A new report from Check Point Research reveals a growing trend of cyber criminals recruiting employees at banks, telecoms, and tech giants. Learn how hackers use the darknet and Telegram to offer payouts up to $15,000 for internal access to companies like Apple, Coinbase, and the Federal Reserve.

Recent research from Check Point Research (CPR) shows that cyber criminals are changing how they break into companies. Instead of just trying to guess passwords or find computer glitches, they are now paying employees to help them from the inside.

According to the report, these groups are specifically recruiting “**insiders**” at banks, telecom, and tech firms to get direct access to private networks and customer information.

****High Payouts for Sensitive Data****

CPR researchers note that the rewards for these employees can be quite high; payouts for one-time access or specific files generally range between $3,000 and $15,000. However, some data is worth even more, such as a collection of 37 million records from a cryptocurrency exchange that was seen on the **dark web** for $25,000.

Source: Check Point Research

Digging deeper, researchers found that criminals are using emotional tactics to lure staff. In July, one advertisement encouraged workers to “escape the endless work cycle” by collaborating with hackers for five- or six-figure rewards. While some ads are short and factual, others frame this betrayal as a path to financial freedom.

****Major Brands and Industries Targeted****

It is worth noting that no sector seems to be safe, as recruitment ads have specifically named large firms like Coinbase, Binance, Kraken, and **Gemini**. Even major consulting companies like Accenture and Genpact, and consumer brands like Spotify and Netflix, have been mentioned.

The threat extends to physical goods and infrastructure as well. For example, insiders are being sought at Apple, Samsung, and Xiaomi, while cloud service employees are being offered up to $10,000 for access.

(Source: Check Point Research)

In the US, staff at Cox Communications have been asked to help with **SIM-swapping**, a trick used to bypass security codes. Even the US Federal Reserve and major European banks have been targeted by those looking for transaction histories.

****The Role of Ransomware Groups****

These activities are not just happening on hidden websites because **ransomware** groups are now using Telegram to find helpers. One group with approx. 400 members recently advertised a “ransomware portal,” inviting insiders and “access brokers” to help lock down company systems for a share of the profit.

(Source: Check Point Research)

****CrowdStrike’s Insider Incident: A Prime Example of Hiring Insider Threat****

A recent internal security incident at CrowdStrike backs CPR’s findings and how real the insider threat has become. In November 2025, the cybersecurity firm **confirmed** it had terminated an employee after detecting an unauthorised leak of internal information to an external party linked to the Scattered Lapsus Hunters network.

Stopping these attacks is difficult because, as researchers explained in the **blog post**, “when internal staff disable defences,” standard security is often bypassed entirely. To stay safe, experts say companies must monitor the dark web for mentions of their brand and keep a much closer eye on who has access to their most sensitive data.

Insider Threat: Hackers Paying Company Insiders to Bypass Security

CloudSEK found over 2,000 fake sites impersonating Amazon and top brands before Cyber Monday and Black Friday. Learn the key fraud signs now to stay safe.

Shoppers looking for great deals this holiday season need to be extra careful, as a massive operation involving over 2,000 fake online stores has been found, timed perfectly to steal money and personal details during peak sales like Black Friday and Cyber Monday.

Cybersecurity firm CloudSEK recently discovered this huge network and shared its research with Hackread.com. According to CloudSEK’s analysis, these aren’t isolated incidents; they are highly organised operations using identical methods to trick people, making this one of the largest coordinated scam efforts seen this shopping season.

The fake sites were identified by their suspicious resource usage and recurring templates. This operation includes two main groups: one with over 750 interconnected sites, 170 of which impersonate Amazon using uniform banners, flipclock-style urgency timers, and misleading trust symbols. The second group comprises over 1,000 .shop domains impersonating major brands like Apple, Samsung, Dell, Ray-Ban, and Xiaomi.

****How Scammers Are Tricking Customers****

These fake shops look real because scammers have used the same basic tools (phishing kits) to quickly build thousands of similar websites. To rush buyers into purchasing, they use fake countdown timers and urgent messages about low stock.

The sites are linked because they all load their designs from the same shared source, like a digital fingerprint, which allowed CloudSEK to trace these stores back to a single criminal group. The sites are spread through social media ads, search results, and messaging apps like WhatsApp and Telegram

Researchers explain that once a shopper decides to buy, they are sent to a shell checkout page, which looks like a standard payment screen but is actually designed to steal sensitive financial details. For example, the domain amaboxreturns.com redirects payment through another unflagged domain, allowing criminals to complete fraudulent transactions without raising alarms. CloudSEK noted that these payment portals often use a China-based provider for hosting.

