Fake emails pretending to come from the US Social Security Administration try to get targets to install ScreenConnect for remote access.

Fake emails pretending to come from the US Social Security Administration (SSA) try to get targets to install ScreenConnect, a remote access tool.

_This campaign was flagged and investigated by the Malwarebytes Customer Support and Research teams._

ScreenConnect, formerly known as ConnectWise Control, is a remote support and remote access platform widely used by businesses to facilitate IT support and troubleshooting. It allows technicians to remotely connect to users’ computers to perform tasks such as software installation, system configuration, and to resolve issues.

Because ScreenConnect provides full remote control capabilities, an unauthorized user with access can operate your computer as if they were physically present. This includes running scripts, executing commands, transferring files, and even installing malware—all potentially without you realizing.

This makes ScreenConnect a dangerous tool in the hands of cybercriminals. A phishing group dubbed Molatori—because of the domains they use to host the ScreenConnect client—has been found to lure their targets into installing the ScreenConnect clients by sending emails pretending to come from the Social Security Administration (SSA):

> “Your Social Security Statement is now available  
> Thank you for choosing to receive your statements electronically.  
> Your document is now ready for download:
> 
> *   Please download the attachment and follow the provided instructions.
> *   NOTE: Statements & Documents are only compatible with PC/Windows systems.”

There are some variations to this mail in circulation but the example above shows how legitimate these emails look.

The link in the email leads to the ScreenConnect support.Client.exe, but was found under several misleading names like ReceiptApirl2025Pdfc.exe, and SSAstatment11April.exe.

After cybercriminals install the client on the target’s computer, they remotely connect to it and immediately begin their malicious activities. They access and exfiltrate sensitive information such as banking details, personal identification numbers, and confidential files. This stolen data can then be used to commit identity theft, financial fraud, and other harmful acts. Experts have identified financial fraud as the primary objective of the Molatori group.

There are several circumstances that make this campaign hard to detect:

*   The cybercriminals send phishing emails from compromised WordPress sites, so the domains themselves appear legitimate and not malicious.
*   They often embed the email content as an image, which prevents email filters from effectively scanning and blocking the message.
*   ScreenConnect is a legitimate application which happens to be abused because of its capabilities.

**What we can do**

When receiving unsolicited emails there are a few necessary precautions you can take to avoid falling for phishing:

*   Verify the source of the email through independent sources.
*   Don’t click on links until you are sure they are non-malicous.
*   Don’t open downloaded files or attachments until you are sure they are safe.
*   Use an up-to-date and active anti-malware solution.
*   If you suspect an email isn’t legitimate, take a name or some text from the message and put it into a search engine to see if any known phishing attacks exist using the same methods.

**Malwarebytes users are protected**

Malwarebytes will detect suspicious instances of the ScreenConnect client as RiskWare.ConnectWise.CST.

And blocks connections to these associated domains:

*   atmolatori\[.\]icu
*   gomolatori\[.\]cyou
*   molatoriby\[.\]cyou
*   molatorier\[.\]cyou
*   molatorier\[.\]icu
*   molatoriist\[.\]cyou
*   molatorila\[.\]cyou
*   molatoriora\[.\]cyou
*   molatoriora\[.\]icu
*   molatoripro\[.\]cyou
*   molatoripro\[.\]icu
*   molatorisy\[.\]cyou
*   molatorisy\[.\]icu
*   onmolatori\[.\]icu
*   promolatori\[.\]icu
*   samolatori\[.\]cyou
*   samolatori\[.\]icu
*   umolatori\[.\]icu

**We don’t just report on data privacy—we help you remove your personal information**

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

 Fake Social Security Statement emails trick users into installing remote tool 

A former Disney employee has been sentenced to three years in prison for computer fraud and identity theft.

A former Disney employee, Michael Scheuer, will serve three years in prison for computer fraud and aggravated identity theft after a digital sabotage campaign against his ex-employer. In addition to his sentence, he must pay nearly US$688,000 in restitution.

Scheuer, a former menu production manager at Walt Disney World, launched his campaign after being fired for misconduct in June 2024. He broke into the internal menu creation system for Disney park restaurants, falsely labeling certain foods as allergy-safe when they weren’t. This included changing items with peanuts to be listed as peanut-free, which could be fatal for individuals with peanut allergies. In some cases, he altered wine region labels to reference locations of recent mass shootings.

