IT News

In 2019, a ransomware attack hit LifeLabs, a Canadian medical testing company. The ransomware encrypted the lab results of 15 million Canadians, and personally identifiable information (PII) of 8.6 million people was stolen.

After noticing the attack, LifeLabs informed its customers and the Canadian privacy regulators, which immediately announced an investigation.

The privacy commissioners of both British Columbia and Ontario finished writing a report about the incident in 2020 but LifeLabs managed to hold that up in court for four years. Now the report is publicly available and some of the findings are both shocking and unsurprising.

According to the report, LifeLabs had several shortcomings before the breach:

• LifeLabs failed to take reasonable steps to protect personal information and personal health information in its custody and control from theft, loss, and unauthorized access, collection, use, disclosure, copying, modification or disposal.
• LifeLabs failed to have in place and follow policies and information practices that comply with PIPA and PHIPA
• LifeLabs collected more personal information and personal health information than is reasonably necessary to meet the purpose for which it was collected.

Additionally, the investigation found that LifeLabs didn’t comply with its obligation to notify affected people at the first reasonable opportunity. This was because it didn’t implement a process to notify people about the details of what personal health information was compromised without requiring them to make a formal access request.

Patricia Kosseim, Information and Privacy Commissioner of Ontario commented:

“Personal health information is particularly sensitive and privacy breaches can have devastating impacts for individuals.”

The regulator said it was important for the report to be made public after four years of resistance by LifeLabs. We agree that it is important that we know how companies are protecting our data, especially the medical kind. But at the same time we also know that many organizations in the healthcare industry do not have the staff to handle this, not do they have the funding to hire those staff. It’s catch 22.

At the time, LifeLabs wrote in an open letter that the cybersecurity firm it hired to investigate the incident advised it that the risk to its customers in connection with this cyberattack was low. LifeLabs said it hadn’t seen any public disclosure of customer data as part of its investigations, including monitoring of the dark web and other online locations.

Malwarebytes checked up whether that claim still held through and could indeed not find any LifeLabs customer data that came from that breach.

The reason is not a big mystery. Reportedly, LifeLabs paid the ransomware group, which is why it’s still unknown which group was behind the attack. The specific amount of the ransom paid has not been disclosed by the company.

But as ransomware groups are just a gang of criminals, it might be hard to take their word for it that they won’t release the data at some point. We will keep an eye on it.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Recently we’ve seen some heated discussion about Microsoft’s connected experiences feature. As in many discussions lately there seems to be no room for middle ground, but we’re going to try and provide it anyway.

First of all, it’s important to understand what the “connected experiences” are.

Microsoft describes it like this:

“Connected experiences that analyze your content are experiences that use your Office content to provide you with design recommendations, editing suggestions, data insights, and similar features.”

If that sounds like auto-correct on steroids, you’re close. You like it or you don’t.

But I found that there are two types of connected experiences.

Let’s start with a locally saved document created in Microsoft 365 (Word). To find the connected experiences settings, you’ll need to

• Click on File > Options

• Select Trust Center and click on Trust Center Settings

• Select Privacy Options and click on Privacy Settings

Then you’ll see three entries for Connected experiences:

• Experiences that analyze your content
• Experiences that download online content
• All connected experiences

My tinfoil hat warns me that the second one is bound to show up in some vulnerability, but nowhere does it say that anything you produce will be shared with anyone, let alone train an AI model. If anything is worrying in there, it’s the fact that it uses content in your documents to find online information that might be of interest to you.

Feel free to turn these options off.

For online documents created with Microsoft 365 apps it’s a different topic, and depends on what the administrator of the organization that provided it has decided to make available to you.

The overview of optional connected services provided by Microsoft says:

“If you have a work or school account, your organization’s admin may have provided you with the ability to use one or more cloud-backed services (also referred to as “optional connected experiences”) while using the Office apps, like Word or Excel, that are included with Microsoft 365 Apps for enterprise.”

It then goes on to list all the possible optional connected experiences. The settings for these are of the type  “all or nothing.”

You can find these settings if you have a document open in your browser by following the path File > About > Privacy Settings > Optional connected experiences.

