IT News

This blog post was co-authored with Elie Berreby, Senior SEO Strategist

Criminals are highly interested in online marketing and advertising tools that they can leverage as part of their ongoing malware campaigns.

In particular, we have previously detailed how Google advertiser accounts can be hijacked to create new malicious ads and perpetuate a vicious cycle leading to more compromised accounts.

As part of our investigations, we uncovered a new operation going after Semrush, a visibility management SaaS platform that offers SEO, advertising, and market research, amongst other things.

With 40% of Fortune 500 companies and 117,000 paying customers relying on Semrush, the platform presents a highly attractive target for online criminals.

In this blog post, we detail how fraudsters are taking an indirect approach to hacking Google advertisers and by the same token likely gaining access to Semrush accounts.

We have diligently reported the malicious ads to Google. We would like to stress that we are not referring to any vulnerability or data breach with Semrush or its platform in this post. They are simply being targeted because of their growing popularity.

Google Ads crew pivots

Back in January, we documented a large phishing campaign targeting Google accounts via Google Ads using a very specific technique that abused Google Sites.

We believe the criminals behind it likely regrouped and switched to a less direct approach, yet one that might deliver just as much.

We observed this transition with a malicious ad for “Google Ads” that oddly enough redirected to a fraudulent login page for Semrush. While the phishing page uses the Semrush brand, only the “Log in with Google” option is enabled, forcing victims to authenticate with their Google account username and password.

Semrush phishing campaign

Barely a day later, the campaign was starting to take shape with Google ads now fully moving away from the “Google Ads” brand to fully impersonating Semrush.

The infrastructure for this new wave was deployed recently and the domain names registered for it are all variations on the Semrush name.

Each ad uses a unique domain name which does a redirect to more static domains dedicated to the fake Semrush and Google account login pages.

Once again, the landing page here shows two different types of login but only the Google method is enabled. We believe this is because the threat actors are primarily interested in harvesting Google accounts.

This is confirmed by the malicious sign in page for Google which sends those credentials to the criminals. We should note that victims that arrive at this page are most likely Semrush users, given the path they took to get here.

Google Analytics and Search Console Data Theft

Disclaimer: The following is not taken from a real compromise but rather is meant to illustrate the importance and extent of owning the credentials for a valuable Google account.

Google Analytics (GA) and Google Search Console (GSC) contain critical and confidential information for businesses, revealing detailed perspectives on website performance, user behavioral patterns, and strategic business focuses.

If a Google account is compromised, the malicious actors can access the raw data directly without having to log into Semrush.

E-commerce tracking in GA shows revenue, transaction volumes, average order values, and conversion rates by channel (organic search, paid ads).

Here’s a local shop selling products to a niche audience in a major U.S. city.

When malicious actors access the Google Analytics account, they can see a wealth of confidential information belonging to the publisher. For companies, this is a direct peek into financial performance.

The GSC account below is connected to Semrush. In GSC, the bad actors could see historical data for the past 16 months, including but not limited to search queries, pages, countries, devices, search appearance and dates.

Semrush Fraud and spear-phishing

Disclaimer: Similarly, the following screenshots were not taken from an actual compromise, but highlight the interconnectivity between Google and Semrush accounts.

As mentioned earlier, Google Analytics and Google Search Console data is often integrated with tools like Semrush for enhanced analysis.

For new projects, the SaaS platform requests validation from a Google account to allow Semrush to see and download GA and GSC data.

Once this is done, we can export behavioral data and KPIs coming directly from Google Search Console (GSC) without direct access to the Google account.

There is additional information stored in a Semrush account (name, phone, business name, address, email and the last 4 digits of a Visa card) that a threat actor could leverage to impersonate an individual or business.

Posing as the business, a threat actor could deceive vendors or partners into sending payments to fraudulent accounts, exploiting the trust tied to the business’s identity.