He also tampered with prices, inserted profanity, switched QR codes to link to a site promoting a boycott of Israel over its invasion of Gaza, and changed the menu font to Wingdings — a symbol-based typeface instead of standard letters and numbers.

Fortunately, Disney detected the changes before they reached customers.

Scheuer didn’t stop with menu manipulation. He deployed a bot to repeatedly try logging into at least 14 employee accounts, locking out staff and rendering the accounts unusable. Investigators later found a “dox” folder on his computer, containing personal identifiable information (PII) of his targets. “Doxing” — also spelled “doxxing” — refers to collecting and exposing someone’s personal information to intimidate, shame, or harass them.

After authorities arrested Scheuer in October 2024, he pleaded guilty and expressed remorse. However, prosecutors pushed for a 70-month sentence due to the scope and seriousness of his actions.

Scheuer’s lawyer David Haas said:

> “Mr. Scheuer remains remorseful and apologetic to the victims. We are grateful that the Judge heard all of our arguments and mitigation when fashioning a sentence that was half of what the Government was seeking.”

Several cybersecurity mistakes were made both sides of this conflict.

*   Disney should have disabled the accounts used by the disgruntled ex-employee, especially when the company was aware his termination was contentious.
*   While Scheuer used a VPN, the range of his IP addresses was in the same range as when he still worked for Disney and used the same VPN.
*   The use of Wingdings messed up the menu system so bad that the Menu Creator became inoperable and the action was bound to be found out.
*   Changing menu items to falsely claim there are no peanuts in them could have had fatal consequences.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Digital rampage saw ex-Disney employee remove nut allergy info from menus, dox co-workers, and more 

AI search service Perplexity AI doesn't just want you using its app—it wants to take over your web browsing experience too.

AI search service Perplexity AI doesn’t just want you using its app—it wants to take over your web browsing experience too. The company is planning to launch its own browser, called Comet, next month. But what does this mean for your privacy?

Launched in 2022, Perplexity AI is an AI-powered search engine. It combines web crawling with natural language models to collect and distill data from around the web to answer users’ questions. Its freemium model gives users access to basic features powered by a simpler AI model, while the paid version lets people experiment with different kinds of more powerful AI models from companies including ChatGPT and Anthropic.

The company, which has surfed the enthusiasm over AI to rack up a valuation of $9bn, has big ambitions. In January, it submitted a proposal to merge with TikTok. Now the Comet project sees it tackle a tricky product category.

Browsers are notoriously difficult products to build, which is why so few organizations have done it, and why those that do often use the same underlying Chromium engine. It’s also likely why Perplexity has already delayed and scaled down its browser development. Nevertheless, CEO Aravind Srinivas feels that it’s worth building a product in a category that has mostly been free for users.

One of the main reasons, as he admits, is so Perplexity can get its hands on more data about its users. Simply harvesting your direct queries to the Perplexity AI app isn’t enough, he explained on the TBPN podcast.

> “We want to get data even outside the app to better understand you. Because some of the problems that people \[solve\] in these AIs are purely work related. It’s not that personal.

Taking AI-powered interactions outside the AI app into the browser bridges that chasm, he says:

> “On the other hand, like what are the things you’re buying? Which hotels are you going \[to\]? Which restaurants are you going to? What are you spending time browsing? \[These things\] tell us so much more about you that we plan to use all the context to build a better user profile.”

That extensive data profile will help it tailor highly targeted advertising to individuals. It would then serve these up via its Discover feed, he said, which is an online news service that the company runs based on surfing other web sites.

This highlights a worrying but unsurprising trend in tech: privacy tends to be a casualty when new technologies emerge. The smartphone (essentially a mobile sensor package in your pocket) is probably the biggest example of this, but we also saw it when researchers caught Apple passing accidentally-captured audio picked up by Siri to third-party contractors, and later keeping snippets of conversations from customers who opted out.

More recently, Meta’s Ray-Ban smart glasses – which capture whatever the wearer is looking at and listening to – has also come under fire. Meta includes a hardware switch to ensure that users can turn recordings off. However, in 2021 Regulators criticized what they felt was a very small indicator light on the glasses to show that they were recording, and multiple EU regulators raised concerns about their privacy.

Tech companies often take a measured approach when describing how they slurp up user data. In a way it’s refreshing that people like Srinivas are at least happy or oblivious enough to say the quiet part out loud. It means that people know what they’re dealing with and can make an informed decision.

