Google says it's Gemini AI will soon be able to access your messages, WhatsApp, and utilities on your phone. But we're struggling to see that as a good thing.

If you’re an Android user, you’ll need to take action if you don’t want Google’s Gemini AI to have access to your apps. That’s because, regardless of your previous settings, Google now allows Gemini to interact with third-party apps.

Through Gemini extensions, it already had the ability to integrate with apps to lend a helping hand and make Google Assistant obsolete. From an email I received in April from Google Gemini:

> **Gemini uses info from your devices and services to help you**
> 
> Gemini uses this info to provide more customized and context-aware help. Gemini accesses certain system permissions and data, like call and message logs, contacts (to help you keep in touch), and screen content (to help you act on it).
> 
> **Gemini works with apps**  
> Gemini can respond with real-time info from other tools, apps, and services like Google Keep and YouTube. To allow connected apps to generate helpful responses, Gemini shares some of your info with them. You can manage your apps in your settings.  

Then further on, it said:

> **Gemini activity and your choices**    
> When you use Gemini, Google collects your activity, like your chats (including recordings of your Gemini Live interactions), what you share with Gemini (like files, images, and screens), product usage information, feedback, and info about your location. This data is stored in Activity (if it’s on), reviewed by trained reviewers, and used to improve Google services, including generative AI.

The bit about trained reviewers was enough for me to decide against using it. There are many AI options that offer a lot more privacy.

But now, according to a Ars Technica, Google has sent an email to Android users that takes it one step further.

_Image courtesy of ArsTechnica_

> “We’ve made it easier for Gemini to interact with your device  
> We’re updating how Gemini interacts with some of the apps on your Android device.  
> Gemini will soon be able to help you use your Phone, Messages, WhatsApp, and utilities on your phone, **whether your Gemini Apps Activity is on or off**.
> 
> This change will **start automatically rolling out** on July 7, 2025.  
> If you don’t want to use these features, you can turn them off in the Apps settings page.
> 
> **If you have already turned these features off, they will remain off.**
> 
> For more details on how these features work with your data, please see the Gemini Apps Privacy Hub.”

_Note: I did not receive this email and the Gemini app is not on my phone. That could be because I’m using a Samsung phone and Samsung offers Bixby as a virtual assistant. It might be my location: sometimes Europe gets these features later. Or potentially the phone is too old (2019)._

**Good news or not?**

While Google presents this as happy news, we’re not in full agreement. Google enabling Gemini to access third-party apps promises exciting AI-driven features but also introduces significant privacy, security, and control challenges.

Android users who want to protect their data and limit AI access should check their app permissions and disable unnecessary AI integrations. However, it turns out, this is not easy. First off, there is a contradiction in Google’s statements. In one place it says the change will automatically start rolling out and will give Gemini access to apps such as WhatsApp, Messages, and Phone “whether your Gemini apps activity is on or off.” But in another place it claims, “If you have already turned these features off, they will remain off.”

This is confusing, and even well-versed users are having problems finding the appropriate settings.

All we can do is advise you to make your own, informed, decisions as much as you can:

*   If Android introduces notifications or permission prompts for Gemini access, pay close attention and deny access where possible.
*   Regularly check app permissions in **Settings** > **Privacy** > **Permission Manager** and revoke permissions that are not essential, especially those related to sensitive data (contacts, messages, microphone, camera).
*   If possible, keep your Android OS and apps updated to benefit from security patches and improved privacy controls.
*   Don’t underestimate the importance of an active anti-malware solution on your Android phone.

If Google wants users to be happy about new features, than we’d prefer it announce them and then explain how those who like them can enable them. Don’t turn on settings that we’ve never asked for.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 No thanks: Google lets its Gemini AI access your apps, including messages 

Identity-based cyberattacks soar 156%, driven by cheap Phishing-as-a-Service & infostealer malware. Learn how criminals bypass MFA to steal credentials, access bank accounts, and compromise business emails.

According to cybersecurity researchers at eSentire, infostealer malware and advanced phishing toolkits are behind a massive 156% jump in cyberattacks targeting user logins and identity information impacting both office and remote workers.

eSentire’s report, shared with Hackread.com also noted attackers increasingly focusing on stealing login details and session cookies, which they then use to commit financial crimes like Business Email Compromise (BEC) and cryptocurrency theft.