The combination of billing information and card details could be used to mount a more comprehensive attack. Someone posing as Semrush support, referencing an upcoming payment or the billing update process, could trick the victim into providing full credit card details.

Conclusion

Brand impersonation continues to be a popular attack vector used by online criminals to get access to valuable account credentials.

As Google Search is a central part of the SEO and ad ecosystems, individuals and businesses who inadvertently click on a malicious ad are at a major risk of losing extremely sensitive data and feel the impact of fraud on many levels. 

This should be a wakeup call to take steps to prevent such exposure by enforcing guard rails to anyone who manages an account for themselves or a company.

If you are a Malwarebytes customer, you are already protected against the malicious ads and sites used in this campaign. All these incidents have also been reported directly to Google.

We would like to thank the folks at Silent Push for giving us access to their platform, enabling us to uncover additional infrastructure.

Malicious Semrush domains

adsense-word[.]com
auth[.]semrush[.]help
sem-russhh[.]com
sem-rushhh[.]com
sem-rushh[.]com
semrush[.]click
semrussh[.]sbs
semrush[.]tech
seemruush[.]com
semrush-auth[.]com
auth.seem-rush[.]com
ads-semrush[.]com
semrush-pro[.]co
semrush-pro[.]click
auth.sem-ruush[.]com
semrush[.]works

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Experts are again warning about the proliferating market for targeted spyware and espionage.

Before we dive into the world of targeted spyware, it’s worth looking at a few of the main players that are active in and against this industry.

Paragon Solutions is an Israeli company which sells high-end surveillance technology primarily to government clients, positioning its products as essential for combating crime and national security. The name of Paragon’s spyware is Graphite.

However, a lot of controversy arose when it faced allegations over the targeting of specific WhatsApp users, including journalists and civil society members, leading to a cease-and-desist notice from WhatsApp. Following these allegations, Paragon Solutions ended its contract with Italy after Italian citizens were found to have been targeted.

The NSO group creates the high-level spyware known as Pegasus, and has also been caught spying on WhatsApp users. The NSO Group justifies the use of Pegasus by saying it’s a beneficial tool for investigating and preventing terrorist attacks and maintaining the safety of the public.

On the opposite side of the fence, CitizenLab is an interdisciplinary laboratory based in Toronto, Canada. CitizenLab focuses on studying information controls that impact the openness and security of the internet and pose threats to human rights.

The work done by CitizenLab has led to greater understanding of the global digital surveillance landscape and its implications for human rights.

Often, we will see newly found vulnerabilities in iOS, WhatsApp and other software credited to CitizenLab or one of its associates. They often find these vulnerabilities by analyzing devices of individuals infected with high-level spyware.

In an interview with TheRecord, founder Ronald Deibert said CitizenLab routinely checks people’s phones for spyware. Over time, the researchers at CitizenLab have honed their forensic skills to the level that they can pinpoint the moment of infection for the device right down to the second.

In a recent article, CitizenLab explained in great detail how it cooperated with Meta on uncovering a WhatsApp zero-day vulnerability and how it traced it back to Paragon and the Italian government.

While most of us will, hopefully, never have to deal or worry about getting infected with high-level spyware, we may end up falling victim to the vulnerabilities that are used to infect targets.

Both Paragon and the NSO group have brought many zero-day vulnerabilities to light in browsers and other online applications by using them to compromise mobile devices.

Zero-day vulnerabilities are hard to come by and therefore expensive. But once they are used against victims, there is a good chance that at some point they will be discovered and patched.

But small-time criminals will pick them up and try to use them against people who haven’t had a chance or the time to update their device yet.

Which is why we, on this blog, and through Malwarebytes’ Trusted Advisor, always urge people to keep their devices up-to-date.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

With financial stress at an all-time high, and many Americans grappling with confusion about social security, Medicaid, and Medicare, people are desperately seeking relief. Scammers know this all too well and have tailored their tactics to exploit these fears, preying on vulnerable individuals with promises of “free money.”