The official Microsoft 365 account on X tweeted to say it didn’t use customer data to train large language models (LLMs)—a type of artificial intelligence (AI) program—in M365 apps:

“In the M365 apps, we do not use customer data to train LLMs. This setting only enables features requiring internet access like co-authoring a document.”

So, turning that option off might result in some lost functionality if you’re working on the same document with other people in your organization.

If you want to turn these settings off for reasons of privacy and you don’t use them much anyway, by all means, do so. The settings can all be found under Privacy Settings for a reason. But nowhere could I find any indication that these connected experiences were used to train AI models.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Spotify and Amazon services have been flooded with bogus listings that push dubious “forex trading” sites, Telegram channels, and suspicious links claiming to offer pirated software according to our friends over at BleepingComputer.

Cybercriminals are abusing the options to inject keywords and links into playlist names to make their entries rank high in Google search results.

BleepingComputer found that spammers had posted a lot of links on the content platforms, but that the length of the audio “episodes” published under these “podcasts” was zero seconds.

What you can expect to be offered are cracks, keygens, cheat codes, and other game related content, but also “forex trading” seems to be a popular subject to promote.

The fact that many cracks, keygens, and game mods are often replaced by or come bundled with malware was already known in the previous century, so that shouldn’t surprise anyone.

The “forex trading” part may be a little harder to understand.

On the content platforms we mentioned, links are shared pointing to forex trading platforms where you can trade one currency for another speculating on exchange rate fluctuations. Forex trading is far from illegal, it’s an important part of international trade. But in areas where so much money changes hands, there will always be criminals looking for a piece of the action.

There are two main types of forex trading scams you need to be aware of. Scams performed by external criminals, and unethical forex brokers. Even though management teams within brokers must be vetted by regulators and licensers, there are plenty of incentives for brokers to take advantage of their customers.

The scams themselves can be largely identified as:

• Signal scams: Signals are data-driven broker-generated information prompts that give traders improved opportunities to make profitable trades. While many of them can be considered legitimate, they do not guarantee success and they can be abused by signal-sellers that prey on our tendency to want to get rich fast and with little effort.
• Pyramid schemes: The pyramid schemes are in fact private circles run by individuals who seek to profit by charging a subscription fee and encouraging new members to recruit fellow investors for the prize of a small commission payout. The higher up the money-earning pyramid you are, the more subscription fees flow your way.
• Point-spread scam: As brokers earn their commissions based on the gap between bid and ask prices, they make more money when the gap is bigger. When the natural supply and demand conditions do not create a big enough gap, some brokers have been known to exaggerate the gap by rigging the code that displays the prices.
• Robot scamming: This is a relative newcomer to the scams. It offers traders the option to earn money while you are not actively trading on your system. The term “robot” refers to the automation of the process with software. Needless to say these robots can be rigged to work for the broker instead of for you.
• Sale of personal information: Under the rules of Know Your Customer (KYC) legislation, every trader must be able to supply private and confidential information that often includes details like banking information and credit card information. Scam brokers could sell this information to a third party, who may try to lure you into another scheme.

But cybercriminals could also have set up their own fraudulent trading platforms and be phishing for your login credentials to existing platforms.

How to stay safe

If you decide you want to delve in forex trading, there are a few pointers to keep your money safe.

There are some similarities between forex trading and casino gambling, only forex trading involves more skill and analysis than most casino games. Don’t go all-in. Don’t lose your shirt.

• Get rich quick schemes often work for those offering them, but not for those falling for them.
• It is vital to research any financial service or platform before investing.
• As always, if it sounds too good to be true, it probably is.
• It is crucial to understand what you are doing or what is being done for you.
• Watch out for clone websites.
• If you don’t understand how the trader’s robot works, ask until you do or don’t use it.
• Stay away from forex trading platforms promoted on content platforms that have nothing to do with forex trading.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Andrew Tate’s online education platform The Real World—formerly known as Hustlers University—has been hacked and user data has been stolen.

Hacktivists flooded the primary chatroom with emojis as proof that they had breached the site. After this they shared approximately 794,000 usernames of, allegedly, the site’s current and former members with the Daily Dot and journalism collective DDoSecrets.

