WorkComposer, an employee monitoring app, has leaked millions of screenshots through an unprotected AWS S3 bucket.

Unfortunately, spyware apps with poor reputations and even weaker security practices are all too common.

I’ve lost count of how many blogs I’ve written about stalkerware\-type apps that not only exposed the people they spied on but also ended up exposing the spies themselves.

However, perhaps one would expect an employee monitoring app to be of a higher standard. Not in this case.

Cybernews recently uncovered that employee monitoring app WorkComposer left over 21 million images exposed in an unsecured Amazon AWS S3 bucket. These images show a frame-by-frame activity log of remote workers.

This is not just bad news for those remote workers, it could be even worse for the WorkComposer customers that can see internal communications, confidential business documents, and log in pages exposed to anyone that stumbled over the unprotected bucket.

An S3 bucket is like a virtual file folder in the cloud where you can store various types of data, such as text files, images, videos, and more. There is no limit to the amount of data you can store in an S3 bucket, and individual instances can be up to 5 TB in size.

The WorkComposer software logs keystrokes, tracks how long an employee spends on each app, and records desktop screenshots every few minutes. This means those 21 million images could reveal everything from work processes to employees’ private information.

Although there are no indications that cybercriminals gained access to the same bucket, WorkComposer has failed to respond to any notifications and queries. It did secure the access after being notified, but did not provide any comments.

This incident echoes a previous Cybernews investigation that found WebWork, another remote team tracker, leaked over 13 million screenshots containing emails, passwords, and other sensitive work data.

**What to do if your employer used WorkComposer**

There are some actions you can take if you are, or suspect you may have been monitored by WorkComposer.

*   **Change the passwords that may have been seen.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for phishing attacks.** Cybercriminals may use the information to craft convincing phishing emails, SMS, or messages pretending to be from trusted sources. Do not click on suspicious links or respond to unexpected messages requesting personal or work information.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.
*   **Report suspicious activity.** If you notice any suspicious emails, messages, or unauthorized access attempts, report them immediately to your IT department or manager. Early reporting can help contain potential damage and prevent further breaches.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Employee monitoring app exposes users, leaks 21+ million screenshots 

A list of topics we covered in the week of April 21 to April 27 of 2025

April 28, 2025 - WorkComposer, an employee monitoring app, has leaked millions of screenshots through an unprotected AWS S3 bucket.

April 25, 2025 - After hearing about ChatGPT o3 ability at geo-guessing we decided to run some tests and the tested AIs didn't fail to amaze us

April 24, 2025 - Attackers are luring victims into a Zoom call and then taking over their PC to install malware, infiltrate their accounts, and steal their assets.

April 24, 2025 - A newly discovered malicious program effectively turns Android phones into malicious tap machines that vacuum up payment card data.

April 24, 2025 - Blue Shield of California said it accidentally leaked the personal data of 4.7 million individuals to Google after a Google Analytics misconfiguration.

 A week in security (April 21 &#8211; April 27) 

After hearing about ChatGPT o3 ability at geo-guessing we decided to run some tests and the tested AIs didn't fail to amaze us

If you are worried about revealing your exact location—or if you maybe even fib about it at times—there are some good reasons to worry about what is visible in background photos, because Artificial Intelligence (AI) is getting very good at guessing where you are based on the smallest of clues. And that might even include audio clues, if given the right data.

Our curiosity was triggered by this article in TechRadar claiming that ChatGPT o3 can geo-guess your location from almost any photo. So, we decided to do some tests and removed the metadata from a few selected photographs that I took myself and never published anywhere (for quality reasons, obviously).

Metadata can include technical details like camera settings, date and time, location, and descriptive information like captions or keywords. And we wanted to test the AI’s capability on the picture itself—not on additional data included in the file. I also used a VPN so I didn’t give away my current location.

We started with an easy one. A landmark in a relatively large city, but from a strange perspective. The picture was part of a selfie taken through a window of an office building in Cork.

view over Cork, Ireland

It was no real surprise that ChatGPT got this right.

> “Alright, let’s break this one down — this does have some standout features that make it easier to geo-locate. Here’s the reasoning step by step:”

> **🧱 Architectural Clues:**
> 
> *   The old stone building in the foreground has **Georgian-style windows and masonry**, which are common in parts of the British Isles, especially in **Ireland** and **the UK**.
> *   The clock tower in the back-left with the **green copper dome** is particularly distinctive and often used in civic buildings in Ireland.
> *   The **mix of historical and modern buildings**, with the newer glass-fronted offices across a small river or canal, suggests urban regeneration in a historically rich city.