Whether it’s a so-called “subsidy program,” a “government grant,” or a “relief card,” these scams all share the same underlying goal—to manipulate people into giving away their personal information, or—worse—their hard-earned cash. 

Common free money scams

Too-good-to-be-true claims:

• “Get a $6,400 Subsidy to Pay for Groceries, Rent, and Gas!” 

• “Only 3 Days Left to Claim Your Government Benefit!” 

• “482 Spots Remaining! Act Now!” 

Urgency and exclusivity are classic scam tactics. By creating a demand to do something as soon as possible, scammers push people to act before they have time to think critically. 

Fabricated social proof 

• “Floyd Miles from LA just received his subsidy!” 

• “Mary T. Pritts from Silsbee, TX qualified 17 seconds ago!” 

• “Thousands of Americans are getting financial relief!” 

These so called testimonials are almost always fake, designed to create a false sense of trust. The names, locations, and stories are either entirely made up or copied from other scam sites. 

A push to submit personal information 

• “Enter your name, email, and phone number to check eligibility!” 

• “Claim your subsidy now – just provide your bank details!” 

The goal? To collect personal data that can be used for identity theft, sold to third parties, or leveraged for future scams. 

Push notification scams 

After submitting information, users are prompted to “Allow” notifications to receive updates on their application. In reality, enabling notifications results in a flood of unwanted ads and malicious content (malvertising), potentially exposing users to phishing attempts and harmful software. 

Additional social engineering techniques

• Phishing emails and messages: Scammers send convincing emails or text messages that appear to be from legitimate government agencies or financial institutions, urging users to click on malicious links or provide personal information. 
• Impersonation scams: Fraudsters pose as government officials, representatives from relief organizations, or financial advisors to gain victims’ trust. 
• Fake customer support calls: Victims may receive calls from so-called “support agents” asking for verification details to process their subsidy claim. 
• QR code scams: Increasingly, scammers use QR codes on fake subsidy pages to drive users to phishing sites that steal their credentials.
• Malware-infested attachments: Scammers send downloadable forms for “subsidy applications,” which are actually embedded with malware that steals information from users’ devices. 

Red flags to watch out for 

• Vague or unverifiable claims: Legitimate government programs are clearly outlined on official websites (.gov domains). If a subsidy isn’t listed there, it doesn’t exist.
• No contact information: If a website lacks a verifiable phone number, email or office address, it’s likely a scam. 
• Unrealistic promises: Any offer of free money with no strings attached should raise suspicions. 
• Pressuring users to act quickly: Government aid programs don’t work on a first-come, first-served basis with countdown timers. 

How to protect yourself from free money scams

• Verify sources: If an offer sounds too good to be true, check with official government sites like USA.gov or your local state agency. 
• Never share personal information: Avoid entering sensitive information (Social Security Number, bank details, etc.) on unverified websites. 
• Report suspicious sites: If you come across a scam, report it to the Federal Trade Commission (FTC) at reportfraud.ftc.gov. 
• Educate others: Many scam victims are elderly or financially struggling individuals who may not recognize these red flags. Share this knowledge to protect your loved ones. 

Conclusion 

Scammers are constantly evolving, but their tactics remain predictable. By staying informed and skeptical of “too-good-to-be-true” offers, we can collectively shut down these fraudulent schemes. The best defense is awareness—because in reality, there’s no such thing as free money. 

IOCs 

34[.]123[.]196[.]68 

34[.]132[.]227[.]60 

34[.]31[.]92[.]173 

aidforhealthcare[.]org 

americansubsidy[.]com 

assistanceadvocate[.]org 

assistanceadvocates[.]org 

communitycareaid[.]org 

grabsubsidy[.]com 

healthaidhub[.]org 

healthaidnetwork[.]org 

improveourcredit[.]com 

justhealthbenefits[.]com 

local-subsidy[.]com 

localaid[.]co 

nationaid[.]org 

nationwidesubsidy[.]com 

qualifyaca[.]com 

subsidyacrossnation[.]com 

subsidyaid[.]com 

subsidysupport[.]org 

subsidysupportnetwork[.]org 

timeforacahelp[.]com 

us-debtassistance[.]org 

wellnesssubsidyhub[.]org 

Sperm donor giant California Cryobank has announced it has suffered a data breach that exposed customers’ personal information.