Comments on the podcast were limited, but at least one commenter seemed to have done just that. “That’s creepy af,” they posted. “I hope nobody is going to actively use the browser. Screw that!”

The most telling aspect of all this? We searched through the podcast and the word ‘privacy’ didn’t come up once. In an industry that constantly dazzles consumers with new and shiny technology, it’s more important than ever that you keep your eyes open and focused on the financial motives underpinning it all.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 What privacy? Perplexity wants your data, builds browser to track you and serve ads 

WorkComposer, an employee monitoring app, has leaked millions of screenshots through an unprotected AWS S3 bucket.

Unfortunately, spyware apps with poor reputations and even weaker security practices are all too common.

I’ve lost count of how many blogs I’ve written about stalkerware\-type apps that not only exposed the people they spied on but also ended up exposing the spies themselves.

However, perhaps one would expect an employee monitoring app to be of a higher standard. Not in this case.

Cybernews recently uncovered that employee monitoring app WorkComposer left over 21 million images exposed in an unsecured Amazon AWS S3 bucket. These images show a frame-by-frame activity log of remote workers.

This is not just bad news for those remote workers, it could be even worse for the WorkComposer customers that can see internal communications, confidential business documents, and log in pages exposed to anyone that stumbled over the unprotected bucket.

An S3 bucket is like a virtual file folder in the cloud where you can store various types of data, such as text files, images, videos, and more. There is no limit to the amount of data you can store in an S3 bucket, and individual instances can be up to 5 TB in size.

The WorkComposer software logs keystrokes, tracks how long an employee spends on each app, and records desktop screenshots every few minutes. This means those 21 million images could reveal everything from work processes to employees’ private information.

Although there are no indications that cybercriminals gained access to the same bucket, WorkComposer has failed to respond to any notifications and queries. It did secure the access after being notified, but did not provide any comments.

This incident echoes a previous Cybernews investigation that found WebWork, another remote team tracker, leaked over 13 million screenshots containing emails, passwords, and other sensitive work data.

**What to do if your employer used WorkComposer**

There are some actions you can take if you are, or suspect you may have been monitored by WorkComposer.

*   **Change the passwords that may have been seen.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for phishing attacks.** Cybercriminals may use the information to craft convincing phishing emails, SMS, or messages pretending to be from trusted sources. Do not click on suspicious links or respond to unexpected messages requesting personal or work information.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.
*   **Report suspicious activity.** If you notice any suspicious emails, messages, or unauthorized access attempts, report them immediately to your IT department or manager. Early reporting can help contain potential damage and prevent further breaches.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Employee monitoring app exposes users, leaks 21+ million screenshots 

A list of topics we covered in the week of April 21 to April 27 of 2025

April 28, 2025 - WorkComposer, an employee monitoring app, has leaked millions of screenshots through an unprotected AWS S3 bucket.

April 25, 2025 - After hearing about ChatGPT o3 ability at geo-guessing we decided to run some tests and the tested AIs didn't fail to amaze us

April 24, 2025 - Attackers are luring victims into a Zoom call and then taking over their PC to install malware, infiltrate their accounts, and steal their assets.

April 24, 2025 - A newly discovered malicious program effectively turns Android phones into malicious tap machines that vacuum up payment card data.

April 24, 2025 - Blue Shield of California said it accidentally leaked the personal data of 4.7 million individuals to Google after a Google Analytics misconfiguration.

 A week in security (April 21 &#8211; April 27) 

After hearing about ChatGPT o3 ability at geo-guessing we decided to run some tests and the tested AIs didn't fail to amaze us

If you are worried about revealing your exact location—or if you maybe even fib about it at times—there are some good reasons to worry about what is visible in background photos, because Artificial Intelligence (AI) is getting very good at guessing where you are based on the smallest of clues. And that might even include audio clues, if given the right data.

Our curiosity was triggered by this article in TechRadar claiming that ChatGPT o3 can geo-guess your location from almost any photo. So, we decided to do some tests and removed the metadata from a few selected photographs that I took myself and never published anywhere (for quality reasons, obviously).

Metadata can include technical details like camera settings, date and time, location, and descriptive information like captions or keywords. And we wanted to test the AI’s capability on the picture itself—not on additional data included in the file. I also used a VPN so I didn’t give away my current location.

