This week on the Lock and Code podcast, we speak with Lena Cohen about whether our phones are really listening to us to deliver ads.

_This week on the Lock and Code podcast…_

It has probably happened to you before.

You and a friend are _talking_—not texting, not DMing, not FaceTiming—but _talking_, physically face-to-face, about, say, an upcoming vacation, a new music festival, or a job offer you just got.

And then, that same week, you start noticing some eerily specific ads. There’s the Instagram ad about carry-on luggage, the TikTok ad about earplugs, and the countless ads you encounter simply scrolling through the internet about laptop bags.

And so you think, “Is my phone listening to me?”

This question has been around for years and, today, it’s far from a conspiracy theory. Modern smartphones can and do listen to users for voice searches, smart assistant integration, and, obviously, phone calls. It’s not too outlandish to believe, then, that the microphones on smartphones could be used to listen to other conversations without users knowing about it.

Recent news stories don’t help, either.

In January, Apple agreed to pay $95 million to settle a lawsuit alleging that the company had eavesdropped on users’ conversations through its smart assistant Siri, and that it shared the recorded conversations with marketers for ad targeting. The lead plaintiff in the case specifically claimed that she and her daughter were recorded without their consent, which resulted in them receiving multiple ads for Air Jordans.

In agreeing to pay the settlement, though, Apple denied any wrongdoing, with a spokesperson telling the BBC:

“Siri data has never been used to build marketing profiles and it has never been sold to anyone for any purpose.”

But statements like this have done little to ease public anxiety. Tech companies have been caught in multiple lies in the past, privacy invasions happen thousands of times a day, and ad targeting feels extreme entirely because it is.

Where, then, does the truth lie?

Today, on the Lock and Code podcast with David Ruiz, we speak with Electronic Frontier Foundation Staff Technologist Lena Cohen about the most mind-boggling forms of corporate surveillance—including an experimental ad-tracking technology that emitted ultrasonic sound waves—specific audience segments that marketing companies make when targeting people with ads, and, of course, whether our phones are really listening to us.

> “Companies are collecting so much information about us and in such covert ways that it really feels like they’re listening to us.”

Tune in today to listen to the full conversation.

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 Is your phone listening to you? (Lock and Code S06E07) 

Heavy incoming traffic: A new wave of toll fee scams are sweeping America.

Back in August 2024, we warned about a relatively new type of SMS phishing (or smishing) scam that was doing the rounds.

Now a new wave of toll fee scams are working their way round the US. These attempts come as an unexpected text message linking to a website pretending to belong to one of the US toll authorities, like E-ZPass, The Toll Roads, SunPass, or TxTag.

The texts usually create a sense of urgency—a common tactic of scammers, by telling you there is only a limited time left to act or there will be dire consequences.

The phishing sites are typically out to steal personal information and/or payment details. Reportedly, some users get up to 7 such messages in a day.

Many state departments are issuing warnings. For example, the Wisconsin Department of Transportation (WisDOT) Division of Motor Vehicles (DMV) recently warned consumers of reported phishing attempts via text, and the Arizona Department of Transportation even published a reminder that the state highway system doesn’t have toll roads, because of these scams.

A typical text message might look like this:

> “Your toll payment for E-ZPass Lane must be settled by {a date in the very near future}. To avoid fines and the suspension of your driving privileges, kindly pay by the due date.
> 
> Pay here: {malicious link}
> 
> (Please reply with “Y”, then exit the text message. Open it again, click the link, or copy it into your browser and open it.)”

 The malicious links are often fabricated to look legitimate by including an existing domain name before the actual domain name. E.g. e-zpass.com- roadioe\[.\]cc.

**How to avoid falling for toll fee scams**

*   Check the phone number that the text message comes from. Some of the scams we saw were easy to dismiss because they came from telephone numbers outside the US.
*   Look for the actual site that handles the alleged toll fees and compare the domain name. Sometimes there is only a small difference, so inspect it carefully.
*   If you decided to pay, make sure you receive confirmation of payment. Official toll agencies will send confirmation after collecting payments. If you don’t receive that, call the toll service to check.
*   Never interact with the scammer in any way. Every reaction provides them with information, even if it’s only that the phone number is in use.
*   If you think the toll fee is feasible because you have indeed travelled in that area, check on the official toll service’s website or call their customer service number.
*   The FBI asks that if you receive a suspicious message, contact the FBI Internet Crime Complaint Center at ic3.gov. Be sure to include the phone number from where the text originated, and the website listed within the text.

