The Phishing-as-a-Service kit Sneaky 2FA was found to use Browser-in-the-browser attacks to steal login credentials.

Attackers have a new trick to steal your username and password: fake browser pop-ups that look exactly like real sign-in windows. These “Browser-in-the-Browser” attacks can fool almost anyone, but a password manager and a few simple habits can keep you safe.

Phishing attacks continue to evolve, and one of the more deceptive tricks in the attacker’s arsenal today is the Browser-in-the-Browser (BitB) attack. At its core, BitB is a social engineering technique that makes users believe they’re interacting with a genuine browser pop-up login window when, in reality, they’re dealing with a convincing fake built right into a web page.

Researchers recently found a Phishing-as-a-Service (PhaaS) kit known as “Sneaky 2FA” that’s making these capabilities available on the criminal marketplace. Customers reportedly receive a licensed, obfuscated version of the source code and can deploy it however they like.

Attackers use this kit to create a fake browser window using HTML and CSS. It’s very deceptive because it includes a perfectly rendered address bar showing the legitimate website’s URL. From a user’s perspective, everything looks normal: the window design, the website address, even the login form. But it’s a carefully crafted illusion designed to steal your username and password the moment you start typing.

Normally we tell people to check whether the URL in the address bar matches your expectations, but in this case that won’t help. The fake URL bar can fool the human eye, it can’t fool a well-designed password manager. Password managers are built to recognize only the legitimate browser login forms, not HTML fakes masquerading as browser windows. This is why using a password manager consistently matters. It not only encourages strong, unique passwords but also helps spot inconsistencies by refusing to autofill on suspicious forms.

Sneaky 2FA uses various tricks to avoid detection and analysis. For example, by preventing security tools from accessing the phishing pages: the phishers redirect unwanted visitors to harmless sites and show the BitB page only to high-value targets. For those targets the pop-up window adapts to match each visitor’s operating system and browser.

The domains the campaigns use are also short-lived. Attackers “burn and replace” them to stay ahead of blocklists. Which makes it hard to block these campaigns based on domain names.

**So, what can we do?**

In the arms race against phishing schemes, pairing a password manager with multi-factor authentication (MFA) offers the best protection.

As always, you’re the first line of defense. Don’t click on links in unsolicited messages of any type before verifying and confirming they were sent by someone you trust. Staying informed is important as well, because you know what to expect and what to look for.

And remember: it’s not just about trusting what you see on the screen. Layered security stops attackers before they can get anywhere.

Another effective security layer to defend against BitB attacks is Malwarebytes’ free browser extension, Browser Guard, which detects and blocks these attacks heuristically.

**We don’t just report on threats—we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.

 Attackers are using “Sneaky 2FA” to create fake sign-in windows that look real 

Our children build digital lives long before they understand them. Here’s how to shrink their online footprint and stay smart about “sharenting.”

Let’s be real: the online world is a huge part of our kids’ lives these days. From the time they’re tiny, we share photos, moments, and milestones online—proud parent stuff! Schools, friends, and family all get involved too. Before we know it, our kids have a whole digital history they didn’t even know they were building. Unlike footprints at the beach, this trail never washes away. 

That habit even has a name now: **sharenting**. It’s when parents share details of their child’s life online, often without realizing how public or permanent those posts can become. 

Think of your child’s digital footprint as the trail they (and you) leave across the internet. It includes every photo, post, comment, and account, plus all the data quietly collected behind the scenes. 

There are two sides to it: 

*   **Active footprints:** what you or your child share directly, such as photos, TikTok videos, usernames, or status updates. Even “private” posts can be screenshot or reshared. 
*   **Passive footprints:** what gets collected automatically. Cookies, location data, and app activity quietly build profiles of who your child is and what they do. 

Both add up to a digital version of your child that can stick around for years. 