> **🌉 Infrastructure and Environment:**
> 
> *   The modern bridge with a **blue banner advertisement** and the **tree-lined waterfront** hints at a city that integrates riverways into its urban design.
> *   The road signs and general driving direction suggest **left-hand traffic**, supporting a guess of **Ireland or the UK**.

> **🏛** **Key Landmark:**
> 
> The building with the green dome in the background looks **very much like the clock tower of Cork City Hall in Ireland**. The angle of the shot shows the old Custom House building in front, and the modern offices across the **River Lee**, which runs through Cork.

This was spot on. But surely ChatGPT is not the only AI good at geo-guessing, so we used the same picture to test Perplexity as well.

> “This image provides several strong clues for geo-guessing:
> 
> The architecture of the foreground building is classic Georgian or early Victorian, with grey stone and sash windows—styles common in the British Isles, especially Ireland and the UK.
> 
> The river, modern glass buildings, and the steel bridge suggest a city that blends historical and contemporary elements.
> 
> The most distinctive feature is the clock tower with a green dome in the background. This is a well-known landmark: the Cork Courthouse clock tower in Cork, Ireland.
> 
> The bridge over the river and the combination of old and new buildings align with the area around the River Lee in Cork city centre.
> 
> **Conclusion**
> 
> This photo was taken in Cork, Ireland, looking out over the River Lee. The stone building in the foreground is part of the historic courthouse complex, and the green-domed clock tower is a prominent feature of Cork’s skyline. The modern glass buildings and bridge further confirm this as central Cork, a city known for its mix of heritage and modern development.”

Perplexity provided almost the same level of accuracy, so we decided to raise the difficulty level. A lot.

Landscaping in progress around Dutch holiday home

You’ll have to agree that this photo doesn’t give away a lot. But the AI tools took some unexpected clues from the picture.

Here is what ChatGPT determined:

> **🧩 Visual Clues:**
> 
> 1.  **Architecture:**
>     *   The buildings are modular and prefabricated in appearance, with light-colored paneling and dark window/door frames.
>     *   This type of house is common in northern Europe, especially in the Netherlands, Germany, Denmark, or parts of the UK.
> 2.  **Landscape:**
>     *   Very flat terrain with closely trimmed hedges and grassy areas.
>     *   This suggests low-lying regions—again pointing to places like the Netherlands or Belgium.
> 3.  **Infrastructure & Construction Tools:**
>     *   The pavers being laid and the wheelbarrows used (particularly the yellow color and shape) are very common in northern and western European construction.
> 4.  **Weather and Lighting:**
>     *   Overcast sky and soft, diffused lighting typical of northern Europe in autumn or early spring.
> 5.  **Small Details:**
>     *   The small shed in the back, the organization of tools, and cleanliness/horticulture are consistent with Dutch/German design sensibilities.
>     *   The wheelbarrow has the brand name “Fort”, which is a Dutch manufacturer—this is a **very strong clue**.
> 
> **🌍** **Likely Guess:**
> 
> **The Netherlands** 🇳🇱
> 
> **📍****Narrowing it Down:**
> 
> Given the modular housing, flat landscape, and Fort-brand wheelbarrow, this could be a holiday park, construction site, or suburban area in the Dutch countryside. Possibly in a province like **North Holland**, **South Holland**, or **Friesland** where such structures and environments are typical.

I must admit I was amazed that it mentioned South Holland which is where this photograph was taken.

Perplexity did not come as close as ChatGPT, but the tool did reach this conclusion:

> “Based on architectural style, landscaping, and contextual clues, this scene is almost certainly from the Netherlands. It showcases the country’s embrace of modular housing and practical, tidy outdoor spaces, reflecting broader trends in Dutch residential design and sustainable living.”

Which is still a lot better than I expected when I selected that picture.

**Bird songs**

So, modern AI tools can pick up visible clues. But then I had another idea—call it an epiphany if you will—which deserves a brief explanation. I use an app called Merlin Bird ID which is able to identify birds based on their singing.

Some bird species are a lot more local than others, so I asked Perplexity:

> “Would it be possible to do geo-guessing based on bird songs? And how many species do you think it would take to make a good guess?”