The stolen chat logs originated from the platform’s 221 public and 395 private chat servers. Included in the data are 794,000 usernames for current and former members, and 324,382 unique email addresses that appear to belong to users who were removed from the main database after they stopped paying their subscriptions.

It’s not clear if this set of email addresses came from a less secure environment or whether the hacktivists just stumbled over those first. A source close to the hacktivists say the platform’s security is “hilariously insecure.”

An unpatched vulnerability meant they could “upload emojis, delete attachments, crash everyone’s clients, and temporarily ban people.” All of this must be painful for a platform that claims to teach “all digital skills.”

Highly controversial figure Andrew Tate has not responded to the breach yet.

This could be because he is facing other problems. He’s currently under house arrest in Romania, facing trial after being charged with rape, human trafficking and forming an organised crime group to sexually exploit women. He is also wanted in the UK to face allegations of sexual assault. He denies all the allegations.

Anyway, there are reasons why clients, especially those that stopped payments, would not like to be associated with The Real World.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

Last week on Malwarebytes Labs:

• Meta takes down more than 2 million accounts in fight against pig butchering
• “Sad announcement” email implies your friend has died
• Update now! Apple confirms vulnerabilities are already being exploited
• AI Granny Daisy takes up scammers’ time so they can’t bother you
• Free AI editor lures in victims, installs information stealer instead on Windows and Mac
• AI is everywhere, and Boomers don’t trust it
• An air fryer, a ring, and a vacuum get brought into a home. What they take out is your data (Lock and Code S05E24)
• QuickBooks popup scam still being delivered via Google ads

Last week on ThreatDown:

• How to tame ransomware gangs’ top 5 favorite scripting engines

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Meta provided insight this week into the company’s efforts in taking down more than 2 million accounts that were connected to pig butchering scams on their owned platforms, Facebook and Instagram.

Pig butchering scams are big business, with hundreds of millions of dollars involved every year. The numbers are not precise because some researchers see these scams as a special kind of romance scam, while others classify them as investment fraud, muddying the numbers based on which group is counting what type of loss.

Still, the general idea is that scammers use elaborate storylines to fatten up victims into believing they are in a romantic or otherwise close personal relationship. Once the victim places enough trust in the scammer, they bring the victim into a cryptocurrency investment scheme. Then comes the “butchering”—an attempt to “bleed” a target dry of their money.

Pig butchering, however, isn’t always a simple case of cybercriminals preying on unsuspecting victims. As Meta described, sometimes the scammers themselves are victims that work in scam centers, mainly located in Asia.

“These criminal scam hubs lure often unsuspecting job seekers with too-good-to-be-true job postings on local job boards, forums, and recruitment platforms to then force them to work as online scammers, often under the threat of physical abuse.”

These workers not only work on pig butchering scams. They are also forced to engage in a wide range of malicious activities that can involve cryptocurrency and gambling, or they can be tasked to carry out impersonation scams.

Working with expert NGOs and law enforcement partners in the US and Southeast Asia, Meta has focused on investigating and disrupting the activities of the criminal scam centers in Southeast Asia. This has led to the take-down of over two million accounts linked to scam centers in Myanmar, Laos, Cambodia, the United Arab Emirates, and the Philippines.

Despite their location, the targets of the scams can be found all over the globe. The scammers follow playbooks to gain the trust of the targets. Contacting victims initially on social media, dating apps, email, or messaging apps, the scammers later move their interactions to more private channels like scammer-controlled accounts on crypto apps or scam websites masquerading as investment platforms. This pushes victims further into a trap and it removes their ability to report their conversations to a platform that takes this type of abuse seriously.

From here, scammers will continue the charade that they’ve set up wise investments for the targets. But once enough trust has been built to seriously rob a victim, scammers will steal what they can and disappear. As Meta said:

“Typical of ‘pig butchering’ schemes, the target may be allowed to withdraw small amounts to build trust, but once they start asking for their ‘investment’ back or it becomes clear that they do not have more funds to send to the scammer, overseas scammers typically disappear with all the money.”