For kids and teens, their online presence shapes how the world sees them—friends, teachers, even future employers. But it also creates risks: 

*   **Cyberbullying:** once something’s online, it can be copied or mocked. 
*   **Future opportunities:** colleges and jobs may see old posts that no longer reflect who they are. 
*   **Safety concerns:** oversharing locations or routines can make it easier for strangers to find or trick them. 
*   **Identity theft:** birthdates, school names, and addresses can help criminals create fake identities. 

Practicing good digital hygiene keeps those risks small. 

Kids don’t need social media accounts to leave data behind. Gaming platforms, smartwatches, school apps, and even voice assistants collect fragments of personal information. 

That innocent photo from a class project might live in a public gallery. A leaderboard can display a real name or score history. Even nicknames or in-game chat can expose more than intended. 

Help your kids check what’s visible publicly and what isn’t. 

Don’t worry, I’ve done some of these too! We love to share and celebrate our kids, but sometimes we give away more than we mean to: 

*   Posting full names, birthdays, and locations on open social media. 
*   Sharing photos with school logos, house numbers, or nearby landmarks visible. 
*   Leaving geotagging or location data on by accident (it’s scary how precise this can be). 
*   Talking about routines, worries, or personal struggles in public forums. 
*   Forgetting to clean up old posts as our kids get bigger. 

And it’s easy to forget about all those apps we sign up to “just to try it”. They might be collecting info in the background, too. 

Karen loves her son, Max. She posts his awards, soccer games, and milestones online, sometimes tagging the school or leaving her phone’s location on. 

It’s innocent… until someone strings the details together. A fake gamer profile messages Max: “_Hey, don’t you go to Graham Elementary? I saw your soccer pics!_” Suddenly, a friendly chat feels personal and real. 

Karen meant well, but her posts created a map for someone else to follow. 

Then there’s the story we covered of a mother in Florida who picked up the phone to hear her daughter sobbing. She’d been in a car accident, hit a pregnant woman, and needed bail money right away. The voice sounded exactly like her child. Terrified, she followed the caller’s instructions and handed over $15,000. Only later did she learn her daughter had been safe at work the whole time. Scammers had used AI to clone her voice from a short online video. It’s a chilling reminder that even something as ordinary as a video or social post can become fuel for manipulation. 

**Simple steps parents can take **

*   **Be a model:** before you post, ask, “Would I be OK with a stranger seeing this?” 
*   **Start young:** teach privacy basics early and update as they grow. 
*   **Lock it down:** review privacy settings together on both your accounts. 
*   **Use pseudonyms:** encourage nicknames for games or public forums. 
*   **Agree as a family:** set boundaries for what’s OK to share. 
*   **Turn off geotags:** remove automatic location data from photos. 

**Know what to do if something goes wrong **

Everyone messes up online sometimes. It happens to the best of us. We’ve all shared something we wish we hadn’t. The goal isn’t to scare our kids (or ourselves) away from the internet, but to help them feel confident, safe, and smart about it all. 

If your child ever feels uncomfortable or gets into a sticky situation online: 

*   Stay calm and let them know you are safe to talk to. 
*   Keep record of any sketchy messages or harassment. 
*   Use blocking, reporting, and privacy tools. 
*   Loop in school counselors or other trusted adults if you need backup. 
*   If there’s a real threat or criminal activity, contact the proper authorities. 

You’ve got this! 

The online world is always changing, and honestly, we’re all learning as we go. But by staying curious, keeping the lines open, and setting a good example yourself, you’ll help your kids build a digital life they can be proud of. 

Let’s look out for each other. If you’ve got thoughts or tips about sharenting and online safety, do share them with me. You can message me on Linkedin at https://www.linkedin.com/in/mattburgess/. We’re all in this together. 

**We don’t just report on data privacy—we help you remove your personal information**

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

 Sharenting: are you leaving your kids’ digital footprints for scammers to find?  

Google has released an update to patch two high-severity vulnerabilities, one of which is already under active exploitation.