The answer:

> “How Many Species Are Needed?
> 
> One Species: Sometimes, a single species is enough if it’s highly range-restricted (e.g., endemic to an island or a small region). However, this is rare.
> 
> A Few Species (3–5): In most cases, hearing three to five distinct species can allow for a strong guess, especially if their ranges only overlap in a limited area.
> 
> More Species, More Precision: The more species you can identify, the more precisely you can geo-locate. With about 10–15 species, especially if some are local specialties, you can often narrow it down to a specific region, habitat, or even a particular park or reserve.”

So, I tried an experiment and offered both AI tools (ChatGPT and Perplexity) a list of bird song matches made from my Merlin Bird ID app. Here is the bird list, and what they tell us about where those birds are located:

**Latin Name**

**Common Name**

**Clue**

**Fringilla coelebs**

Chaffinch

Common across Europe

**Turdus merula**

Eurasian Blackbird

Also common across Europe

**Parus major**

Great Tit

Ubiquitous, widespread

**Grus grus**

Common Crane

Migratory — breeds in Scandinavia, Baltics, parts of Central Europe; passage bird elsewhere

**Carduelis carduelis**

European Goldfinch

Europe and western Asia

**Turdus viscivorus**

Mistle Thrush

Forests, open woodland — common in Europe

**Certhia brachydactyla**

Short-toed Treecreeper

Tells us something — this species avoids northern/colder parts of Europe (rare in the UK, absent in Scandinavia)

**Ardea alba**

Great Egret

Formerly rare in Europe, but now expanding — increasingly common in wetlands and rivers of Central and Southern Europe

**Sylvia atricapilla**

Eurasian Blackcap

Woodland; migratory in north, resident in south

**Anthus trivialis**

Tree Pipit

Breeds in open woodlands across Europe; migratory

**Vanellus vanellus**

Northern Lapwing

Farmland, wet grasslands; declining in the west but still widespread

In analyzing this list, Perplexity was the “winner,” able to more accurately guess my location:

> “Given all of these factors, my best guess is that you were somewhere in Northern Europe, likely Germany, Denmark, the Netherlands, or the UK. Without more information about habitat (e.g., forest, farmland, coast), it’s difficult to narrow it down further.”

Here was ChatGPT’s response to the same bird song list:

> **🗺️** **My Final Geo-Guess:**
> 
> You were likely in **Germany** — possibly in **northern or eastern Germany** (e.g., Brandenburg or Mecklenburg-Vorpommern), which is:
> 
> *   On the **Grus grus migration route**
> *   Rich in mixed forests and wetlands
> *   Within the range of **Certhia brachydactyla**
> *   Likely to host **all the species** you heard, in late April

In reality, the birds were recorded near the Dutch-German border, which put ChatGPT off by almost 400 miles, whereas Perplexity mentioned both countries I was in or close to, but covered a large area with its geo-guess.

**Conclusion**

If you’re making selfies or vlogging and you don’t want to give away your location, you’ll need to be very aware of your visual and auditory surroundings. A wheelbarrow of a specific brand or the sound of a bird with a limited habitat are enough to provide hints about your location. With enough hints, AI can deduce your exact location.

With social media being used for AI training, it is likely that these results will rapidly gain even more in accuracy.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

 AI is getting “creepy good” at geo-guessing 

Attackers are luring victims into a Zoom call and then taking over their PC to install malware, infiltrate their accounts, and steal their assets.

Be careful when talking to people you’ve not met with before over the Zoom video conferencing system; you might get more than you bargained for. Two CEOs were recently targeted by a Zoom-based attack. One spotted it in time – and sadly, one did not.

The attack is by a crime group that the Security Alliance call ELUSIVE COMET in a warning about the threat last month. ELUSIVE COMET targets its victims by luring them into a Zoom video call and then taking over their PC to install malware, infiltrate their accounts, and steal their assets.

The group typically approaches victims with a supposed media opportunity to get them interested, and then sets up an introductory Zoom call. During that video meeting, the attacker keeps their screen switched off, but sends a remote control request to the victim.

Remote control is a feature in the Zoom app that allows someone else to take control of your PC. It’s great if, for example, you’re not very tech-savvy and you want your grandchild to fix your computer from the other side of the country. It’s less good if you agree to a remote control request from someone you don’t know – especially if you don’t know you’re doing so.