**Indicators of Compromise (IoCs)**

Domains involved in toll fee scams:

com-roadioe\[.\]cc

uoshxkdhkz\[.\]top

com-zgoupbb\[.\]top

forfeitzm\[.\]top

sunpass-verification\[.\]top

com-tollbilljhy\[.\]top

com-etc-bbzj\[.\]vip

com-tollbilltid\[.\]vip

com-tollbilltwd\[.\]vip

paytollrbzx\[.\]vip

com-ticketvb\[.\]xin

com-emzwepr\[.\]xin

com-ustolls\[.\]xin

com-tollbilaz\[.\]xin

etc-tollad\[.\]xin

roadetctre\[.\]xin

Did you know that Malwarebytes for mobile scans your texts for scams and blocks known malicious sites?

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Toll fee scams are back and heading your way 

A list of topics we covered in the week of March 31 to April 6 of 2025

April 4, 2025 - A security researcher found a flaw in Verizon call record requests that may have put millions of Americans at risk

April 3, 2025 - Up to one in five of the most popular mobile VPNs are owned by Chinese companies that do their best to hide the fact.

April 3, 2025 - Phishers are putting QR codes as images in attachments because it helps them bypass email filters.

April 3, 2025 - Worried parents tracking their children with T-Mobile SyncUP devices suddenly found that they were looking at the location of random other children. And could not locate their own.

April 2, 2025 - A generative AI nudify service has been found storing explicit deepfakes in an unprotected cloud database.

 A week in security (March 31 &#8211; April 6) 

A security researcher found a flaw in Verizon call record requests that may have put millions of Americans at risk

Security researcher Evan Connelly discovered an enormous flaw affecting one of the largest telecommunications companies in the world that could allow any single person to view the recent incoming call log for potentially any Verizon phone number.

“In short, anyone could lookup data for anyone,” Connelly said.

A vulnerability in the Verizon Call Filter iOS app allowed anyone to request the call logs of millions of US Verizon customers. The Verizon Call Filter app for iOS allows customers to view a log of their recent calls. This log will show them the phone numbers and an associated timestamp.

To request such a log the app sends a request to a server to fetch the data belonging to the phone number in question.  The network request to the server contains various details such as your phone number and the requested time period for call records. The server then responds with a list of calls and timestamps.

But, as it turns out, there were no checks to make sure that the number the information was requested about and the number that sent the request matched.

So, the researcher was able to craft requests for any given phone number and get the call logs for that number, without the ownership of that number. The consequence: anyone could look up data for any Verizon Wireless customer.

The researcher did not check whether every Verizon Wireless customer was affected by this flaw.

> “The issue I discovered impacted at least those who have the Verizon Call Filter service enabled (I did not test a number which had it disabled; I can’t rule out whether or not all Verizon numbers could have been impacted).”

But it looks as if the Verizon Call Filter is enabled by default, so at least a great many Verizon Wireless customers would be impacted.

This is not just a privacy concern. For some people this could be a security hazard. For people in a domestic abuse situation, public figures, or those of interest to resourceful cyberattackers, a history of calls and frequent callers falling in the wrong hands can put people at physical risk or even compromise national security.

An attacker with access to someone’s call history could figure out their daily habits, see who they talk to most often, and guess their personal relationships. There is no available information whether this flaw was ever actively abused.

Thankfully, Verizon took the issue seriously and fixed it promptly.

Timeline:

*   2/22/2025 – Issue discovered and reported to Verizon
*   2/24/2025 – Acknowledgment from Verizon of the report
*   3/23/2025 – Researcher requested an update as the issue appeared fixed
*   3/25/2025 – Confirmation from Verizon that the issue is resolved

**Verizon call filter**

The Verizon Call Filter is a useful tool against robocalls, since it’s a screening and filtering tool that helps you manage nuisance calls. Verizon uses a Know Your Customer (KYC) scoring system to identify spam call networks and block their calls before they reach your phone. Based on your settings, blocked calls will either go to voicemail or stopped altogether.

