### Impact
Setting lower EVM call gas allows users to partially execute precompiles and error at specific points in the precompile code without reverting the partially written state. 

If executed on the distribution precompile when claiming funds, it could cause funds to be transferred to a user without resetting the claimable rewards to 0. The vulnerability could also be used to cause indeterministic execution by failing at other points in the code, halting validators.

Any evmOS or Cosmos EVM chain using precompiles is affected.

### Patches
The vulnerability was patched by wrapping each precompile execution into an atomic function that reverts any partially committed state on error.

- [evmos/os](https://github.com/evmos/os) patch file: https://drive.google.com/file/d/1LfC0WSrQOqwTOW3qfaE6t8Jqf1PLVtS_/

For chains using a different file structure, you must manually apply the diff:

### **In `x/evm/statedb.go`:**

Add the following function:
```go
func (s *StateDB) RevertMultiStore(cms storetypes.CacheMultiStore, events sdk.Events) {
	s.cacheCtx = s.cacheCtx.WithMultiStore(cms)
	s.writeCache = func() {
		// rollback the events to the ones
		// on the snapshot
		s.ctx.EventManager().EmitEvents(events)
		cms.Write()
	}
}
```

### **In `x/evm/statedb/journal.go`:**

Replace the `Revert` function with the following:
```go
func (pc precompileCallChange) Revert(s *StateDB) {
	// rollback multi store from cache ctx to the previous
	// state stored in the snapshot
	s.RevertMultiStore(pc.multiStore, pc.events)
}
```

### **In `precompiles/common/precompile.go`:**

Change the function signature in `HandleGasError` to:
```go
func HandleGasError(ctx sdk.Context, contract *vm.Contract, initialGas storetypes.Gas, err *error, stateDB *statedb.StateDB, snapshot snapshot) func() {
...
}
```

In the `HandleGasError` function, add the following line in the switch statement in the `case storetypes.ErrorOutOfGas:` case:
```go
stateDB.RevertMultiStore(snapshot.MultiStore, snapshot.Events)
```

Add the following function:
```go
// RunAtomic is used within the Run function of each Precompile implementation.
// It handles rolling back to the provided snapshot if an error is returned from the core precompile logic.
// Note: This is only required for stateful precompiles.
func (p Precompile) RunAtomic(s snapshot, stateDB *statedb.StateDB, fn func() ([]byte, error)) ([]byte, error) {
	bz, err := fn()
	if err != nil {
		// revert to snapshot on error
		stateDB.RevertMultiStore(s.MultiStore, s.Events)
	}
	return bz, err
}
```

### **All Precompiles:**
Finally, in each precompile, locate the `Run` function, and wrap each switch statement and return values into `p.RunAtomic`. For example:
```go
// Run executes the precompiled contract IBC transfer methods defined in the ABI.
func (p Precompile) Run(evm *vm.EVM, contract *vm.Contract, readOnly bool) (bz []byte, err error) {
	ctx, stateDB, snapshot, method, initialGas, args, err := p.RunSetup(evm, contract, readOnly, p.IsTransaction)
	if err != nil {
		return nil, err
	}

	// This handles any out of gas errors that may occur during the execution of a precompile tx or query.
	// It avoids panics and returns the out of gas error so the EVM can continue gracefully.
	defer cmn.HandleGasError(ctx, contract, initialGas, &err, stateDB, snapshot)()

        // === WRAP HERE ===
	return p.RunAtomic(snapshot, stateDB, func() ([]byte, error) {
		switch method.Name {
		// TODO Approval transactions => need cosmos-sdk v0.46 & ibc-go v6.2.0
		// Authorization Methods:
		case exampleCase:
			bz, err = p.example(ctx, evm.Origin, stateDB, method, args)
		default:
			return nil, fmt.Errorf(cmn.ErrUnknownMethod, method.Name)
		}

		if err != nil {
			return nil, err
		}

		cost := ctx.GasMeter().GasConsumed() - initialGas

		if !contract.UseGas(cost) {
			return nil, vm.ErrOutOfGas
		}

		if err := p.AddJournalEntries(stateDB, snapshot); err != nil {
			return nil, err
		}

		return bz, nil
	})
}
```


### Workarounds
There are no workarounds for chains that make use of precompiles. A coordinated upgrade is necessary to patch the issue.

### Testing
A test was introduced in the distribution precompile to ensure that partial state writes no longer occur when a lower gas amount is set.

**Impact**

Setting lower EVM call gas allows users to partially execute precompiles and error at specific points in the precompile code without reverting the partially written state.

