A renewed warning about toll fee scams has gone out. This time it comes from the DMVs of several US states.

Over a year ago the FBI warned about what was then a new form of smishing (phishing via SMS) scam: text messages that demanded payment for toll fees.

The FTC sent out a similar warning in January, 2025. Then, in April another wave of toll fee scams began doing the rounds.

Now the Departments of Motor Vehicles (DMVs) of New York, Florida, and California are warning residents not to fall for the text message scams that try to trick users into clicking a link by telling them they owe a “small amount” in toll fees.

The amount of smishing messages is a major problem. Reportedly, in April of 2025 alone, Americans received 19.2 billion automated spam texts which amounts to roughly 63 spam texts for every single person in the country.

And it seems to be paying off for the cybercriminals involved in fraud. The FTC’s 2024 Annual Data Book shows that 16% of the reported fraud attempts were text-based, with a criminal revenue of some $470 Million.

**How to avoid falling for toll fee scams**

*   Check the phone number that the text message comes from. Some of the scams we saw were easy to dismiss because they came from telephone numbers outside the US.
*   Look for the actual site that handles the alleged toll fees and compare the domain name. Sometimes there is only a small difference, so inspect it carefully.
*   If you decided to pay, make sure you receive confirmation of payment. Official toll agencies will send confirmation after collecting payments. If you don’t receive that, call the toll service to check.
*   Try never to interact with the scammer in any way. Every reaction provides them with information, even if it’s only that the phone number is in use.
*   If you think the toll fee is feasible because you have indeed travelled in that area, check on the official toll service’s website or call their customer service number.
*   Malwarebytes Mobile Security for Android includes a “Text Protection” feature that alerts users about potentially fraudulent or phishing text messages, helping to prevent scams and other online threats. This feature scans incoming text messages for suspicious content, such as malicious links or suspicious phrases, and warns the user to be cautious. 
*   On Malwarebytes Mobile Security for iOS, our text filtering feature scans incoming messages for suspicious content—such as malicious links—and automatically moves them to your Junk folder before you have a chance to interact with them by mistake.
*   The FBI asks that if you receive a suspicious message, contact the FBI Internet Crime Complaint Center at ic3.gov. Be sure to include the phone number from where the text originated, and the website listed within the text.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 New warning issued over toll fee scams 

A huge dataset with all kinds of sensitive information, likely to be the result of infostealers, has been found unsecured online.

A recent discovery by cybersecurity researcher Jeremiah Fowler of an unsecured database containing over 184 million unique login credentials has once again highlighted the growing threat posed by infostealers. While the sheer volume of exposed data—including emails, passwords, and authorization URLs—is alarming, the real concern is not just about the exposure itself, but in how cybercriminals collect and weaponize these credentials.

This trove of data from a wide range of services like email providers, Microsoft, Facebook, Instagram, Snapchat, Roblox, and many more, doesn’t appear to have been leaked by accident by someone who obtained the data legitimately. More likely, it was amassed by infostealers—malicious software (malware) that are designed specifically to gather sensitive information from infected devices. These malware variants silently extract credentials stored in browsers, email clients, messaging apps, and even crypto wallets. They often arrive via phishing emails, malicious websites, or bundled with cracked software.

An infamous example of an infostealer is the Lumma Stealer, which recently suffered a serious disruption of its infrastructure by authorities. Unfortunately, there are several others which may not be as widespread as Lumma, but at least at the same level of sophistication.

What this means is that the exposed credentials are likely just a fraction of what cybercriminals have already harvested from likely millions of victims worldwide. Each infected device can yield dozens or hundreds of credential sets, multiplying the scale of the problem far beyond a single breach. If a criminal can tie all these different types of stolen information to one person, like the operator of an infostealer would, it would be easy to use those details for identity theft.

The database has since been removed from public view.

**How many people are affected?**

Given the volume of credentials found, it’s reasonable to assume that millions of individuals had their data included in the exposed database. Since one infected system can leak multiple credentials tied to different accounts and services, the number of victims is likely far smaller than the number of exposed credentials but still alarmingly high.

Infostealers have evolved beyond simple password grabbers. Modern variants can capture autofill data, cookies, screenshots, and keystrokes, giving attackers a comprehensive toolkit to bypass security measures and launch sophisticated attacks. The stolen credentials fuel credential stuffing attacks (where an attacker uses reused logins stolen from one service to access another), account takeovers, identity theft, corporate espionage, and targeted phishing campaigns.