****The Rise of Phishing and Infostealers-as-a-Service****

A key factor driving this surge, as per the report (PDF) is the availability of Phishing-as-a-Service (PhaaS) platforms, which lower the technical skill and cost needed for criminals to launch attacks. Platforms like Tycoon 2FA, for example, offer pre-made phishing pages for popular platforms like Microsoft 365 and Google Workspace for as little as $200 to $300 per month.

Typical Tycoon 2FA Campaign Structure (Source: eSentire)

These services use clever Adversary-in-the-Middle (AitM) techniques, acting as a go-between to capture login credentials and even authentication tokens in real-time, often bypassing multi-factor authentication (MFA) within minutes. BEC cases, specifically, have seen a 60% year-on-year increase, making up 41% of all attacks in the first quarter of 2025.

Typical Tycoon 2FA Campaign Structure (Source: eSentire)

A recent State of Browser Security Report by Menlo Security identified over 752,000 browser-based phishing attacks across more than 800 businesses, a 140% increase from the previous year, highlighting how browsers have become a major target. This trend also includes an emerging infostealer named Acreed, first seen in February 2025, which is now competing in these dark online markets, especially after law enforcement disrupted the infrastructure of another prominent infostealer, Lumma Stealer, in May 2025.

****Protecting Your Online Identity****

The rapid shift from opportunistic attacks to systematic, service-driven operations means that criminals are moving from stealing credentials to committing fraud within hours. With 78% of identified PhaaS operations originating from the United States (though this often reflects hosting location, not the attacker’s true base), the global reach of these threats is significant.

Organizations and individuals are strongly advised to enhance their cybersecurity. This includes adopting phishing-resistant authentication methods, establishing continuous monitoring for unusual login attempts or changes, and remaining alert about unsolicited emails and attachments. The speed and sophistication of these identity-based attacks make proactive defence measures more critical than ever.

_“_This report effectively mirrors the trends observed by Ontinue’s Cyber Defense Center over the past year. With the rise of a lucrative underground economy powered by Phishing-as-a-Service (PhaaS) platforms like Tycoon2FA, even low-skilled threat actors can now gain initial access without exploiting technical vulnerabilities,_“_ said Will Bailey, Senior SOC Analyst at Ontinue.

_“_As a result, phishing and identity-based attacks have become a persistent cat-and-mouse game between attackers and defenders,_“_ Will warned. _“_This underscores the critical need for a 24/7 Managed Detection and Response (MDR) service that includes identity threat detection and response enabling organizations to revoke session tokens and terminate active sessions in real time,_“_ he advised.

Infostealers-as-a-Service Push Identity Hacks to Record Highs

A color picker for Google's browser with more than 100,000 downloads hijacks sessions every time a user navigates to a new webpage and also redirects them to malicious sites.

Chrome Store Features Extension Poisoned With Sophisticated Spyware

Dr.Web reports Android malware surge in Q2 with adware, banking trojans and crypto theft hidden in fake apps, firmware and spyware targeting users.

A series of malicious apps and stealthy spyware is targeting Android users worldwide, with new data showing how cybercriminals keep finding ways to slip threats onto devices and even official app stores.

According to new findings from Dr.Web Security Space, adware is still the most common threat on mobile devices, but what is noticeable this time is how attackers keep finding new tricks to spread it.

****Adware Still Tops the Charts****

Adware Trojans continued to dominate, led by the Android.HiddenAds family. Although detections dropped by just over 80%, HiddenAds variants are still the most active group, often masquerading as harmless apps and vanishing from home screens once installed. Android.MobiDash adware trojans saw a jump of over 11%, proving that intrusive ads are still a reliable money maker for threat actors, revealed Dr.Web’s **report**.

****Fake Apps Fraud****

Android.FakeApp malware ranked third on the threat list, with activity dropping by a quarter. These malicious apps frequently pose as **finance tools, games or utilities** but instead, redirect users to gambling or phishing sites. Fake finance apps tricked Turkish and French-speaking users, promising easy income control or investment advice while silently pushing them to fraudulent sites.

****Banking Trojans Make a Comeback****

While some banking trojans like Android.BankBot and Android.SpyMax declined, Android.Banker surged by over 70% compared to the previous quarter. This spike highlights how cybercriminals keep targeting financial data with new variants, despite global awareness campaigns urging users to stick to official app stores.

****Crypto Theft Hidden in Firmware****

One of the most alarming revelations is a large-scale crypto theft campaign discovered in April. Attackers slipped a trojan named Android.Clipper.31 into a modified version of WhatsApp and even embedded it in the firmware of low-cost Android phones.

This trojan secretly **swaps legitimate crypto wallet addresses** for the attackers’ own and sends user images to a remote server, hunting for wallet seed phrases hidden in screenshots or photos.

****Spyware Targets Military Personnel****

Another concerning discovery made by Dr.Web and **reported by Hackread.com** in April 2025, was spyware hidden inside a fake version of Alpine Quest, a mapping app. Distributed through a bogus Telegram channel and a local app catalogue, Android.Spy.1292.origin was designed to gather sensitive data from Russian military personnel, including location files, messages and phone book contacts.

****Threats Found on Google Play****

Despite tighter controls, Dr.Web’s researchers continue to find dozens of **malicious or unwanted apps on Google Play** (Apple App Store is **not** a secure place either). Recent finds include adware modules disguised in cryptocurrency news apps and finance-themed fake apps that redirect users to shady sites instead of offering any real service.

This new wave of cybersecurity threats simply goes on to show that Android’s open nature still makes it a favourite target for criminals pushing ads, spyware and banking malware. Even official app stores are not completely safe, therefore, users must keep their devices protected with up-to-date security software and stay cautious with any new app, no matter how harmless it appears.

Malware Surge Hits Android: Adware, Trojans and Crypto Theft Lead Q2 Threats

Plus: Iran-linked hackers threaten to release Trump campaign emails, Chinese hackers still in US telecoms networks, and an abusive deepfake website plans an expansion.

In recent years, North Korea has deployed thousands of so-called IT workers to infiltrate Western businesses, get paid salaries, and send money back to support the regime. As the schemes have become more successful, they have grown increasingly elaborate and employed new tactics to evade detection.

But this week, the United States Justice Department revealed one of its biggest operations to tackle IT workers to date. The DOJ says it has identified six Americans who allegedly helped enable the schemes and has arrested one of them. Law enforcement officials searched 29 “laptop farms” in 16 states and seized more than 200 computers, as well as web domains and financial accounts.

Meanwhile, a group of young cybercriminals has been causing chaos around the world, leaving grocery stores empty and temporarily grounding some flights in the wake of their crippling cyberattacks. After a quiet period in 2024, the Scattered Spider hackers have returned this year and are ruthlessly targeting retailers, insurers, and airlines.

Also this week, we’ve detailed how LGBTIQ+ organizations in El Salvador are helping activists chronicle attacks against their community and better protect themselves against state surveillance.

And there’s more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Cell-site simulators, often known as stingrays or IMSI catchers, are some of the most stealthy and powerful surveillance tools in operation today. The devices, which impersonate cell towers and intercept communications, can collect call metadata, location information, and other traffic about what you do on your devices. They’ve increasingly been used by law enforcement and immigration officials.

However, according to reporting from Android Authority and Ars Technica, upcoming hardware advances has led to Google upping its efforts to combat the potential snooping. Starting in Android 16, compatible devices will be able to identify when networks request device identifiers, such as device or SIM IDs, and issue alerts when you are connecting to a non-encrypted cell network. Examples of alerts show warnings that “calls, messages, and data are vulnerable to interception” when connected to insecure networks. There will also be notifications when you move back to an encrypted network. An option to turn on these notifications appears on a mobile network security settings page alongside the option to avoid 2G networks, which could help block some IMSI catchers from connecting to your device. However, while the settings will reportedly be available in Android 16, it may take some time for Android devices to widely use the required hardware.

**Iran-Linked Hackers Threaten to Release 100 GB of Trump Campaign Emails**

Ahead of the presidential election last November, Iran-linked hackers attacked Donald Trump’s presidential campaign and stole scores of emails in an apparent bid to influence the election results. Some of the emails were distributed to journalists and the Biden campaign. This week, following the Israel-Iran conflict and US intervention with “bunker-buster” bombs, the hackers behind the email compromise reemerged, telling Reuters that they may disclose or sell more of the stolen emails.

The cybercriminals claimed they had stolen 100 GB of emails, including some from Susie Wiles, the White House chief of staff. The cache of emails also allegedly includes those from Lindsey Halligan, a Trump lawyer, adviser Roger Stone, and adult film star Stormy Daniels. The hackers, who have used the name Robert, told Reuters they wanted to “broadcast this matter.” It is unclear whether they will act upon the threats.

In response, US officials claimed that the threat from the hackers was a “calculated smear campaign” by a foreign power. “A hostile foreign adversary is threatening to illegally exploit purportedly stolen and unverified material in an effort to distract, discredit, and divide,” Marci McCarthy, a spokesperson for the Cybersecurity and Infrastructure Security Agency, said in a statement.

**Chinese Hackers Lay “Dormant” in US Telecoms Networks, FBI Says**

Over the past few years, Chinese hacker group Salt Typhoon has been on a hacking rampage against US telecoms networks, successfully breaking into at least nine firms and gaining access to Americans’ texts and calls. Brett Leatherman, the recently appointed leader of the FBI’s cyber division, tells Cyberscoop that the Chinese hackers are now “largely contained” and lying “dormant” in the networks. The groups have not been kicked out of networks, Leatherman said, since the longer they are in the systems there are more ways they can find to “create points of persistence.” “Right now, we’re very focused on resilience and deterrence and providing significant support to victims,” Leatherman said.

**Explicit Deepfake Website Leaks User Information, Has Expansion Plans Revealed**

Deepfake platforms that allow people to create nonconsensual, often illegal, harmful images of women without clothes on have boomed in recent years. Now a former whistleblower and leaked documents from one of the largest so-called “nudify” apps, Clothoff, claims the service has a multimillion-euro budget and is planning an aggressive expansion where it will create nonconsensual explicit images of celebrities and influencers, according to reporting by German publication Der Spiegel. The alleged expansion has a marketing budget of €150,000 (around $176,000) per country to promote the images of celebrities and influencers, according to the report. It says more than “three dozen people” work for Clothoff, and the publication identified some of the potential key operators of the platform. Documents exposed online also revealed customer email addresses. A spokesperson who claimed to represent Clothoff denied there were more than 30 people as part of the central team and told Der Spiegel it does not have a multimillion-euro budget.

Android May Soon Warn You About Fake Cell Towers

Google has been ordered by a court in the U.S. state of California to pay $314 million over charges that it misused Android device users' cellular data when they were idle to passively send information to the company.
The verdict marks an end to a legal class-action complaint that was originally filed in August 2019.
In their lawsuit, the plaintiffs argued that Google's Android operating system

Google Ordered to Pay $314M for Misusing Android Users' Cellular Data Without Permission

This Fourth of July, Bruce, the 25-foot mechanical shark from Jaws, shares how his saltwater struggles mirror the need for real-world cybersecurity stress testing.

Thursday, July 3, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

Hi, I’m Bruce, the 25-foot mechanical star of “Jaws.”  

This summer marks 50 years since my 4 minutes of screentime kept people out of the water for decades. Maybe this Fourth of July weekend you’re planning to sea-shanty your way to a special screening? If you do, here’s a little behind-the-scenes story on how my endless malfunctions almost made Spielberg hang up his director hat before you could say “phone home.” 

I was built for a studio tank — a predictable and safe environment. But Spielberg, in pursuit of realism, had other plans. He threw me into the Atlantic, where the salt water, rolling waves and unruly weather conditions caused more chaos than anybody had bargained for. 

Each day, my hydraulics jammed, my pneumatics corroded and my paint peeled like a sunburned tourist on Amity Beach.

There were days when the crew could only capture one or two shots before either I broke, the weather broke, or one of the actors’ egos broke. Every night they’d patch me up and whisper an assortment of four-letter words into my rusty gills.

My saving grace became Verna Fields, aka “Mother Cutter.” Spielberg’s editor was the one to suggest they only use fleeting moments of footage starring yours truly. While I bobbed around like a skydancer on a windless day, Verna worked her magic: stitching reactions, cutting away at just the right moment and building tension with empty water. She turned me from a potential failure to a legend. 

And thus, I became a lesson in what happens when you build for a predictable environment but deploy in the wild. Sound familiar? 

I’ve been told that readers of Talos’ Threat Source Newsletter are security folks, and I’ve been asked to write something just for you. Here it goes… 

*   _“You’re gonna need a bigger boat.”_ Overprepare. Expect things to go wrong.  
*   _“It’s only an island if you look at it from the water.”_ Perspective matters. Make sure your alerts are honed to spot the things that really matter. 
*   _“Smile, you son of a…”_ Sometimes, your last line of defense is your defining moment. Should everything else fail, make sure you have something left in the tank. 

In cybersecurity, your green ticked audit checklists mean nothing if you haven’t pressure-tested your environment against real red teamers. Incident response plans need ocean trials, not just bullet points. 

If I have a legacy beyond people sticking their noggin in my teeth for “the gram,” it’s this: Build your defenses for salt water, not studio tanks. And remember, the mayor always wants to keep the network open... 

_Editor’s note: I’d like to thank Bruce for his time and perspective, and I hope he found our studio a relaxing place to write. I’m also sorry that I only had two barrels and not the requested three for him to play with._ 

_Bruce’s story is why_ _Cisco Talos Incident Response_ _exists: to help you prepare for the effects of salt water before they wreak havoc on your system. With Talos IR, you can stress test your defenses using real world scenarios and incident responders who’ve experienced just about everything there is to see._ 

_Enjoy the Fourth of July weekend, and remember to listen out for the_ duh dun.

**The one big thing **

Cisco Talos has enhanced its email threat detection engine to address brand impersonation tactics using PDF payloads in phishing attacks. These attacks often exploit popular brands to steal sensitive information, employing methods like QR code phishing and telephone-oriented attack delivery (TOAD), where victims are tricked into calling adversary-controlled phone numbers. Adobe’s e-signature service and PDF annotations have also been abused to bypass detection systems. 

**Why do I care? **

Phishing attacks are getting sneakier, using PDFs and trusted brands to trick people into giving up personal info or downloading malicious software. If you're not careful, you could fall for one of these scams, especially since attackers are using clever tactics like fake phone numbers or QR codes to seem legitimate. 

**So now what? **

Be extra cautious with emails containing PDFs, even if they look legit. Avoid scanning QR codes or calling phone numbers from unsolicited emails. Cisco’s detection tools are updated often, but staying vigilant and double-checking anything suspicious is your best defense.

**Top security headlines of the week **

**Europol Dismantles $540 Million Cryptocurrency Fraud Network, Arrests Five Suspects**   
The international effort, codenamed Operation Borrelli was carried out by the Spanish Guardia Civil, along with support from law enforcement authorities from Estonia, France, and the United States. (The Hacker News) 

**International Criminal Court hit by new 'sophisticated' cyberattack**   
In a statement yesterday, the ICC revealed that it had contained a "sophisticated and targeted" cybersecurity incident, which was discovered by systems in place to detect cyberattacks targeting its systems. (Bleeping Computer) 

**Windows’ Infamous ‘Blue Screen of Death’ Will Soon Turn Black**   
After more than 40 years of being set against a very recognizable blue, the updated error message will soon be displayed across a black background. (SecurityWeek) 

**Ahold Delhaize Data Breach Impacts 2.2 Million People**   
The incident impacted Giant Food pharmacies, Food Lion and Stop & Shop, among others. Stolen information may include names, contact info, date of birth, SSN, passport number, financial account information and more. (SecurityWeek) 

**Germany asks Google, Apple remove DeepSeek AI from app stores**   
The Berlin Commissioner for Data Protection has formally requested Google and Apple to remove the DeepSeek AI application from the application stores due to GDPR violations. (Bleeping Computer)

**Can’t get enough Talos? **

**Decrement by one to rule them all: AsIO3.sys driver exploitation**   
Learn how our researcher, Marcin Noga, found two critical vulnerabilities in ASUS’ Armory Crate and AI Suite drivers.

**Talos Takes: Teaching LLMs to spot malicious PowerShell scripts**   
Hazel chats with Ryan Fetterman from the SURGe team to explore his new research on how LLMs can assist security operations centers in identifying malicious PowerShell scripts.

**Beers with Talos: Terms and conceptions may apply**  
In this episode, the crew reassembles after a totally intentional and not-at-all accidental hiatus. They cover AI-assisted IVF, a possible underground war against dairy, and the real heroes: conference dogs.

**Upcoming events where you can find Talos **

*   NIRMA (July 28 – 30) St. Augustine, FL 
*   Black Hat USA (Aug. 2 – 7) Las Vegas, NV 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201 

**SHA 256: cd697cc93851d0b1939a7557b9ee9b3c0f56aab4336dd00ff6531f94f7e0e836**   
MD5: c94c094513f02d63be5ae3415bba8031   
VirusTotal: https://www.virustotal.com/gui/file/cd697cc93851d0b1939a7557b9ee9b3c0f56aab4336dd00ff6531f94f7e0e836/details  
Typical Filename: setup   
Claimed Product: N/A   
Detection Name: W32.Variant:Gen.28iv.1201 

**SHA 256: 57a6d1bdbdac7614f588ec9c7e4e99c4544df8638af77781147a3d6daa5af536**   
MD5: 79b075dc4fce7321f3be049719f3ce27   
VirusTotal: https://www.virustotal.com/gui/file/57a6d1bdbdac7614f588ec9c7e4e99c4544df8638af77781147a3d6daa5af536/details   
Typical Filename: RemCom.exe   
Claimed Product: N/A   
Detection Name: W32.57A6D1BDBD-100.SBX.VIOC 

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**     
MD5: 7bdbd180c081fa63ca94f9c22c457376     
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details  
Typical Filename: IMG001.exe    
Claimed Product: N/A   
Detection Name: Simple\_Custom\_Detection   

**SHA 256: 061e13a4fc9f1d4da0671082d5e4666f316bb251f13eded93f9cdb4a584d0bc0**   
MD5: 8d74e04c022cadad5b05888d1cafedd0  
VirusTotal: https://www.virustotal.com/gui/file/061e13a4fc9f1d4da0671082d5e4666f316bb251f13eded93f9cdb4a584d0bc0/details  
Typical Filename: smhost.exe   
Claimed Product: N/A   
Detection Name: Artemis:Lazy.27fx.in14.Talos

**SHA 256: 2eb95ef4c4c24f1e38a5c8b556d78b71c8a8fb2589ed8c5b95e9d18659bde293**  
MD5: N/A  
VirusTotal: N/A, use https://talosintelligence.com/sha\_searches  
Typical Filename: N/A  
Claimed Product: N/A  
Detection Name: W32.2EB95EF4C4-100.SBX.TG

A message from Bruce the mechanical shark

Silent Push exposes thousands of fake e-commerce websites spoofing major brands like Apple and Michael Kors. Learn how this Chinese phishing scam targets shoppers and steals financial data, impacting global consumers.

Cybersecurity firm Silent Push has exposed a massive phishing scam originating from China, which has created thousands of fake e-commerce websites designed to trick online shoppers. These fraudulent sites mimic well-known brands and aim to steal sensitive financial information, impacting both English and Spanish-speaking consumers worldwide.

According to Silent Push’s research, shared with Hackread.com ahead of its publishing on July 2nd, 2025, the investigation began after a crucial tip from Mexican journalist Ignacio Gómez Villaseñor.

Villaseñor’s May 26, 2025, X/Twitter post highlighted a threat actor specifically targeting Hot Sale 2025, a major annual sales event in Mexico, similar to Black Friday in the United States. It ran from May 26 to June 3, 2025, and is sponsored by the Asociación Mexicana de Ventas Online (AMVO).

****How the Scam Works****

The scammers create convincing fake versions of popular retail websites, including those of Apple, Harbor Freight Tools, Michael Kors, REI, Wayfair, and Wrangler Jeans. While these sites appear to offer products, they do not process actual purchases. Instead, they are designed to capture credit card details entered by unsuspecting users.