If executed on the distribution precompile when claiming funds, it could cause funds to be transferred to a user without resetting the claimable rewards to 0. The vulnerability could also be used to cause indeterministic execution by failing at other points in the code, halting validators.

Any evmOS or Cosmos EVM chain using precompiles is affected.

**Patches**

The vulnerability was patched by wrapping each precompile execution into an atomic function that reverts any partially committed state on error.

*   evmos/os patch file: https://drive.google.com/file/d/1LfC0WSrQOqwTOW3qfaE6t8Jqf1PLVtS\_/

For chains using a different file structure, you must manually apply the diff:

****In x/evm/statedb.go:****

Add the following function:

func (s \*StateDB) RevertMultiStore(cms storetypes.CacheMultiStore, events sdk.Events) {
	s.cacheCtx \= s.cacheCtx.WithMultiStore(cms)
	s.writeCache \= func() {
		// rollback the events to the ones
		// on the snapshot
		s.ctx.EventManager().EmitEvents(events)
		cms.Write()
	}
}

****In x/evm/statedb/journal.go:****

Replace the Revert function with the following:

func (pc precompileCallChange) Revert(s \*StateDB) {
	// rollback multi store from cache ctx to the previous
	// state stored in the snapshot
	s.RevertMultiStore(pc.multiStore, pc.events)
}

****In precompiles/common/precompile.go:****

Change the function signature in HandleGasError to:

func HandleGasError(ctx sdk.Context, contract \*vm.Contract, initialGas storetypes.Gas, err \*error, stateDB \*statedb.StateDB, snapshot snapshot) func() {
...
}

In the HandleGasError function, add the following line in the switch statement in the case storetypes.ErrorOutOfGas: case:

stateDB.RevertMultiStore(snapshot.MultiStore, snapshot.Events)

Add the following function:

// RunAtomic is used within the Run function of each Precompile implementation.
// It handles rolling back to the provided snapshot if an error is returned from the core precompile logic.
// Note: This is only required for stateful precompiles.
func (p Precompile) RunAtomic(s snapshot, stateDB \*statedb.StateDB, fn func() (\[\]byte, error)) (\[\]byte, error) {
	bz, err := fn()
	if err != nil {
		// revert to snapshot on error
		stateDB.RevertMultiStore(s.MultiStore, s.Events)
	}
	return bz, err
}

****All Precompiles:****

Finally, in each precompile, locate the Run function, and wrap each switch statement and return values into p.RunAtomic. For example:

// Run executes the precompiled contract IBC transfer methods defined in the ABI.
func (p Precompile) Run(evm \*vm.EVM, contract \*vm.Contract, readOnly bool) (bz \[\]byte, err error) {
	ctx, stateDB, snapshot, method, initialGas, args, err := p.RunSetup(evm, contract, readOnly, p.IsTransaction)
	if err != nil {
		return nil, err
	}

	// This handles any out of gas errors that may occur during the execution of a precompile tx or query.
	// It avoids panics and returns the out of gas error so the EVM can continue gracefully.
	defer cmn.HandleGasError(ctx, contract, initialGas, &err, stateDB, snapshot)()

        // === WRAP HERE ===
	return p.RunAtomic(snapshot, stateDB, func() (\[\]byte, error) {
		switch method.Name {
		// TODO Approval transactions => need cosmos-sdk v0.46 & ibc-go v6.2.0
		// Authorization Methods:
		case exampleCase:
			bz, err \= p.example(ctx, evm.Origin, stateDB, method, args)
		default:
			return nil, fmt.Errorf(cmn.ErrUnknownMethod, method.Name)
		}

		if err != nil {
			return nil, err
		}

		cost := ctx.GasMeter().GasConsumed() \- initialGas

		if !contract.UseGas(cost) {
			return nil, vm.ErrOutOfGas
		}

		if err := p.AddJournalEntries(stateDB, snapshot); err != nil {
			return nil, err
		}

		return bz, nil
	})
}

**Workarounds**

There are no workarounds for chains that make use of precompiles. A coordinated upgrade is necessary to patch the issue.

**Testing**

A test was introduced in the distribution precompile to ensure that partial state writes no longer occur when a lower gas amount is set.

**References**

*   GHSA-mjfq-3qr2-6g84
*   cosmos/evm@0fff8c1
*   https://drive.google.com/file/d/1LfC0WSrQOqwTOW3qfaE6t8Jqf1PLVtS\_

GHSA-mjfq-3qr2-6g84: Cosmos EVM Allows Partial Precompile State Writes

Russell Vought, acting director of the Consumer Financial Protection Bureau, has canceled plans to more tightly regulate the sale of Americans’ sensitive personal data.