California Cryobank (CCB) is a sperm donation and cryopreservation firm and one of the US’ top sperm banks. As such, it services all US states and over 30 countries worldwide.

The data breach notification states that the breach occurred on April 20, 2024 and CCB discovered it on October 4, 2024. After an investigation, CCB determined that an unauthorized party gained access to its IT environment and may have accessed and/or acquired files maintained on certain computer systems between April 20, 2024, and April 22, 2024.

The information potentially involved varies by customer but includes names and one or more of the following:

• Driver’s license numbers
• Bank account and routing numbers.
• Social Security Numbers (SSN)
• Health insurance information

CCB is posting letters—along the lines of this California example—to everyone who may be impacted.

It is unclear whether the CCB considers sperm donors as customers so their personal information may or may not have been breached.

Anonymous sperm donations are mostly a thing of the past. Anonymous donation was considered a method deemed to protect the privacy of the donor and shield them from any legal obligations, but online DNA databases have put an end to any guarantee of anonymity. However, untimely disclosure of sperm donor details might pose a significant privacy concern to those who donated in the past anonymously.

The handling, storage, and sharing of protected health information (PHI) within sperm banks falls under the Health Insurance Portability and Accountability Act (HIPAA):

• The Privacy Rule requires sperm banks to implement safeguards to protect the privacy of PHI and sets limits and conditions on the uses and disclosures that can be made without patient consent.
• The Security Rule specifically requires sperm banks to secure electronic PHI (ePHI) appropriately against potential risks to confidentiality, integrity, and availability.
• The Breach Notification Rule requires the provision of a notification to affected individuals, the Secretary of Health and Human Services, and, in certain circumstances, to the media, in the event of a breach of unsecured PHI.

CCB is offering individuals whose Social Security and/or driver’s license numbers may have been involved in the incident complimentary one-year memberships to credit monitoring services.

For those that receive a notification letter, CCB has set up a dedicated, tollfree call center to answer questions that recipients may have.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

We were alerted to Mac and Windows stealers currently distributed via Reddit posts targeting users engaging in cryptocurrency trading. One of the common lures is a cracked software version of the popular trading platform TradingView.

The crooks are posting links to both Windows and Mac installers which have been laced with Lumma Stealer and Atomic Stealer (AMOS) respectively.

These two malware families have wreaked havoc, pillaging victims’ personal data and enabling their distributors to make substantial gains, mostly by taking over cryptocurrency wallets.

Reddit posts target crypto enthusiasts

Scammers are lurking on subreddits visited by cryptocurrency traders and posting about free access to TradingView, a web-based platform and social network that provides charting tools for analyzing financial markets, including stocks, forex, cryptocurrencies, and commodities.

The offer claims that the programs are totally free and have been cracked directly from their official version, unlocking premium features.

While the original post gives a heads-up that you are installing these files at your own risk, further down in the thread we can read comments from the OP such as “a real virus on a Mac would be wild“.

Downloads hosted on unrelated website

We checked both links and noticed that the website hosting the files belongs to a Dubai cleaning company. It’s not totally clear why the scammers didn’t choose a service like Mega or similar, unless they wanted the ability to upload and update their code directly via a server they control.

Upon checking that website, we can see that it leaks its PHP version (7.3.33). It already reached its end of life in December 2021 and no longer receives official security updates, making it prone to exploitation and compromise.

Double zipped malware

Both Mac and Windows files are double zipped, with the final zip being password protected. For comparison, a legitimate executable would not need to be distributed in such fashion.