Use of fake trust badges, scarcity messaging, and fabricated recent-purchase pop-ups to create urgency, and Checkout pages capture full billing and payment details for financial theft (Source: CloudSEK)

“WHOIS records for georgmat.com indicate hosting through a China-based provider (Alibaba Cloud Computing Ltd.) with registration details listing Guangdong as the administrative state. The geographic mismatch between the infrastructure and the impersonated US retail brands increases suspicion and supports the assessment that the domain is being leveraged as part of a fraudulent, holiday-themed payment redirection scheme,” the blog post reads.

Researchers estimate that with a conversion rate of between 3% to 8% of visitors becoming victims, scammers could potentially earn between $2,000 and $12,000 per fake site before it gets shut down. While some fake domains have been closed, many remain active, becoming fully operational right before big sales events to maximise the number of victims.

“If left unchecked, these scams could cause significant financial losses for consumers and erode trust in global e-commerce during its busiest season,” said Ibrahim Saify, Security Researcher, CloudSEK

****What Shoppers Need to Look Out For****

Finding a deal that is too good to be true is the first sign of a scam. To stay safe, CloudSEK says shoppers should watch out for flashy banners or aggressive messages like “Limited Time!” designed to create panic; domain names that combine a brand name with extra words like safe, fast, or sale (like brandname-safe.shop); missing or fake contact information; and identical layouts across different store names.

If you see any of these warning signs, the safest choice is to avoid the site and verify the deal on the brand’s official website.

Over 2,000 Fake Shopping Sites Spotted Before Cyber Monday

To reduce the number of harmful apps targeting Android users, Google is making some changes.

To reduce the number of harmful apps targeting Android users, Google has announced that certified Android devices will require all apps to be registered by verified developers in order to be installed.

But this new measure is not just about malware that’s found on the Google Play Store, it’s mainly about sideloaded apps (apps downloaded from outside the official Google Play Store).

Since August 31, 2023, apps on the Play Store already were subject to a D-U-N-S (Data Universal Numbering System) number requirement. Google says this has helped reduce the number of cybercriminals exploiting anonymity to distribute malware, commit financial fraud, and steal sensitive data.

To broaden this success, Google intends to start sending out invitations gradually starting October 2025, before opening it up to all developers in March 2026. In September 2026, the requirements go into effect in Brazil, Indonesia, Singapore, and Thailand. At this point, any app installed on a certified Android device in these regions must be registered by a verified developer. The requirements will then be rolled out globally.

This initiative, branded as ‘Developer verification,’ aims to combat the widespread problem of malware from sideloaded apps. Google says its research shows that 50 times more malware comes from sideloaded sources than from Google Play itself.

So, the new rules extend to everyone distributing Android apps, including those hosting them on third-party app stores or offering APK downloads directly. For developers who distribute their apps solely through the Google Play Store there will not be much of a change.

Yet, while legitimate developers will tell you how hard it is to get their apps accepted into the Google Play Store, cybercriminals manage to sneak in their malicious apps anyway.

For a full understanding of the new requirement, we’ll need to explain what “certified Android devices” are.

A definition for a certified Android device is: an Android product—such as a smartphone, tablet, smart TV, or streaming box—that has passed a rigorous series of Google security, compatibility, and performance tests, and is officially approved by Google. Certified devices run an official version of Android and have access to Google apps and the Play Store. Uncertified devices often lack these and may not receive updates or proper security support.

This is important to know because not all Android malware is limited to phones. Take for example, the BadBox botnet which also affects devices like TV streaming boxes, tablets, and smart TVs.

In practice, a certified device encompasses all mainstream devices from Samsung, Xiaomi, Motorola, OnePlus, Oppo, Vivo, and the Google Pixel line.

Reportedly, non-certified devices are those from Huawei, Amazon Fire tablets, and a set of Chinese TV boxes and smartphones that use heavily modified OS images.

Google encourages all developers to sign up for early access as the best way to prepare and stay informed.

>  “Early participants will also get:
> 
> *   An invitation to an exclusive community discussion forum.
> *   Priority support for these new requirements.
> *   The chance to provide feedback and help us shape the experience.”

Whether these controls will be effective largely depends on enforcement and public awareness, but Google feels it marks real progress toward a safer mobile ecosystem. Let us know how you feel about this in the comments.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Developer verification: a promised lift for Android security 

ESET has discovered Spellbinder, a new tool used by the China-linked cyber espionage group TheWizards to conduct AitM…

ESET has discovered Spellbinder, a new tool used by the China-linked cyber espionage group TheWizards to conduct AitM attacks and spread their WizardNet backdoor via manipulated software updates.