The Consumer Financial Protection Bureau (CFPB) has canceled plans to introduce new rules designed to limit the ability of US data brokers to sell sensitive information about Americans, including financial data, credit history, and Social Security numbers.

The CFPB proposed the new rule in early December under former director Rohit Chopra, who said the changes were necessary to combat commercial surveillance practices that “threaten our personal safety and undermine America’s national security.”

The agency quietly withdrew the proposal on Tuesday morning, publishing a notice in the Federal Register declaring the rule no longer “necessary or appropriate.”

The CFPB received more than 600 comments from the public this year concerning the proposal, titled Protecting Americans from Harmful Data Broker Practices. The rule was crafted to ensure that data brokers obtain Americans’ consent before selling or sharing sensitive personal information, including financial data such as income. US credit agencies are already required to abide by such regulations under the Fair Credit Reporting Act, one of the nation’s oldest privacy laws.

In its notice, the CFPB’s acting director, Russell Vought, wrote that he was withdrawing the proposal “in light of updates to Bureau policies,” and that it did not align with the agency’s “current interpretation of the FCRA,” which he added the CFPB is “in the process of revising.”

The CFPB did not immediately respond to a request for comment.

Data brokers operate within a multibillion-dollar industry built on the collection and sale of detailed personal information—often without individuals’ knowledge or consent. These companies create extensive profiles on nearly every American, including highly sensitive data such as precise location history, political affiliations, and religious beliefs. This information is frequently resold for purposes ranging from marketing to law enforcement surveillance.

Many people are unaware that data brokers even exist, let alone that their personal information is being traded. In January, the Texas Attorney General’s Office, led by attorney general Ken Paxton, accused Arity—a data broker owned by Allstate—of unlawfully collecting, using, and selling driving data from over 45 million Americans to insurance companies without their consent.

The harms from data brokers can be severe–even violent. The Safety Net Project, part of the National Network to End Domestic Violence, warns that people-search websites, which compile information from data brokers, can serve as tools for abusers to track down information about their victims.

Last year, Gravy Analytics—which processes billions of location signals daily—suffered a data breach that may have exposed the movements of millions of individuals, including politicians and military personnel.

“Russell Vought is undoing years of painstaking, bipartisan work in order to prop up data brokers’ predatory, and profitable, surveillance of Americans,” says Sean Vitka, executive director of Demand Progress, a nonprofit that supported the rule. Added Vitka: “By withdrawing the CFPB’s data broker rulemaking, the Trump administration is ensuring that Americans will continue to be bombarded by scam texts, calls and emails, and that military members and their families can be targeted by spies and blackmailers.”

Vought, who also serves as director of the White House Office of Management and Budget, received a letter on Monday from the Financial Technology Association (FTA) calling for the rule to be withdrawn, claiming the rules exceed the agency’s statutory mandate and would be “harmful to financial institutions’ efforts to detect and prevent fraud.” The FTA is a US-based trade organization that represents the interests of fintech companies and their executives.

Privacy advocates have long pressed regulators to use the Fair Credit Reporting Act to crack down on the data broker industry. Common Defense, a veteran-led nonprofit, urged the CFPB to take action in November, blaming data brokers for recklessly exposing sensitive information about US service members that placed them at “substantial risk” of being blackmailed, scammed, or targeted by hostile foreign actors.

A 2023 study cited by the group—funded by the US Military Academy at West Point—concluded that the current data broker ecosystem is a threat to US national security, permitting the sale of sensitive personal data that can be used not only to identify service members and “other politically sensitive targets,” but also to offer details about medical conditions, financial problems, and political and religious beliefs. “Foreign and malign actors with access to these datasets could uncover information about high-level targets, such as military service members, that could be used for coercion, reputational damage, and blackmail,” the authors report.

Common Defense political director Naveed Shah, an Iraq War veteran, condemned the move to spike the proposed changes, accusing Vought of putting the profits of data brokers before the safety of millions of service members. "For the sake of military families and our national security, the administration must reverse course and ensure that these critical privacy protections are enacted," Shah says.

Investigations by WIRED have shown that data brokers have collected and made cheaply available information that can be used to reliably track the locations of American military and intelligence personnel overseas, including in and around sensitive installations where US nuclear weapons are reportedly stored.

WIRED reported in February that US data brokers were using Google's ad-tech tools to sell access to information about devices linked to military service members and national security decisionmakers, as well as federal contractors that manufacture and export classified defense-related technologies. Experts say it proves trivial for foreign adversaries to de-anonymize the data.