If you no longer want to use Call Filter, it’s easy to turn it off. Here’s how:

**On iPhone:**

1.  Open the Call Filter app.
2.  Go to Settings.
3.  Tap Manage Plan and select Turn Off Call Filter.

Alternatively, you can disable it from your iPhone’s settings by going to Settings > Phone > Call Blocking & Identification and toggling off the Call Filter option.

**On Android:**

1.  Open the Call Filter app (it might already be installed on your device).
2.  Tap Account, then Manage Plan.
3.  Follow the steps to disable Call Filter.

As an alternative you can use Malwarebytes Mobile Security for iOS or Malwarebytes Mobile Security for Android to block scam calls.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Flaw in Verizon call record requests put millions of Americans at risk 

Up to one in five of the most popular mobile VPNs are owned by Chinese companies that do their best to hide the fact.

Up to one in five of the most popular mobile VPNs for iOS last year are owned by Chinese companies that do their best to hide the fact. In at least one case, the owner is on a US blacklist.

That’s according to a report from the non-profit Tech Transparency Project (TTP), who investigated the top 100 mobile VPN apps downloaded from Apple’s App Store as documented by mobile intelligence company AppMagic.

Mobile VPNs are apps that connect your smartphone to the internet via different computers around the world. People use them to make it look as though they’re connecting from elsewhere, often to dodge local censorship or to access commercial content not available in their region, or just because they’re concerned about privacy.

The downside is that you must be able to trust the company that operates those computers. After all, they get to see all of your traffic as it passes through those channels.

The TTP warns that a large proportion of the most popular mobile VPN apps in the Apple App Store are owned by Chinese companies. These include Qihoo 360, which is classified as a Chinese military company by the US Department of Defense.

**Several mobile VPNs linked to Chinese military**

According to the TTP report, Qihoo acquired an app development company called Guangzhou Quanyong. The company developed several mobile apps for Innovative Connecting Pte. Ltd, a Singapore-registered company owned by another company called Lemon Seed, registered in the Cayman Islands.

Innovative Connecting developed an app called Turbo VPN, which was marketed to Spanish-speaking people in the US as a way to circumvent proposed restrictions when accessing Chinese-owned social network TikTok. The company developed several other VPNs in the top 100, including VPN Proxy Master and Thunder VPN. It is also responsible for others that didn’t make it into the top 100: Snap VPN, and Signal Secure VPN.

Chinese company 360 Security Technology, also known as Qihoo 360, purchased Lemon Seed, according to its 2019 annual report.

Not only is Qihoo 360 classified as a Chinese military company in the US, in June 2025 the US government also placed Qihoo 360 on its Entity List, which is a list of companies maintained under the US government’s Export Administration Regulations (EAR).

The Entity List identifies entities that the US believes pose a risk to its national security. It added Qihoo 360 and others to the list citing “reasonable cause to believe that these entities pose a significant risk of becoming involved in activities — the procurement of commodities and technologies for military end-use in China—that are contrary to the national security interests of the United States.”

Three months later, Qihoo 360 sold a package of assets under the banner ‘Project L’, which the TTP investigation believes contained Lemon Seed based on the description of its acquisition date in the public filing.

In spite of the sale, TTP suggests an ongoing link between the two companies after the sale, based on March 2025 filings that list its sole director as Chen Ningyi, who shows up on a Qihoo 360 patent in 2017 and who appears to be a general manager for Qihoo’s mobile security app 360 Mobile Guard.

**Shell companies and proxy ownership**

Apps developed by Innovative Connecting aren’t the only with possible links to China, according to the report. It traced several back to companies in Hong Kong. The island city has come under increasingly strict Chinese control lately with the passage a year ago of Article 23, a bill applying strict penalties for a broad array of activities deemed anti-Chinese.

The report found several VPN apps registered to Hong Kong companies, often owned by people or entities on the mainland. These included X-VPN, VPNIFY, VPN Bucks, LinkWorldVPN, VPN Proxy OvpnSpider, and Best VPN Proxy AppVPN.