How to avoid becoming the pig

The good thing about pig butchery scams is that they mostly follow a narrow pattern, with few variations. If you recognize the signs, you stand a very good chance of going about your day with a distinct lack of pig-related issues. The signs are:

• Receiving stray messages for “someone else” that appear out of the blue. This can be a message directed to someone who does not have your name.
• The profile picture of the person you’re talking to looks like someone who is a model.
• Common scam opening lines may involve: Sports, golfing, travel, fitness.
• At some point they will ask you about investments and/or cryptocurrency.
• They will ask you to invest or take some of their money and use that instead.

As you can see, there is a very specific goal in mind for the pig butcher scammers, and if you find yourself drawn down this path, the alarm bells should be ringing by step 4 or 5. This is definitely one of those “If it’s too good to be true” moments, and the part where you make your excuses and leave (but not before hitting block and reporting them).

Here’s what you can do to keep yourself safe:

• Don’t give scammers the information they need. Scammers rely on what you volunteer about yourself online to tweak their script and lure you in. Use tools such as the Malwarebytes Personal Data Remover to minimize the amount of data accessible through search engine results, spam lists, and people search sites.
• Perform an image search of the photo and the name of the person you’re in touch with. Scammers often steal someone else’s image to use as bait, and stolen identities are rife.
• Go slow. Scammers tend to rush, building rapport with their victims as quickly as possible before moving in for the money-themed kill.
• Never give money to anyone you’ve met online
• Get a second opinion from someone you trust
• If in doubt, back away and report the account.

If you’ve been impacted by a romance scam, pig butchering, or crypto investment fraud, you can report the crime to the Internet Crimes Complaint Center (IC3), which is run by the FBI, or the FTC on its reporting and resources page.

We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

Tech support scammers are again stooping low with their email campaigns. This particular one hints that one of your contacts may have met an untimely end.

It all starts with an email titled “Sad announcement” followed by a full name of someone you know. The email may appear to come from the person themselves.

A co-worker who received such an email pointed it out to our team. Looking around, I found the first report about such an email in a tweet dating back to February 5, 2024.

With some more information about what I was looking for, I managed to find several more.

There is a great deal of variation between the emails, but we do have enough samples to show you a pattern which looks like this:

Subject: Sad announcement: <First name><Last name>

Sometimes the colon is replaced by the word “from”.

Then a short sentence to pique the reader’s curiosity, which often references photos. Here are some examples:

“When you open them you will see why I actually wanted to share them with you today”

“Never thought I would want to share these images with you, anyways here they are”

“I’m presuming you should remember these two ladies, in that photo”

“When I was looking through some old folders I found these 3 pics”

“it wasn’t initially my plan, but I had to change my mind about it”

“Two pictures that I wanted to share with you. They’re likely to bring a flood of memories to you, as they did to me…”

“Probably should have contacted you a little bit earlier. Anyways just wanted to keep you updated”

This is then immediately followed by a link. These also follow a certain pattern:

These domains are all registered with NameCheap and are only active for a few days.

To close the emails off, the scammers end with a quote in the format:

“You do not find the happy life. You make it.” –  Camilla Eyring Kimball

The sender addresses are spoofed to look like they were coming from family or friends of the target. The actual sender addresses are compromised accounts from all over the world.

The campaign looks to have targeted mainly the US, but I also found some located in Ireland and the UK and some odd ones in India and Italy.

So, the question is, what are they after? The short-lived domains really made it hard for me to figure that out. It took me quite a bit to find a domain that was still active, but then I knew soon enough what the end-goal of the spammers was.

A short chain of redirects sent me to https://niceandsafetystore0990.blob.core.windows[.]net/niceandsafetystore0990/index.html which is now blocked by Malwarebytes Browser Guard.

The blob.core.windows.net subdomains are unique identifiers for Azure Blob Storage accounts. They follow this format:

<storageaccountname>.blob.core.windows.net

Where <storageaccountname> is the name of the specific Azure Storage account. Spammers like using them because the windows.net part of the domain makes them look trustworthy.

The website itself probably looks familiar to a lot of readers: A fake online Windows Defender scan.

The fake Windows Defender site shows that your system is infected with loads of threats.

Funny enough the site claims to be Windows Defender, but uses Malwarebytes’ detection names. For example: Microsoft does not detect the Potentially Unwanted Program which Malwarebytes detects as PUP.Optional.RelevantKnowledge.