"Data brokers inflict severe harm on individuals by degrading privacy, threatening national security, enabling scams and fraud, endangering public officials and survivors of domestic violence, and putting immigrant populations at risk,” says Caroline Kraczon, law fellow at the Electronic Privacy Information Center focused on consumer protection.

“The CFPB had a critical opportunity to address these harms by clarifying that data brokers must follow the Fair Credit Reporting Act,” adds Kraczon. “This withdrawal is deeply disappointing and another attack in the administration’s war against consumers on behalf of corporate interests."

Last month, more than 1,400 CFPB employees had their positions at the agency terminated, leaving the agency with a staff of around 300 people. Elon Musk, whose so-called Department of Government Efficiency (DOGE) has spearheaded the White House's efforts to radically restructure the federal government by slashing the size of its workforce, last November called on President Donald Trump to “delete” the CFPB, whose job includes shielding Americans from predatory lending practices.

_Update 10 am ET, May 15, 2025: Clarified the types of companies represented by the Financial Technology Association._

CFPB Quietly Kills Rule to Shield Americans From Data Brokers

Flashpoint uncovers how North Korean hackers used fake identities to secure remote IT jobs in the US, siphoning…

Flashpoint uncovers how North Korean hackers used fake identities to secure remote IT jobs in the US, siphoning $88 million. Find out how they used fake identities and technology to commit the fraud.

North Korean hackers used stolen identities to get remote IT jobs at US companies and non-profits, raking in at least $88 million over six years. The US Department of Justice indicted fourteen North Korean nationals on December 12, 2024, for their involvement. Security firm Flashpoint conducted a unique investigation, analysing data from the hackers’ own infected computers to uncover their tactics and exclusive details on this scheme.

Flashpoint’s investigation revealed the use of fake companies named in the indictment, including “Baby Box Info,” “Helix US,” and “Cubix Tech US,” to create believable resumes and provide fraudulent references. Researchers tracked infected computers, notably one in Lahore, Pakistan, which held login credentials for email addresses associated with these fake entities. The username “jsilver617,” potentially tied to a fake US identity “J.S.,” was found on one of these machines, which was used to apply for numerous tech jobs in 2023.

A critical piece of evidence was the extensive use of Google Translate between English and Korean, found in the browser history of an infected computer, which hinted at the hackers’ origins. Translated messages exposed their methods for creating fake job references, even including fabricated contact information for individuals at the sham companies. One translated message, posing as an HR manager from “Cubix,” provided false employment verification details.

Further communications hinted at a hierarchical structure within the operation and discussed “tradecraft,” such as strategies to avoid using webcams during online meetings. Frustration with a remote worker’s poor performance was also evident in a translated message stating, “It’s proof that you’re a failure.”

The investigation also uncovered discussions about shipping electronic devices, likely laptops and phones for their remote work setups. This aligns with Hackread.com’s recent reporting of Laptop Farms where US-based collaborators received devices for remote access by North Korean workers, with prominent North Korean group Nickel Tapestry identified as the key perpetrator.

In this case, one translated message inquired about the delivery of laptops to Nigeria. Browser history revealed tracking numbers for international courier services, including a shipment possibly originating from Dubai.

Translation provided by Flashpoint:

    We need to make the Abdul's voices heard for a week. After that we can turn off the camera. They are very sensitive to voices. They might not ask Abdul to turn on the video if they don't think there is a difference in thg voices.&op=translate
    
    ---
    
    and you know that was same some that we have already summitted your profile, at that time they told that your rate is high and gave offer to another person , but that offer is backout and now they have backfill of it. please let me know if we can submit your profile at $65/hr on C2C/1099. this time prime vendor is different, but client is same.&op=translate
    
    ---
    
    I didn't complain when you didn't get the assignment for two months. But this is a different matter. It's proof that you're a failure and if you're like this, you won't be able to handle this job well.&op=translate

The investigation also revealed the use of AnyDesk remote desktop software on the infected machines, suggesting the North Korean operatives accessed the US company systems remotely. This detail highlights the direct access they gained to sensitive company networks.

“Ever since its discovery, Fortune 500 companies, technology and cryptocurrency industries have been reporting even more secret DPRK agents siphoning funds, intellectual property, and information,” Flashpoint’s investigation, shared with Hackread.com, revealed.

Flashpoint’s inside look at this operation, achieved by analyzing compromised credentials and infostealer logs, provides a detailed understanding of North Korea’s sophisticated and profitable cyber fraud targeting US organizations.

North Korean Hackers Stole $88M by Posing as US Tech Workers

A new extra-secure mode for Android 16 will let at-risk users lock their devices down.