It also found some registered in other parts of the world that appeared to be Chinese products operating through proxies. One, WireVPN – Fast VPN & Proxy, was registered in the UK but is controlled by a single Chinese national via a shell company. It shares a privacy policy with another similarly-named product registered in Belize called Wirevpn – Secure & Fast VPN. Both use language lifted directly from Chinese privacy regulations.

While VPNs are a useful way to achieve some privacy online, this report highlights the importance of due diligence when choosing a technology provider. Not all VPNs are created equal – and just because they’re in Apple’s App Store doesn’t mean that they’re automatically above board.

**How to find a VPN you can trust**

**Consider the jurisdiction:**

*   As evidenced by the TTP report, the VPN provider’s location matters. Be wary of VPNs based in countries that require intelligence-sharing with their governments

**Look for these security features:**

*   Strong encryption protocols (like 256-bit ChaCha20) are vital.
*   A “kill switch” is important; it disconnects your internet connection if the VPN drops, preventing data leaks.
*   Look for VPNs that support secure protocols like WireGuard

**Read the privacy policy:**

*   A “no-log” policy is essential. This means the VPN provider should not track, store, or share your browsing history, IP address, or any of your network data
*   Carefully read the privacy policy to understand what data is collected and how it’s used.

**Consider Malwarebytes Privacy VPN:**

Of course we’d say that. But with a 256-bit ChaCha20 encryption, lightning-fast Wireguard protocols, and a strict no-log policy, you can be sure that Malwarebytes Privacy VPN **will never** track, store, or share any network data.

 Popular VPNs are routing traffic via Chinese companies, including one with link to military 

Phishers are putting QR codes as images in attachments because it helps them bypass email filters.

Recently we’ve been seeing quite a few phishing campaigns using QR codes in email attachments.

The lure and the targets are varied, but the use of a QR code to get someone to visit the phishing site is fast becoming a preferred method for cybercriminals.

There are several reasons why cybercriminals might want to use QR codes:

*   The QR code is likely to be scanned with a phone, which are often less well protected against malicious websites or even completely unprotected.
*   Phones are also likely personal devices which provide attackers with a direct path to sensitive personal accounts. For example, banking apps will be often be installed on the same device.
*   QR codes are impossible for humans to identify as malicious at first glance.
*   Links in emails are usually analyzed by email filters, whereas QR codes can be embedded as an image which many email filters will ignore.
*   The use of QR codes in other applications like banking apps, may invoke a certain level of trust.

Combined with other known phishing techniques, QR codes provide criminals with a potent tool for collecting usernames and passwords, distributing malware, and other malicious activities.

Since any QR code scanner should show you the URL before following the link, the phishers often combine the use of QR codes with that of URL shorteners to further hide the real destination.

The attackers can even embed the QR codes in professionally designed documents mimicking HR portals, payroll updates, tax reviews, or e-signature services (e.g. DocuSign, Adobe), which increases the perceived legitimacy of the phish. Here’s one example we’ve seen:

> “To conveniently access and navigate the contents of the updated Employee Handbook, please scan the QR code provided below. This will direct you to the digital version of the handbook for easy reference and exploration.
> 
> {QR code}
> 
> Should you have any questions, Please do not hesitate to contact the HR department.”

The employee handbook example above comes from a four-page document showing a handbook which has been allegedly changed, and ends with specific instructions to open the QR code with the camera app of the smartphone:

> “Step-by-step guide
> 
> 1\. Open your camera app:
> 
> Launch the camera app on your smartphone
> 
> 2\. Point at the QR code:
> 
> Align your camera lens with the QR code, ensuring it is fully visible within the frame.
> 
> 3\. Wait for recognition:
> 
> Your phone will automatically detect the QR code and display a notification or link on the screen.
> 
> 4\. Access the content:
> 
> Tap on the notification or link to open the information associated with the QR code.”

The QR code in this example took anyone that followed the link to a website that redirected based on the email address. Personal email addresses would see generic advertising, but corporate email addresses would be prompted to log in with their Microsoft account.

So, this one was clearly looking to compromise a corporate account, but you can easily imagine how a phisher with another goal in mind could use a list of email addresses obtained in a breach, and with such a list run a targeted campaign.

Malwarebytes customers were protected against this phishing site.

Android warning (in Dutch)

**What can you do to avoid QR code phishing?******Keep your device up to date****

Many users have no idea whether their devices are still receiving updates. You can find your device’s Android version number, security update level, and Google Play system level in your Settings app.