Google has released an update for its Chrome browser that includes two security fixes. Both are classified as high severity, and one is reportedly exploited in the wild. These flaws were found in Chrome’s V8 engine, which is the part of Chrome (and other Chromium-based browsers) that runs JavaScript.

Chrome is by far the world’s most popular browser, used by an estimated 3.4 billion people. That scale means when Chrome has a security flaw, billions of users are potentially exposed until they update.

These vulnerabilities are serious because they affect the code that runs almost every website you visit. Every time you load a page, your browser executes JavaScript from all sorts of sources, whether you notice it or not. Without proper safety checks, attackers can sneak in malicious instructions that your browser then runs—sometimes without you clicking anything. That could lead to stolen data, malware infections, or even a full system compromise.

That’s why it’s important to install these patches promptly. Staying unpatched means you could be open to an attack just by browsing the web, and attackers often exploit these kinds of flaws before most users have a chance to update. Always let your browser update itself, and don’t delay restarting to apply security patches, because updates often fix exactly this kind of risk.

**How to update**

The Chrome update brings the version number to 142.0.7444.175/.176 for Windows, 142.0.7444.176 for macOS and 142.0.7444.175 for Linux. So, if your Chrome is on the version number **142.0.7444.175 or later,** it’s protected from these vulnerabilities.

The easiest way to update is to allow Chrome to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.

To update manually, click the “**More**” menu (three stacked dots), then choose **Settings** > **About Chrome**. If there is an update available, Chrome will notify you and start downloading it. Then relaunch Chrome to complete the update, and you’ll be protected against these vulnerabilities.

You can find more detailed update instructions and how to read the version number in our article on how to update Chrome on every operating system.

**Technical details**

Both vulnerabilities are characterized as “type confusion” flaws in V8.

Type confusion happens when code doesn’t verify the object type it’s handling and then uses it incorrectly. In other words, the software mistakes one type of data for another—like treating a list as a single value or a number as text. This can cause Chrome to behave unpredictably and, in some cases, let attackers manipulate memory and execute code remotely through crafted JavaScript on a malicious or compromised website.

The actively exploited vulnerability—Google says “an exploit for CVE-2025-13223 exists in the wild”—was discovered by Google’s Threat Analysis Group (TAG). It can allow a remote attacker to exploit heap corruption via a malicious HTML page. Which means just visiting the “wrong” website might be enough to compromise your browser.

Google hasn’t shared details yet about who is exploiting the flaw, how they do it in real-world attacks, or who’s being targeted. However, the TAG team typically focuses on spyware and nation-state attackers that abuse zero days for espionage.

The second vulnerability, tracked as CVE-2025-13224, was discovered by Google’s Big Sleep, an AI-driven project to discover vulnerabilities. It has the same potential impact as the other vulnerability, but cybercriminals probably haven’t yet figured out how to use it.

Users of other Chromium-based browsers—like Edge, Opera, and Brave—can expect similar updates in the near future.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Chrome zero-day under active attack: visiting the wrong site could hijack your browser 

It was the way DoorDash handled the communication of the breach, as much as the data leaked, that has angered customers.

DoorDash is known for delivering takeout food, but last month the company accidentally served up a tasty plate of personal data, too. It disclosed a breach on October 25, 2025, where an employee fell for a social engineering attack that allowed attackers to gain account access.

Breaches like these are sadly common, but it’s how DoorDash handled this breach, along with another security issue, that have given some cause for concern.

Information stolen during the breach varied by user, according to DoorDash, which connects gig economy delivery drivers with people wanting food bought to their door. It said that **names**, **phone numbers**, **email addresses**, and **physical addresses** were stolen.

DoorDash said that as well as telling law enforcement, it has added more employee training and awareness, hired a third party company to help with the investigation, and deployed unspecified improvements to its security systems to help stop similar breaches from happening again. It cooed:

> “At DoorDash, we believe in continuous improvement and getting 1% better every day.”