That’s what happens to victims during their fraudulent call from ELUSIVE COMET. When the remote control request comes through to the victim, the notification says “<Participant> is requesting remote control of your system” where <Participant> is the participant’s screen name. In this takeover attempt, the attacker changes their screen name to ‘Zoom’ before sending the remote control request so it appears as though the app itself is requesting control.

Some rushed or distracted people might assume that’s a valid request from the app, perhaps as a precursor to recording a call or displaying new content. If the victim accepts, it’s game over, and the attacker can take full control of the victim’s system.

**Zoom takeovers in action**

ELUSIVE COMET tried this trick on the CEO of cybersecurity consulting company Trail of Bits, but it didn’t work on him. After receiving an invitation to appear on “Bloomberg Crypto,” he suspected something was amiss.

The attackers approached him via the X social media network and refused to switch to email when asked. Then they used a third-party booking system called Calendly to arrange the call. While Calendly is a legitimate service, the attackers hadn’t branded their Calendly pages with Bloomberg’s logo, which the CEO felt was suspicious. After checking into some of the data gathered on the group in the Security Alliance advisory, the CEO realized what was happening.

Sadly, that wasn’t the case for Jake Gallen, who owns a cryptocurrency company called Emblem Vault. As he describes in a postmortem thread on X earler this month, he also got a media invitation from an X account, this time called @tacticalinvest\_, to appear on a podcast. He took the bait.

“While the interview was ongoing @tacticalinvest\_ was downloading malware on my computer known as goopdate,” he reports, “which was powerful enough to steal >$100k in digital assets from my Bitcoin and Ethereum wallets, as well as log into my twitter, gmail, and other accounts.”

Gallen did his due diligence. Before he took the meeting, he did some research and found that the account had a large audience, with a history of consistent posts and videos. There was also a YouTube account. This illustrates just how sneaky some of these attackers can be, and how even tech-savvy people can be duped.

While you might not be a business owner or influencer looking for exposure, it’s worth paying attention to who you let into Zoom meetings, and who you give control of the meeting to. Let’s not also forget that there’s an ongoing trend of people ‘Zoombombing’ by infiltrating others’ meetings.

**How to stay safe**

One of the easiest approaches is to avoid installing Zoom’s app and simply use it in the browser where possible. Running Zoom in the browser limits its functionality, including not allowing remote control of your system. Zoom gives you this option when you attempt to join a meeting without opening the app.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Zoom attack tricks victims into allowing remote access to install malware and steal money 

A newly discovered malicious program effectively turns Android phones into malicious tap machines that vacuum up payment card data.

Got an Android phone? Got a tap-to-pay card? Then you’re like millions of other users now at risk from a new form of cybercrime – malware that can read your credit or debit card and hand its data over to an attacker. A newly discovered malicious program effectively turns Android phones into malicious tap machines that vacuum up payment card data and send it to cybercriminals half a world away. All you have to do is install the software and tap your card to your phone – and criminals excel at persuading you to do just that.

The malware, which cybersecurity company Cleafy calls SuperCard X, uses a feature now found in most Android phones: near-field communication (NFC). This enables your phone to read the data on a supporting payment card when it comes close enough. It’s how tap-to-pay machines found in retailers and ATMs work their magic.

Attackers get the malicious software via a malware-as-a-service model. This enables them to become affiliates for the developers of the software, who typically offer it for a percentage of the attackers’ takings. They can then focus on finding and targeting victims with social engineering attacks, which Cleafy says they’ve been doing in Italy.

**How the attack works**

First the attackers have to get the malware onto someone’s Android phone. That starts with a fraudulent ‘smishing’ message sent via SMS or WhatsApp, often impersonating a bank and asking the user to call.

The telephone number connects the victim to the attacker, who then persuades them to give up their PIN and log into their bank account. From there, they persuade the victim to remove the spending limits on their card, and then to install what they claim is a security application, sent to their phone as a link. This contains the SuperCard X malware.

Finally comes the payoff. The attacker, who by now will likely have built up a rapport with the victim, will ask them to tap their card to their phone. The malware then captures the card details, which it then sends to the attacker’s own Android phone. They can then use the phone as a cloned card for contactless payments. If you’ve ever tapped your phone instead of your card to pay for something, you’ll know how easy that is to do.