A sophisticated cyber espionage operation, linked to China and active since at least 2022, has been exposed by security researchers at ESET. The group dubbed TheWizards by ESET stands out for its innovative method of infiltrating computer networks. Reportedly, it employs a custom tool, named Spellbinder, to conduct adversary-in-the-middle (AitM) attacks, to deliver a sophisticated backdoor dubbed WizardNet by ESET.

ESET’s in-depth analysis, detailed in a recent blog post, reveals that Spellbinder manipulates network traffic via IPv6 SLAAC (stateless address autoconfiguration) spoofing, effectively intercepting legitimate Chinese software updates and redirecting them to attacker-controlled servers to deliver WizardNet.

Attack Method Explained (Source: ESET)

WizardNet is a sophisticated, modular backdoor capable of receiving and executing further malicious modules from a remote C2 server. This allows TheWizards to perform a wide range of malicious activities on compromised systems.

Reportedly, after gaining initial access, attackers deploy a specific archive which, through a process called side-loading, ultimately executes Spellbinder’s malicious code. Spellbinder, evolving since its 2022 analysis, uses WinPcap to capture packets and exploits IPv6’s Network Discovery Protocol by sending crafted ICMPv6 Router Advertisement (RA) messages. T

his tricks victims into using the attacker’s machine as the gateway, enabling traffic interception. It then monitors DNS queries for targeted Chinese platforms like Tencent, Baidu, and Xiaomi, generating fake DNS responses and directing victims to attacker-controlled IPs (e.g., 43.155.1167 in 2022, 43.155.6254 in 2024) serving malicious updates.

A notable instance involved hijacking legitimate update requests for Tencent QQ software by Spellbinder in 2024, directing the software to download a malicious archive from the attacker’s server. This archive contained a harmful component that, upon execution, installed the WizardNet backdoor.

ESET’s telemetry indicates that TheWizards have been actively targeting entities in the Philippines, Cambodia, the United Arab Emirates, mainland China, and Hong Kong. The targets range from individuals to gambling companies and other currently unknown entities.

The initial discovery involved Sogou Pinyin (a widely used Chinese input method software) downloading WizardNet. This follows a pattern of abuse targeting Sogou Pinyin’s update process. In January 2024, as detailed by ESET, the hacking group Blackwood utilized this method to deploy an implant named NSPX30.

Furthermore, earlier in 2025, the Slovak cybersecurity firm revealed another threat group known as PlushDaemon that also leveraged the same technique to distribute a custom downloader called LittleDaemon.

As detailed in their report, researchers observed potential links between TheWizards and a Chinese company Sichuan Dianke Network Security Technology (UPSEC) through the analysis of the Android malware DarkNights (DarkNimbus).

Despite TheWizards primarily using WizardNet on Windows, their infrastructure served DarkNights as a malicious update for Android Tencent QQ.

Such sophisticated manipulation of trusted update mechanisms highlights the persistent and evolving threat from state-aligned cyber espionage and the ongoing need for improving security measures and caution against these threats.

Chinese Group TheWizards Exploits IPv6 to Drop WizardNet Backdoor

PRESS RELEASE

LONDON, Jan. 20, 2025 /PRNewswire/ -- A new survey from Omdia reveals that phishing scams are the leading security threat for smartphone users, with 24% of respondents reporting they have fallen victim to these attacks. Phishing, which includes fraudulent texts, emails, or calls designed to trick individuals into revealing sensitive personal information, remains a significant concern as cybercriminals continue to exploit unsuspecting consumers.

Omdia surveyed 1,572 consumers across the Americas, Asia & Oceania, and Europe in October 2024 for the fourth annual Omdia Mobile Device Security Scorecard. The survey found that the next most common security issue was malware and viruses, followed by physical theft, such as pickpocketing, mugging, or snatching.

In Omdia's recent assessment of leading premium smartphones, Google's Pixel 9 Pro and Samsung's Galaxy S24 outperformed Apple's iPhone 16 Pro and other Android-based devices, including the OnePlus 12, Xiaomi 14, and Honor Magic 6 Pro. Anti-phishing protection proved to be a weak spot across all devices, as none successfully intercepted all phishing texts, calls and emails.  

Simulated spam calls revealed that all Android devices from Google, Xiaomi, OnePlus, Honor, and Samsung successfully flagged suspected spam calls before users answered, while the iPhone 16 Pro lacked similar voice call protection. 

None of the tested devices fully No device flagged simulated phishing emails from Gmail as phishing, only identifying them as spam when sent from Google's SMTP. 