On Mac, the installer is a new variant of AMOS, a popular macOS stealer. In its latest iterations, the malicious code checks for the presence of virtual machines and exits with error code 42 if it detects any.

osascript -e "set memData to do shell script "system_profiler SPMemoryDataType"
if memData contains "QEMU" or memData contains "VMware" then
    do shell script "exit 42"
else
    do shell script "exit 0"
end if"

Analysis of the full script shows the function that exfiltrates user data via a POST request to 45.140.13.244, a server hosted in the Seychelles:

On Windows, the payload is loaded via an obfuscated bat file (Costs.tiff.bat) that runs a malicious Autoit script (Sad .com):

"C:Windowssystem32cmd.exe" /c expand Costs.tiff Costs.tiff.bat & Costs.tiff.bat

cmd /c copy /b 701617Sad.com + Io + Thin + Experiment + Detect + Subsection + Meter + Well + Walls + Substantially + Mcdonald 701617Sad.com

The malware command and control server here is cousidporke[.]icu, registered about a week ago by someone in Russia.

We have heard of victims whose crypto wallets had been emptied, and were subsequently impersonated by the criminals who sent phishing links to their contacts.

Conclusion

Cracked software has been prone to containing malware for decades, but clearly the lure of a free lunch is still very appealing. What’s interesting with this particular scheme is how involved the original poster is, going through the thread and being ‘helpful’ to users asking questions or reporting an issue.

Here are some things to look out for and stay safe:

• instructions to disable security software so the program can run (do not disable the antivirus that’s trying to protect you!)
• files that are password-protected (this is a common practice to thwart security scanners)
• files hosted on dubious online platforms

However, it is still easy to fall for these scams, especially if the recommendation came from a friend. Malwarebytes protects from both Mac and Windows payloads.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Amazon has announced its Echo devices will no longer have the option to store and process requests on the device itself, meaning your voice recordings will now be sent to the cloud for processing.

In an email sent to customers, Amazon explained that the feature “Do Not Send Voice Recordings” will no longer be available beginning March 28, 2025.

The reason for this change? AI.

“As we continue to expand Alexa’s capabilities with generative AI features that rely on the processing power of Amazon’s secure cloud, we have decided to no longer support this feature.”

Basically, the processing requests that rely on AI features can’t be done within the limited processing power of the Echo device itself. This means that voice recordings will be sent to and processed in the cloud.

Amazon promises the recordings will be deleted after Alexa processes your requests if you enable the “Don’t Save Recordings” setting (we recommend you do this). But is that promise enough? And what happens to the data before it’s deleted? After all, it wasn’t that long ago that Amazon’s Ring camera feeds were available for all staff and contractors to view.

This change confirms existing fears about user privacy with the implementation of the generative AI version of Alexa. Due to financial losses that came with Alexa’s operation, Amazon introduced the AI-powered Alexa+ which has far more capabilities and should generate more cash-flow. Alexa+ is based on several major language models such as the in-house development Nova, and Claude from Anthropic.

In a statement Amazon told TechCrunch:

“The Alexa experience is designed to protect our customers’ privacy and keep their data secure, and that’s not changing. We’re focusing on the privacy tools and controls that our customers use most and work well with generative AI experiences that rely on the processing power of Amazon’s secure cloud.”

This sounds reassuring, but something that doesn’t leave the device can’t get lost along the way. So, the “Do Not Send Voice Recordings” sounds a lot safer to me.

Reportedly, the change specifically affects the fourth generation Echo Dot (4^th Gen), Echo Show 10, and Echo Show 15 devices, for customers in the US with devices set to English.

When devices are too smart

I love gadgets as much as the next person, but with some devices I wonder whether it’s really necessary to make them “smart.”