**Where did SuperCard X come from?**

Like much malware, SuperCard X didn’t come out of nowhere. Cleafy says that it shares code with another piece of malware called NGate, discovered last year. Both of these are likely built on concepts first outlined in NFCGate, a freely available open-source NFC software tool developed by German’s Technical University of Darmstadt.

SuperCard X’s developers have focused on making this software as stealthy as possible. Most antivirus programs for Android fail to spot it, says Cleafy. That’s because it asks for as few privileges as possible on the phone, and it doesn’t include many of the features that other malware has. In short, the less that a malicious program does on a phone, the smaller its footprint is and the more silent it can be.

This malware is a cybercriminal’s favorite for several reasons. Rather than attacking people with accounts at a particular bank, it works against anyone with a payment card, increasing the attacker’s scope. It’s also instant, compared to thefts by wire transfer, which can take days to complete.

It is important to note that payment framework**s** like Google Pay, Apple Pay, Samsung Pay, and som b**a**nk-specific wallet apps  use dynamic cryptographic tokens — which are similar in concept to the “rolling codes” often used in car keyless entry systems — to prevent signal replay attacks.

**How to protect yourself**

But, as with many things, the best defense is you. In this case, protection is simple. The cybercriminals behind this attack can’t do anything unless you install the software on your phone, and so they go through several steps to convince you to do so.

Be skeptical of text messages from people you don’t know, especially those claiming to be urgent. Scammers typically try and panic you into a fast response. When they get you on the phone, they can befriend you, further impeding your ability to think critically and say “no”.

If you can’t help yourself and feel compelled to take action, check in with a trusted family member if available to get their perspective. If you’re still convinced, then at least verify the message first. Call your financial institution through an official number – not through the one in the text message. We’ll bet a steak dinner that they won’t know what you’re talking about.

Never give personal details to anyone you don’t know who contacts you via text message, and never change your banking details at their request. And if anyone asks you to install software sent via text message, refuse and end the communication.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Android malware turns phones into malicious tap-to-pay machines 

Blue Shield of California said it accidentally leaked the personal data of 4.7 million individuals to Google after a Google Analytics misconfiguration.

Blue Shield of California leaked the personal data of 4.7 million people to Google after a Google Analytics misconfiguration. The tech giant may have used this data for targeted advertising, according to Blue Shield, which is one of the largest health insurers in the US.

In a data breach notice on its website, Blue Shield says it had begun notifying “certain members of a potential data breach that may have included elements of their protected health information.”

Blue Shield a nonprofit health insurer serving nearly 6 million members, used Google Analytics to monitor how customers interacted with its websites to improve services. However, a configuration error in Google Analytics allowed sensitive member data to spill to Google Ads, potentially exposing customer data for almost three years. This likely included protected health information.

Blue Shield stated, “Google may have used this data to show targeted ad campaigns to individual members.”

The transmission of data took place between April 2021 and January 2024. The leaked information includes various details such as the type of health insurance plan, postal code and city, gender, family size, account IDs, names of insured persons, and search queries related to finding a doctor, which could reveal members’ health concerns or needs.

Blue Shield said there was no leak of other types of personal information, such as Social Security numbers, driver’s license numbers, or banking or credit card information.

After discovering the leak, Blue Shield said it reviewed all its websites to ensure no other tracking software was sharing protected health information with third parties.

Usually in a data breach we can point at cybercriminals that went out of their way to obtain the data. In this case, a simple misconfiguration shared data with an entity—that already knows so much about us—that then used the information for targeted advertising.

Maybe this case can serve as a cautionary tale about using analytics tools in areas where misconfigurations can lead to severe privacy violations, especially when sensitive data is involved.

Blue Shield is notifying all customers who may have accessed their member information on the potentially impacted Blue Shield websites during the relevant time frame.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

 4.7 million customers&#8217; data accidentally leaked to Google by Blue Shield of California 

Shopify is facing a class action lawsuit that could change the way globally active companies can be held accountable

Shopify faces a data privacy class action lawsuit in the US that could change the way globally active companies can be held accountable.

The proposed class action is a revival of a case that had been dismissed by a lower court judge and a three-judge 9th Circuit Court of Appeals panel. But now it’s been brought back after a decision by the full 9th Circuit.

Shopify is a global commerce platform headquartered in Ottawa, Canada. It provides the infrastructure and tools that businesses of all sizes use for retail operations, both online and offline.