You’ll get notifications when updates are available for you, but you can also check for them yourself. For most phones it works like this: Under **About phone** or **About device** you can tap on **Software updates** to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

**Scan a QR code with the same security mindset as clicking a link**

If you scan a QR code, make sure to use an app that shows you the full URL and asks you first before it visits the URL encoded in the QR code. If you do not trust the URL, don’t allow your device to open the link, and look for another way to get the information or download you want.

Modern Android devices (version 8 and above) have a native QR code scanning capability built into the camera app. Some QR code scanner apps may have a feature that automatically executes actions like opening a website or downloading a file. Disable features like these.

**Use anti-malware protection on your devices**

Your mobile devices are in need of protection just as much as your computer. Malwarebytes protects devices with Malwarebytes for Android and Malwarebytes for iOS.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 QR codes sent in attachments are the new favorite for phishers 

Worried parents tracking their children with T-Mobile SyncUP devices suddenly found that they were looking at the location of random other children. And could not locate their own.

Not one but several worried parents that tracked their children by using T-Mobile tracking devices suddenly found that they were looking at the location of random other children. And could not locate their own.

T-Mobile sells a small GPS tracker called SyncUP, which can be used to track, among others, the locations of young children who don’t have cell phones yet. SyncUP uses a combination of GPS technology, Wi-Fi, and T-Mobile’s LTE nationwide network to locate registered devices and comes in the form of a small tag, a car tracker or a kids watch.

According to our friends at 404 Media, several users reported receiving information that came from another tracker, not their own. And from some of the statements it’s very clear that the disclosed locations belonged to other children because of the names and pictures associated with the accounts.

One woman who spoke to 404 Media could see the location address where the random children were, as well as their name and the last time the location was updated. In many cases, the time said “just now” or “one minute ago.”

> “I was probably shown more than eight children. I would log in and I couldn’t see my children but I could see a kid in California. I refreshed and then I had no trackers, and then I refreshed again and would see a different child.” 

Car owners using SyncUP Drive, the car tracking device, reported similar problems.

Here are some of the potential issues that this mix up could bring up:

*   A big concern about tracking devices is their vulnerability to hacking, potentially exposing personal data. No hacking was needed here. Every time some of the users tried they would get the location of a different tracker.
*   Without consent, tracking devices can infringe on individuals’ privacy rights. While you may say this is mainly about tracking without consent, nobody consented to strangers tracking their children.
*   GPS tracking must comply with privacy laws like the Electronic Communications Privacy Act (ECPA) and the Driver’s Privacy Protection Act (DPPA) to prevent unauthorized surveillance. Did T-Mobile fail to comply, even if only for a short time?
*   Inaccurate tracking, or not being able to track, can compromise personal safety if devices are used for emergency services or monitoring vulnerable individuals.
*   Repeated problems can erode the trust in the underlying GPS tracking technology.

This raises the question for parents to ask themselves: What’s worse, not knowing where your child is exactly or running the risk of exposing their location to other people?

Privacy concerns surrounding tracking devices are multifaceted. On one hand, these devices are designed to give users a sense of safety and security by providing accurate location information. However, they also pose risks if not properly secured.

We have reported multiple times about stalkerware users getting exposed by security flaws in the apps they used. While SyncUP may be more secure than some of the stalkerware apps we wrote about, this incident shows it’s not watertight either.

T-Mobile did not disclose the exact problem, but told 404 Media the incident is now resolved:

> “Yesterday we fully resolved a temporary system issue with our SyncUP products that resulted from a planned technology update. We are in the process of understanding potential impacts to a small number of customers and will reach out to any as needed. We apologize for any inconvenience.”

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Location, name, and photos of random kids shown to parents in child tracker mix up 

A generative AI nudify service has been found storing explicit deepfakes in an unprotected cloud database.

Yesterday, we told you about how millions of pictures from specialized dating apps had been stored online without any kind of password protection.

Now it’s the turn of an AI “nudify” service.

A researcher, famous for finding unprotected cloud storage buckets, has uncovered an unprotected AWS bucket belonging to the nudify service.