The fact that these credentials span a wide range of services, from social media platforms like Facebook and Instagram to financial institutions, healthcare portals, and even government accounts shows how pervasive infostealer infections have become, enabling attackers to build detailed profiles of victims’ digital lives.

**What you can do**

There is no way to tell whether anyone else found the exposed database before it was removed from public access. However, the exposure of such a massive dataset should serve as a wake-up call. While the breach itself may no longer be the immediate threat, infostealer malware remains an ongoing and growing threat. Here are some practical steps to protect yourself:

*   Change your passwords regularly, and don’t reuse them across multiple accounts. Use unique, complex passwords for every service.
*   Enable two-factor authentication (2FA) wherever possible. This makes it harder for criminals to take over your account.
*   Regularly audit and clean your email inbox of sensitive documents and old passwords. Jeremiah pointed out that “people unknowingly treat their email accounts like free cloud storage and keep years’ worth of sensitive documents, such as tax forms, medical records, contracts, and passwords without considering how sensitive they are.”
*   Use an up-to-date and active anti-malware solution  that can detect and remove infostealer malware.
*   Be careful about what you download and educate yourself on recognizing phishing emails, as these remain the most common infection vectors.

Given the scale and sophistication of infostealer operations, it’s not enough to wait for breach notifications to find out whether your credentials have been compromised. That’s why proactive monitoring is essential.

You can use Malwarebytes’ free Digital Footprint Portal to see if any of your data has been stolen by an infostealer and exposed online. We have many millions of stolen records in our database that stem from Lumma stealers alone and are being traded on the dark web. Just put in the email address you use the most, and we’ll tell you what information is out there about you.

Don’t wait for a data breach to impact you. Check your digital footprint and stay one step ahead of cybercriminals.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 184 million logins for Instagram, Roblox, Facebook, Snapchat, and more exposed online 

A list of topics we covered in the week of May 19 to May 25 of 2025

May 22, 2025 - The Lumma infostealer infrastructure has suffered a serious blow by a coordinated action of the DOJ and Microsoft.

May 22, 2025 - A stalkerware company that recently leaked millions of users' personal information online has taken all of its assets offline without any explanation.

May 22, 2025 - Cybercriminals are using AI-based tools to generate voice clones of the voices of senior US officials in order to scam people.

May 20, 2025 - The bankrupt 23andMe, along with all of its genetic data, has been bought by US drugmaker Regeneron Pharmaceuticals.

May 20, 2025 - You'd hope that spending $6,000 on a printer would give you a secure experience, free from viruses and other malware. However, in the case of Procolored printers, you'd be wrong.

 A week in security (May 19 &#8211; May 25) 

The Lumma infostealer infrastructure has suffered a serious blow by a coordinated action of the DOJ and Microsoft.

The US Department of Justice (DOJ) and Microsoft have disrupted the infrastructure of the Lumma information stealer (infostealer).

Lumma Stealer, also known as LummaC or LummaC2, first emerged in late 2022 and quickly established itself as one of the most prolific infostealers. Infostealers is the name we use for a group of malware that collects sensitive information from infected devices and sends the data to an operator. Depending on the type of infostealer and the goals of the operator, infostealers can be interested in taking anything from usernames and passwords to credit card details, and cryptocurrency wallets.

Lumma operates under a malware-as-a-service (MaaS) model, meaning its creators sell access to the malware on underground marketplaces and platforms like Telegram. This model allows hundreds of cybercriminals worldwide to deploy Lumma for their own malicious campaigns.

What makes Lumma particularly dangerous is its wide range of targets and its evolving sophistication. It doesn’t just grab browser-stored passwords or cookies. It’s also capable of extracting autofill data, email credentials, FTP client data, and even two-factor authentication tokens and backup codes, which enables attackers to bypass additional security layers.

As Matthew R. Galeotti, head of the Justice Department’s Criminal Division put it:

> “Malware like LummaC2 is deployed to steal sensitive information such as user login credentials from millions of victims in order to facilitate a host of crimes, including fraudulent bank transfers and cryptocurrency theft.”

Over the last few months alone, Microsoft identified over 394,000 Windows computers infected with Lumma worldwide. The FBI estimates that Lumma has been involved in around 10 million infections globally.