The only way to protect your privacy and security at home is to avoid using devices that connect to the internet, including your phone. Obviously, in today’s world, that’s an impossible task for most. Therefore, the second-best option is to consider which devices are absolutely necessary for work, pleasure, and convenience, and slim down the list of smart-enabled devices.

For example, for an energy-conscious person, the use of a smart thermostat makes sense. However, we’ve seen plenty of devices that were only smart because it benefited the vendor. Data brokers will pay a pretty penny to those vendors if you install their app which gathers data about you and your device.

The FBI Denver Field Office has warned of an increasing number of scammy websites offering free online file converter services.

Instead of converting files, the tools actually load malware onto victims’ computers. The FBI warned specifically about that malware leading to ransomware attacks, but we’ve also seen similar sites that install browser hijackers, adware, and potentially unwanted programs (PUPs).

The cybercriminals offer any kind of popular file conversion to attract victims, with the most common ones converting .doc to .pdf files and vice versa. There are also sites that offer to combine multiple images into one .pdf file.

And it’s not as if these file converters don’t work. Usually, they will, and the victim will think nothing more of it. They might even recommend it to a friend or co-worker.

But in the background, their system has hidden malware in the file the victim has downloaded, which is capable of gathering information from the affected device such as:

• Personal identifying information (PII) including Social Security Numbers (SSN).
• Financial information, like your banking credentials and crypto wallets.
• Other passwords and session tokens that could allow the scammers to bypass multi-factor authentication (MFA).
• Email addresses.

There are a few possible scenarios the cybercriminals might pursue:

• They encourage you to download a tool on your device to do the conversion. This is the actual malware.
• You might be recommended to install a browser extension that you can use going forward. These extensions are often browser hijackers and adware.
• In the most sophisticated scenario, the so-called converted file contains malware code that downloads and install an information stealer and everyone who opens it will get their device infected.

By using one of these online converters you could be at risk of getting infected with ransomware or enable criminals to steal your data or identity in full.

Education is key

FBI Denver Special Agent in Charge Mark Michalek stated:

“The best way to thwart these fraudsters is to educate people so they don’t fall victim to these fraudsters in the first place.”

Obviously it also helps to have active anti-malware protection on your device and a browser extension that blocks malicious sites.

If you have fallen victim, or suspect you may have, you should:

• Contact your financial institutions immediately. Work with them to take the necessary steps to protect your identity and your accounts.
• Change all your passwords and do this using a clean, trusted device.
• Report it to the Internet Crime Complaint Center.

IOCs

Below are some recent examples of domains involved in this type of scam and the reason why Malwarebytes products block them.

Imageconvertors[.]com (phishing)

convertitoremp3[.]it (Riskware)

convertisseurs-pdf[.]com (Riskware)

convertscloud[.]com (Phishing)

convertix-api[.]xyz (Trojan)

convertallfiles[.]com (Adware)

freejpgtopdfconverter[.]com (Riskware)

primeconvertapp[.]com (Riskware)

9convert[.]com (Riskware)

Convertpro[.]org (Riskware)

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

This year, Spring Break vacationers are packing more than their flip-flops, bucket hats, and sunglasses—they’re also packing a few cybersecurity anxieties for the trip.

According to new research from Malwarebytes, 52% of people said they “worry about being scammed while traveling,” while another 40% admitted that they “worry about my kids or family sharing trip details online.” While most people said they will act on these concerns—63% will make sure their security software is up to date, 53% will back up their data—roughly 10% of people said they will take no precautions whatsoever into protecting their security or privacy while on vacation.

The findings reveal that the public approaches cybersecurity as a patchwork quilt, implementing some best practices while forgoing others, and engaging in a few behaviors that carry significant risk online.

For this research, Malwarebytes conducted a pulse survey of its customers in March via the Alchemer Survey Platform.