The “harborfrieghtshop” fake website (Source: Silent Push)

A key finding from tests carried out by Publimetro México, as reported by Gómez Villaseñor, was that “by entering false bank card data into these portals, the system reacts as if you were actually processing a payment.”

This includes displaying “reserved cart” timers and logos of legitimate payment services like Visa, MasterCard, PayPal, Oxxo, and SPEI. This elaborate simulation is intended to build trust and allow the criminals to steal information without immediate suspicion.

****Credit Card Theft and More****

Silent Push also found that some of these fake websites, such as rizzingupcartcom, integrated real Google Pay purchase widgets. While Google Pay typically offers enhanced security by using virtual card numbers, the threat actors still exploit this by simply not delivering the “purchased” goods after payment, researchers noted. This means even payments made through Google Pay are at risk of leading to financial loss, even if the direct credit card details are not compromised.

Silent Push has high confidence in the Chinese origin of this network, based on a private technical fingerprint found within the scam’s infrastructure, which includes Chinese words and characters. The sheer scale of the operation is significant, with thousands of fraudulent domains identified.

Many of these sites show sloppy errors, like harborfrieghtshop (a misspelling of Harbor Freight) which strangely displayed a cloned version of the Wrangler Jeans site. Other examples include guitarcentersalecom, which offered children’s accessories instead of musical instruments, and nordstromltemscom (note the “l” instead of an “i” in “items”) which was a direct copy of the fake Guitar Center site.

Despite some of these sites being taken down, thousands were still active as of June 2025, highlighting the persistent nature of this threat. Silent Push continues to track this widespread phishing campaign and urges consumers to be cautious when shopping online.

New Fake Marketplace From China Mimics Top Retail Brands for Fraud

The Scattered Spider hacking group has caused chaos among retailers, insurers, and airlines in recent months. Researchers warn that its flexible structure poses challenges for defense.

Empty grocery store shelves and grounded planes tend to signal a crisis, whether it’s an extreme weather event, public health crisis, or geopolitical emergency. But these scenes of chaos in recent weeks in the United Kingdom, United States, and Canada were caused instead by financially motivated cyberattacks—seemingly perpetrated by a collective of joyriding teens.

A notorious cybercriminal group often called Scattered Spider is known for using social engineering techniques to infiltrate target companies by tricking IT help desk workers into granting them system access. Researchers say that the group seems to gain expertise about the backend systems commonly used by businesses in a particular industry and then uses this knowledge to hit a cluster of targets before moving on to another sector. The group often deploys ransomware or conducts data extortion attacks once it has compromised its victims.

Amid increasing pressure from law enforcement last year, which culminated in charges and arrests of five suspects allegedly linked to Scattered Spider, researchers say that the group was less active in 2024 and seemed to be attempting to lay low. The group’s escalating attacks in recent weeks, though, have shown that, far from being defeated, Scattered Spider is emboldened once again.

“There are some uniquely skilled actors in Scattered Spider when it comes to social engineering, and they have identified a major gap in our security systems that they’re successfully taking advantage of,” says John Hultquist, chief analyst in Google’s threat intelligence group. “This group is carrying out serious attacks on our critical infrastructure, and I hope that we’re not missing the opportunity to address the most imminent threat.”

Though a number of incidents have not been publicly attributed, an overwhelming spree of recent attacks on UK grocery store chains, North American insurers, and international airlines has broadly been tied to Scattered Spider. In May, the UK’s National Crime Agency confirmed it was looking at Scattered Spider in connection to the attacks on British retailers. And the FBI warned in an alert on Friday that it has observed “the cybercriminal group Scattered Spider expanding its targeting to include the airline sector.” The warning came as North American airlines Westjet and Hawaii Airlines said they had been victims of cybercriminal hacks. On Wednesday, the Australian airline Qantas also said it had been hit with a cyberattack, though it was not immediately clear if this attack was part of the group’s campaign.

“They slowed down, and we saw them dissipate for a while throughout 2024,” says Adam Meyers, a senior vice president for counter-adversary operations at the security company CrowdStrike. “Then they’ve roared back in the last couple of months, first hitting retail and then hitting insurance companies and most recently targeting airlines.”