To provide these services, Shopify collects personally identifiable information (PII) from buyers, primarily to facilitate and improve their commerce experience. This data includes names, email addresses, phone numbers, shipping and billing addresses, IP addresses, device information, and behavioral data. That is, all the information needed for processing orders, managing payments, shipping products, and communicating with end customers effectively.

With this collection of PII comes responsibility. Shopify acknowledges the data belongs to the users and is collected only to the extent necessary to provide its services. It claims to implement robust security measures to protect this data from unauthorized access and complies with relevant privacy laws such as GDPR.

But Brandon Briskin, a California resident claims Shopify installed tracking cookies on his iPhone without his consent when he bought athletic wear from a retailer, and used his data to create a profile it could sell to other merchants.

The case was at first dismissed after Shopify argued it should not be sued in California because it operates nationwide and did not aim its conduct toward that state.

The dismissal was revoked because the judges found that:

> “Shopify deliberately reached out … by knowingly installing tracking software onto unsuspecting Californians’ phones so that it could later sell the data it obtained, in a manner that was neither random, isolated, or fortuitous.”

A Shopify spokesman told Reuters that the decision makes online retailers vulnerable to lawsuits anywhere and “attacks the basics of how the internet works,” and that it drags entrepreneurs who run online businesses into distant courtrooms regardless of where they operate.

Briskin’s lawyer said the court bolstered accountability for internet-based companies by rejecting the argument that a company is jurisdictionally ‘nowhere’ because it does business ‘everywhere.’

And many US states agreed they need an ability to enforce their own consumer protection laws against companies that avail themselves of local marketplaces through the internet.

The general expectation is that this decision could make it easier for American courts to assert jurisdiction over internet-based platforms. The majority of the 9th Circuit, which includes nine western US states, Guam, and the Northern Mariana Islands, adhered to the “traveling cookie rule” because it “impermissibly manufactures jurisdiction wherever the plaintiff goes.”

**We don’t just report on data privacy—we help you remove your personal information**

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

 Shopify faces privacy lawsuit for collecting customer data 

All Google accounts could end up compromised by a clever replay attack on Gmail users that abuses Google infrastructure.

Cybercriminals are abusing Google’s infrastructure, creating emails that appear to come from Google in order to persuade people into handing over their Google account credentials.

This attack, first flagged by Nick Johnson, the lead developer of the Ethereum Name Service (ENS), a blockchain equivalent of the popular internet naming convention known as the Domain Name System (DNS).

Nick received a very official looking security alert about a subpoena allegedly issued to Google by law enforcement to information contained in Nick’s Google account. A URL in the email pointed Nick to a sites.google.com page that looked like an exact copy of the official Google support portal.

> Recently I was targeted by an extremely sophisticated phishing attack, and I want to highlight it here. It exploits a vulnerability in Google's infrastructure, and given their refusal to fix it, we're likely to see it a lot more. Here's the email I got: pic.twitter.com/tScmxj3um6
> 
> — nick.eth (@nicksdjohnson) April 16, 2025

As a computer savvy person, Nick spotted that the official site should have been hosted on accounts.google.com and not sites.google.com. The difference is that anyone with a Google account can create a website on sites.google.com. And that is exactly what the cybercriminals did.

Attackers increasingly use Google Sites to host phishing pages because the domain appears trustworthy to most users and can bypass many security filters. One of those filters is DKIM (DomainKeys Identified Mail), an email authentication protocol that allows the sending server to attach a digital signature to an email.

If the target clicked either “Upload additional documents” or “View case”, they were redirected to an exact copy of the Google sign-in page designed to steal their login credentials.

Your Google credentials are coveted prey, because they give access to core Google services like Gmail, Google Drive, Google Photos, Google Calendar, Google Contacts, Google Maps, Google Play, and YouTube, but also any third-party apps and services you have chosen to log in with your Google account.

The signs to recognize this scam are the pages hosted at sites.google.com which should have been support.google.com and accounts.google.com and the sender address in the email header. Although it was signed by accounts.google.com, it was emailed by another address. If a person had all these accounts compromised in one go, this could easily lead to identity theft.

**How to avoid scams like this**

*   Don’t follow links in unsolicited emails or on unexpected websites
*   Carefully look at the email headers when you receive an unexpected mail
*   Verify the legitimacy of such emails through another, independent method
*   Don’t use your Google account (or Facebook for that matter) to log in at other sites and services. Instead create an account on the service itself.