However, it might want to get a little better at disclosing breaches, warn experts. It left almost three weeks in between the discovery of the event on October 25 and notifying customers on November 13, angering some customers.

Just as irksome for some was the company’s insistence that “no sensitive information was accessed”. It classifies this as Social Security numbers or other government-issued identification numbers, driver’s license information, or bank or payment card information. While that data wasn’t taken, names, addresses, phone numbers, and emails are pretty sensitive.

One Canadian user on X was angry enough to claim a violation of Canadian breach law, and promised further action:

> “I should have been notified immediately (on Oct 25) of the leak and its scope, and told they would investigate to determine if my account was affected—that way I could take the necessary precautions to protect my privacy and security. \[…\] This process violates Canadian data breach law. I’ll be filing a case against DoorDash in provincial small claims court and making a complaint to the Office of the Privacy Commissioner of Canada.”

**How soon should breach notifications happen?**

How long is too long when it comes to breach notification? From an ethical standpoint, companies should tell customers as quickly as possible to ensure that individuals can protect themselves—but they also need time to understand what has happened. Some of these attacks can be complex, involving bad actors that have been inside networks for months and have established footholds in the system.

In some jurisdictions, privacy law dictates notification within a certain period, while others are vague. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) simply requires notification as soon as is feasible. In the US, disclosure laws are currently set on a per-state level. For example, California recently passed Senate Bill 446, which mandates reporting breaches to consumers within 30 days as of January 1, 2026. That would still leave DoorDash’s latest breach report in compliance though.

**Another disclosure spat**

This isn’t the only disclosure controversy currently surrounding DoorDash. Security researcher doublezero7 discovered an email spoofing flaw in DoorDash for Business, its platform for companies to handle meal deliveries.

The flaw allowed anyone to create a free account, add fake employees, and send branded emails from DoorDash servers. Those mails would pass various email client security tests and land without a spam message in email inboxes, the researcher said.

The researcher filed a report with bug bounty program HackerOne in July 2024, but it was closed as “Informative”. DoorDash didn’t fix it until this month, after the researcher complained.

However, all might not be as it seems. DoorDash has complained that the researcher made financial demands around disclosure timelines that felt extortionate, according to Bleeping Computer.

**What actions can you take?**

Back to the data breach issue. What can you do to protect yourself against events like these? The Canadian X user explains that they used a fake name and forwarded email address for their account, but that didn’t stop their real phone number and physical address being leaked.

You can’t avoid using your real credit card number, either—although many ecommerce sites will make saving credit card details optional.

Perhaps the best way to stay safe is to use a credit monitoring service, and to watch news sites like this one for information about breaches… whenever companies decide to disclose them.

**We don’t just report on data privacy—we help you remove your personal information**

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

 Thieves order a tasty takeout of names and addresses from DoorDash 

Those too-good-to-be-true online deals often come from drop-shipping sellers, and that can leave you holding all the risk.

Online shopping has never been easier. A few clicks can get almost anything delivered straight to your door, sometimes at a surprisingly low price. But behind some of those deals lies a fulfillment model called drop-shipping. It’s not inherently fraudulent, but it can leave you disappointed, stranded without support, or tangled in legal and safety issues.

I’m in the process of de-Googling myself, so I’m looking to replace my Fitbit. Since Google bought Fitbit, it’s become more difficult to keep your information from them—but that’s a story for another day.

Of course, Facebook picked up on my searches for replacements and started showing me ads for smartwatches. Some featured amazing specs at very reasonable prices. But I had never heard of the brands, so I did some research and quickly fell into the world of drop-shipping.

**What is drop-shipping, and why is it risky?**

Drop-shipping means the seller never actually handles the stock they advertise. Instead, they pass your order to another company—often an overseas manufacturer or marketplace vendor—and the product is then shipped directly to you. On the surface, this sounds efficient: less overhead for sellers and more choices for buyers. In reality, the lack of oversight between you and the actual supplier can create serious problems.