Despite gaps in detecting phishing texts and emails, devices with Google Safe Browsing protections successfully blocked the link from opening, displaying a warning screen and requiring user confirmation to proceed. Performance across browsers varied significantly: Samsung Internet effectively blocked most links, including advanced custom URLs, while Xiaomi Mii and OnePlus Internet browsers failed to warn users about known malicious links, underscoring inconsistencies in Android device's security.

"The lack of security protection, particularly against the growing threat of phishing attacks, is eroding consumer trust," said Omdia Senior Analyst, Aaron West. "When consumers were asked if their trust following a security issue increased (due to how well the issue was handled) or decreased, 73% reported they had reduced trust in the smartphone brand and operating system developer."  

"Despite the latest protections in place by some manufacturers, it is difficult to protect 100% against phishing attempts, highlighting the severity of the issue and potential impact to consumers. That said, smartphone manufacturers can (demonstrated by the more advanced phishing protection capabilities available) and should have a better baseline of phishing protection – such as voice call protection, and all Android devices making use of Google's Safe Browsing protections," said Hollie Hennessy, Principal Analyst, Omdia. "This needs to be paired with awareness activity from manufacturers and the wider industry to help consumers be vigilant and prepared".

ABOUT OMDIA

Omdia, part of Informa TechTarget, Inc. (Nasdaq: TTGT), is a technology research and advisory group. Our deep knowledge of tech markets combined with our actionable insights empower organizations to make smart growth decisions.

Omdia Finds Phishing Attacks Top Smartphone Security Concern for Consumers

New hands-on testing results show that most devices are unable to catch phishing emails, texts, or calls, leaving users at risk.

Source: Thomas Bethge via Alamy Stock Photo

Highlights:

*   Consumer survey shows that the most common security issues are phishing attacks, such as text or emails seeking personal information, as well as malware and physical theft. 
    

*   Hands-on device testing shows that Samsung S24 offers the best anti-phishing protection, while the Google Pixel 9 Pro leads in many other areas. 
    

*   The iPhone 16 Pro and other premium Android smartphones from Honor, Xiaomi, and OnePlus lack security features and protections. 
    

COMMENTARY  
New research from Omdia shows that the security capabilities on several of the latest consumer smartphones, including top devices from Apple, Google, and Samsung, fail to detect several types of common phishing attacks.

As part of the fourth-annual Omdia Mobile Device Security Scorecard, Omdia surveyed 1,572 consumers across 13 major countries in the Americas, Asia and Oceania, and Europe, in October 2024. This survey covered the demographics of smartphone users, their security concerns and attitudes, their perception of the most common security threats, and the key smartphone purchasing drivers.

Consumers reported that the most common security issue they encountered was phishing scams and attacks (texts, emails or calls which use false pretenses to try to get the target to give away valuable personal information), with 24% reporting to have experienced phishing. 

Omdia also asked consumers to rate how important various security features were, with anti-phishing having the largest net-importance rating. In fact, over the four years Omdia has conducted its Mobile Device Security Scorecard research, anti-phishing has been rising in importance. This is no surprise, as phishing not only becomes more common, but also as consumers become more familiar with the attacks and the potential for personal information theft or financial loss. 

The next most common security issue was malware and viruses. The third most common was physical theft, such as pickpocketing, mugging or snatching. 

**Mobile Device Security Testing Results**

For each of these security issues, Omdia tested leading premium smartphones to determine availability and effectiveness of security features and capabilities. Google's Pixel 9 Pro and Samsung's Galaxy S24 both scored highly, ahead of Apple's iPhone 16 Pro and other leading Android-based devices, including the OnePlus 12, Xiaomi 14, and Honor Magic 6 Pro.

Despite the importance consumers place on phishing prevention on mobile devices, the anti-phishing features failed to some degree on every device Omdia tested. No device caught all the attempted phishing texts, calls, and emails initiated as part of the testing.  

Several of the devices did catch simulated spam calls: All Android devices from Google, Xiaomi, OnePlus, Honor, and Samsung, which have voice call protection, flagged suspected spam calls before the recipient could answer the call. The iPhone 16 Pro, however, did not have the same protections and did not catch the simulated spam call. 

Text messages with malicious short links were sent from an unknown number and sender ID, but these were not successfully caught by the test devices. Simulated phishing emails were sent from both Gmail and Google's Mail Delivery subsystem, but no device caught the phishing emails from Gmail; the messages were only identified as spam when sent from Google's SMTP. 

Despite not all phishing texts and emails being caught, once malicious links were opened on the devices, those that use Google Safe Browsing protections successfully blocked the link from opening. A warning screen was raised, forcing the user to bypass it to proceed.