With the rise of mercenary spyware and other targeted threats, tech giants like Apple, Google, and Microsoft have spent the last few years trying to figure out how to protect the digital lives of their most at-risk, vulnerable users around the world. On mobile, the launch of Apple's iOS Lockdown Mode in 2022 was one concerted effort to shed nonessential functionality in favor of maximum security—a trade-off most users wouldn't want to make, but that could be very worth it for a public figure, activist, journalist, or dissident living under daily scrutiny and threat of attack. For years, Google has offered a program for a similar demographic called Advanced Protection that focuses on adding additional layers of monitoring and security to vulnerable users' Google accounts, a core piece of many people's digital lives that could be devastating if compromised. Now, Google is extending Advanced Protection with a suite of features for Android 16.

On Tuesday, the company announced an Advanced Protection mode for phones running the newest version of Android. At its core, the mode is designed around imposing strong security settings on all apps and services to silo data as much as possible and reduce interactions with unsecured web services and previously unknown, untrusted individuals. Advanced Protection on Android is meant to be as usable and flexible as possible, though, leaning on Google's rapidly expanding on-device AI scanning capabilities to provide monitoring and alerts without having to completely eliminate features. Still, the mode imposes restrictions that can't be turned off, like blocking phones from connecting to historic 2G data networks and disabling Chrome's Javascript optimizer, which could alter or break some web functionality on some sites.

“There are two classes of things that we use to defend the user. One is you obviously harden the system, so you try to lock things down, you prevent many forms of attacks," says Dave Kleidermacher, vice president of engineering at Android’s security and privacy division. "But two is you can't always prevent every attack entirely. But if you can detect that you've been compromised, you can take some sort of corrective action. In consumer security on mobile this detection has never really been a possibility, so that's one of the big things we've done here."

This monitoring and detection capability, known as Intrusion Logging, uses end-to-end encryption to indelibly store logs from your device in the cloud such that they can't be accessed by Google or any party aside from you, but also in a form that can't be deleted or modified, even if your device and Google account are compromised.

Logging and system monitoring tools are common on laptops and desktops—not to mention in enterprise IT environments—but offering the capabilities for consumers on mobile devices is more unusual. As with any scheme that takes data off a device and puts it in the cloud, the system does introduce some new risks, but Google and Google Cloud Services already run many end-to-end encrypted platforms for users, and Kleidermacher notes that the ability to create indelible logs that can't be manipulated or deleted by a sophisticated attacker is invaluable in addressing targeted attacks.

“The main innovation here is you have an audit log mechanism to detect compromise that is actually resistant to device tampering,” he says. “It's bringing intrusion detection to the consumer. So if you as a consumer suspect a problem and you're not sure, you can pull the logs down from the cloud. You can share them with a security expert, you can share them with an NGO, and they can use tools for analysis.”

Another feature that is on by default and can't be turned off in Advanced Protection is Android's Memory Tagging Extension (MTE). The feature, which debuted for Google's Pixel line and is starting to be adopted in processors on other devices, is a hardware security protection related to how a system manages its memory. If an attacker attempts to exploit a memory vulnerability such as a so-called buffer overflow, MTE will cause the process to fail, stopping the attack in its tracks. Memory corruption bugs are a common tool used by hackers, so neutering the entire class of vulnerabilities makes it much more difficult to attack a device.

Most Advanced Protection features will launch next week with Android 16, but Google says that Intrusion Logging is coming later this year along with features like USB protections that will prevent untrusted peripherals from using your phone's charging port for data transfers. And Google is also offering an API for integrating Advanced Protection directly into third-party apps. When a user turns Advanced Protection on, Android will impose enhanced defenses broadly across the operating system, but third-party integration will enable deeper defenses within non-Google apps.

“You want to prevent as much as you can, and a lot of these features are locking down the phone in ways that will make some attacks just much, much harder for attackers, more expensive, or even impossible,” Kleidermacher says.

Courtesy of Google

Google’s Advanced Protection for Vulnerable Users Comes to Android

Android’s “Scam Detection” protection in Google Messages will now be able to flag even more types of digital fraud.

Digital scammers have never been so successful. Last year Americans lost $16.6 billion to online crimes, with almost 200,000 people reporting scams like phishing and spoofing to the FBI. More than $470 million was stolen in scams that started with a text message last year, according to the Federal Trade Commission. And as the biggest mobile operating system maker in the world, Google has been scrambling to do something, building out tools to warn consumers about potential scams.

