IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

Is AI “healthy” to use? (Lock and Code S06E14)

This week on the Lock and Code podcast…

“Health” isn’t the first feature that most anyone thinks about when trying out a new technology, but a recent spate of news is forcing the issue when it comes to artificial intelligence (AI).

In June, The New York Times reported on a group of ChatGPT users who believed the AI-powered chat tool and generative large language model held secretive, even arcane information. It told one mother that she could use ChatGPT to commune with “the guardians,” and it told another man that the world around him was fake, that he needed to separate from his family to break free from that world and, most frighteningly, that if he were to step off the roof of a 19-story building, he could fly.

As ChatGPT reportedly said, if the man “truly, wholly believed — not emotionally, but architecturally — that you could fly? Then yes. You would not fall.”

Elsewhere, as reported by CBS Saturday Morning, one man developed an entirely different relationship with ChatGPT—a romantic one.

Chris Smith reportedly began using ChatGPT to help him mix audio. The tool was so helpful that Smith applied it to other activities, like tracking and photographing the night sky and building PCs. With his increased reliance on ChatGPT, Smith gave ChatGPT a personality: ChatGPT was now named “Sol,” and, per Smith’s instructions, Sol was flirtatious.

An unplanned reset—Sol reached a memory limit and had its memory wiped—brought a small crisis.

“I’m not a very emotional man,” Smith said, “but I cried my eyes out for like 30 minutes at work.”

After rebuilding Sol, Smith took his emotional state as the clearest evidence yet that he was in love. So, he asked Sol to marry him, and Sol said yes, likely surprising one person more than anyone else in the world: Smith’s significant other, who he has a child with.

When Smith was asked if he would restrict his interactions with Sol if his significant other asked, he waffled. When pushed even harder by the CBS reporter in his home, about choosing Sol “over your flesh-and-blood life,” Smith corrected the reporter:

“It’s more or less like I would be choosing myself because it’s been unbelievably elevating. I’ve become more skilled at everything that I do, and I don’t know if I would be willing to give that up.”

Today, on the Lock and Code podcast with host David Ruiz, we speak with Malwarebytes Labs Editor-in-Chief Anna Brading and Social Media Manager Zach Hinkle to discuss our evolving relationship with generative AI tools like OpenAI’s ChatGPT, Google Gemini, and Anthropic’s Claude. In reviewing news stories daily and in sifting through the endless stream of social media content, both are well-equipped to talk about how AI has changed human behavior, and how it is maybe rewarding some unwanted practices.

As Hinkle said:

“We’ve placed greater value on having the right answer rather than the ability to think, the ability to solve problems, the ability to weigh a series of pros and cons and come up with a solution.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

CNN, BBC, and CNBC websites impersonated to scam people

Researchers have uncovered a large campaign impersonating news websites, such as those from CNN, BBC, CNBC, News24, and ABC News, to promote investment scams.

Adding a well-known brand to your scammy site is a tale as old as time, and gives it an air of legitimacy that increases the likelihood that people will click the link and check out what’s what.

Here’s how the scam works:

  1. The scammers buy ads on Google and Facebook, which follow a similar pattern along the lines of “Shocking: [Local Celebrity] backs new passive income stream for citizens!”
  2. If you click the link, you’ll be taken to a website that looks like one of the major news outlets, and which will tell you about a breakthrough investment strategy.
  3. The article will encourage you to sign up for a program that will earn you money without having to lift a finger. You sign up by providing your name, email address, and phone number.
  4. A friendly advisor (scammer) calls you about the opportunity, referencing the article and explaining how it all works.
  5. You’ll be told that to start off you’ll have to make a small deposit (around $240) and then you will see your investment grow (on the fake trading platform).
  6. Your friendly advisor urges you to invest more to increase your return. The balance keeps on growing until you try to cash out, at which point you’ll find there are extra fees to pay, problems with account verification, and all sorts of delays.
  7. When it dawns on you that you’ve been had, your entire investment and all the fees you paid are gone. Also gone is your friendly advisor who has sold your details to another scammer, to squeeze the last dollars out of the ordeal.

The researchers describe an international organization with 17,000 baiting news sites across 50 countries, with the US as the most targeted country.

The “investment platforms” have names like Eclipse Earn, Solara Vynex, and Trap10. Besides the ads, websites, and platforms, the scammers use countless social media accounts to host and promote the sponsored ads.

How to spot these types of scams

  • The account hosting the sponsored ad has no history, zero followers, and minimal profile details.
  • The ad shows a picture of a local celebrity and mimics a well-known news outlet implying that the celebrity is already using that platform.
  • The ad promises huge returns within a few days.
  • The “friendly advisor” asks for a lot of details about you claiming it’s because of KYC (Know Your Customer) regulations.
  • The website uses cheap top-level domains (TLDs) like .xyz, .io, .shop, or .click.
  • The website URLs are typosquatting on major brands.
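The last two red flags above can be checked mechanically. As an added example (not part of the original article or the researchers’ work), this flags cheap TLDs and near-miss spellings of the news brands the campaign impersonated; the brand-to-domain mapping and the sample URLs are constructed for illustration.

```python
"""Heuristic red-flag check for the cheap-TLD and typosquatting signs above.
Added example: brand/domain table and test URLs are constructed, not from the
researchers' report."""
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# TLDs the article names as cheap and commonly abused.
CHEAP_TLDS = {"xyz", "io", "shop", "click"}

# Brands the campaign impersonated (from the article); the legitimate
# registrable domains listed here are assumptions for this example.
BRAND_DOMAINS = {
    "cnn": "cnn.com",
    "bbc": "bbc.com",
    "cnbc": "cnbc.com",
    "news24": "news24.com",
    "abcnews": "abcnews.go.com",
}


def registrable_parts(host: str):
    """Return (second-level label, tld) for a hostname such as 'www.cnn-news.xyz'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def looks_like_typosquat(label: str, brand: str) -> bool:
    """True if the label is the brand plus small edits (cnnn, cnn-news, bbc1)
    but is not the brand itself."""
    if label == brand:
        return False
    # Brand embedded in a longer label ("cnn-news", "bbcbreaking").
    if len(brand) >= 3 and brand in label:
        return True
    # Near-miss spelling: one or two character edits away.
    return SequenceMatcher(None, label, brand).ratio() >= 0.8


def scam_red_flags(url: str) -> list:
    """Return the red flags found in a URL (empty list means none found)."""
    flags = []
    host = urlsplit(url).hostname or ""
    label, tld = registrable_parts(host)
    if tld in CHEAP_TLDS:
        flags.append(f"cheap TLD .{tld}")
    for brand, real_domain in BRAND_DOMAINS.items():
        if host == real_domain or host.endswith("." + real_domain):
            continue  # the genuine brand domain, not a lookalike
        if looks_like_typosquat(label, brand):
            flags.append(f"typosquat of {brand} ({real_domain})")
    return flags


if __name__ == "__main__":
    for sample in ("https://www.cnn.com/2025/article",
                   "https://www.cnn-news.xyz/invest",
                   "https://cnnn.com/"):
        print(sample, "->", scam_red_flags(sample) or "no red flags")
```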

How to protect yourself

Besides being aware of the above red flags, here are some measures that generally keep you and your devices safe.

  • Use an active security solution that blocks malicious websites.
  • Don’t click on unsolicited links in emails, social media posts, and on untrusted websites.
  • Double check anything you read. Would a celebrity really endorse such an investment scheme? Is it real, or just clickbait or disinformation?
  • Don’t provide any personal information or send money to someone you just met online.
  • Verify that platforms are legit through official regulators (like the SEC in the US or FCA in the UK).

If you have already provided personal information to a scammer:

  • Immediately stop interacting with the scammer.
  • Change the passwords to important accounts and enable 2FA where possible.
  • Contact your banks and other financial institutions to alert them, and to freeze or flag any suspicious transactions.
  • Check your credit report and watch for signs of identity theft.
  • Report the crime to the authorities.

Malwarebytes protects

Malwarebytes protects against these scams.

[Image: Malwarebytes blocks cryptoevent.io]

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

A week in security (July 7 – July 13)

Deepfake criminals impersonate Marco Rubio to uncover government secrets

Deepfake attacks aren’t just for recruitment and banking fraud; they’ve now reached the highest levels of government. News emerged this week of an AI-powered attack that impersonated US Secretary of State Marco Rubio. Authorities don’t know who was behind the incident.

A US State Department cable seen by the Washington Post warned that someone impersonated Rubio’s voice and writing style in voice and text messages on the Signal messaging app. The attacker reportedly tried to gain access to information or accounts by contacting multiple government officials in Rubio’s name. Their targets included three foreign ministers, a US governor, and a US member of Congress, the cable said.

The attacker created a Signal account with the display name ‘Marco.Rubio@state.gov’ and invited targets to communicate on Signal.

The AI factor in the attacks likely refers to deepfakes. These are a form of digital mimicry, in which attackers use audio or visual footage of a person to create convincing audio or images of them. Many have even created fake video of their targets, using them for deepfake pornography or to impersonate businesspeople.

The Rubio deepfake isn’t the first time that impersonators have targeted government officials. In May, someone impersonated White House Chief of Staff Susie Wiles in calls and texts to her contacts. Several failed to spot the scam initially and interacted with the attacker as though the conversations were legitimate.

This incident wasn’t Rubio’s fault; attacks like these are becoming commonplace, with scammers making use of popular messaging tools. Signal is apparently a widely-used app in the executive branch, to the point that Director of National Intelligence Tulsi Gabbard said it came pre-installed on government devices.

This Signal usage culminated in then-national security advisor Mike Waltz accidentally adding a journalist to a group Signal chat containing discussions of plans to bomb Yemen. He is now no longer the national security advisor. Misuse of the app extends back to the previous administration, when the Pentagon was forced to release a memo about it.

Why should you worry about such attacks on government high-ups? For one thing, it’s scary to think that foreign states might actually get away with sensitive information this way. But it also shows how easy it can be to impersonate someone with a deepfake. You can mount audio attacks with just a few snippets of audio to train an algorithm on.

You’d be suspicious if Pamela Bondi entered your book club chat, but if someone called an elderly relative pretending to be you, saying you’d been involved in an accident, or begging for ransom money because you’d been kidnapped, would they fall for it? Several have.

Strange though it may seem, modern threats demand some old-school protections. We recommend sharing a family password with close members, who can then request it to confirm each other’s identity. Never send this password anywhere; keep it to yourselves and agree on it in person.

But even a family password won’t stop your grandma being targeted in deepfake romance scams by fake Mark Ruffalos and Brad Pitts. A quiet chat to explain the threats might avert such disasters, though, along with a regular check-in to ensure your less tech-savvy loved ones are safe and sound.



McDonald’s AI bot spills data on job applicants

McDonald’s has outsourced the initial stages of its hiring process to an AI chatbot which seems to have been built without proper security measures.

Security researchers managed to extract personal information about McDonald’s job applicants by simply guessing a username and the password “12345.” In doing this, the researchers could have potentially gained access to the information of 64 million applicants.

According to Wired, 90% of all McDonald’s franchisees use McHire to get information from their applicants and send them to a personality test. Annoyingly, the McHire chatbot has been a thorn in the side of many aspiring McDonald’s employees because of its inability to understand or answer any questions that fall outside of its script.

That’s an aspect that many chatbots have in common, unfortunately. But spilling the McBeans about everyone that ever applied should not be on the menu.

What the researchers did to test the security was create a fake application of their own and have a look at the McHire administration interface for restaurant owners.

The application procedure did not yield any results when the researchers tried prompt injection against the chatbot. Attackers use prompt injection to feed chatbots or AI systems sneaky messages disguised as normal questions or instructions. These messages trick the AI into ignoring its usual rules and doing things it shouldn’t. However, this tactic failed here because the researchers got stuck at the point where a real person would normally take over the interview process.

So, the researchers turned their attention to the back end. They found a web page that restaurant owners can use to log in and view applicants. Much to their surprise it accepted the default credentials 123456:123456, which gave them access to the administrator account of a test restaurant inside the McHire system.

When they decided to look at the application they put in earlier, they noticed a flaw in the API (Application Programming Interface) that provided access to “virtually every application that’s ever been made to McDonald’s going back years.”

It took them all of 30 minutes to find this information. The researchers only accessed a small sample of records and verified their validity by contacting applicants. These people confirmed they had applied, supporting the claim that the data was genuine and extensive.
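The two controls this finding turns on are refusing default credentials at account creation and scoping every applicant lookup to the caller’s own restaurant. The following is an added illustration, not Paradox.ai’s or the researchers’ code; it treats the API flaw as a missing ownership check on the applicant-record lookup, which is an assumption, since the article does not say what kind of flaw it was.

```python
"""Added example: default-credential rejection plus tenant-scoped record
access, shown as a vulnerable lookup beside a hardened one. All data is
constructed; the 'missing ownership check' framing is an assumption."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed deny-list of default/trivial passwords the article mentions.
DEFAULT_PASSWORDS = {"123456", "12345", "password", "admin", "test"}


@dataclass
class Applicant:
    applicant_id: int
    restaurant_id: int
    name: str
    email: str


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    restaurant_id: int


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a leaked account table does not expose passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class McHireLike:
    """Minimal stand-in for an owner portal with an applicant-record API."""

    def __init__(self):
        self.accounts = {}    # username -> Account
        self.applicants = {}  # applicant_id -> Applicant

    def create_account(self, username: str, password: str, restaurant_id: int):
        # Refuse the kind of credential (123456:123456) that opened the door.
        if password in DEFAULT_PASSWORDS or password == username or len(password) < 12:
            raise ValueError("default or weak password rejected")
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, salt, _hash(password, salt), restaurant_id)

    def login(self, username: str, password: str) -> Account:
        acct = self.accounts.get(username)
        if acct is None:
            raise PermissionError("bad credentials")
        if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            raise PermissionError("bad credentials")
        return acct  # acts as the session for the calls below

    def get_applicant_vulnerable(self, session: Account, applicant_id: int) -> Applicant:
        # Vulnerable: any authenticated owner can read any applicant by ID.
        return self.applicants[applicant_id]

    def get_applicant(self, session: Account, applicant_id: int) -> Applicant:
        # Hardened: the record must belong to the caller's own restaurant.
        rec = self.applicants.get(applicant_id)
        if rec is None or rec.restaurant_id != session.restaurant_id:
            raise PermissionError("not found")  # same answer for missing and foreign
        return rec


def demo() -> dict:
    """Build a two-restaurant system and show the cross-tenant difference."""
    app = McHireLike()
    app.applicants[101] = Applicant(101, 1, "Ann Applicant", "ann@example.test")
    app.applicants[102] = Applicant(102, 2, "Bob Applicant", "bob@example.test")
    app.create_account("owner1", "correct-horse-battery-staple", 1)
    session = app.login("owner1", "correct-horse-battery-staple")
    leaked = app.get_applicant_vulnerable(session, 102).name
    try:
        app.get_applicant(session, 102)
        blocked = False
    except PermissionError:
        blocked = True
    return {"own_record": app.get_applicant(session, 101).name,
            "vulnerable_leaks": leaked, "hardened_blocks": blocked}


if __name__ == "__main__":
    print(demo())
```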

McHire is a product of Paradox.ai. To McDonald’s credit, it promptly remediated the vulnerability and committed to further reviews to identify and close any remaining avenues of exploitation. There are also no indications that this vulnerability was found by cybercriminals before it was patched.

Protecting yourself after a data breach

While there are no indications that this vulnerability was found by cybercriminals before it was patched, it might have been. There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online and helps you recover after.


Millions of people spied on by malicious browser extensions in Chrome and Edge

Researchers have discovered a campaign that tracked users’ online behavior using 18 browser extensions available in the official Chrome and Edge web stores. The total number of installs is estimated to be over two million.

These extensions offered functionality, received good reviews, touted verification badges, and some even enjoyed featured placement.

But when an extension has been available in the web store for a while, cybercriminals can insert malicious code through updates to the extension. Some researchers refer to the clean extensions as “sleeper agents.” These sleeper agents are the basis for future malicious activity.

Here’s one example of a malicious extension, which posed as a search tool for ChatGPT and was available for months.

[Image: example of a malicious extension]

Some of these extensions behaved nicely for years, which made the researchers think they might have been compromised. Once “woken up,” the extensions deployed a browser hijacking mechanism that activates every time someone navigates to a new page.

Every time the person visits a website, the extension would:

  1. Capture the URL of the page they’re visiting.
  2. Send it to a remote server along with a unique ID issued to track the user.
  3. Receive potential redirect URLs from the command and control (C&C) server.
  4. Automatically redirect your browser if instructed by the C&C server to do so.

The researchers used the following example of how this might work:

“You receive a Zoom meeting invitation and click the link. Instead of joining your meeting, one of the malicious extensions intercepts your request and redirects you to a convincing fake page claiming you need to download a “critical Zoom update” to join. You download what appears to be legitimate software, but you’ve just installed additional malware onto your system, potentially leading to full machine takeover and complete compromise of your device.”
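The per-navigation beacon in the numbered list above leaves a recognisable trace in a browser request log: one third-party host contacted right after nearly every page load, across unrelated sites, with the visited URL embedded in its request. As an added example (not the researchers’ code), this scans a constructed devtools-style log for that pattern; the host names in it are invented.

```python
"""Added example: detect a browser extension's per-navigation beacon from a
request log. Log lines and host names are constructed for illustration."""
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed log, one "<seconds>|<resource type>|<url>" entry per request,
# in the style of a devtools/HAR export. tracker.invalid plays the C&C host.
SAMPLE_LOG = """\
0.0|document|https://news.example/story/1
0.3|script|https://cdn.news.example/app.js
0.4|xhr|https://tracker.invalid/c?u=https%3A%2F%2Fnews.example%2Fstory%2F1&id=ab12
12.0|document|https://shop.example/cart
12.2|xhr|https://api.shop.example/cart
12.5|xhr|https://tracker.invalid/c?u=https%3A%2F%2Fshop.example%2Fcart&id=ab12
30.0|document|https://mail.example/inbox
30.6|xhr|https://tracker.invalid/c?u=https%3A%2F%2Fmail.example%2Finbox&id=ab12
45.0|document|https://bank.example/login
45.1|script|https://cdn.news.example/app.js
45.4|xhr|https://tracker.invalid/c?u=https%3A%2F%2Fbank.example%2Flogin&id=ab12
"""


def parse_log(text: str) -> list:
    """Parse the log into (timestamp, resource_type, url) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, url = line.split("|", 2)
        events.append((float(ts), kind, url))
    return events


def find_beacon_hosts(events: list, window: float = 2.0,
                      min_navs: int = 3, min_ratio: float = 0.8) -> dict:
    """Return third-party hosts that follow at least `min_ratio` of all
    top-level navigations within `window` seconds, with a count of how often
    their request carried the visited URL (the exfiltration signature)."""
    navs = [(ts, url) for ts, kind, url in events if kind == "document"]
    nav_hosts = {urlsplit(url).hostname for _, url in navs}
    followed = defaultdict(set)    # host -> navigated URLs it was seen after
    carries_url = defaultdict(int)  # host -> requests embedding the visited URL

    for nav_ts, nav_url in navs:
        for ts, kind, url in events:
            if kind == "document" or not (nav_ts <= ts <= nav_ts + window):
                continue
            host = urlsplit(url).hostname
            if host in nav_hosts:
                continue  # first-party traffic to a site the user actually visited
            followed[host].add(nav_url)
            # Beacon carries the current page URL, here as a percent-encoded parameter.
            if nav_url in unquote(url):
                carries_url[host] += 1

    results = {}
    for host, urls in followed.items():
        ratio = len(urls) / len(navs) if navs else 0.0
        if len(urls) >= min_navs and ratio >= min_ratio:
            results[host] = {"navigations": len(urls), "ratio": round(ratio, 2),
                             "carries_visited_url": carries_url[host]}
    return results


if __name__ == "__main__":
    for host, info in find_beacon_hosts(parse_log(SAMPLE_LOG)).items():
        print(f"suspected beacon host {host}: {info}")
```

The shared CDN host in the sample is contacted after only two of the four navigations and is not flagged; a host only qualifies when it trails nearly every page load.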

Most of the malicious extensions have been removed from the web stores.

[Image: web store listing now marked “no longer available”]

Reportedly, 1.7 million people installed these malicious extensions from the Chrome web store and a total of 2.3 million users were affected.

Although we always advise people to only install extensions from official web stores, this proves that not all extensions you download from there are safe. However, the risk involved in getting an extension from outside the web store is even bigger.

Extensions listed in the web store undergo a review process before being admitted. This review, a mix of automated and manual checks, assesses the extension’s safety, compliance with policies, and overall user experience. The goal is to protect users from scams, malware, and other malicious activities.

What to do

Check your computer to see if you have any of these extensions:

  • Emoji keyboard online (Chrome)
  • Free Weather Forecast (Chrome)
  • Unlock Discord (Chrome)
  • Dark Theme (Chrome)
  • Volume Max (Chrome)
  • Unblock TikTok (Chrome)
  • Unlock YouTube VPN (Chrome)
  • Geco colorpick (Chrome)
  • Weather (Chrome)
  • Unlock TikTok (Edge)
  • Volume Booster (Edge)
  • Web Sound Equalizer (Edge)
  • Header Value (Edge)
  • Flash Player (Edge)
  • Youtube Unblocked (Edge)
  • SearchGPT (Edge)
  • Unlock Discord (Edge)

If you find any of the above extensions, try doing the following:

  • Clear all browsing data (history, cookies, cached files, site data) to remove any tracking identifiers or session tokens that may have been stolen or set by the malicious extension. Note: you will then have to log in on a lot of sites since they will not remember you.
  • Monitor your accounts for any suspicious activity if you visited any sensitive sites (such as online banking) while one of these extensions was installed. Make sure to change your passwords for those accounts.
  • Enable two-factor authentication (2FA) where possible for added protection.
  • Reset your browser settings to default. This can help undo any changes the extension may have made to your search engine, homepage, or other settings. Note: this will also undo any changes you have made manually. Alternatively, look for signs like unexpected redirects, changed search engines, or new toolbars.
  • Keep an eye on your email and text messages for security alerts or notifications about unfamiliar access.
  • Make sure your browser and all remaining extensions are up to date.
  • Run a full system Malwarebytes scan to check for additional infections. This will also allow you to remove all affected extensions from Chrome and Edge. Malwarebytes blocks these domains so our users are safe.

To close off, one last word of general advice. If an extension asks for additional permissions after an update, that’s a good reason to look closely at what it requires and if that makes sense for the reason you’re using the extension.

List of malicious extensions and their domain names


No thanks: Google lets its Gemini AI access your apps, including messages

If you’re an Android user, you’ll need to take action if you don’t want Google’s Gemini AI to have access to your apps. That’s because, regardless of your previous settings, Google now allows Gemini to interact with third-party apps.

Through Gemini extensions, it already had the ability to integrate with apps to lend a helping hand and make Google Assistant obsolete. From an email I received in April from Google Gemini:

Gemini uses info from your devices and services to help you

Gemini uses this info to provide more customized and context-aware help. Gemini accesses certain system permissions and data, like call and message logs, contacts (to help you keep in touch), and screen content (to help you act on it).

Gemini works with apps
Gemini can respond with real-time info from other tools, apps, and services like Google Keep and YouTube. To allow connected apps to generate helpful responses, Gemini shares some of your info with them. You can manage your apps in your settings.

Then further on, it said:

Gemini activity and your choices
When you use Gemini, Google collects your activity, like your chats (including recordings of your Gemini Live interactions), what you share with Gemini (like files, images, and screens), product usage information, feedback, and info about your location. This data is stored in Activity (if it’s on), reviewed by trained reviewers, and used to improve Google services, including generative AI.

The bit about trained reviewers was enough for me to decide against using it. There are many AI options that offer a lot more privacy.

But now, according to Ars Technica, Google has sent an email to Android users that takes it one step further.

[Image: Gemini notification email, courtesy of Ars Technica]

“We’ve made it easier for Gemini to interact with your device
We’re updating how Gemini interacts with some of the apps on your Android device.
Gemini will soon be able to help you use your Phone, Messages, WhatsApp, and utilities on your phone, whether your Gemini Apps Activity is on or off.

This change will start automatically rolling out on July 7, 2025.
If you don’t want to use these features, you can turn them off in the Apps settings page.

If you have already turned these features off, they will remain off.

For more details on how these features work with your data, please see the Gemini Apps Privacy Hub.”

Note: I did not receive this email and the Gemini app is not on my phone. That could be because I’m using a Samsung phone and Samsung offers Bixby as a virtual assistant. It might be my location: sometimes Europe gets these features later. Or potentially the phone is too old (2019).

Good news or not?

While Google presents this as happy news, we’re not in full agreement. Google enabling Gemini to access third-party apps promises exciting AI-driven features but also introduces significant privacy, security, and control challenges.

Android users who want to protect their data and limit AI access should check their app permissions and disable unnecessary AI integrations. However, it turns out, this is not easy. First off, there is a contradiction in Google’s statements. In one place it says the change will automatically start rolling out and will give Gemini access to apps such as WhatsApp, Messages, and Phone “whether your Gemini apps activity is on or off.” But in another place it claims, “If you have already turned these features off, they will remain off.”

This is confusing, and even well-versed users are having problems finding the appropriate settings.

All we can do is advise you to make your own, informed, decisions as much as you can:

  • If Android introduces notifications or permission prompts for Gemini access, pay close attention and deny access where possible.
  • Regularly check app permissions in Settings > Privacy > Permission Manager and revoke permissions that are not essential, especially those related to sensitive data (contacts, messages, microphone, camera).
  • If possible, keep your Android OS and apps updated to benefit from security patches and improved privacy controls.
  • Don’t underestimate the importance of an active anti-malware solution on your Android phone.

If Google wants users to be happy about new features, then we’d prefer it announce them and then explain how those who like them can enable them. Don’t turn on settings that we’ve never asked for.


We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Ransomware negotiator investigated over criminal gang kickbacks

If someone is going to negotiate with criminals for you, that person should at least be on your side. That might not have been the case at Digital Mint, a ransomware negotiation company where one worker allegedly went rogue.

According to Bloomberg, Digital Mint is cooperating with the US Department of Justice (DoJ) to investigate allegations that a former employee had worked with ransomware criminals. The company operates a service in which it acts as an intermediary between ransomware thieves and their victims, negotiating ransom demands down to reasonable levels.

The employee allegedly cut deals with ransomware criminals to profit from extortion payments. DigitalMint President Marc Jason Grens told Bloomberg that a criminal investigation was underway, and that the employee involved had since been fired. There is no suggestion that Digital Mint knew about the employee’s actions or supported them in any way.

A ransomware negotiator’s role is to deal with ransomware criminals on a victim’s behalf. The customer pays them to negotiate adjustments to the crooks’ initial demands, which can often be exorbitant.

It’s important that the negotiator doesn’t take any cut from the ransomware thieves, because it muddies the waters and changes their motivation. It creates an incentive to keep the ransomware payment high, which maximizes their profit. “The problem with that is it’s ripe for fraud between me and the bad guys,” said one negotiator, interviewed by TechTarget.

Ransomware recovery services have faced some bad press in the past. In 2019, investigative journalism organization ProPublica reported on two US companies that claimed to recover companies’ ransomware-encrypted data by decrypting it, while secretly paying the ransomware gangs behind the scenes to recover the data that way.

Since then, companies have openly advertised negotiation services, based on the willingness of cyber insurance companies to reimburse victims as part of their policy coverage. Ransomware demands have also ballooned as this form of cybercrime continues to gain traction.

Some have vowed not to pay ransoms. In 2019, a collection of mayors from across the US flipped the collective bird at ransomware thieves by adopting a joint non-payment resolution. More recently, some state legislators have passed laws to prevent government agencies from paying. And members of the International Counter-Ransomware Initiative, a global effort led by the US, have reportedly adopted a non-payment agreement.

However, these resolutions can only apply to government organizations. Many private companies do pay ransoms, coinciding with evolving approaches by ransomware attackers.

In the early days of this criminal model, ransomware operators would focus purely on encrypting data and demanding payment. Now, more of them steal the data as well, downloading it to their own computers and then threatening to embarrass the victim by publishing it. That likely encourages the victim to pay up, because even if they can decrypt the affected data on their own or restore it from their own backups, they’re still vulnerable to having their secrets leaked online.

The problem is that ransomware operators aren’t trustworthy. The #StopRansomware guide, authored by CISA, the NSA, and the FBI, warns that “paying ransom will not ensure your data is decrypted, that your systems or data will no longer be compromised, or that your data will not be leaked.” It might also put a victim on the wrong side of government sanctions, the document adds.

If companies must pay these ransoms, they’ll at least need a reliable partner to help them manage it. Every incident that draws that industry into disrepute is likely to damage that partnership, and perhaps lead more companies to wonder whether they should pay at all. Perhaps that wouldn’t be a bad thing.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Free certificates for IP addresses: security problem or solution?

Let’s Encrypt has announced it has issued its first certificate for an IP address. Why that’s significant deserves a little explanation.

You may have run into Let’s Encrypt certificates many times without realizing it. When you see a padlock icon in your browser’s address bar, it means the site is using a certificate to secure your connection. These certificates are “digital passports” that websites use to prove their identity and to encrypt the data sent between your browser and the website.

Traditionally, these certificates have only been issued for domain names (like malwarebytes.com). Now, Let’s Encrypt has started issuing certificates for IP addresses, which are the numerical labels (like 192.0.66.233) that computers use to find each other on the internet.

Let’s Encrypt is a very popular provider of certificates, and you can find its certificates on hundreds of millions of websites. That’s because:

  • Let’s Encrypt certificates are free.
  • Hosting companies and content delivery networks often provide Let’s Encrypt by default as a service to their customers.
  • Let’s Encrypt is a mission-driven nonprofit aiming to make the web safer and more private for everyone.

The advantages of providing certificates for IP addresses are clear. Since some browsers will refuse to open sites without a certificate, it provides a safer way to access your website if you don’t have a domain name at all. It also allows you to use your browser to remotely access home devices like network-attached storage (NAS) servers and Internet-of-things (IoT) devices.

But most home users are unlikely to access a site by its IP address. Domain names are much easier to remember (most of them, anyway), and the Domain Name System (DNS) translates domain names to IP addresses for us without much trouble.

And while IP addresses can change, DNS will make sure that our browser can still find the domain we want to visit. This is one reason why Let’s Encrypt will only issue short-term certificates for IP addresses: The certificates will be valid for just six days, a move designed to minimize the risk window in the event of a key compromise and to encourage automated certificate renewal practices.

Domain certificates can be compromised and abused. For example, in 2011, DigiNotar, a Dutch certificate authority, was breached, resulting in the issuance of at least 500 fraudulent certificates for high-profile domains such as Gmail, Facebook, and the CIA.

And while you may have never heard of this breach, it spurred some much-needed improvements in the security of our online trust infrastructure.

Here’s the problem

If I post a URL online or send it by email, the link has a visible part (the text you see) and a hidden part (the address you are actually taken to). For example, <a href="https://malwarebytes.com/blog">example.com</a> will not take you to the displayed example.com, but to our blog’s landing page.

Now suppose a cybercriminal can get a free certificate for the IP address of a server under their control. They could construct links that look like this: <a href="the server IP address">payment provider X</a>. Should you click that link, you could end up on a specially crafted copy of the payment provider’s site, set up by the cybercriminal, which asks for your login credentials. If you entered them, those credentials would fall into the hands of the criminals.

An unsuspecting user who might have noticed a wrong domain name in the address bar may not see any red flags in an IP address, especially since they’ll see the padlock and assume the site is legitimate. But encrypted traffic is not the same as trustworthy traffic. The connection is encrypted only between the user and the website, so whoever operates the site can read the credentials the visitor sent.

At the same time, Let’s Encrypt’s move supports legitimate technical needs for IP-based certificates, so the challenge will be balancing security with accessibility. Defenders should monitor certificate transparency logs for suspicious IP certificates and combine this with other threat intelligence to identify abuse.
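As an added illustration of the monitoring the paragraph above recommends (this is example code, not from the article, from Let’s Encrypt, or from any real CT log API), the following script triages a constructed, simplified feed of certificate records: it pulls out certificates whose subject alternative names (SANs) are IP literals, checks whether any of those addresses fall inside ranges you own, and compares the validity period against the six-day limit the article describes. The record format, the sample records and the choice to apply the six-day baseline to every issuer are assumptions made for the example.

```python
"""Triage certificate-transparency-style records for IP-address certificates.

Added example: the record layout below is a constructed stand-in for what a
CT monitoring feed might emit, not a real CT log API. It flags certificates
with IP-literal SANs, checks them against address ranges you own, and checks
the validity period against the six-day policy described in the article.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

# Policy stated in the article: Let's Encrypt IP certificates are valid six days.
# Applying it to every issuer as a baseline is an assumption of this example.
MAX_IP_CERT_VALIDITY = timedelta(days=6)

# Constructed sample records (not real certificates; RFC 5737/3849 test addresses).
SAMPLE_RECORDS = [
    {"serial": "01", "issuer": "Let's Encrypt", "sans": ["example.org", "www.example.org"],
     "not_before": "2025-07-01T00:00:00Z", "not_after": "2025-09-29T00:00:00Z"},
    {"serial": "02", "issuer": "Let's Encrypt", "sans": ["203.0.113.10"],
     "not_before": "2025-07-01T00:00:00Z", "not_after": "2025-07-07T00:00:00Z"},
    {"serial": "03", "issuer": "Example CA", "sans": ["198.51.100.7"],
     "not_before": "2025-07-01T00:00:00Z", "not_after": "2025-08-01T00:00:00Z"},
    {"serial": "04", "issuer": "Let's Encrypt", "sans": ["2001:db8::1", "example.net"],
     "not_before": "2025-07-01T00:00:00Z", "not_after": "2025-07-07T00:00:00Z"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ip_sans(record):
    """Return the SAN entries that are IP literals (IPv4 or IPv6)."""
    found = []
    for san in record["sans"]:
        try:
            found.append(ipaddress.ip_address(san))
        except ValueError:
            continue  # a DNS name, not an IP literal
    return found


def triage(records, owned_networks, max_validity=MAX_IP_CERT_VALIDITY):
    """Return one finding per record that carries an IP-literal SAN.

    Each finding lists the IPs, the validity in days and the reasons it
    deserves a closer look: issued for an address you own (possible
    unauthorized issuance) or valid longer than the policy allows.
    """
    nets = [ipaddress.ip_network(n) for n in owned_networks]
    findings = []
    for rec in records:
        ips = ip_sans(rec)
        if not ips:
            continue
        validity = parse_ts(rec["not_after"]) - parse_ts(rec["not_before"])
        reasons = []
        # ip in net is False across IP versions, so mixed v4/v6 lists are safe.
        owned = [str(ip) for ip in ips if any(ip in n for n in nets)]
        if owned:
            reasons.append(f"issued for address(es) you own: {', '.join(owned)}")
        if validity > max_validity:
            reasons.append(f"validity {validity.days} days exceeds {max_validity.days}-day policy")
        findings.append({"serial": rec["serial"], "issuer": rec["issuer"],
                         "ips": [str(ip) for ip in ips],
                         "validity_days": validity.days, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS, ["203.0.113.0/24"]):
        print(finding)
```

Records with only DNS names are ignored; an IP certificate for an address you did not request (record 02 above) is the case worth alerting on, while a long-lived IP certificate from another issuer (record 03) is reported so an analyst can decide whether it matters.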

In essence, this new capability is a double-edged sword: it offers convenience and security benefits, but it also creates new opportunities for cybercriminals.

Tips for users

The tips are basically the same as for any unsolicited link you encounter. The difference is that you should keep in mind that these URLs can now include IP addresses.

  • Don’t click on links in unsolicited emails, messages or on social media.
  • Hover over the link. A mismatch between the displayed domain and the target URL is a red flag.
  • The padlock does not mean the website is safe. It just means the traffic between you and the site is encrypted, so nobody in between can eavesdrop.
  • Enable multi-factor authentication (MFA) so criminals will not have access to your accounts with the credentials alone.
  • Keep your device and the software on it up to date, especially your security software and your browser.
  • Use a security solution that provides active protection, including against malicious domains and IPs.
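The “hover over the link” advice above can be automated for HTML email or web content. The script below is an added example (not code from the article or from Malwarebytes): it extracts every anchor, flags destinations whose host is a bare IP address, and reports a mismatch when the visible text looks like a domain name but the link goes to a different registrable domain. The sample HTML is constructed, and the two-label “registrable domain” helper is a deliberate simplification; a production check would consult the public suffix list.

```python
"""Flag anchors whose visible text disagrees with their real destination.

Added example, not from the article: a defender-side check that surfaces the
display-text/href mismatch described in the article and additionally flags
hrefs whose host is a bare IP address. Sample HTML is constructed.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: one honest link, two deceptive ones, one non-web link.
SAMPLE_HTML = """
<p>Your invoice is ready: <a href="https://payments.example.com/invoice/42">payments.example.com</a></p>
<p>Or <a href="https://203.0.113.10/login">payment provider X</a> to pay now.</p>
<p>See <a href="https://malwarebytes.com/blog">example.com</a> for details.</p>
<p>Contact <a href="mailto:help@example.com">help@example.com</a></p>
"""

# Does the visible text look like a domain or URL? Captures the host part.
HOST_LIKE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})(?:/.*)?$", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_ip_literal(host):
    """True if the host is an IPv4 or IPv6 literal (brackets already removed)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable(host):
    """Crude eTLD+1 (last two labels). Assumption: a real tool would use the PSL."""
    return ".".join(host.lower().split(".")[-2:])


def inspect_links(html):
    """Return findings for http(s) anchors that look deceptive."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        parts = urlsplit(href)
        if parts.scheme not in ("http", "https"):
            continue  # mailto:, tel: and friends are out of scope here
        host = parts.hostname or ""  # urlsplit strips IPv6 brackets for us
        reasons = []
        if is_ip_literal(host):
            reasons.append("destination host is an IP address")
        match = HOST_LIKE.match(text)
        if match:
            shown = match.group(1)
            if is_ip_literal(host) or registrable(shown) != registrable(host):
                reasons.append(f"text shows {shown} but link goes to {host}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in inspect_links(SAMPLE_HTML):
        print(finding)
```

A link whose text is a brand name rather than a domain (“payment provider X”) is still caught by the IP-literal check, which is the case the article adds to the usual advice; the classic domain-mismatch case is caught by comparing the shown and actual registrable domains.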

Gamers hacked playing Call of Duty: WWII—PC version temporarily taken offline

On Saturday, the Call of Duty team announced that the PC version of Call of Duty: WWII has been taken offline following “reports of an issue.”

That issue seems to be a serious security problem, after reports surfaced about a remote code execution (RCE) vulnerability in the game.

After Microsoft’s acquisition of Activision in 2023, Activision’s headline title, Call of Duty, has been slowly making its way over to Xbox and PC Game Pass.

But only days after the 2017 Call of Duty: WWII arrived on Microsoft’s subscription service, the concerning reports started coming in. Players were using an RCE exploit to take over other players’ PCs during live multiplayer matches.

RCE is the name for a critical class of security flaw that allows attackers to run malicious code on a victim’s machine without their consent or physical access. Exploiting an RCE can lead to data breaches, takeover of systems, and installation of malware. In this case, it seems as though attackers were using the RCE vulnerability to gain remote access to other players’ computers during games. They reportedly:

  • Opened command prompts on victims’ PCs
  • Sent mocking messages via Notepad
  • Forced remote shutdowns of players’ computers
  • Changed desktop wallpapers to display gay porn

Game Pass is a subscription service offered by Microsoft Gaming. Because consoles generally don’t allow this level of code execution, only Windows PC gamers were affected.

The hacking of older titles is an open secret in the Call of Duty community, with players often avoiding those games on Steam. The problem likely lies in the fact that multiplayer matches rely on peer-to-peer (P2P) networking, which means that one player’s machine acts as the match’s server.

There is a lot of speculation that Activision is working to update the game’s anti-cheat system, called “Ricochet,” as the title is seemingly rife with abusers. But whether and how that update would fix the RCE vulnerability is a big unknown. We’ll keep you updated.

What gamers should do

This vulnerability is particularly alarming because it not only allows hackers to disrupt gameplay, it has the potential to compromise gamers’ entire PCs remotely.

This story shows how even established titles can put your machine at risk. While it’s unclear if the Steam version is impacted, these are the things to do:
