IT News

Security alerts from tech companies are supposed to warn us when something might be amiss—but what if the alerts themselves are the risk? Scammers have long impersonated tech companies’ security and support staff as a way to sniff out users’ login credentials, and reports suggest that they’re doing it again, at scale.

The attack goes like this: Victims get an email or phone call allegedly from Google support that warns someone has tried to hack their account. The best way to protect themselves is to reset the password, the scammer says.

They then send a separate account reset email to the victim, who dutifully enters their login credentials. The account includes a code that the victim must read out to verify that they’re legit. The support staff say they’ll enter this code to reset the system, but they’re using those precious extra few seconds to hijack the victim’s account.

Someone posting to Reddit described getting a call from someone in California who claimed to be from Google.

“He was trying to actively recover my account and steal possession of it, while on the phone with me,” the Redditor said, adding that they challenged the caller, calling them a scam artist. The caller then upped the ante, asking them to look up their number, which showed up on caller ID, and even to hang up and call the number back. “He was completely bluffing — as when you call that number you cannot get a human on the line,” said the Redditor. “They don’t staff that line with agents.”

This scam, reported by Forbes, is just one example of how imposters build trust by pretending to be from tech companies. Last month, the Federal Trade Commission also warned Amazon customers of fake refund mails. The scam messages tell customers that a product they were sent failed to pass an Amazon quality check, and asks them to click a link for a refund. The link, of course, is malicious and leads to information theft.

This kind of thing might leave users worried. After all, if you can’t trust messages purporting to be from your technology provider, then who can you trust?

Companies often have guidance to help prepare you for such scams. Google’s guide to verifying security alerts says that the company will never take you to a sign-in page or ask you to verify yourself. It also says that all legitimate messages will appear on the Security page of your Google account, under “Recent security activity.” Amazon also has a page on identifying scams.

Our favorite comment came from the same Redditor who posted about the Google scammer: “The best thing I’ve read regarding these attempts is ‘Google will NEVER call you out of the blue. They don’t care about your account’” they said. Snarky, but likely true. “Be highly suspicious and never give anyone a code or password and never accept those recovery prompts unless you are 10000% certain YOU issued them.”

We don’t just report on scans—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

Last week on Malwarebytes Labs:

• Italian hotels breached for tens of thousands of scanned IDs
• National Public Data returns after massive Social Security Number leak
• Romance scammers in Ghana charged with more than $100 million in theft
• Netflix scammers target jobseekers to trick them into handing over their Facebook logins
• Russians hacked US courts, say investigators
• Microsoft patches some very important vulnerabilities in August’s patch Tuesday
• WinRAR vulnerability exploited by two different groups
• Scam hunter scammed by tax office impersonators
• That “Amazon Safety Recall” message may well be a scam
• “The worst thing” for online rights: An age-restricted grey web (Lock and Code S06E16)
• Online portal exposed car and personal data, allowed anyone to remotely unlock carslock-cars

Last week on ThreatDown:

• AI has “fully defeated” most of the ways people authenticate

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

The Computer Emergency Response Team (CERT) for Italy’s “Agenzia per l’Italia Digitale” (AGID) issued a warning that cybercriminals are selling stolen identity documents from hotels operating in Italy.

This summer, a criminal hacker group named “mydocs” infiltrated the booking systems of at least ten Italian hotels, stealing high-resolution scans of ID documents, including passports and national ID cards, provided by guests during check-in. These documents, amounting to tens of thousands in number (potentially up to 100,000), have been offered for sale on dark web forums at prices ranging from $1000 to $10,000. Both Italian and foreign guests are affected, with luxury and city hotels among the breached venues.

While the incident appears to have taken place in June and July of this year, it is not clear how many years back the hotels’ scans are retained for, so you could be at risk if you have visited the hotels at an earlier time. AGID did not mention the hotels by name, but we hope the hotels will take it upon themselves to warn the people whose ID information may be for sale.

AGID warns that warned that the stolen data could be used for:

• Fraudulent creation of new documents.
• Opening bank accounts or lines of credit.
• Social engineering attacks against individuals and their contacts.
• Digital identity theft, with serious legal and financial implications.

Authorities advise guests to contact the hotels where they stayed if they suspect their data was compromised and to stay alert for scams or phishing attempts using their information.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online and helps you recover after.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Remember that data broker nobody had ever heard of, but managed to leak a database which contained the data of some 2.9 billion people? It’s back, and this time with a search function.

National Public Data suffered an alleged breach in 2024 against a data base that, it turned out, carried 272 million unique social security numbers (SSNs.) Granted, that there are limits to the safety of using a nine-digit ID in 2025, but the news that the folks at National Public Data have decided it’s time for a comeback made me slightly nauseous.

After the fall-out of the aforementioned leak and others, the site shut down in December amid a wave of lawsuits against parent company Jerico Pictures. But the people at PCMag noticed that the domain nationalpublidata[.]com has been brought back to life.

In an update page about the security incident, the new owner states:

“Jerico Pictures, Inc., the Florida company that suffered a major data breach in 2024, no longer operates this site. We have zero affiliation with them.”

Data brokers scrape, collect, and aggregate data, combining disparate details into comprehensive dossiers. Sometimes your information ends up there because of public records. And sometimes it’s the result of poor security, or, as we see a lot unfortunately, a leak, ransomware attack, or other type of data breach.

On their “About us” page the new owners note:

“We collect the data you find on our people search engine from publicly available sources, including federal, state, and local government agencies, social media pages, property ownership databases, and other reliable platforms. After the data is in our hands, we verify and filter it to make sure it is indeed accurate and up-to-date.”

Their goal:

“National Public Data is a people search website where you can find accurate information about US citizens. Our database gives you access to millions of public records to help you find the data you need the most for various purposes. Privacy, speed, and ease of use are at the heart of what we do. Start your search today and discover what you can learn.”

If you live in the US, it might be prudent to check what information they have about you and where they might have scraped that from. Did you know you can have a lot of that information removed?

In the meantime, the “info spillers” are back, and they seem to be making up for lost time. The real question isn’t if your data is at risk. It’s what you’re going to do about it now.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online and helps you recover after.

We don’t just report on data privacy—we help you remove your personal information

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

The Department of Justice (DOJ) extradited and indicted 4 Ghanaian nationals for allegedly stealing more than $100 million, mainly through romance scams and business email compromises.

According to a report from Comparitech, nearly 59,000 Americans fell victim to romance scams in 2024, losing an estimated $697.3 million. Our own research from last year showed that 10% of romance scam victims lose more than $10,000. The overall true cost is believed to be vastly higher than official reports, as many cases go unreported due to victims’ shame and difficulty tracing scammers.

Many of the scammers work offshore from countries where the chances of them getting apprehended are slim. But US Attorney Jay Clayton stated:

“Offshore scammers should know that we, the FBI, and our law enforcement partners will work around the world to combat online fraud and bring perpetrators to justice.”

The four men are accused of being leaders of a criminal organization based in Ghana which committed romance scams and business email compromises against individuals and businesses located across the US.

Their victims were mostly older men and women tricked into believing they were engaging in a romantic relationship online. These “relationships” sometimes start as a harmless text or by a direct message on social media and dating apps. Soon the scammer will suggest to take the conversation to a more secure platform like WhatsApp or Telegram.

The scammers will take the time to get to know you and assess what the best approach is to deceive you. Most of the time they are after your money, but sometimes they are after information. These scammers may also use other people, who are often younger, as money mules.

The people entailed in romance scams are courted and lavished with attention, until it’s time to cash in. Then the scammer suddenly needs money for travel, an illness, or other made-up reasons. Some scammers also lure victims with a supposed, great investment opportunity that you can’t afford to miss—which will turn out great for them, not the victim.

The four Ghanaian men are facing multiple charges including wire fraud, money laundering, receiving stolen money and more. In total each is facing a maximum sentence of 75 years in prison if convicted on all the charges.

Stay safe from romance scammers

The scale of losses from romance scams often eclipses that of many other types of reported consumer fraud or internet crime, demonstrating the high financial risk entailed in these emotional exploitation schemes.

So, it’s important to understand how these scams operate and how you can stay safe. Some of these tips may seem basic, but in these cases, it’s easy for people to mistake their online relationship with the scammer for a real one. This isn’t the fault of scam victims—it is just a symptom of how effective these scam methods are.

• Don’t send money or disclose sensitive information to anyone you have never met in person.
• Take it slow and read back answers. Scammers usually have a playbook, but sometimes you can spot inconsistencies in their answers.
• Don’t do this alone. Allow someone in your life to share this with. Their perspective may keep your feet on the ground.
• Cut them off early. As soon as you expect you are dealing with a scammer, stop responding. Don’t fall for sob stories or even physical threats they’ll use to keep the connection alive.
• Check their profile picture in an online search. You may find other profiles with the same picture. This is a huge red flag.
• The move to a “safer platform” is another red flag. They are not doing this for privacy reasons, but to stay under the radar of the platform where they first contacted you.
• Consult with a financial advisor or investment professional who can provide an objective opinion if you’re offered an investment opportunity.
• If you encounter something suspicious, report it to the appropriate authorities—such as local law enforcement or the FBI via its Internet Crime Complaint Center. Your action could prevent others from falling victim.  
• Share examples (anonymized) to help others. One way to do this is to use Malwarebytes Scam Guard, which also helps you assess if a message is a scam or not.

We don’t just report on scans—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

In what seems a phishing attack targeted at a certain audience, scammers are impersonating Netflix and reaching out to marketing staff.

The initial mail looks like what you might expect from a headhunter or a human resources (HR) recruitment specialist.

“I hope this note finds you well,” the email begins. “Your reputation as a visionary marketing leader has caught out attention, and I’d like to share an extraordinary opportunity with you at Netflix.”

Undoubtedly this email is crafted by AI and based on real-life examples. The role offered in the email as VP of Marketing would be a fitting role for the person that received this email, so it looks as if the scammers have done their research before reaching out.

Replying to the initial mail—which is not recommended, unless you like letting scammers know you exist and encouraging them to send you more phishes—got us one step closer to landing the exciting new job at Netflix.

We received an invitation to set up an interview with the ‘Netflix HR team’.

Following the link under “Schedule Interview” gets us a block by Malwarebytes web protection.

Again, not something we would want our readers to do but in the interest of learning more about the scam, we bypass that block and proceed to the website.

We find that there are 20 openings, all more or less in the same fields of social media and marketing.

The website itself is a mix of content copied from the actual Netflix site and of the phishing campaign.

Back to scheduling our interview. We’re given an option to choose our interview slot:

Regardless of which of the two buttons you use on the screen, you’ll be asked to sign in to your existing “Career Profile” or create a new one.

At this stage, all red flags should go up. It doesn’t matter if you choose “Continue with Facebook” or whether you enter your email and click “Continue with Email” the next screen will ask you to sign in to your Facebook account.

The only difference is that the second option fills out your email in the login screen.

That doesn’t make a lot of sense—Facebook is not known to keep track of your calendar. It does keep track of a lot of things, but your meeting schedule isn’t one of them. Besides, if you look at the address bar, you’ll see I’m still at the fake Netflix site.

However, it’s very normal practice to offer the option of logging in with Facebook on third party sites, so it would be understandable for the jobseeker to click that link.

When you enter the credentials and click on “Log In”, it will take a while and then you’ll be notified that “The password you’ve entered is incorrect. Please try again!”

This login page is also the part that makes this attack a very sophisticated one. The phishers use a websocket method that allows them to intercept submissions live as they are entered. This allows them to try the credentials and if your password works, they can log into your real Facebook account within seconds. They could potentially ask for multi-factor authentication (MFA) confirmation if that’s necessary, too.

Imagine that the phisher can instantly see the credentials you submitted, tests them at the real Facebook login page, and subsequently sends you the appropriate response. (In my case “wrong password” since I had no intention of feeding them valid credentials.)

You’d have no idea that they were accessing your Facebook account and they’d have bought some time to log you out, spam your friends, or whatever else they wanted to do with your account.

We often see phishing campaigns like these that are explicitly designed to steal the credentials of marketing managers, social media staff, and especially those who have access to company Facebook Pages or business accounts.

Compromising a business account can allow attackers to run malicious ads using the company’s payment methods, demand a ransom for return of control over the account, or use the company’s reputation to spread more scams.

What to do

If you suspect your credentials may have been compromised, immediately change your passwords, enable multi-factor authentication, and notify your IT/security team if you have one.

You can stay safe from these attacks by:

• Be super cautious at engaging in job offers that you have not applied for.
• Carefully check the URLs, both in the email and on the website, before you click them (did you notice the missing “i” in the domain name?)
• Check if the address in the browser bar matches what you expect to see, along with the content of the website.
• Learn how to spot and recognize phishing attempts. Phishing mails are getting harder to identify now that cybercriminals are using Artificial Intelligence (AI).
• Keep your browser, your Operating System, and other software up to date.
• Use an up-to-date real-time anti-malware solution with web protection.

Since the phishing campaign was hosted behind Cloudflare’s services, we have notified Netflix and Cloudflare about this campaign.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.