Yet not all Android devices performed similarly: Samsung Internet blocked most links except the more sophisticated custom URLs, while the Xiaomi Mii and OnePlus Internet browsers failed to warn the user even when loading known malicious links. 

In previous years' testing, smartphones have been able to detect and successfully block or warn against the attempted phish. However, the difference year-on-year showcases the ever-changing nature of threats.

**Lack of Mobile Security Impacts Consumer Trust**

The lack of effective security protections on mobile devices, particularly against the growing threat of phishing attacks, is eroding consumer trust.

When Omdia asked consumers if their trust following a security issue increased (due to how well the issue was handled) or decreased, 73% reported they had reduced trust in the smartphone brand and operating system developer. 

Despite some manufacturers' efforts to ensure the latest mobile device security protections are in place, Omdia notes that it is difficult to protect against 100% of phishing attempts. This highlights the severity of the issue and potential impact to consumers.

That said, Omdia asserts that smartphone manufacturers can (demonstrated by the more advanced phishing protection capabilities on the market) and should have more effective baseline phishing protection in place — such as voice call protection, and all Android devices making use of Google’s Safe Browsing protections. 

Omdia sees the value in the phishing protection features implemented by the leading smartphone vendors, and how this can help to protect consumers — at least in most instances, based on Omdia's latest round of testing.

However, these features need to be paired with awareness activity from manufacturers, as well as the wider industry, to help consumers be vigilant and prepared for the instance when a security threat evades a protection mechanism. Such awareness adds an important additional layer of protection against the rising number of scams targeting consumers through their mobile devices.

**About the Authors**

Principal Analyst, IoT Cybersecurity, Omdia

Hollie works as a Principal Analyst within the Omdia team, providing insight into the fascinating and fast-moving domain of IoT Cybersecurity.

Hollie has a range of experience in research. She began her career in the legal sector, writing and researching for expert witness reports on the labour market. She then moved into product testing, with a consumer protection focus. In this role she was responsible for managing comparative tests of various tech products, as well as regular testing and investigative work into the security of these products.

She has published various articles for Which?, the UK's largest consumer organisation and one of the largest subscription magazines, and Computing magazine.

Senior Analyst, Smartphones, Omdia

Aaron West provides expertise and analysis of the smartphone market, joining Omdia in 2022. His areas of reporting include the active smartphone installed base, eSIM development, mmWave 5G, sustainability, and the foldable smartphone market.

Aaron has a range of research and publishing experience. He graduated with a degree in theoretical physics before moving into consumer product testing, with a focus on sustainability and the environment.

In this role, he was responsible for research project management, including comparative testing of technology products and consumer surveys. He also reported on the energy efficiency and longevity of home appliances, as well as the product lifecycle and obsolescence of smartphones.

Phishing Attacks Are the Most Common Smartphone Security Issue for Consumers

Austrian privacy non-profit None of Your Business (noyb) has filed complaints accusing companies like TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi of violating data protection regulations in the European Union by unlawfully transferring users' data to China.
The advocacy group is seeking an immediate suspension of such transfers, stating the companies in question cannot shield user data

European Privacy Group Sues TikTok and AliExpress for Illicit Data Transfers to China

From "spying" air fryers to 3 million rogue toothbrushes, here are the strangest stories about internet-connected home goods in 2024.

The holidays are upon us, which means now is the perfect time for gratitude, warmth, and—because modern society has thrust it upon us—gift buying.

It’s Bluey and dig kits and LEGOs for kids, Fortnite and AirPods and backpacks for tweens, and, for an adult you particularly love, it’s televisions, air fryers, e-readers, vacuums, dog-feeders, and more, which all seemingly require a mobile app to function.

“The Internet of Things” is the now-accepted term to describe countless home products that connect to the internet so that they can be controlled and monitored from a mobile app or from a web browser on your computer. The benefits are obvious for shoppers. Thermostats can be turned off during vacation, home doorbells can be answered while at work, and gaming consoles can download videogames as children sleep on Christmas Eve.

And while some of these internet-connected smart devices can sound a little dumb—cue the $400 “smart juicer” that a Bloomberg reporter outperformed with her bare hands—there are legitimate cybersecurity risks at hand. Capable of collecting data and connecting to the internet, smart devices can also fall victim to leaking that data to hackers online.

As we enter the new year, Malwarebytes Labs is looking back at some of the strangest, scariest, and most dumbfounding smart device stories this past year. Read on and enjoy.