Using a court order from the US District Court for the Northern District of Georgia, Microsoft’s DCU seized and facilitated a takedown, suspension, and blocking of approximately 2,300 malicious domains that were part of the infostealer’s backbone.

Most of the seized domains served as user panels, where Lumma customers are able to access and deploy the infostealer, so this will stop the criminals from being able to to access Lumma in order to compromise computers and steal victim information.

Government agencies and researchers sometimes alter DNS addresses to lead the traffic to their own servers (called sinkholes). By redirecting the seized domains to Microsoft-controlled sinkholes, investigators can now monitor ongoing attacks and provide intelligence to help defend against similar threats in the future. This takedown slows down cybercriminals, disrupts their revenue streams, and buys time and knowledge for defenders to strengthen security.

**How to protect yourself**

Even with the Lumma infrastructure disrupted, the threat of information stealers remains very real and evolving. Here are some practical steps to reduce your risk:

*   **Use strong, unique passwords** for every account and consider a reputable password manager to keep track of them.
*   **Enable multi-factor authentication (MFA)** wherever possible. Although Lumma tries to bypass 2FA, having it still adds a crucial layer of defense.
*   **Be cautious with emails and downloads.** Lumma often spreads through phishing emails and malicious downloads, sometimes disguised as legitimate CAPTCHAs or antivirus software.
*   **Keep your software and operating system updated** to patch vulnerabilities that malware can exploit.
*   **Regularly monitor your financial and online accounts** for suspicious activity.
*   **Educate yourself about phishing and social engineering tactics** to avoid falling victim to trickery.
*   **Use an up-to-date real-time anti-malware solution** to block install attempts and detect active information stealers.

By understanding how threats like Lumma operate and by taking the necessary steps to protect ourselves, we can reduce the risk of falling prey to these invisible thieves.

You can use Malwarebytes’ free Digital Footprint Portal to see if any of your data has been stolen by a Lumma infostealer. We have many millions of stolen records stemming from Lumma stealers that are being traded on the Dark Web in our database.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Lumma information stealer infrastructure disrupted 

A stalkerware company that recently leaked millions of users' personal information online has taken all of its assets offline without any explanation.

A stalkerware company that recently leaked millions of users’ personal information online has taken all of its assets offline without any explanation. Now Malwarebytes has learned that the company has taken down other apps too.

Back in February, news emerged of a stalkerware app compromise. Reporters at Techcrunch revealed a vulnerability in three such apps: Spyzie, Cocospy, and Spyic. The flaw exposed data from the victim’s devices, rendering their messages, photos, and location data visible to whomever wanted them. It also gave up approximately 3.2 million email addresses entered by the customers that bought and installed these apps on their targets’ devices.

The bug was so easy to exploit that Techcrunch and the researcher involved wouldn’t divulge it, to protect the compromised details.

Now, the apps have gone dark. Techcrunch revealed that the software has stopped working, and the websites advertising it have disappeared. The spyware’s Amazon Web Services storage has also been deleted. The publication speculated that the apps, which were branded separately but looked nearly identical, were possibly shut down to avoid legal repercussions over the data leak.

Stalkerware apps are designed to hide themselves once installed on a person’s phone. They collect data including the location of the device, messages sent by the user, and their contacts.

Spyzie’s web site, now no longer available, marketed the software as a tool to keep an eye on your kids. It advertised itself as “100% hidden and invisible so you never get caught”. It also offered to collect their browser history, WhatsApp messages (including deleted ones), Facebook messages, and call logs. Spyzie claimed to have over a million users in more than 190 countries.

These aren’t the only three apps that the same organization took down. According to archived records of the Spyzie site, it was operated by FamiSoft Limited. That company also produced another app targeting kids called Teensafe (its website is also now down). Other apps now taken down that the company claimed to have operated include Spyier, Neatspy, Fonemonitor, Spyine, and Minspy.

Stalkerware is typically installed by those with direct access to a user’s phone or computer, and typically doesn’t need you to root or jailbreak the device. Spyzie targeted both Android and iPhone platforms. While frequently marketed as a way to keep children safe, theses are also frequently used by abusive partners or ex-partners, as explained by the Federal Trade Commission. The Coalition against Stalkerware, of which Malwabytes is a founding member, offers advice on what to do if you’re being targeted by a stalker.