Anyway, the website quickly takes up the entire screen, so you have to click or hold (depending on your browser) the ESC button to get back the controls that allow you to close the website.

Now that you have seen the patterns in the email, we hope that you will refrain from clicking the links. The redirect chain can be changed and may be different for your location and type of system. So, there may be more serious consequences than an annoying website.

How to avoid the “sad announcement” scam

• Always compare the actual sender address with the email address this person would normally use to send you an email.
• Never click on link in an unsolicited email before checking with the sender.
• Don’t call the phone numbers displayed on the website, because they will try to defraud you.
• If in doubt, contact your friend via another, trusted method

If your browser or mobile device “locks up”, meaning you’re no longer able to navigate away from a virus warning, you’re likely looking at a tech support scam. If something claims to show the files and folders from inside of your browser, this is another signal that you’re on a fake page. Close the browser if possible or restart your device if this doesn’t work.

Despite the occasional arrests and FTC fines for tech support scammers and their henchmen, there are still plenty of cybercriminals active in this field. Scams range from unsolicited calls offering help with your “infected” computer to fully-fledged websites where you can purchase heavily over-priced versions of legitimate security software.

Unfortunately for some people these warnings may have come too late. So what should you do if you have fallen victim to a tech support scam? Here are a few pointers:

• Have you already paid? Contact your credit card company or bank and let them know what’s happened. You may also need to file a complaint with the FTC or contact your local law enforcement agency, depending on your region.
• If you’ve shared your password with a scammer, change it on every account that uses this password. Consider using a password manager and enable 2FA for important accounts.
• Scan your device. If scammers have had access to your system, they may have planted a backdoor so they can revisit whenever they feel like it. Malwarebytes can remove backdoors and other software left behind by scammers.
• Keep an eye out for unexpected payments. Be on the lookout for suspicious charges/payments on your credit cards and bank accounts so you can revert and stop them.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Apple has released security patches for most of its operating systems, including iOS, Mac, iPadOS, Safari, and visionOS.

The updates for iOS and Intel-based Mac systems are especially important, as they tackle vulnerabilities that are being actively exploited by cybercriminals. You should make sure you update as soon as you can.

To check if you’re using the latest software version, go to Settings > General > Software Update. It’s also worth turning on Automatic Updates if you haven’t already, which you can do on the same screen.

To determine whether your Mac is Intel-based or equipped with Apple silicon, follow these simple steps:

• Click the Apple icon in the top-left corner of your screen.
• Select About This Mac.
• Check the information:
  • If you see an item labeled Chip, your Mac has Apple silicon (like M1, M2, or M3).
  • If you see an item labeled Processor, it indicates that your Mac is Intel-based, and the specific Intel processor name will be listed next to it.

Technical details

Because Apple does not share details until everyone has had a chance to update, it is hard to figure out what the exact problem is. But there are some things we can deduct from the given information.

The vulnerabilities that Apple says may have been actively exploited on Intel-based Mac systems are:

CVE-2024-44308: a vulnerability in the JavaScriptCore component. Processing maliciously crafted web content may lead to arbitrary code execution. This means that an attacker will have to trick a victim into opening a malicious file containing web content.

JavaScriptCore is the built-in JavaScript engine for WebKit that enables cross-platform development by providing a way to execute JavaScript within native iOS and macOS applications.

CVE-2024-44309: a cookie management issue in the WebKit component was addressed with improved state management. This issue is fixed in Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, macOS Sequoia 15.1.1, iOS 18.1.1 and iPadOS 18.1.1, visionOS 2.1.1. Processing maliciously crafted web content may lead to a cross-site scripting attack.

We don’t just report on macOS security—we provide it.

Cybersecurity risks should never spread beyond a headline. Keep threats off your Mac by downloading Malwarebytes for Mac today.

A mobile network operator has called in the help of Artificial Intelligence (AI) in the battle against phone scammers.

Virgin Media O2 in the UK has built an AI persona called Daisy with the sole purpose of keeping scammers occupied for as long as possible. Basically, until the scammers give up, because Daisy won’t.