The rising popularity of these nudify services apparently has caused a selection of companies without any security awareness to hop on the money train. Millions of people use these services to turn normal pictures into nude images, and it only takes a few minutes.

South Korean AI company GenNomis by AI-NOMIS or somebody acting at their behalf stored 93,485 images and json files with a total size of 47.8 GB in a non-password-protected nor encrypted, but publicly exposed database.

Looking at the service, GenNomis is an AI-powered image generation platform that allows users to transform text descriptions into images, create AI personas, turn images to videos, face-swap images, remove backgrounds, etc., and all that without restrictions. It also provides a marketplace, where users can buy and sell these images as “artwork.”

The researcher saw numerous pornographic images, including what appeared to be disturbing AI-generated portrayals of very young people. Even though the GenNomis guidelines prohibit explicit images of children and any other illegal activities, the researcher found many of them. That doesn’t mean they were available to buy on the platform, but they were at least created.

Some of the deepfakes are hard to discern from real images, and as such may lead to serious privacy, ethical, and legal risks. Not to mention the humiliation for the owners of those images or parts thereof who didn’t consent. Sadly, there are many examples where young people have taken their own lives over sextortion attempts.

The researcher contacted the company about what he had found. He told The Register:

> “They took it down immediately with no reply.”

**Keep your children safe from nudify services**

We’ve seen many cases where social media and other platforms have used the content of their users to train their AI. Some people have a tendency to shrug it off because they don’t see the dangers, but let us explain the possible problems.

In this case, it’s at the extreme end of what the content could be used for.

*   Deepfakes: Users of this generative AI could have used the nudify service on publicly available pictures to create explicit deepfakes without consent. AI generated content, like deepfakes, can be used to spread misinformation, damage your reputation or privacy, or defraud people you know.
*   Metadata: Users often forget that the images they upload to social media also contain metadata, such as where the photo was taken. This information could potentially be sold to third parties or used in ways the photographer didn’t intend.
*   Intellectual property. Never upload anything you didn’t create or own. Artists and photographers may feel their work is being exploited without proper compensation or attribution.
*   Bias: AI models trained on biased datasets can perpetuate and amplify societal biases.
*   Facial recognition: Although facial recognition is not the hot topic it once used to be, it still exists. And actions or statements done by your images (real or not) may be linked to your persona.
*   Memory: Once a picture is online, it is almost impossible to get it completely removed. It may continue to exist in caches, backups, and snapshots.

If you want to continue using social media platforms that is obviously your choice, but consider the above when uploading pictures of you, your loved ones, or even complete strangers.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 &#8220;Nudify&#8221; deepfakes stored unprotected online 

A number of specialized dating apps leaked the--not so--secret storage location of 1.5 Million more or less explicit images

A researcher found millions of pictures from specialized dating apps for iOS stored online without any kind of password protection.

The pictures, some of which are explicit, stem from dating apps that all have a specific audience. The five platforms, all developed by M.A.D. Mobile are kink sites BDSM People and Chica, and LGBTQ+ apps Pink, Brish, and Translove.

As we reported not too long ago, many iOS apps leak at least one hard coded secret. We consider hard coded secrets in the source code of the apps as exposed because they are relatively easy to find and abuse by cybercriminals. And those secrets can have serious consequences for the apps’ users

Cybernews’ Aras Nazarovas found the storage location (a Google Cloud Storage bucket) used by the apps by reverse engineering the code. To his surprise, he could access the unencrypted and otherwise unprotected photos without needing any password.

As soon as he saw the first image, he knew this storage should not have been public. Not only did it contain profile pictures, it also included pictures sent in private messages, including some removed by moderators.

In total, nearly 1.5 million user-uploaded images were available to anyone stumbling over the storage bucket. Although the images are not linked to any user accounts or other private information, it is not unthinkable that cybercriminals could figure out some of the identities by using commonly available face search engines.

Many of these search engines use Artificial Intelligence (AI) for facial recognition combined with reverse image search technology to find other photos of a person published online, based on a picture submitted by the user.

Although officially intended only for self-searches, many of them don’t bother to check whether that’s actually the case.

Coupled to the identity of the person in the picture, these images could expose users to extortion, as well as an increased risk of hostility. As if online dating isn’t nervewracking enough, especially for those looking in special categories, the last we need is to see our explicit images exposed.