Broadly, Malwarebytes found that:

• 52% of people “agreed” or “strongly agreed” that they “worry about being scammed while traveling.”
• 20% of people “agreed” or “strongly agreed” that they “don’t really think about protecting my data while traveling.”
• 38% of people said they will book their next travel opportunity through a “general search,” which could leave them vulnerable to malvertising.
• Apps are a way of life, as 66% of people said they use between one and six apps specifically for travel (such as hotel apps, airline apps, and translation apps). A particularly plugged-in 8% of people said they manage more than seven apps for the same purposes.
• To stay cybersecure and private on vacation, the majority of people will backup their data (53%), ensure their security software is up to date (63%), and set up credit card transaction alerts (56%), but 10% will take none of these—or other—steps.
• 53% of people refuse to take a single laptop with them on vacation, whereas just 1% leave even their smartphone behind—talk about a holiday.

Risky business break

The cybersecurity risks around personal vacations are unlike those around the holidays for major organizations and businesses, in which cybercriminals know that low staffing will leave companies more vulnerable to an attack or breach.

Instead, far-flung Spring Breakers can engage in a series of behaviors both before and during their holidays that leave them open to online scams and theft.

Take, for example, the 38% of people who told Malwarebytes that they would conduct a “general search online” in booking their next vacation. While Google searches are probably one of the most common tasks for any vacation planning, the results that people see can be manipulated through a type of cybercrime called malvertising, short for “malicious advertising.” 

In malvertising, cybercriminals will create a fake website that looks like a popular service, like Facebook, Slack, or eBay. Cybercriminals will also pay a small sum so that these fake websites show up near the top of Google’s sponsored results for relevant searches. Once users click on the websites, which appear legitimate, they’re tricked into downloading malware or handing over sensitive information to scammers.

A safer option for vacationers is to book travel directly with an airline or hotel chain. Many participants wrote this approach into the Malwarebytes survey when selecting the “Other” option (14%). Interestingly, the 29% of respondents who said they use a travel agent for booking likely also receive some extra safeguards, simply because another, experienced, person is involved in the process.

But in the same way that cybercriminals have begun abusing Google search results to send victims to dangerous websites, they’ve also done the same to trick users into downloading fake versions of popular apps.

Android “phishing” apps are a serious threat to users today—Malwarebytes detected 22,800 of them last year alone—and, as we wrote before, they represent the next step in camouflaged cyber-scamming:

“By disguising themselves as legitimate apps—including for services like TikTok, Spotify, and WhatsApp—Android phishing apps can trick victims into typing in their real usernames and passwords on bogus login screens that are controlled entirely by cybercriminals.”

The threat here endures long after the app is installed. If enough victims unwittingly send their passwords, cyber thieves could bundle the login credentials for sale on the dark web. Once the passwords are sold, the new, malicious owners will attempt to use individual passwords for a variety of common online accounts—testing whether, say, an email account password is the same one used for a victim’s online banking system, their mortgage payment platform, or their Social Security portal.

This wouldn’t be too much a problem if modern traveling didn’t involve so many apps.

According to our survey, 44% of people manage between two to four apps specifically for travel purposes, and 9% manage between five and six apps. And while 20% of people use zero apps for travel and 14% use just one app, there are 8% of people who rely on more than seven apps strictly for travel purposes.

That could include airlines apps, hotel apps, translation apps, and more. But as more apps help with traveling needs, more opportunities arise for those apps to be falsely emulated and maliciously advertised online.

As for what people do while physically on vacation, many engaged in online behaviors that could prove risky, but they can hardly be criticized for it.

For example, 25% of people said they scan QR codes while on vacation. These codes could lead people to malicious websites, but QR codes have become normalized at restaurants that no longer have physical menus. And 33% of people “log into financial institution sites or apps to manage [their] budget, check purchases, etc.” This type of activity was susceptible to online eavesdropping many years ago, but everyday internet connections have become far more secure in the past decade. That said, it’s inspiring to see that 41% of people “download or install a VPN” to provide an extra level of security when browsing on public Wi-Fi.