Ahead of Google’s Android 16 launch next week, the company said on Tuesday that it is expanding its recently launched AI flagging feature for the Google Messages app, known as Scam Detection, to provide alerts on potentially nefarious messages like possible crypto scams, financial impersonation, gift card and prize scams, technical support scams, and more. Combined with other AI security features for Google Messages—all of which run locally on users’ devices and do not share data or message content with the company—Android is now detecting roughly 2 billion suspicious messages a month.

“The fraud is truly heartbreaking,” says Dave Kleidermacher, vice president of engineering at Android’s security and privacy division. “There’s really a very huge amount—almost epidemic and a scourge to humanity—of financial scams that are all across the world.”

Scammers operate all over the world, but Chinese scam groups particularly are behind millions of fraudulent messages, demanding things like “toll” payments or information for alleged postal service deliveries. When people click the links and enter their details, including payment information, scammers steal their data. In some cases, the scams are designed as a sort of smash-and-grab, where attackers quickly trick users into giving up some crumbs of information, like a pair of login credentials or a credit card number. These scams tend to be more formulaic and are potentially easier to detect. The more complex challenge is in detecting highly involved investment or romance scams—often called pig butchering scams—that build and evolve over months of messaging while scammers build a rapport with their targets before tricking them into handing over their life savings or even going into debt to send more money.

“It takes time for them to get to the scam—it’s not just click on the link,” Kleidermacher says. “By having the AI on-device, you can actually watch and observe these more sophisticated conversations and then detect their scams.”

Courtesy of Google

Courtesy of Google

In a screenshot of the Scam Detection feature provided by Google, an encrypted RSC chat shows a typical scam message saying an EZ Pass toll payment is outstanding. The message adds that the “legal ability” to drive may be revoked if the payment is not made. The message includes a link that directs someone toward a malicious payment website. The Scam Detection overlay at the bottom of the screen says that “suspicious activity” has been detected in the message and offers a way to report and block the sender, alongside an option that allows people to flag that it is not a scam.

Google is far from the only company using AI to try to combat scammers and stop them from reaching people’s inboxes. Some have turned to using AI to directly fight back against scammers. The British telecom company O2, for example, created an “AI Granny” that is set up to keep scammers on the phone and waste their time. And the online scam baiter Kitboga has created a series of bots to make simultaneous calls to call centers that run scams.

Meanwhile, in recent months, Meta, which owns WhatsApp, Messenger, and Instagram, has started to introduce pop-up warnings when people are asked to make payments in chat messages. Elsewhere, cybersecurity company F-Secure has created a beta tool to help people identify if a message and sender are likely scammers and block messages. Putting a layer of friction in place that nudges people away from messaging accounts they don’t know or replying to messages asking for details can reduce the chances that scammers are successful.

Google’s Kleidermacher says that the company is seeing “really positive impact” from using its machine learning systems to detect potential scam messages in real time. As the protections continue to mature, he notes that the underlying system could eventually proliferate beyond just the Google Messages app into third-party communication platforms.

For now, some of that expansion is starting within Google’s own products. The company also said on Tuesday that it is in the early phases of testing ways to incorporate scam detection for phone calls, but the capability has not been widely deployed.

Google Is Using On-Device AI to Spot Scam Texts and Investment Fraud

Popular student engagement platform iClicker’s website was compromised with a ClickFix attack. A fake “I’m not a robot”…

Popular student engagement platform iClicker’s website was compromised with a ClickFix attack. A fake “I’m not a robot” check tricked users into installing malware. Learn who was affected and how to stay safe.

A popular digital classroom used in many universities, called iClicker, was recently targeted by hackers. This tool, owned by Macmillan, helps teachers track attendance and ask students questions in class. Millions of students and thousands of teachers across the US, including the University of Michigan and the University of Florida, use iClicker.

According to the University of Michigan’s Safe Computing Team’s advisory, between April 12th and 16th, 2025, the iClicker website was compromised, showing a fake CAPTCHA to the site’s visitors, and asking them to click “I’m not a robot.”

Source: University of Michigan

When a Windows user clicked on this fake check, a hidden PowerShell command was copied to their device. They were prompted to open a special window on their computer (by pressing the Windows key and the letter ‘R’ at the same time), paste this command (by pressing Ctrl and ‘V’), and then press Enter. Doing this would run the hidden command.

This trick, known as a ClickFix attack, is a way to fool people into downloading malware.  A Reddit user tested this command on Any.Run and found it would connect to a server on the internet to download another set of instructions, depending on who was visiting the website. If it was a real person using a regular computer, the instructions would download malware, which could give the attacker complete control over the device.