One of the biggest concerns is quality control, or the lack of it. Because drop-shippers rely on third parties they may never have met, product descriptions and images can differ wildly from what’s delivered. You might expect a branded electronic device and receive a near-identical counterfeit with dubious safety certifications. With chargers, batteries, and children’s toys, poor quality control isn’t just disappointing, it can be downright dangerous. Goods may not meet local standards and safety protocols, and contain unhealthy amounts of chemicals.

Buyers might unknowingly receive goods that lack market approval or conformity marks such as CE (Conformité Européenne = European Conformity), the UL (Underwriters Laboratories) mark, or FCC certification for electronic devices. Customs authorities can and do seize noncompliant imports, resulting in long delays or outright confiscation. Some buyers report being asked to provide import documentation for items they assumed were domestic purchases.

Then there’s the issue of consumer rights. Enforcing warranties or returns gets tricky when the product never passed through the seller’s claimed country of origin. Even on platforms like Amazon or eBay that offer buyer protection, resolving disputes can take a while to resolve.

Drop-shipping also raises data privacy concerns. Third-party sellers in other jurisdictions might receive your personal address and phone number directly. With little enforcement across borders, this data could be reused or leaked into marketing lists. In some cases, multiple resellers have access to the same dataset, amplifying the risk.

In the case of the watches, other users said they were pushed to install Chinese-made apps with different names than the brand of the watch.. We’ve talked before about the risks that come with installing unknown apps.

**What you can do**

A few quick checks can spare you a lot of trouble.

*   **Research unfamiliar sellers**, especially if the price looks too good to be true.
*   **Check where the goods ship from** before placing an order.
*   **Use payment methods with strong buyer protection**.
*   **Stick with platforms that verify sellers** and offer clear refund policies.
*   **Be alert** for unexpected shipping fees, extra charges, or requests for more personal information after you buy.

Drop-shipping can be legitimate when done well, but when it isn’t, it shifts nearly all risk to the buyer. And when counterfeits, privacy issues and surprise fees intersect, the “deal” is your data, your safety, or your patience.

If you’re unsure about an ad, you can always submit it to Malwarebytes Scam Guard. It’ll help you figure out whether the offer is safe to pursue.

And when buying any kind of smart device that needs you to download an app, it’s worth remembering these actions:

*   **Question the permissions an app asks for**. Does it serve a purpose for you, the user, or is it just some vendor being nosy?
*   **Read the privacy policy—yes, really.** Sometimes they’re surprisingly revealing.
*   **Don’t hand over personal data manufacturers don’t need**. What’s in it for you, and what’s the price you’re going to pay? They may need your name for the warranty, but your gender, age, and (most of the time) your address isn’t needed.

Most importantly’worry about what companies do with the information and how well they protect it from third-party abuse or misuse.

**We don’t just report on scams—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

 Why it matters when your online order is drop-shipped 

This is how surveillance gets normalized: one “safety” feature at a time.

To talk dirty to ChatGPT, you may soon have to show it your driver’s license.

OpenAI announced last month that ChatGPT will soon offer erotica—but only for _verified adults._ That sounds like a clever guardrail until you realize what “verified” might mean: uploading government identification to a company that already knows your search history, your conversations, and maybe your fantasies.

It’s a surreal moment for technology. The most famous AI tool in the world is turning into a porn gatekeeper. And it’s not happening in a vacuum. California just passed a law requiring age checks for app downloads. Discord’s age-verification partner was hacked this summer, exposing 70,000 government-issued IDs that are now being used for extortion. Twenty-four US states have passed similar laws.

What began as an effort to keep kids off adult sites has quietly evolved into the largest digital ID system ever built. One we never voted for.

****The normalization of online ID checkpoints****

Age verification started as a moral crusade. Lawmakers wanted to protect minors from explicit material. However, every system that requires an ID online transforms into something else entirely: a surveillance checkpoint. To prove you’re an adult, you hand over the same information criminals and governments dream of having—and to a patchwork of private vendors who store it indefinitely.

We’ve already seen where that leads. In the UK, after age-gating rules took effect under the Online Safety Act, one of the verification companies was breached. In the US, the AU10TIX breach exposed user data from Uber, X, and TikTok. Each time, the same story: people forced to upload passports, driver’s licenses, or selfies, only to watch that data leak.

If hackers wanted to design a dream scenario for mass identity theft, this would be it. Governments legally requiring millions of adults to upload the exact documents criminals need.

****The illusion of safety****

The irony is that none of this actually protects children. In the UK, VPN sign-ups spiked 1,400% the day the new restrictions went live. We hope that’s from adults balking at handing over personal data, but the point is any teen with a search bar can bypass an age-gate in minutes. The result isn’t a safer internet—it’s an internet that collects more data about adults while pushing kids toward sketchier, unregulated corners of the web.

Parents already have better options for keeping inappropriate content at bay: device-level controls, filtered browsers, phones built for kids. None of those require turning the rest of us into walking ID tokens.

****From bars to browsers****

Defenders like to compare online verification to showing ID at a bar. But when you flash your license to buy a beer, the cashier doesn’t scan it, store it, and build a permanent record of your drinking habits. Online verification does exactly that. Every log-in becomes another data point linking your identity to what you read, watch, and say.

It’s not hard to imagine how this infrastructure expands. Today it’s porn, violence, and “mature” chatbots. Tomorrow it could be reproductive-health forums, LGBTQ+ resources, or political discussion groups flagged as “sensitive.” Once the pipes exist, someone will always find a new reason to use them.

****When innovation starts to feel invasive****

Let’s be honest. We could all make money if we just decided to build porn machines, and that’s what this new offering from ChatGPT feels like. It didn’t take long for AI to grab a slice of the OnlyFans market. Except the price of admission isn’t only $20 a month; it’s potentially your identity and a whole lot of heartache.

As Jason Kelley of the Electronic Frontier Foundation explained on my Lock and Code podcast,

> “Once you are asked to give certain types of information to a website, there’s no way to know what that company, who’s supposedly verifying your age, is doing with that information.”

The verification process itself becomes a form of surveillance, creating detailed records of legal adult behavior that governments and cybercriminals can exploit.

This is how surveillance gets normalized: one “safety” feature at a time.

ChatGPT’s erotic mode will make ID-upload feel routine—a casual step before chatting with your favorite AI companion. But beneath the surface, those IDs will feed a new class of data brokers and third-party verifiers whose entire business depends on linking your real identity to everything you do online.

We’ve reached the point where governments and corporations don’t need to build a single centralized database; we’re volunteering one piece at a time.

ChatGPT’s latest intentions are a preview of what’s next. The internet has been drifting toward identity for years—from social logins to verified profiles—and AI is simply accelerating that shift. What used to be pockets of anonymity are becoming harder to find, replaced by a web that expects to know exactly who you are.

The future of “safe” online spaces shouldn’t depend on handing over your driver’s license to an AI.

**We don’t just report on data privacy—we help you remove your personal information**

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

 The price of ChatGPT’s erotic chat? $20/month and your identity 

This week on the Lock and Code podcast, we speak with Dr. Kristina Rapuano about AI "workslop" and its impact on people and their attitudes.

_This week on the Lock and Code podcast…_

Everything’s easier with AI… except having to correct it.

In just the three years since OpenAI released ChatGPT, not only has onlife life changed at home—it’s also changed at work. Some of the biggest software companies today, like Microsoft and Google, are forwarding a vision of an AI-powered future where people don’t write their own emails anymore, or make their own slide decks for presentations, or compile their own reports, or even read their own notifications, because AI will do it for them.

But it turns out that offloading this type of work onto AI has consequences.

In September, a group of researchers from Stanford University and BetterUp Labs published findings from an ongoing study into how AI-produced work impacts the people who receive that work. And it turns out that the people who receive that work aren’t its biggest fans, because it’s not just work that they’re having to read, review, and finalize. It is, as the researchers called it, “workslop.”

Workslop is:

> “AI generated work content that masquerades as good work, but lacks the substance to meaningfully advance a given task. It can appear in many different forms, including documents, slide decks, emails, and code. It often looks good, but is overly long, hard to read, fancy, or sounds off.”

Far from an indictment on AI tools in the workplace, the study instead reveals the economic and human costs that come with this new phenomenon of “workslop.” The problem, according to the researchers, is not that people are using technology to help accomplish tasks. The problem is that people are using technology to create ill-fitting work that still requires human input, review, and correction down the line.

“The insidious effect of workslop is that it shifts the burden of the work downstream, requiring the receiver to interpret, correct, or redo the work,” the researchers wrote.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Dr. Kristina Rapuano, senior research scientist at BetterUp Labs, about AI tools in the workplace, the potential lost productivity costs that come from “workslop,” and the sometimes dismal opinions that teammates develop about one another when receiving this type of work.

> “This person said, ‘Having to read through workshop is demoralizing. It takes away time I could be spending doing my job because someone was too lazy to do theirs.'”

Tune in today to listen to the full conversation.

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium Security for Lock and Code listeners.

 Your coworker is tired of AI &#8220;workslop&#8221; (Lock and Code S06E23) 

A copyright violation sounds serious, so cybercriminals are faking messages from the DMCA to lure you into handing over your X credentials.

One of my favorite Forbes correspondents recently wrote about receiving several fake copyright-infringement notices from X.

Let’s suppose you get an email claiming it’s from X, warning:

> “We’ve received a DMCA notice regarding your account.”

Chances are, you’ll be wondering what you did wrong. DMCA (Digital Millennium Copyright Act) notices are legal requests about copyrighted content, so it makes sense that many users would worry they broke the rules and feel eager to read the warning.

Image courtesy of Forbes

> “Some recent activity on your page may not fully meet our community standards. Please take a moment to review the information below and ensure your shared content follow our usage rules.  
> Notice Date : {day received}”
> 
> *   Kindly review the material You’ve shared.
> *   If you think this notice was sent in error, you can request a check using the link below.
> 
> Review Details {button}
> 
> If no update is received within 24 hours, your page visibility may stay temporarily limited until the review is complete.
> 
> We thank you for your attention and cooperation in keeping this space respectful and positive for all.”

As usual, the scammers add some extra pressure by claiming your account may be hidden or limited if you don’t act within 24 hours.

But the “Review Details” button doesn’t lead to anything on X. It does look a lot like the X login page, but it’s fake.

Any username and password typed there go straight to the hackers—which could leave you with a compromised account.

**How to keep your X account safe**

Having your X account stolen can be a major pain for you, your followers, and your reputation (especially if you’re in the cybersecurity field). So here are some tips to keep it safe:

*   Make sure 2FA is turned on. We wrote an article about how to do this back when it was still called Twitter.
*   When entering a username and password, or any type of sensitive information, check whether the URL in the address bar matches what you expect.
*   Use a password manager. It won’t enter your details on a fake site.
*   Use an up-to-date real-time anti malware solution with a web protection component.
*   Don’t click on links in unsolicited emails and check with the sender through another channel first.
*   A real DMCA notice from X will include a full copy of the reporter’s complaint, including contact details, plus instructions for filing a counter-notice.

Pro tip: You can upload suspicious messages of any kind to Malwarebytes Scam Guard. It will tell you whether it’s likely to be a scam and advise you what to do.

If you suspect your account may be compromised:

*   Change your password.
*   Make sure your email account associated with the account is secure.
*   Revoke connections to third-party applications.
*   Update your password in the third-party applications that you trust.
*   Contact Support if you can’t log in after trying the above.

Here are the full instructions from X for users who believe their accounts have been compromised.

