBay, Apple or Netflix are among the most coveted ones as they tend to drive a lot of online searches.

Tech support scammers are leveraging Google ads to lure victims in, getting them on the phone and finally fleecing them. While hard to measure precisely, tech support scams accounted for $924M, according to the FBI’s 2023 Internet Crime Report.

We’ve identified specific advertiser accounts that make up the bulk of fraudulent ads we have reported to Google this past year. What’s interesting is that the scammers keep reusing the same accounts over time. For instance, one advertiser had over 30 reported incidents in the past 3 months.

While it would be foolish to assume fraudsters would stop scamming altogether if those accounts were terminated, it also exposes something problematic with our reporting, and to a greater extent with how Google’s policies apply to repeat offenders.

Search for help, find a scam

Search engines, and Google’s in particular, are our gateway to the web. Yet, that door sometimes opens up to unsavory places thanks to sponsored search results, AKA ads.

Take this search for ‘paypal help‘ which displays an ad as the first result, followed by the official website. While the organic result looks more trustworthy, it does appear under. We should also note that sometimes it shows way below the fold, as documented in our recent blog “Printer problems? Beware the bogus help“.

Not only is the ad malicious, it is also linking to a fraudulent page hosted on Google Sites, Google’s free platform to build websites. The scammers created it with PayPal’s logo to make it look legitimate, with — quite literally — a simple call to action.

Somewhere far in Asia, someone in a call centre is waiting to welcome the next victim by starting with “Hi, welcome to PayPal support, my name is John, how can I help you?“

Repeat offenders

We have found and reported many of such fraudulent ads to Google over the past year. At some point, we realized that the same advertiser accounts kept coming up, begging the question: why would an account with multiple incidents not get blocked permanently?

In the screenshot below, you can see the same advertiser ID associated with over 30 incidents in a period of around 3 months.

In fact, these are only the malicious ads we were able to find, using our own tools. For example, not in the list of targeted brands in our tracking for this account is Amazon. Looking at this advertiser via Google’s Ads Transparency Center, we see a fraudulent ad we had missed reporting:

We reported 2 other advertiser accounts with very similar behavior, and perhaps not just a coincidence is that they all belonged to profiles registered and verified by Google from Vietnam.

Taking down scammers

Going after scammers is a relentless job that both private individuals, companies and government agencies perform day in and day out. It can be frustrating having to repeat the same thing over and over while the offenders have the upper hand.

Having said that, it is possible to make long lasting change by looking at incidents from a macro level. Rather than chasing one-offs, data shows us that criminals tend to reuse the same techniques, and in this case, the same accounts.

It’s unclear why Google has not taken definitive action on the advertiser profiles we have reported. However, we have escalated this issue and hope to see some changes as a result.

The banner image for this blog post contains a typo. It was made using Google’s Gemini AI and despite several requests, it kept getting the spelling wrong.

We don’t just report on threats—we block them

Cybersecurity risks should never spread beyond a headline. Keep threats off by downloading Malwarebytes Browser Guard today.

The US Department of Justice has charged a Russian national named Evgenii Ptitsyn with selling, operating, and distributing a ransomware variant known as “Phobos” during a four-year cybercriminal campaign that extorted at least $16 million from victims across the world.

The government’s indictment against Ptitsyn should dispel any notion that ransomware gangs only target the largest, richest, most robust corporations on the planet, as one Phobos affiliate allegedly extorted a Maryland-based healthcare provider out of just $2,300—possibly the lowest payment ever recorded.

In a November 18 statement, Principal Deputy Assistant Attorney General Nicole M. Argentieri, head of the Justice Department’s Criminal Division, stressed the wanton victim targeting by Ptitsyn’s ransomware network.

“Ptitsyn and his co-conspirators hacked not only large corporations but also schools, hospitals, nonprofits, and a federally recognized tribe, and they extorted more than $16 million in ransom payments.”

Ransomware is the single most devastating cyberthreat to businesses today. Through a variety of evolving techniques, cybercriminals break into a company’s network and then deploy ransomware to lock down every file, computer, and sensitive piece of data within reach. The files cannot be unlocked without a “decryption key,” which the cybercriminals will only offer for a price.

But for many companies, the price of a ransom demand isn’t the only dilemma they face, as the price of recovery can be even heftier.

According to Malwarebytes’ business unit, ThreatDown, the average cost of a ransomware attack—excluding the ransom itself—is a whopping $4.7 million. That enormous sum represents a company’s downtime during a ransomware attack, any reputational damage it suffers, and the lengthy recovery process of rebuilding databases and reestablishing workplace accounts and permissions.