 This malware was likely designed to steal personal information, such as usernames, passwords, credit card details, and even cryptocurrency wallet information stored on the computer.

In case the visitor was a system used by security experts to analyze malware, the hidden command would instead download a harmless program from Microsoft so that the attackers could evade detection.

In its security bulletin, iClicker confirmed that its main system and user information were safe, explaining that a third party put a fake security check on their website before users logged in.

As previously reported by Hackread.com, ClickFix has become a growing concern in the cybersecurity world. In March 2024, we reported the increasing use of ClickFix attacks by cybercrime groups like TA571 and ClearFake. Later, in October 2024, security firm Sekoia observed more ClickFix attacks using fake Google Meet, Chrome, and Facebook pages to spread malware.

Recently, in April 2025, Hackread.com reported that government-backed hacking groups from countries like North Korea, Iran, and Russia used this method in their spying operations and even published a detailed blog post on how to protect yourself from ClickFix attacks.

iClicker advises anyone who visited their website between April 12th and 16th and clicked on the fake security check to immediately change all the passwords saved on their computer, including the iClicker password and use a password manager to maximize account security. People who only used the iClicker mobile app or did not see the fake security check were safe from this particular attack.

Debbie Gordon, CEO and Founder at Cloud Range commented on the development stating, “This incident shows how easily attackers can turn a simple user interaction, like clicking a CAPTCHA, into a full compromise.”

“The real question is: how quickly can your team detect and contain it? That’s the essence of incident response readiness. Simulation-based training gives defenders the muscle memory they need to spot behavioural red flags, investigate effectively, and coordinate containment actions in real-time before small lapses become major breaches.”

iClicker Website Hacked with Fake CAPTCHA in ClickFix Attack

Optimizing your online productivity is more important than ever. Whether you’re a business owner, freelancer, or simply someone…

Optimizing your online productivity is more important than ever. Whether you’re a business owner, freelancer, or simply someone looking to streamline your personal digital workflow, improving your efficiency can save you time, reduce stress, and boost performance. Here are some practical strategies to enhance your digital efficiency.

****1\. Streamline Your Digital Workspace****

A cluttered digital environment can slow you down significantly. Organize your desktop, categorize your files, and declutter unnecessary applications. Use cloud storage services like Dropbox or Google Drive to keep essential documents accessible and secure, reducing the need for excessive local storage.

Use productivity tools like Trello, Asana, or Notion to effectively manage tasks and projects. These platforms help you visualize your workload, prioritize tasks, and collaborate seamlessly with others.

****2\. Automate Repetitive Tasks****

Automation is a game-changer when it comes to digital efficiency. Identify repetitive tasks that consume your time and automate them. For instance:

*   **Email filtering and sorting**: Use rules and filters to automatically categorize incoming messages.
*   **Social media scheduling**: Use platforms like Buffer or Hootsuite to schedule posts in advance, saving you from constant manual posting.
*   **Data entry and reporting**: Utilize tools such as Zapier or Integromat to automate workflows between different apps.

Automating routine processes frees up valuable time for more strategic and creative tasks.

****3\. Optimize Your Internet and Hosting Solutions****

Slow-loading websites and unreliable hosting services can hamper your efficiency, especially if you rely on web-based applications. Upgrading to a reliable DS hosting solution can significantly boost your website’s performance, ensuring faster loading times and improved reliability. Dedicated servers offer more control, security, and better resource allocation compared to shared hosting, making them ideal for businesses or resource-intensive applications.

****4\. Use Keyboard Shortcuts and Productivity Hacks****

Mastering keyboard shortcuts can drastically decrease the time spent navigating your computer or specific applications. For example:

*   **Ctrl + C** and **Ctrl + V** for copy-paste
*   **Ctrl + Z** to undo
*   **Alt + Tab** to switch between windows quickly.

In addition, explore browser extensions like LastPass for password management or Grammarly for real-time grammar checks, making your digital activities more streamlined and error-free.

****5\. Limit Digital Distractions****

Distractions are one of the main barriers to digital efficiency. Use website blockers like Freedom or StayFocusd to limit time-wasting sites during work hours. Turn off unnecessary notifications and schedule regular tech-free breaks to improve your focus. You can also investigate app blockers for your smartphone to limit distractions more generally. 

****6\. Leverage Cloud-Based Collaboration Tools****

For teams, cloud-based collaboration tools are essential for maintaining efficiency. Platforms like Slack, Microsoft Teams, and Google Workspace allow for real-time communication, file sharing, and collaboration, decreasing the need for lengthy email threads and streamlining project management.