Daisy uses several AI models that work together listening to what scammers have to say, and then responding in a lifelike manner to give the scammers the idea they are working on an “easy” target. Playing on the scammers’ biases about older people, Daisy usually acts as a chatty granny.

According to Virgin Media O2’s press release Daisy has successfully kept numerous fraudsters on calls for 40 minutes at a time. To achieve this “Granny Daisy” will tell the scammers all about her passion for knitting, her cat Fluffy, and provide exasperated callers with false personal information including made up bank details.

The idea behind Daisy is two-fold. Not only does it waste the scammers’ time—time they could have spent defrauding real people—but it also raises awareness, through posts such as this one, that the person you are talking to on the phone could be very different from what you imagine.

Raising awareness about how AI can be used to deceive people is necessary: We’ve reported about how scammers have used AI used to fake voices of loved ones in a “I’ve been in an accident” scam to warn others about the scam.

Virgin Media O2 research learned that 67% of Brits are concerned about being the target of fraud and 22% experience a fraud attempt every single week. The Federal Trade Commission (FTC) received fraud reports from 2.6 million consumers in 2023, with imposter scams the most commonly reported fraud category.

The criminals often pretend to work for your bank or a delivery company that needs a payment before they can deliver a package, with the end goal of the victim disclosing their banking details.

It’s too bad that Daisy can’t intercept the calls from the scammers. For now, the scammers will have to call one of the phone numbers that Daisy answers, which have cleverly been circulated on contact lists known to be used by scammers.

If you’d like to hear Daisy in action here is a video with some actual audio.

Daisy was set up with the help of one of YouTube’s best known scam baiters, Jim Browning. Behind the scenes there are several people that enjoy being a real life time waster, but they can only occupy so many because their time is limited.

We asked Tammy Stewart, one of Malwarebytes’ researchers, who has made it a hobby to waste the time of phishers herself, and she was enthusiastic about the idea of having a “Daisy.” In fact, she’d like to have several and she thinks they could be very effective.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

A large social media campaign was launched to promote a free Artificial Intelligence (AI) video editor. If the “free” part of that campaign sounds too good to be true, then that’s because it was.

Instead of the video editor, users got information stealing malware. Lumma Stealer was installed on Windows machines and Atomic Stealer (AMOS) on Macs.

The campaign to promote the AI video editor was active on several social media platforms, like X, Facebook, and YouTube…

…and had been active for quite a while. as you can see from this tweet.

The criminals seem to have used a lot of accounts to promote their “product” as you can see from this search on X.

Some accounts were expressly created for this purpose, while others look like they may have been compromised accounts.

The campaign looks well organized, and looks so legitimate that it took quite a while before a researcher found out and tweeted about the threat.

When interested individuals follow the links, they’ll end up on a professional looking website—exactly what you would expect.

But if they click the “GET NOW” button, they’ll download the information stealer and infect their device. The file is called “Edit-ProAI-Setup-newest_release.exe” for Windows, and “EditProAi_v.4.36.dmg” for macOS.

Lumma is available through a Malware-as-a-Service (MaaS) model, where cybercriminals pay other cybercriminals for access to malicious software and its related infrastructure. Lumma steals information from cryptocurrency wallets and browser extensions, as well as two-factor authentication details. Lumma is often distributed via email campaigns, but nothing stops the cybercriminals from spreading it as a download for an AI editor, as they did here.

AMOS makes money for its operators by finding and stealing valuable information on the computers it infects, such as credit card details, authentication cookies, passwords and cryptocurrency. Besides stealing data from the web browsers themselves, AMOS can also steal data from browser extensions (plugins).

What if you installed one of these?

Both stealers are after login credentials and financial information, so there are a few things you’ll need to do.

• Monitor your accounts. Banking and cryptocurrency information is a prime target for these information stealers, so check your accounts and monitor them closely.
• Change all your passwords starting with the important ones, and if you’re not using a password manager already, now might be a good time to get one. It can help you create and store strong passwords.
• Enable multi-factor-authentication (MFA) on all your important accounts.
• Log out of all your important accounts on infected devices. These information stealers are capable of taking over some accounts by stealing cookies, even if you have MFA enabled.

Malwarebytes for Windows and Malwarebytes for Mac can detect the information stealers, and they block the EditProAI websites.