From what was revealed in the government’s indictment against Ptitsyn, those costs were likely beyond reach for many Phobos victims, which included a marketing and data analytics firm in Arizona, a Connecticut public school system, and an automotive company out of Ohio.

According to an analysis of Phobos ransom demands last year, these smaller targets line up with the gang’s focus. In 2023, ThreatDown discovered that, unlike other ransomware gangs that demanded up to $1 million or more from each victim, Phobos operators demanded an average of $1,719 from victims, with a median demand of just $300.

Smaller demands mean little, however, for the companies hit by the ransomware.

Ptitsyn, who was extradited to the United States out of South Korea, now faces 13 counts, which include wire fraud, conspiracy to commit wire fraud, and conspiracy to commit computer fraud and abuse, along with four counts each of causing intentional damage to protected computers and extortion in relation to hacking. According to the Department of Justice, the charges carry a “maximum penalty of 20 years in prison for each wire fraud count; 10 years in prison for each computer hacking count; and five years in prison for conspiracy to commit computer fraud and abuse.”

How to protect your small business from ransomware

As is true with all malware infections, the best defense to a ransomware attack is to never allow an attack to occur in the first place. Take on the following steps to secure your business from this existential threat:

• Block common forms of entry. Patch known vulnerabilities in internet-facing software and disable or harden the login credentials for remote work tools like RDP ports and VPNs.
• Prevent intrusions and stop malicious encryption. Stop threats early before they can infiltrate or infect your endpoints. Use always-on cybersecurity software that can prevent exploits and malware used to deliver ransomware.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated an outbreak and stopped a first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

This week on the Lock and Code podcast…

Two weeks ago, the Lock and Code podcast shared three stories about home products that requested, collected, or exposed sensitive data online.

There were the air fryers that asked users to record audio through their smartphones. There was the smart ring maker that, even with privacy controls put into place, published data about users’ stress levels and heart rates. And there was the smart, AI-assisted vacuum that, through the failings of a group of contractors, allowed an image of a woman on a toilet to be shared on Facebook.

These cautionary tales involved “smart devices,” products like speakers, fridges, washers and dryers, and thermostats that can connect to the internet.

But there’s another smart device that many folks might forget about that can collect deeply personal information—their cars.

Today, the Lock and Code podcast with host David Ruiz revisits a prior episode from 2023 about what types of data modern vehicles can collect, and what the car makers behind those vehicles could do with those streams of information.

In the episode, we spoke with researchers at Mozilla—working under the team name “Privacy Not Included”—who reviewed the privacy and data collection policies of many of today’s automakers.

To put it shortly, the researchers concluded that cars are a privacy nightmare. 

According to the team’s research, Nissan said it can collect “sexual activity” information about consumers. Kia said it can collect information about a consumer’s “sex life.” Subaru passengers allegedly consented to the collection of their data by simply being in the vehicle. Volkswagen said it collects data like a person’s age and gender and whether they’re using your seatbelt, and it could use that information for targeted marketing purposes. 

And those are just the highlights. Explained Zoë MacDonald, content creator for Privacy Not Included: 

“We were pretty surprised by the data points that the car companies say they can collect… including social security number, information about your religion, your marital status, genetic information, disability status… immigration status, race.”

In our full conversation from last year, we spoke with Privacy Not Included’s MacDonald and Jen Caltrider about the data that cars can collect, how that data can be shared, how it can be used, and whether consumers have any choice in the matter.

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Last week on Malwarebytes Labs:

• Printer problems? Beware the bogus help
• Data broker exposes 600,000 sensitive files including background checks
• Medical testing company LifeLabs failed to protect customer data, report finds
• Explained: the Microsoft connected experiences controversy
• Spotify, Audible, and Amazon used to push dodgy forex trading sites and more
• “Hilariously insecure”: Andrew Tate’s The Real World breached, 800,000 users affected

Last week on ThreatDown:

• What is Buffer Overflow?
• Beluga phishing campaign targets OneDrive credentials

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Anyone who has ever used a printer likely has had a frustrating experience at some point. There always seems to be some kind of issue with the software not responding, paper getting jammed or one of many other possible failures.

When people need help, they often turn to Google (and now AI) to look for an answer. This is where scammers come in, preying on unsuspecting and irate users ready to throw their printer out the window.

After clicking on a malicious Google ad, victims are redirected to a fraudulent site often using official brand names and logos. The crooks’ end goal is to get people to call them, and they achieve that by tricking them with fake printer drivers that always fail to install.

In this blog post, we review how this scam works and how to stay away from it.

Malicious Search Ads

Two of the most popular printer brands are HP and Canon. If you were to Google for help related to either of those brands right now, you would likely see sponsored results at the top of the search results page.

Unfortunately, in the majority of cases these ads are not from trusted providers but instead from tech support scammers. In the image below, you can see 4 ads shown for the query ‘hp printer help‘. It’s only after those that the official HP website appears.

If you were to say that consumers stand no chance, you’d be right. Unless you clicked on the official (organic search results), you’d end up getting scammed.

The list of sites includes:

megadrive[.]solutions
geeksprosoftwareprints[.]org
select-easy123print[.]com
printcaretech[.]com

The driver scam

A driver is a software program that your computer uses to talk to physical hardware (i.e. your printer). In the early Microsoft Windows days, drivers were very important to get printers, monitors and other peripherals working. Today, the operating system is usually good at detecting new hardware and installing the required drivers automatically. There are some exceptions, not to mention that some manufacturers like to package additional software with their drivers.

After clicking on a malicious ad, the website instructs you to enter your printer’s model number in order to download the required driver, which it proceeds to “install”. This is entirely fake, and the only thing the website displays is a recorded animation that will always end up with the same error message.

This type of error is very similar to those seen in the “Microsoft tech support scam”, typically done via a browser hijack. Scammers want to scare and then get their victims to contact them directly, via phone or live chat.

Remote access and extortion

There are many people that fall for these types of scams and entire armies of tech support agents working in poor conditions ready to defraud them. The script is usually standard across scams, with the support agent impersonating a popular brand and requesting personal information from the victim.

It is quite common for scammers to request and be granted remote access to the user’s computer. This gives them leverage to do a number of things, such as stealing data, locking the machine or even using it to log into the victim’s bank account.

This is why it is so important to be extremely cautious with online search ads, and search results in general. Browser extensions such as Malwarebytes Browser Guard will block ads but also the scam or malware sites associated with these schemes.

This won’t help with your printer issues, but at least it’ll save you the trouble of being defrauded. When it comes to such questions, online forums are usually a good place to start, and if you’re lucky to count a computer person in your family, that’s always a good favor to ask for.

A researcher has discovered a data broker had stored 644,869 PDF files in a publicly accessible cloud storage container.

The 713.1 GB container (an Amazon S3 bucket ) did not have password-protection, and the data was left unencrypted, so anybody who stumbled on them could read the files. The files not only contained thousands of people’s vehicle records (license plate and VIN) and property ownership reports, but also criminal histories, and background checks.

The majority of the records were labelled as background checks which contained full names, home addresses, phone numbers, email addresses, employment history, family members, social media accounts, and criminal record history.

Data brokers collect and sell your information, including financial, personal, behavior and interests, for profit. SL Data Services markets itself as a provider of real estate information reports. But when the researcher contacted its support team, they stated the company also provides criminal checks, division of motor vehicles (DMV) records, death and birth records.

Probably to organize the data to this end, the folders inside the container all had names of separate website domains. The company apparently operates a network of an estimated 16 different websites, offering a range of information services (e.g. PropertyRec).

Background checks can and are often done without the subject’s awareness. But with all the combined information about a person, it paints a very complete picture that insurance companies, advertisers, and even cybercriminals can use to their advantage.

The researcher explained:

“I am not stating nor implying that Propertyrec’s customers or any individuals are at risk of impersonation, spear phishing, or social engineering attacks, I am only providing a real world risk scenario of how this type of information could possibly be exploited by criminals.”

And to make things worse—if possible– the files had names that used the following format: “First_Middle_Last_State.PDF.” Which makes it incredibly easy for anyone, whether they are supposed to have access or not, to find a person of interest and read that file.

It took the researcher quite a few calls and emails to get the exposed data taken out of public sight, and SL Data Services never provided the researcher with a response, let alone an explanation how this could happen.

Don’t give up your information, remove it where you can

Unfortunately, incidents like this are commonplace, so it’s clear that we should take it upon ourselves to make sure our information can’t be found by data brokers.

Removing your personal information from data broker sites can be a complex and time-consuming process. While manual opt-outs are effective, they require considerable effort to keep up with new data entries and the reappearance of your information on various sites. This is where data broker removal services come in handy. 

Data broker removal services are designed to automate the process of finding and removing your personal information from data broker databases. These services regularly scan known databases for your information and submit opt-out requests on your behalf, ensuring a more comprehensive and continuous protection of your privacy. 

Malwarebytes offers a Personal Data Remover service (US only) that can delete your information from search results, spam lists, people search sites, data brokers, and more.