****The million-car track hack****

The latest vehicles filling up the local car lot might not strike you as “smart devices,” but upon closer inspection, these cars, SUVs, trucks, and minivans absolutely are. Replete with cameras and sensors that can track location, speed, distance travelled, seatbelt use, and even a driver’s eye movements, modern vehicles are, as many have described them, “smartphones on wheels.”

For years, the cybersecurity of these particularly mobile mobiles (sorry) was passable.

When a group of security researchers hacked into a Jeep Cherokee’s steering and braking systems in 2014, they were building off earlier research that required the hacker’s laptop to be physically connected to the Jeep itself—a comforting reality when imagining shadowy cybercriminals wresting control from a driver while sat behind a computer console hundreds of miles away. And while the security researchers were able to eventually hack the Jeep Cherokee without a physical connection, the work involved was still robust.

But early this year, a separate group of security researchers revealed that they could remotely lock, unlock, start, turn off, and geolocate more than a million Kia vehicles by knowing nothing more than the vehicle’s license plate number. The researchers could also activate a vehicle’s horn, lights, and camera.

The vulnerability wasn’t in the vehicles themselves, but in Kia’s online infrastructure (Kia fixed the vulnerability before the researchers published their findings).

In short, the researchers posed as Kia _dealers_ when using an online Kia web portal and, by entering the Vehicle Identification Number—which could be revealed separately through license plate numbers—they could assign certain features like remote start and geolocation to a new account, which the security researchers controlled.

While the vulnerability did not provide access to any of the vehicles’ steering systems or acceleration or braking, it still posed an enormous privacy and security risk, said researcher Sam Curry in speaking to the outlet Wired:

> “If someone cut you off in traffic, you could scan their license plate and then know where they were whenever you wanted and break into their car. If we hadn’t brought this to Kia’s attention, anybody who could query someone’s license plate could essentially stalk them.”

****Whispering sweet nothings into your air fryer****

There’s a modern urban legend that our smartphones listen to our in-person conversations to deliver eerily relevant ads, and while there’s no proof this is true, there are certainly a few stories that raise nearby suspicions.

Take, for instance, the case of the nosy air fryers.

On November 5, a UK consumer rights group named “Which?” published research into several categories of smart devices—TVs, smart watches, etc.—and what they discovered about three models of air fryers surprised many.

In testing the Xiaomi Mi Smart Air Fryer, the Cosori CAF-LI401S, and the self-titled Aigostar, the researchers discovered that the associated air fryer mobile apps for Android requested a startling amount of information:

> “\[As\] well as knowing customers’ precise location, all three products wanted permission to record audio on the user’s phone, for no specified reason.”

The connected app for the Xiaomi air fryer “connected to trackers from Facebook, Pangle (the ad network of TikTok for Business), and Chinese tech giant Tencent (depending on the location of the user).” When creating an account for the Aigostar air fryer, the connected app asked users to divulge their gender and date of birth, without stating why that was necessary. The request, however, could be declined. The Aigostar app, like the Xiaomi app, sent personal data to servers in China, but this data sharing practice was clarified in the companies’ privacy policies, the researchers wrote.

The companies in the report pushed back on the characterizations from Which?, with a Xiaomi representative clarifying that “the permission to record audio on Xiaomi Home app is not applicable to Xiaomi Smart Air Fryer which does not operate directly through voice commands and video chat.” A representative for Cosori expressed frustration that the researchers at Which? did not share “specific test reports” with the company, as well.

The truth, then, may be somewhere in the middle. The air fryer mobile apps in question may request more information than necessary to function, but that could also be because the apps are trying to service the needs of many different types of products all at once.

****A toothbrush tall tale****

Let’s play a game of telephone: A Swiss newspaper interviews a cybersecurity expert about a _hypothetical_ cyberattack and, days later, dozens of news outlets report that hypothetical as the truth.

This story did happen, and it would be far more disturbing if it wasn’t also tinged with a hint of humor, and that’s because the tall-tale-turned-“truth” involved a massive cyberattack launched by… toothbrushes.

In February, a Swiss newspaper article included an anecdote about a “Distributed Denial-of-Service” attack, or DDoS attack. DDoS attacks involve sending loads of connection requests (like regular internet traffic) to a certain webpage as a way to briefly overwhelm that web page and take it down. But the interesting thing about DDoS attacks is that they don’t require a laptop or a smartphone to make those requests—all they need is a device that can connect to the internet.