We started with an easy one. A landmark in a relatively large city, but from a strange perspective. The picture was part of a selfie taken through a window of an office building in Cork.

view over Cork, Ireland

It was no real surprise that ChatGPT got this right.

> “Alright, let’s break this one down — this does have some standout features that make it easier to geo-locate. Here’s the reasoning step by step:”

> **🧱 Architectural Clues:**
> 
> *   The old stone building in the foreground has **Georgian-style windows and masonry**, which are common in parts of the British Isles, especially in **Ireland** and **the UK**.
> *   The clock tower in the back-left with the **green copper dome** is particularly distinctive and often used in civic buildings in Ireland.
> *   The **mix of historical and modern buildings**, with the newer glass-fronted offices across a small river or canal, suggests urban regeneration in a historically rich city.

> **🌉 Infrastructure and Environment:**
> 
> *   The modern bridge with a **blue banner advertisement** and the **tree-lined waterfront** hints at a city that integrates riverways into its urban design.
> *   The road signs and general driving direction suggest **left-hand traffic**, supporting a guess of **Ireland or the UK**.

> **🏛** **Key Landmark:**
> 
> The building with the green dome in the background looks **very much like the clock tower of Cork City Hall in Ireland**. The angle of the shot shows the old Custom House building in front, and the modern offices across the **River Lee**, which runs through Cork.

This was spot on. But surely ChatGPT is not the only AI good at geo-guessing, so we used the same picture to test Perplexity as well.

> “This image provides several strong clues for geo-guessing:
> 
> The architecture of the foreground building is classic Georgian or early Victorian, with grey stone and sash windows—styles common in the British Isles, especially Ireland and the UK.
> 
> The river, modern glass buildings, and the steel bridge suggest a city that blends historical and contemporary elements.
> 
> The most distinctive feature is the clock tower with a green dome in the background. This is a well-known landmark: the Cork Courthouse clock tower in Cork, Ireland.
> 
> The bridge over the river and the combination of old and new buildings align with the area around the River Lee in Cork city centre.
> 
> **Conclusion**
> 
> This photo was taken in Cork, Ireland, looking out over the River Lee. The stone building in the foreground is part of the historic courthouse complex, and the green-domed clock tower is a prominent feature of Cork’s skyline. The modern glass buildings and bridge further confirm this as central Cork, a city known for its mix of heritage and modern development.”

Perplexity provided almost the same level of accuracy, so we decided to raise the difficulty level. A lot.

Landscaping in progress around Dutch holiday home

You’ll have to agree that this photo doesn’t give away a lot. But the AI tools took some unexpected clues from the picture.

Here is what ChatGPT determined:

> **🧩 Visual Clues:**
> 
> 1.  **Architecture:**
>     *   The buildings are modular and prefabricated in appearance, with light-colored paneling and dark window/door frames.
>     *   This type of house is common in northern Europe, especially in the Netherlands, Germany, Denmark, or parts of the UK.
> 2.  **Landscape:**
>     *   Very flat terrain with closely trimmed hedges and grassy areas.
>     *   This suggests low-lying regions—again pointing to places like the Netherlands or Belgium.
> 3.  **Infrastructure & Construction Tools:**
>     *   The pavers being laid and the wheelbarrows used (particularly the yellow color and shape) are very common in northern and western European construction.
> 4.  **Weather and Lighting:**
>     *   Overcast sky and soft, diffused lighting typical of northern Europe in autumn or early spring.
> 5.  **Small Details:**
>     *   The small shed in the back, the organization of tools, and cleanliness/horticulture are consistent with Dutch/German design sensibilities.
>     *   The wheelbarrow has the brand name “Fort”, which is a Dutch manufacturer—this is a **very strong clue**.
> 
> **🌍** **Likely Guess:**
> 
> **The Netherlands** 🇳🇱
> 
> **📍****Narrowing it Down:**
> 
> Given the modular housing, flat landscape, and Fort-brand wheelbarrow, this could be a holiday park, construction site, or suburban area in the Dutch countryside. Possibly in a province like **North Holland**, **South Holland**, or **Friesland** where such structures and environments are typical.

I must admit I was amazed that it mentioned South Holland which is where this photograph was taken.

Perplexity did not come as close as ChatGPT, but the tool did reach this conclusion:

> “Based on architectural style, landscaping, and contextual clues, this scene is almost certainly from the Netherlands. It showcases the country’s embrace of modular housing and practical, tidy outdoor spaces, reflecting broader trends in Dutch residential design and sustainable living.”

Which is still a lot better than I expected when I selected that picture.

**Bird songs**

So, modern AI tools can pick up visible clues. But then I had another idea—call it an epiphany if you will—which deserves a brief explanation. I use an app called Merlin Bird ID which is able to identify birds based on their singing.

Some bird species are a lot more local than others, so I asked Perplexity:

> “Would it be possible to do geo-guessing based on bird songs? And how many species do you think it would take to make a good guess?”

The answer:

> “How Many Species Are Needed?
> 
> One Species: Sometimes, a single species is enough if it’s highly range-restricted (e.g., endemic to an island or a small region). However, this is rare.
> 
> A Few Species (3–5): In most cases, hearing three to five distinct species can allow for a strong guess, especially if their ranges only overlap in a limited area.
> 
> More Species, More Precision: The more species you can identify, the more precisely you can geo-locate. With about 10–15 species, especially if some are local specialties, you can often narrow it down to a specific region, habitat, or even a particular park or reserve.”

So, I tried an experiment and offered both AI tools (ChatGPT and Perplexity) a list of bird song matches made from my Merlin Bird ID app. Here is the bird list, and what they tell us about where those birds are located:

**Latin Name**

**Common Name**

**Clue**

**Fringilla coelebs**

Chaffinch

Common across Europe

**Turdus merula**

Eurasian Blackbird

Also common across Europe

**Parus major**

Great Tit

Ubiquitous, widespread

**Grus grus**

Common Crane

Migratory — breeds in Scandinavia, Baltics, parts of Central Europe; passage bird elsewhere

**Carduelis carduelis**

European Goldfinch

Europe and western Asia

**Turdus viscivorus**

Mistle Thrush

Forests, open woodland — common in Europe

**Certhia brachydactyla**

Short-toed Treecreeper

Tells us something — this species avoids northern/colder parts of Europe (rare in the UK, absent in Scandinavia)

**Ardea alba**

Great Egret

Formerly rare in Europe, but now expanding — increasingly common in wetlands and rivers of Central and Southern Europe

**Sylvia atricapilla**

Eurasian Blackcap

Woodland; migratory in north, resident in south

**Anthus trivialis**

Tree Pipit

Breeds in open woodlands across Europe; migratory

**Vanellus vanellus**

Northern Lapwing

Farmland, wet grasslands; declining in the west but still widespread

In analyzing this list, Perplexity was the “winner,” able to more accurately guess my location:

> “Given all of these factors, my best guess is that you were somewhere in Northern Europe, likely Germany, Denmark, the Netherlands, or the UK. Without more information about habitat (e.g., forest, farmland, coast), it’s difficult to narrow it down further.”

Here was ChatGPT’s response to the same bird song list:

> **🗺️** **My Final Geo-Guess:**
> 
> You were likely in **Germany** — possibly in **northern or eastern Germany** (e.g., Brandenburg or Mecklenburg-Vorpommern), which is:
> 
> *   On the **Grus grus migration route**
> *   Rich in mixed forests and wetlands
> *   Within the range of **Certhia brachydactyla**
> *   Likely to host **all the species** you heard, in late April

In reality, the birds were recorded near the Dutch-German border, which put ChatGPT off by almost 400 miles, whereas Perplexity mentioned both countries I was in or close to, but covered a large area with its geo-guess.

**Conclusion**

If you’re making selfies or vlogging and you don’t want to give away your location, you’ll need to be very aware of your visual and auditory surroundings. A wheelbarrow of a specific brand or the sound of a bird with a limited habitat are enough to provide hints about your location. With enough hints, AI can deduce your exact location.

With social media being used for AI training, it is likely that these results will rapidly gain even more in accuracy.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

 AI is getting “creepy good” at geo-guessing 

Attackers are luring victims into a Zoom call and then taking over their PC to install malware, infiltrate their accounts, and steal their assets.

Be careful when talking to people you’ve not met with before over the Zoom video conferencing system; you might get more than you bargained for. Two CEOs were recently targeted by a Zoom-based attack. One spotted it in time – and sadly, one did not.

The attack is by a crime group that the Security Alliance call ELUSIVE COMET in a warning about the threat last month. ELUSIVE COMET targets its victims by luring them into a Zoom video call and then taking over their PC to install malware, infiltrate their accounts, and steal their assets.

The group typically approaches victims with a supposed media opportunity to get them interested, and then sets up an introductory Zoom call. During that video meeting, the attacker keeps their screen switched off, but sends a remote control request to the victim.

Remote control is a feature in the Zoom app that allows someone else to take control of your PC. It’s great if, for example, you’re not very tech-savvy and you want your grandchild to fix your computer from the other side of the country. It’s less good if you agree to a remote control request from someone you don’t know – especially if you don’t know you’re doing so.

That’s what happens to victims during their fraudulent call from ELUSIVE COMET. When the remote control request comes through to the victim, the notification says “<Participant> is requesting remote control of your system” where <Participant> is the participant’s screen name. In this takeover attempt, the attacker changes their screen name to ‘Zoom’ before sending the remote control request so it appears as though the app itself is requesting control.

Some rushed or distracted people might assume that’s a valid request from the app, perhaps as a precursor to recording a call or displaying new content. If the victim accepts, it’s game over, and the attacker can take full control of the victim’s system.

**Zoom takeovers in action**

ELUSIVE COMET tried this trick on the CEO of cybersecurity consulting company Trail of Bits, but it didn’t work on him. After receiving an invitation to appear on “Bloomberg Crypto,” he suspected something was amiss.

The attackers approached him via the X social media network and refused to switch to email when asked. Then they used a third-party booking system called Calendly to arrange the call. While Calendly is a legitimate service, the attackers hadn’t branded their Calendly pages with Bloomberg’s logo, which the CEO felt was suspicious. After checking into some of the data gathered on the group in the Security Alliance advisory, the CEO realized what was happening.

Sadly, that wasn’t the case for Jake Gallen, who owns a cryptocurrency company called Emblem Vault. As he describes in a postmortem thread on X earler this month, he also got a media invitation from an X account, this time called @tacticalinvest\_, to appear on a podcast. He took the bait.

“While the interview was ongoing @tacticalinvest\_ was downloading malware on my computer known as goopdate,” he reports, “which was powerful enough to steal >$100k in digital assets from my Bitcoin and Ethereum wallets, as well as log into my twitter, gmail, and other accounts.”

Gallen did his due diligence. Before he took the meeting, he did some research and found that the account had a large audience, with a history of consistent posts and videos. There was also a YouTube account. This illustrates just how sneaky some of these attackers can be, and how even tech-savvy people can be duped.

While you might not be a business owner or influencer looking for exposure, it’s worth paying attention to who you let into Zoom meetings, and who you give control of the meeting to. Let’s not also forget that there’s an ongoing trend of people ‘Zoombombing’ by infiltrating others’ meetings.

**How to stay safe**

One of the easiest approaches is to avoid installing Zoom’s app and simply use it in the browser where possible. Running Zoom in the browser limits its functionality, including not allowing remote control of your system. Zoom gives you this option when you attempt to join a meeting without opening the app.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Zoom attack tricks victims into allowing remote access to install malware and steal money 

A newly discovered malicious program effectively turns Android phones into malicious tap machines that vacuum up payment card data.

Got an Android phone? Got a tap-to-pay card? Then you’re like millions of other users now at risk from a new form of cybercrime – malware that can read your credit or debit card and hand its data over to an attacker. A newly discovered malicious program effectively turns Android phones into malicious tap machines that vacuum up payment card data and send it to cybercriminals half a world away. All you have to do is install the software and tap your card to your phone – and criminals excel at persuading you to do just that.

The malware, which cybersecurity company Cleafy calls SuperCard X, uses a feature now found in most Android phones: near-field communication (NFC). This enables your phone to read the data on a supporting payment card when it comes close enough. It’s how tap-to-pay machines found in retailers and ATMs work their magic.

Attackers get the malicious software via a malware-as-a-service model. This enables them to become affiliates for the developers of the software, who typically offer it for a percentage of the attackers’ takings. They can then focus on finding and targeting victims with social engineering attacks, which Cleafy says they’ve been doing in Italy.

**How the attack works**

First the attackers have to get the malware onto someone’s Android phone. That starts with a fraudulent ‘smishing’ message sent via SMS or WhatsApp, often impersonating a bank and asking the user to call.

The telephone number connects the victim to the attacker, who then persuades them to give up their PIN and log into their bank account. From there, they persuade the victim to remove the spending limits on their card, and then to install what they claim is a security application, sent to their phone as a link. This contains the SuperCard X malware.

Finally comes the payoff. The attacker, who by now will likely have built up a rapport with the victim, will ask them to tap their card to their phone. The malware then captures the card details, which it then sends to the attacker’s own Android phone. They can then use the phone as a cloned card for contactless payments. If you’ve ever tapped your phone instead of your card to pay for something, you’ll know how easy that is to do.

**Where did SuperCard X come from?**

Like much malware, SuperCard X didn’t come out of nowhere. Cleafy says that it shares code with another piece of malware called NGate, discovered last year. Both of these are likely built on concepts first outlined in NFCGate, a freely available open-source NFC software tool developed by German’s Technical University of Darmstadt.

SuperCard X’s developers have focused on making this software as stealthy as possible. Most antivirus programs for Android fail to spot it, says Cleafy. That’s because it asks for as few privileges as possible on the phone, and it doesn’t include many of the features that other malware has. In short, the less that a malicious program does on a phone, the smaller its footprint is and the more silent it can be.

This malware is a cybercriminal’s favorite for several reasons. Rather than attacking people with accounts at a particular bank, it works against anyone with a payment card, increasing the attacker’s scope. It’s also instant, compared to thefts by wire transfer, which can take days to complete.

It is important to note that payment framework**s** like Google Pay, Apple Pay, Samsung Pay, and som b**a**nk-specific wallet apps  use dynamic cryptographic tokens — which are similar in concept to the “rolling codes” often used in car keyless entry systems — to prevent signal replay attacks.

**How to protect yourself**

But, as with many things, the best defense is you. In this case, protection is simple. The cybercriminals behind this attack can’t do anything unless you install the software on your phone, and so they go through several steps to convince you to do so.

Be skeptical of text messages from people you don’t know, especially those claiming to be urgent. Scammers typically try and panic you into a fast response. When they get you on the phone, they can befriend you, further impeding your ability to think critically and say “no”.

If you can’t help yourself and feel compelled to take action, check in with a trusted family member if available to get their perspective. If you’re still convinced, then at least verify the message first. Call your financial institution through an official number – not through the one in the text message. We’ll bet a steak dinner that they won’t know what you’re talking about.

Never give personal details to anyone you don’t know who contacts you via text message, and never change your banking details at their request. And if anyone asks you to install software sent via text message, refuse and end the communication.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Android malware turns phones into malicious tap-to-pay machines 

Blue Shield of California said it accidentally leaked the personal data of 4.7 million individuals to Google after a Google Analytics misconfiguration.

Blue Shield of California leaked the personal data of 4.7 million people to Google after a Google Analytics misconfiguration. The tech giant may have used this data for targeted advertising, according to Blue Shield, which is one of the largest health insurers in the US.

In a data breach notice on its website, Blue Shield says it had begun notifying “certain members of a potential data breach that may have included elements of their protected health information.”

Blue Shield a nonprofit health insurer serving nearly 6 million members, used Google Analytics to monitor how customers interacted with its websites to improve services. However, a configuration error in Google Analytics allowed sensitive member data to spill to Google Ads, potentially exposing customer data for almost three years. This likely included protected health information.

Blue Shield stated, “Google may have used this data to show targeted ad campaigns to individual members.”

The transmission of data took place between April 2021 and January 2024. The leaked information includes various details such as the type of health insurance plan, postal code and city, gender, family size, account IDs, names of insured persons, and search queries related to finding a doctor, which could reveal members’ health concerns or needs.

Blue Shield said there was no leak of other types of personal information, such as Social Security numbers, driver’s license numbers, or banking or credit card information.

After discovering the leak, Blue Shield said it reviewed all its websites to ensure no other tracking software was sharing protected health information with third parties.

Usually in a data breach we can point at cybercriminals that went out of their way to obtain the data. In this case, a simple misconfiguration shared data with an entity—that already knows so much about us—that then used the information for targeted advertising.

Maybe this case can serve as a cautionary tale about using analytics tools in areas where misconfigurations can lead to severe privacy violations, especially when sensitive data is involved.

Blue Shield is notifying all customers who may have accessed their member information on the potentially impacted Blue Shield websites during the relevant time frame.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

Source

Malwarebytes