M.A.D Mobile was warned about the leak in January, but didn’t take any action to protect the storage until the BBC contacted the company on Friday. The issue has now been fixed.

It’s important to stipulate that the apps are exclusive to iOS and do not have Android or web alternatives.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

 Intimate images from kink and LGBTQ+ dating apps left exposed online 

With tax season in full swing, we're seeing scammers flexing their social engineering muscles. Be prepared.

Tax season is in full force, and with the filing deadline fast approaching on April 15, scammers are happy to use that sense of urgency to coax us into handing them our cash.

In one example, one of our customers recently received an email with an attachment titled “Urgent reminder.” The attachment was a PDF file with a QR code in it.

> “Tax Services Department
> 
> Important Tax Review and Update Required by
> 
> 2025-03-16!
> 
> Dear receiver,
> 
> As part of our ongoing efforts to ensure compliance with the latest tax regulations, we
> 
> are conducting a mandatory review and update of your tax records. This update must
> 
> be completed by 2025-03-16 to avoid any potential penalties or disruptions to your
> 
> account.
> 
> To proceed with the update, please scan the QR code below with your mobile device or
> 
> click the link provided to access the secure tax portal. Once logged in, follow the
> 
> prompts to review and confirm your tax information.
> 
> Thank you for your prompt attention to this matter.
> 
> Tax Services Team
> 
> This is an automated message. Please do not reply to this email.”

If the receiver were to scan the QR code, they would be sent to a phishing site. The destination is hidden through a clever use of doubleclick.net redirects.

Lucky for our customer, Malwarebytes had already blocked the real destination.

Malwarebytes blocks fmhjhctk.ru

When we disabled our protection to see where the QR code led, we first had to pass the bot protection:

And then we were asked for our Microsoft credentials with the email address already filled out.

Entering your password will send your credentials to a Russian receiver, who will decide what the most profitable way to use them is. Perhaps they’ll sell the details on the dark web, or use them for themselves to get access to your Microsoft accounts.

But that’s just one example of a tax scam.

The IRS’s annual Dirty Dozen list of tax scams shows common schemes that threaten your tax and financial information. And, although these scams do appear year-round, tax season is when they reach their peak level.

One of the pitfalls the IRS warns about is bad tax advice provided on social media, as submitting false information to the IRS could land you in serious trouble. An example is the so-called “self-employment tax credit” which does exist in some countries, but the US is not one of them. Last year the misinformation was so rampant that the IRS issued a warning about it.

The other big type of scams are phishing emails, like we saw above. Even though scammers can use Artificial Intelligence to create convincing emails that appear to come from the IRS, there are often some tell-tale signs of social engineering attempts:

*   Too good to be true: Huge, unexpected tax returns are usually just an incentive to get you to surrender private information in the hopes of obtaining that sum.
*   Urgency is always implied, because the scammers do not want you to think things through.
*   The IRS rarely contacts people by email. And when it does, it is only to send general information and in an ongoing case with an assigned IRS employee. So receiving an email should be an immediate pause for thought.

**Avoiding scams**

These days it has become increasingly difficult to navigate your way online without being exposed to a scam. People have become accustomed to trusting their search engine and naturally follow the different paths laid in front of them.

While some websites look obviously fake to someone, they may fool someone else. At the same time, the tools to build convincing schemes are readily available to anyone for free.

*   Before calling a number, ensure that it is legitimate by visiting the official site directly.
*   Beware of unsolicited phone calls or emails, especially those that ask you to act immediately.
*   Beware of impersonators who may hide behind sponsored results and instead click on organic search results.
*   Always check the website you visit by looking at the address bar. If in doubt, close the page and open a new one.
*   If a website asks you for a small fee upfront it likely is trying to get your credit card information to sell you more expensive services.
*   Never send sensitive personal information such as your bank account, charge card, or Social Security number by email. Instead use a secure method such as your online account or another application on IRS.gov.
*   Use security software that blocks phishing domains and other scam sites. Malwarebytes Premium does this, leaving your computer and financial assets protected.

The IRS has a specific page dedicated to helping you identify if it’s really them reaching out to you or a scammer. Study that guide before making any rash decisions.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Source

Malwarebytes