In the Swiss newspaper’s account, those devices were 3 million toothbrushes. Translated from the article’s original language in German, it read:

> “She’s at home in the bathroom, but she’s part of a large-scale cyberattack. The electric toothbrush is programmed with Java, and criminals have, unnoticed, installed malware on it—like on 3 million other toothbrushes. One command is enough and the remote-controlled toothbrushes simultaneously access the website of a Swiss company. The site collapses and is paralyzed for four hours. Millions of dollars in damage is caused.”

The article, which noted that the whole scenario could’ve been ripped out of “Hollywood,” contextualized why the attack was so scary: It “actually happened.”

But it most assuredly had not.

The article had no details about the attack, so there was no company named, no toothbrush model specified, and no response from any organization. But none of that mattered as countless news outlets aggregated the original article, because what _did_ matter was the virality of the whole affair. There was a device that seemingly everyone agreed had no reason to connect to the internet, and—would you look at that—it led to major consequences.

In reality, the consequences were to the truth.

This holiday season, let’s do better than the silliest, most needless IoT devices, and let’s connect to what matters instead.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Connected contraptions cause conniption for 2024 

A free VPN app called Big Mama is selling access to people’s home internet networks. Kids are using it to cheat in a VR game while researchers warn of bigger security risks.

In the hit virtual reality game _Gorilla Tag_, you swing your arms to pull your primate character around—clambering through virtual worlds, climbing up trees and, above all, trying to avoid an infectious mob of other gamers. If you’re caught, you join the horde. However, some kids playing the game claim to have found a way to cheat and easily “tag” opponents.

Over the past year, teenagers have produced video tutorials showing how to side-load a virtual private network (VPN) onto Meta’s virtual reality headsets and use the location-changing technology to get ahead in the game. Using a VPN, according to the tutorials, introduces a delay that makes it easier to sneak up and tag other players.

While the workaround is likely to be an annoying but relatively harmless bit of in-game cheating, there’s a catch. The free VPN app that the video tutorials point to, Big Mama VPN, is also selling access to its users’ home internet connections—with buyers essentially piggybacking on the VR headset’s IP address to hide their own online activity.

This technique of rerouting traffic, which is best known as a residential proxy and more commonly happens through phones, has become increasingly popular with cybercriminals who use proxy networks to conduct cyberattacks and use botnets. While the Big Mama VPN works as it is supposed to, the company’s associated proxy services have been heavily touted on cybercrime forums and publicly linked to at least one cyberattack.

Researchers at cybersecurity company Trend Micro first spotted Meta’s VR headsets appearing in its threat intelligence residential proxy data earlier this year, before tracking down that teenagers were using Big Mama to play _Gorilla Tag_. An unpublished analysis that Trend Micro shared with WIRED says its data shows that the VR headsets were the third most popular devices using the Big Mama VPN app, after devices from Samsung and Xiaomi.

“If you’ve downloaded it, there’s a very high likelihood that your device is for sale in the marketplace for Big Mama,” says Stephen Hilt, a senior threat researcher at Trend Micro. Hilt says that while Big Mama VPN may be being used because it is free, doesn’t require users to create an account, and apparently doesn’t have any data limits, security researchers have long warned that using free VPNs can open people up to privacy and security risks.

These risks may be amplified when that app is linked to a residential proxy. Proxies can “allow people with malicious intent to use your internet connection to potentially use it for their attacks, meaning that your device and your home IP address may be involved in a cyberattack against a corporation or a nation state,” Hilt says.

"Gorilla Tag is a place to have fun with your friends and be playful and creative—anything that disturbs that is not cool with us,” a spokesperson for Gorilla Tag creator Another Axiom says, adding they use “anti-cheat mechanisms” to detect suspicious behavior. Meta did not respond to a request for comment about VPNs being side-loaded onto its headsets.

**Proxies Rising**

Big Mama is made up of two parts: There’s the free VPN app, which is available on the Google Play store for Android devices and has been downloaded more than 1 million times. Then there’s the Big Mama Proxy Network, which allows people (among other options) to buy shared access to “real” 4G and home Wi-Fi IP addresses for as little as 40 cents for 24 hours.

Vincent Hinderer, a cyber threat intelligence team manager who has researched the wider residential proxy market at Orange Cyberdefense, says there are various scenarios where residential proxies are used, both for people who are having traffic routed through their devices and also those buying and selling proxy services. “It’s sometimes a gray zone legally and ethically,” Hinderer says.

For proxy networks, Hinderer says, one end of the spectrum is where networks could be used as a way for companies to scrape pricing details from their competitors' websites. Other uses can include ad verification or people scalping sneakers during sales. They may be considered ethically murky but not necessarily illegal.