**Technical details**

Analyzing the URL used in the attack on Nick, (https://sites.google.com[/]u/17918456/d/1W4M_jFajsC8YKeRJn6tt_b1Ja9Puh6_v/edit) where /u/17918456/ is a user or account identifier and /d/1W4M_jFajsC8YKeRJn6tt_b1Ja9Puh6_v/ identifies the exact page, the /edit part stands out like a sore thumb.

DKIM-signed messages keep the signature during replays as long as the body remains unchanged. So if a malicious actor gets access to a previously legitimate DKIM-signed email, they can resend that exact message at any time, and it will still pass authentication.

So, what the cybercriminals did was:

*   Set up a Gmail account starting with me@ so the visible email would look as if it was addressed to “me.”
*   Register an OAuth app and set the app name to match the phishing link
*   Grant the OAuth app access to their Google account which triggers a legitimate security warning from no-reply@accounts.google.com
*   This alert has a valid DKIM signature, with the content of the phishing email embedded in the body as the app name.
*   Forward the message untouched which keeps the DKIM signature valid.

Creating the application containing the entire text of the phishing message for its name, and preparing the landing page and fake login site may seem a lot of work. But once the criminals have completed the initial work, the procedure is easy enough to repeat once a page gets reported, which is not easy on sites.google.com.

Nick submitted a bug report to Google about this. Google originally closed the report as ‘Working as Intended,’ but later Google got back to him and said it had reconsidered the matter and it will fix the OAuth bug.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 All Gmail users at risk from clever replay attack 

A list of topics we covered in the week of April 12 to April 18 of 2025

April 18, 2025 - Text scams come in many forms and are an ever increasing threat doing an awful lot of financial, and other, damage

April 17, 2025 - Apple has released a security update for iOS and iPadOS to patch two zero-day vulnerabilities which are reported to already have been exploited...

April 16, 2025 - A new variant of the hello pervert emails claims that the target's system is infected with njRAT and spoofs the victims email address

April 15, 2025 - Car rental giant Hertz data suffered a data breach caused by a CL0P ransomware attack on file sharing vendor Cleo

April 14, 2025 - A newly created inetpub folder turns out to be part of a Microsoft update against a vulnerability tracked as CVE-2025-21204

 A week in security (April 12 &#8211; April 18) 

This week on the Lock and Code podcast, we speak with Sydney Saubestre about DOGE and its access to Americans' data.

_This week on the Lock and Code podcast…_

If you don’t know about the newly created US Department of Government Efficiency (DOGE), there’s a strong chance they already know about you.

Created on January 20 by US President Donald Trump through Executive Order, DOGE’s broad mandate is “modernizing Federal technology and software to maximize governmental efficiency and productivity.”

To fulfill its mission, though, DOGE has taken great interest in Americans’ data.

On February 1, DOGE team members without the necessary security clearances accessed classified information belonging to the US Agency for International Development. On February 17, multiple outlets reported that DOGE sought access to IRS data that includes names, addresses, social security numbers, income, net worth, bank information for direct deposits, and bankruptcy history. The next day, the commissioner of the Social Security Administration stepped down after DOGE requested access to information stored there, too, which includes records of lifetime wages and earnings, social security and bank account numbers, the type and amount of benefits individuals received, citizenship status, and disability and medical information. And last month, one US resident filed a data breach notification report with his state’s Attorney General alleging that his data was breached by DOGE and the man behind it, Elon Musk.

In speaking with the news outlet Databreaches.net, the man, Kevin Couture, said:

“I filed the report with my state Attorney General against Elon Musk stating my privacy rights were violated as my Social Security Number, banking info was compromised by accessing government systems and downloading the info without my consent or knowledge. What other information did he gather on me or others? This is wrong and illegal. I have no idea who has my information now.”

Today on the Lock and Code podcast with host David Ruiz, we speak with Sydney Saubestre, senior policy analyst at New America’s Open Technology Institute, about what data DOGE has accessed, why the government department is claiming it requires that access, and whether or not it is fair to call some of this access a “data breach.”

> “\[DOGE\] haven’t been able to articulate why they want access to some of these data files other than broad ‘waste, fraud, and abuse.’ That, ethically, to me, points to it being a data breach.”

Tune in today to listen to the full conversation.

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Source

Malwarebytes