Scattered Spider first emerged as a high-profile group toward the end of 2023 as its members moved from SIM swapping attacks to launching crippling ransomware attacks on Caesar’s Entertainment and MGM Resorts. The latter cost MGM around $100 million to recover from. Researchers emphasize that the collective is financially motivated, made up of mostly English-speaking teenagers and young men who are often based in the US or UK. The Scattered Spider hackers are considered an offshoot of the Com, an amorphous network of potentially thousands of trolls and criminals, many of whom engage in harassment, extortion, and child exploitation.

Scattered Spider members have increasingly coalesced around a tactic of using targeted social engineering to get a foothold inside company networks. Attackers may impersonate a staff member who is locked out of their company email account and contact the firm’s IT help desk to get access, before resetting multifactor authentication credentials. Researchers say that the group has also used a tactic of creating convincing phishing websites where the URLs often include the name of the target organization along with words like “okta,” “vpn” or “helpdesk.” Once inside networks, the hackers deploy various types of ransomware or steal data that is used to extort companies.

Meyers says Crowdstrike believes that Scattered Spider has roughly four core members, which drive the targeting of potential victims and “leverage” resources from the wider Com ecosystem as needed. The exact structure and size of Scattered Spider is unclear, but researchers agree that the group relies on an array of third-party services to carry out its attacks.

“Deterrence is extremely difficult because we’re essentially fighting a marketplace where a lot of the actors are replaceable,” Google’s Hultquist says. “For instance, Scattered Spider has worked with multiple ransomware services, so if one goes down there’s always someone to replace them.”

Aiden Sinnott, a senior threat researcher at cybersecurity company Sophos’ Counter Threat Unit, says that Scattered Spider and the Com more broadly are connected through relationships and communities on Discord servers or Telegram groups. “It’s this kind of evolving group where maybe new younger threat actors are coming in,” Sinnott says. “You can see this natural escalation progression as they learn skills of each other, and they're very big on sharing their wins as well.”

Some Scattered Spider members may target big-name companies, while others are involved in less high-profile activity. “There are groups, or individuals, who are really focused on hacking Coinbase accounts and stealing crypto and things like that,” Sinnott says. “So they’re not even focused on these big corporate organizations.”

As Hultquist puts it, "the activity is extremely resilient, because instead of fighting a single actor, we’re really fighting a marketplace.”

A Group of Young Cybercriminals Poses the ‘Most Imminent Threat’ of Cyberattacks Right Now

Google has released an urgent update for the Chrome browser to patch a vulnerability which has already been exploited.

Google has released an update for its Chrome browser to patch an actively exploited flaw.

This update is crucial since it addresses an actively exploited vulnerability which can be exploited when the user visits a malicious website. It doesn’t require any further user interaction, which means the user doesn’t need to click on anything in order for their system to be compromised.

The update brings the Stable channel to 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for Mac and 138.0.7204.96 for Linux.

The easiest way to update Chrome is to allow it to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.

To manually get the update, click the more menu (three stacked dots), then choose **Settings** > **About Chrome**. If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is reload Chrome in order for the update to complete, and for you to be safe from the vulnerability.

You can find more elaborate update instructions and the version number information in our article on how to update Chrome on every operating system.

**Technical details on the vulnerability**

The vulnerability, tracked as CVE-2025-6554 is a type confusion in V8 in Google Chrome that, prior to 138.0.7204.96, could have allowed a remote attacker to perform arbitrary read/write via a crafted HTML page.

A type confusion bug happens when code doesn’t verify the object type passed to it, and then uses the object without type-checking. Unfortunately, this bug occurs on the V8 JavaScript engine, Google’s open-source JavaScript engine.

The browser mistakenly treats a piece of data as the wrong type, which lets attackers manipulate memory in unintended ways. This can allow them to perform unauthorized read and write operations in the browser’s memory.

Clément Lecigne of Google’s Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on June 25, 2025. The TAG group focuses on spyware and nation-state attackers who abuse zero days for espionage purposes.

**We don’t just report on** **browser vulnerabilities**, Malwarebytes’ Browser Guard protects your browser against malicious websites and credit card skimmers, blocks unwanted ads, and warns you about relevant data breaches and scams.

Tag

#google