**We don’t just report on scams—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

 Scammers are sending bogus copyright warnings to steal your X login 

A list of topics we covered in the week of November 10 to November 16 of 2025

November 14, 2025 - Contacted out of the blue for a virtual interview? Be cautious. Attackers are using fake interviews to slip malware onto your device.

November 14, 2025 - Apple's Digital ID makes travel smoother and saves you from digging for documents, but it comes with privacy and security trade-offs. We break down the pros and cons.

November 13, 2025 - Google’s suing Lighthouse, a Chinese Phishing-as-a-Service platform that uses Google’s branding on scam sites to trick victims.

November 13, 2025 - In 2025, receiving a .vbs “invoice” is like finding a floppy disk in your mailbox. It's retro, suspicious, and definitely not something you should run.

November 12, 2025 - Think twice before clicking that "Secure Message" alert from your organization's spam filters. It might be a phish built to steal your credentials.

 A week in security (November 10 &#8211; November 16) 

Contacted out of the blue for a virtual interview? Be cautious. Attackers are using fake interviews to slip malware onto your device.

One of our customers was contacted on LinkedIn about a job offer. The initial message was followed up by an email:

> “Thank you for your interest in the Senior Construction Manager position at {company}. After reviewing your background, we were impressed with your experience and would like to invite you to the next stage of our selection process — a virtual interview.
> 
> In this session, we’ll discuss your project management experience, leadership approach, and how your expertise aligns with {company}’s current and upcoming construction initiatives.
> 
> A Zoom link will be shared in a follow-up email, which will allow you to select a time that’s most convenient for you.
> 
> If you have any questions in the meantime, please don’t hesitate to reach out. I look forward to speaking with you soon.
> 
> Warm regards,”

I edited out the company name and the name of the supposed recruiter, but when we Googled that alleged recruiter’s name, he does work at the impersonated company (just not in HR). That’s not unique, though. We’ve heard several variants of very similar stories involving other companies and other names.

Other red flags included the fact that the email came from a Gmail address (not a company domain), and that the company has no openings for a Senior Construction Manager.

When our target replied they were looking forward to the interview, they received the “Meeting invitation” by email:

> “Hi There,
> 
>       {recruiter} INVITED YOU TO A ZOOM REMOTE MEETING
> 
> Please click the button below to view the invitation within 30 days. By acceptance, you’ll be able to message and call each other.
> 
>                View Invitation {button}
> 
> To see the list of invited guests, click here.
> 
> Thank you.
> 
> Zoom”

Both links in this email were shortened t\[.\]co links that redirected to meetingzs\[.\]com/bt.

That site is currently unavailable, but users have reported seeing fake Windows update warnings, or notifications about having to install updates for their meeting application (Zoom, Teams—name your favorite). Our logs show that we blocked meetingzs\[.\]com for phishing and hosting a file called GoToResolveUnattendedUpdater.exe.

While this file is not malicious in itself, it can be abused by cybercriminals. It’s associated with LogMeIn Resolve, a remote support tool, which attackers can fake or misuse to execute ransomware payloads once installed.

This tactic is part of a broader trend where attackers pose as recruiters or trusted contacts, inviting targets to meetings and requiring them to install software updates to participate. Those updates, however, can be malware installers or Remote Monitoring and Management (RMM) tools which can give attackers direct access to your device.

This type of attack is a prime example of how social engineering is becoming the primary way to gain initial access to you or your company’s system.

**How to stay safe**

The best way to stay safe is to be able to recognize attacks like these, but there are some other things you can do.

*   Always keep your operating system, software, and security tools updated regularly with the latest patches to close vulnerabilities.
*   Use a real-time anti-malware solution with a web protection component.
*   Be extremely cautious with unsolicited communications, especially those inviting you to meetings or requesting software installs or updates; verify the sender and context independently.
*   Avoid clicking on links or downloading attachments from unknown or unexpected sources. Verify their authenticity first.
*   Compare the URL in the browsers’ address bar to what you’re expecting.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Source

Malwarebytes