There have been several instances over the years of stalkerware apps leaking data. It’s especially pernicious because in many cases it isn’t just the email addresses of the stalkerware’s customers that is compromised; it’s the personal details of the people whose phones are being spied upon.

Those people may often not be aware that they’re being surveilled, or might have been forced to install the software against their wishes. They are victimized twice: once when an individual invades their privacy, and twice when crummy infrastructure exposes their information more widely. If a customer really is using such software as a way of protecting their children, they might want to reconsider their choices.

Are you a victim of domestic abuse, or are you worried that someone else is? If you’re in the US, you can contact the National Domestic Abuse Hotline. If you’re in the UK, the government has a useful resource page to help victims and the charity Refuge operates a hotline.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Stalkerware apps go dark after data breach 

Cybercriminals are using AI-based tools to generate voice clones of the voices of senior US officials in order to scam people.

The FBI has issued a warning about an ongoing malicious text and voice messaging campaign that impersonates senior US officials.

The targets are predominantly current or former US federal or state government officials and their contacts. In the course of this campaign, the cybercriminals have used test messages as well as Artificial Intelligence (AI)-generated voice messages.

After establishing contact, the criminals often send targets a malicious link which the sender claims will take the conversation to a different platform. On this messaging platform, the attacker may push malware or introduce hyperlinks that direct targets to a site under the criminals’ control in order to steal login information, like user names and passwords.

The AI-generated audio used in the vishing campaign is designed to impersonate public figures or a target’s friends or family to increase the believability of the malicious schemes. A vishing attack is a type of phishing attack in which a threat actor uses social engineering tactics via voice communication to scam a target—the word “vishing” is a combination of “voice” and “phishing.”

Due to the rapid developments in AI, vishing attacks are becoming more common and more convincing. We have seen reports about callers pretending to be employers, family, and now government officials. What they have in common is that they are after information they can use to steal money or sensitive information from the victim.

**How to stay safe**

Because these campaigns are very sophisticated and targeted, it’s important to stay vigilant. Some recommendations:

*   Independently verify the identity of the person contacting you, via a different method.
*   Carefully examine the origin of the message. The criminals typically use software to generate phone numbers that are not attributed to a specific mobile phone or subscriber.
*   Listen closely to the tone and word choice of the caller. Do they match those of the person allegedly calling you? And pay attention to any kind of voice call lag time.
*   AI-generated content has advanced to the point that it is often difficult to identify. When in doubt about the authenticity of someone wishing to communicate with you, contact your relevant security officials or the FBI for help.

If you believe you have been the victim of the campaign described above, contact your relevant security officials and report the incident to your local FBI Field Office or the Internet Crime Complaint Center (IC3) at www.ic3.gov. Be sure to include as much detailed information as possible.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Scammers are using AI to impersonate senior officials, warns FBI 

The bankrupt 23andMe, along with all of its genetic data, has been bought by US drugmaker Regeneron Pharmaceuticals.

The bankrupt genetic testing company 23andMe has been scooped up by drug producer Regeneron Pharmaceuticals for $256 million dollars.

But why would a pharmaceutical company like Regeneron buy a bankrupt genetics testing company like 23andMe for such a large amount of money?

Well, Regeneron is a leading biotechnology company that invents, develops, and monetizes life-transforming medicines for people with serious diseases. So, it seems obvious that Regeneron’s primary interest lies in the genetic data collected by 23andMe, and the situation raises complex ethical, privacy, and security concerns that customers should understand and address.

Regeneron has pledged to uphold data privacy and security, working closely with a court-appointed Customer Privacy Ombudsman, acknowledging the importance of customer data protection and the ethical use of genetic information.

Dr. George Yancopoulos, Regeneron’s president, said in a statement:

> “We believe we can help 23andMe deliver and build upon its mission to help people learn about their own DNA and how to improve their personal health, while furthering Regeneron’s efforts to improve the health and wellness of many.”

However, the scenario is less grim than the fears uttered by Senator Cassidy, chair of the US Senate Health, Education, Labor, and Pensions Committee, who expressed concerns about foreign adversaries, including the Chinese Communist Party, acquiring the sensitive genetic data of millions of Americans through 23andMe.

Regeneron already manages genetic data from nearly three million people, so 23andMe’s 15 million customers significantly expand this resource. Besides the genetic data itself, Regeneron likely values the consumer genetics business infrastructure and research services that 23andMe built, which can complement Regeneron’s pharmaceutical pipeline and personalized medicine efforts.