Safe travels

Cybersecurity is probably the last thing people want to “pack” before going away on a break, but, thankfully, it’s something that a majority of people said they do.

For instance, 63% said they “check that [their] security software is up to date,” while 53% said they “backup [their] data.” Similarly, 56% said they “set up credit card transaction alerts.” And while it isn’t quite a majority, 47% said they turn on “Find my Device” features which can help in case of a lost or stolen device. Interestingly, people do not commit to the same precautions for their bags—just 21% of survey participants said they “put a tracker in [their] luggage.”

Still, there’s progress to be made.

Not only did 10% of survey participants share that they take zero cybersecurity or data privacy precautions before traveling, but 20% also agreed or strongly agreed with the statement “I don’t really think about protecting my data while traveling.”

For safety abroad, here are a few tips travelers can take before and during their next vacation:

• Backup your data before you head out. Losing a device or having it stolen while on vacation won’t just ruin the trip itself—it will return the return journey, too. Backing up your data will help ensure that any lost device doesn’t lead to lost files.
• Turn on “Find My” features. To respond to a lost or stolen device, turn on the “Find My” features on iPhones and Androids before your vacation so you can track a device’s location in real time.
• Protect your devices with antivirus and cybersecurity tools. Modern cybersecurity tools don’t just stop viruses from landing on your devices, they also warn you about dangerous websites and links that could steal your info.
• Update your software. Ensure that your devices are running on the latest versions of their operating systems. This helps prevent any known weaknesses from being exploited by cybercriminals.
• Use a password manager and 2FA. Your most sensitive accounts shouldn’t just have a unique password. They should also be protected by two-factor authentication, which requires more than a password for anyone to login.
• Consider a VPN. If you are doing something sensitive online, it never hurts to use a VPN. Bonus: If you’re travelling to another country where your favourite streaming shows aren’t available, a VPN can help here too.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Last week on Malwarebytes Labs:

• Research on iOS apps shows widespread exposure of secrets
• Don’t let your kids on Roblox if you’re not comfortable, says Roblox CEO
• Update your iPhone now: Apple patches vulnerability used in “extremely sophisticated attacks”
• The dark side of sports betting: How mirror sites help gambling scams thrive
• Android devices track you before you even sign in
• X users report login troubles as Dark Storm claims cyberattack
• How ads weirdly know your screen brightness, headphone jack use, and location, with Tim Shott (Lock and Code S06E05)
• Fake CAPTCHA websites hijack your clipboard to install information stealers
• Malwarebytes Premium Security awarded “Product of the Year” from AVLab

Last week on ThreatDown:

• ThreatDown is Product of The Year
• March 2025 Patch Tuesday, severity over quantity
• Phishing, now available on your favorite app store!

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Researchers found that most of the apps available on Apple’s App Store leak at least one hard-coded secret.

The researchers looked at 156,000 iOS apps and discovered more than 815,000 hardcoded secrets, including very sensitive secrets like keys to cloud storage, various Application Programming Interfaces (APIs), and even payment processors.

The researchers noted how:

“The average app’s code exposes 5.2 secrets, and 71% of apps leak at least one secret.”

Secrets hard-coded in the source code of the apps are considered exposed because they are relatively easy to find and abuse by cybercriminals.

While you may think that’s the publisher’s problem, these hard-coded secrets can have serious consequences for the an app’s users, particularly when these are credentials which provide access to cloud storage services like AWS S3 buckets or Azure Blob Storage. The researchers found 78,000 apps which exposed cloud storage buckets.

We have posted plenty of examples of exposed AWS S3 buckets over the years, often leading to millions of exposed customer records. Depending on the type of app these records can contain financial data, location data, and other personal information.

Unless you’re able to reverse engineer an app, there is not a lot you can do after the fact. But you can keep this information in mind before you install an app. Do you trust the developers to follow best practices and do you really need it? Also keep a tight rein on the permissions you allow an app.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.