****Final Thoughts****

Improving your digital efficiency doesn’t require a massive overhaul, it’s about making small, intentional changes to your workflow. From investing in reliable DS hosting to automating repetitive tasks, every improvement adds up to significant time and productivity gains. Embrace these strategies and watch your digital efficiency soar.

(Image by Moondance from Pixabay)

Practical Ways to Improve Your Digital Efficiency

A list of topics we covered in the week of May 4 to May 10 of 2025

May 9, 2025 - Google announced it will equip Chrome with an AI driven method to detect and block Tech Support Scam websites

May 8, 2025 - As per a recent FBI warning, criminals are phishing users of payroll, and similar platforms to not only steal their credentials but also their funds.

May 8, 2025 - We're rolling out a brand new feature in Malwarebytes for iOS: the ability to block Google sponsored ads directly on Safari.  

May 8, 2025 - The age of AI guessing our passwords is upon us, and we need to change the ways we authenticate and use passwords where we have no alternatives.

May 8, 2025 - Meta has won almost $170m in damages from Israel-based NSO Group, maker of the Pegasus spyware.

 A week in security (May 4 &#8211; May 10) 

Google has agreed to pay the U.S. state of Texas nearly $1.4 billion to settle two lawsuits that accused the company of tracking users' personal location and maintaining their facial recognition data without consent.
The $1.375 billion payment dwarfs the fines the tech giant has paid to settle similar lawsuits brought by other U.S. states. In November 2022, it paid $391 million to a group of 40

Google Pays $1.375 Billion to Texas Over Unauthorized Tracking and Biometric Data Collection

Google announced it will equip Chrome with an AI driven method to detect and block Tech Support Scam websites

Google has expressed plans to use Artificial Intelligence (AI) to stop tech support scams in Chrome.

With the launch of Chrome version 137, Google plans to use the on-device Gemini Nano large language model (LLM) to recognize and block tech support scams.

Users already have the ability to chose Enhanced Protection under **Settings > Privacy and security > Security > Safe Browsing.**

Safe Browsing settings

Google’s reasoning, and we agree, is that LLMs are fairly good at understanding and classifying the varied, complex nature of websites. Meaning that, since many malicious sites have a very short lifespan, it is more effective to learn and recognize their behavior rather than keep adding a host of domain names to a block-list (something which Google has frustrated with the introduction of Manifest V3, by the way).

Tech support scams typically follow a certain pattern that should be simple to learn:

*   They make your browser tab full screen
*   Display the number they want you to call all over the place
*   Show the visitor fake ongoing scans and alerts

These are just a few of the characteristics I’d teach the LLM. I’m not speaking for Google here. They just mention they’ll be looking at usage of the Keyboard Lock API.

On that, the Keyboard Lock API is a web technology that allows websites to “capture” keyboard input, meaning they can prevent certain key combinations (or all keys) from working as they normally do in your browser or operating system. Originally, this tool was designed for legitimate purposes, like making web games or remote desktop apps more immersive by stopping accidental key presses from interrupting the experience. But tech support scammers exploit the Keyboard Lock API to make it harder for victims to escape their scam pages. This means that when a visitor tries to close the scam page or switch to another program, nothing happens, making them feel trapped on the site. Which also makes them think their system is actually infected.

Google explains why it went for the on-device method, saying it allows them to see the threats at the same moment the users see them and in the same way the users see them.

> “We’ve found that the average malicious site exists for less than 10 minutes, so on-device protection allows us to detect and block attacks that haven’t been crawled before.”

**How it works**

When the user lands on a suspicious page, which is decided by the on-device LLM, based on specific triggers like the Keyboard Lock API, Chrome provides the LLM with the contents of the page that the user is on and queries it to extract security signals, such as the intent of the page. This information is then sent to a Safe Browsing server for a final verdict.

If Safe Browsing decides the website is malicious, Chrome will block the content and show the user a big warning screen, called an “interstitial.”

Image courtesy of Google

By making the target think their system is infected, tech support scammers try to gain remote access or obtain payment information. Google says:

> “Tech Support scams are an increasingly prevalent form of cybercrime, characterized by deceptive tactics aimed at extorting money or gaining unauthorized access to sensitive data.”

Malwarebytes’ Browser Guard data over the last month shows that 30% of the fraudulent websites we blocked through the browser extensions are tech support scams.

30% of the three fraud categories are TSS

So, it’s nice of Google to let Chrome help us take care of some of those, but Chrome is not the only browser. We’re even hearing stories from users that ran into a website telling them their Windows machine was infected while they were using the Safari browser on their iPad.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Tag

#google