Genetic data is uniquely sensitive because it contains deeply personal information about an individual’s health risks, ancestry, and even family relationships. Unlike traditional medical records protected under HIPAA, 23andMe’s genetic data is covered primarily by consumer privacy laws, which offer weaker protections.

**What can consumers do to protect their data?**

Customers should actively manage their data on 23andMe by reviewing policies, deleting data if desired, and staying vigilant about how their sensitive genetic information is used.

People that have submitted samples to 23andMe have three different options, each providing a different level of privacy.

****1\. Delete your genetic data from 23andMe****

For 23andMe customers who want to delete their data from 23andMe:

*   Log into your account and navigate to **Settings**.
*   Under **Settings**, scroll to the section titled **23andMe data**. Select **View**.
*   You will be asked to enter your date of birth for extra security. 
*   In the next section, you’ll be asked which, if there is any, personal data you’d like to download from the company (make sure you’re using a personal, not public, computer). Once you’re finished, scroll to the bottom and select **Permanently delete data**.
*   You should then receive an email from 23andMe detailing its account deletion policy and requesting that you confirm your request. Once you confirm you’d like your data to be deleted, the deletion will begin automatically, and you’ll immediately lose access to your account. 

****2\. Destroy your 23andMe test sample****

If you previously opted to have your saliva sample and DNA stored by 23andMe, but want to change that preference, you can do so from your account settings page, under “Preferences.”

****3\. Revoke permission for your genetic data to be used for research****

If you previously consented to 23andMe and third-party researchers using your genetic data and sample for research, you may withdraw consent from the account settings page, under **Research and Product Consents**.

**Check if you were caught up in the 23AndMe data breach**

Additionally, you may want to **check if your data was exposed in the 2023 data breach**. We recommend that you run a scan using our free Digital Footprint Portal to see if your data was exposed in the breach, and then to take additional steps to protect yourself (we’ll walk you through those).

**We don’t just report on data privacy—we help you remove your personal information**

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

 23andMe and its customers&#8217; genetic data bought by a pharmaceutical org 

You'd hope that spending $6,000 on a printer would give you a secure experience, free from viruses and other malware. However, in the case of Procolored printers, you'd be wrong.

 Malware-infected printer delivered something extra to Windows users 

This week on the Lock and Code podcast, we speak with Nick Melvoin about the Los Angeles Unified School District smartphone ban for students.

_This week on the Lock and Code podcast…_

There’s a problem in class today, and the second largest school district in the United States is trying to solve it.

After looking at the growing body of research that has associated increased smartphone and social media usage with increased levels of anxiety, depression, suicidal thoughts, and isolation—especially amongst adolescents and teenagers—Los Angeles Unified School District (LAUSD) implemented a cellphone ban across its 1,000 schools for its more than 500,000 students.

Under the ban, students who are kindergartners all the way through high school seniors cannot use cellphones, smartphones, smart watches, earbuds, smart glasses, and any other electronic devices that can send messages, receive calls, or browse the internet. Phones are not allowed at lunch or during passing periods between classes, and, under the ban, individual schools decide how students’ phones are stored, be that in lockers, in magnetically sealed pouches, or just placed into sleeves at the front door of every classroom, away from students’ reach.

The ban was approved by the Los Angeles Unified School District through what is called a “resolution”—which the board voted on last year. LAUSD Board Member Nick Melvoin, who sponsored the resolution, said the overall ban was the right decision to help students.  

“The research is clear: widespread use of smartphones and social media by kids and adolescents is harmful to their mental health, distracts from learning, and stifles meaningful in-person interaction.”

Today, on the Lock and Code podcast with host David Ruiz, we speak with LAUSD Board Member Nick Melvoin about the smartphone ban, how exceptions were determined, where opposition arose, and whether it is “working.” Melvoin also speaks about the biggest changes he has seen in the first few months of the cellphone ban, especially the simple reintroduction of noise in hallways.

> “\[During a school visit last year,\] every single kid was on their phone, every single kid. They were standing there looking, texting again, sometimes texting someone who was within a few feet of them, and it was quiet.”

Tune in today to listen to the full episode.

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 How Los Angeles banned smartphones in schools (Lock and Code S06E10) 

Make sure your Chrome is on the latest version, to patch against an actively exploited vulnerability that can be used to steal sensitive information from websites.

Source

Malwarebytes