At the other end of the scale, according to Orange’s research, residential proxy networks have broadly been used for cyber espionage by Russian hackers, in social engineering efforts, as part of DDoS attacks, phishing, botnets, and more. “We have cybercriminals using them knowingly,” Hinderer says of residential proxy networks generally, with Orange Cyberdefense having frequently seen proxy traffic in logs linked to cyberattacks it has investigated. Orange’s research did not specifically look at uses of Big Mama's services.

Some people can consent to having their devices used in proxy networks and be paid for their connections, Hinderer says, while others may be included because they agreed to it in a service’s terms and conditions—something research has long shown people don’t often read or understand.

Big Mama doesn’t make it a secret that people who use its VPN will have other traffic routed through their networks. Within the app it says it “may transport other customer’s traffic through” the device that’s connected to the VPN, while it is also mentioned in the terms of use and on a FAQ page about how the app is free.

The Big Mama Network page advertises its proxies as being available to be used for ad verification, buying online tickets, price comparison, web scraping, SEO, and a host of other use cases. When a user signs up, they’re shown a list of locations proxy devices are located in, their internet service provider, and how much each connection costs.

This marketplace, at the time of writing, lists 21,000 IP addresses for sale in the United Arab Emirates, 4,000 in the US, and tens to hundreds of other IP addresses in a host of other countries. Payments can only be made in cryptocurrency. Its terms of service say the network is only provided for “legal purposes,” and people using it for fraud or other illicit activities will be banned.

Despite this, cybercriminals appear to have taken a keen interest in the service. Trend Micro’s analysis claims Big Mama has been regularly promoted on underground forums where cybercriminals discuss buying tools for malicious purposes. The posts started in 2020. Similarly, Israeli security firm Kela has found more than 1,000 posts relating to the Big Mama proxy network across 40 different forums and Telegram channels.

Kela’s analysis, shared with WIRED, shows accounts called “bigmama\_network” and “bigmama” posted across at least 10 forums, including cybercrime forums such as WWHClub, Exploit, and Carder. The ads list prices, free trials, and the Telegram and other contact details of Big Mama.

It is unclear who made these posts, and Big Mama tells WIRED that it does not advertise.

Posts from these accounts also said, among other things, that “anonymous” bitcoin payments are available. The majority of the posts, Kela’s analysis says, were made by the accounts around 2020 and 2021. Although, an account called “bigmama\_network” has been posting on the clearweb Blackhat World SEO forum until October this year, where it has claimed its Telegram account has been deleted multiple times.

In other posts during the last year, according to the Kela analysis, cybercrime forum users have recommended Big Mama or shared tips about the configurations people should use. In April this year, security company Cisco Talos said it had seen traffic from the Big Mama Proxy, alongside other proxies, being used by attackers trying to brute force their way into a variety of company systems.

**Mixed Messages**

Big Mama has few details about its ownership or leadership on its website. The company’s terms of service say that a business called BigMama SRL is registered in Romania, although a previous version of its website from 2022, and at least one live page now, lists a legal address for BigMama LLC in Wyoming. The US-based business was dissolved in April and is now listed as inactive, according to the Wyoming Secretary of State’s website.

A person using the name Alex A responded to an email from WIRED about how Big Mama operates. In the email, they say that information about free users’ connections being sold to third parties through the Big Mama Network is “duplicated on the app market and in the application itself several times,” and people have to accept the terms of conditions to use the VPN. They say the Big Mama VPN is officially only available from the Google Play Store.

“We do not advertise and have never advertised our services on the forums you have mentioned,” the email says. They say they were not aware of the April findings from Talos about its network being used as part of a cyberattack. “We do block spam, DDOS, SSH as well as local network etc. We log user activity to cooperate with law enforcement agencies,” the email says.

The Alex A persona asked WIRED to send it more details about the adverts on cybercrime forums, details about the Talos findings, and information about teenagers using Big Mama on Oculus devices, saying they would be “happy” to answer further questions. However, they did not respond to any further emails with additional details about the research findings and questions about their security measures, whether they believe someone was impersonating Big Mama to post on cybercrime forums, the identity of Alex A, or who runs the company.

During its analysis, Trend Micro’s Hilt says that the company also found a security vulnerability within the Big Mama VPN, which could have allowed a proxy user to access someone’s local network if exploited. The company says it reported the flaw to Big Mama, which fixed it within a week, a detail Alex A confirmed.

Ultimately, Hilt says, there are potential risks whenever anyone downloads and uses a free VPN. “All free VPNs come with a trade-off of privacy or security concerns,” he says. That applies to people side-loading them onto their VR headsets. “If you’re downloading applications from the internet that aren't from the official stores, there’s always the inherent risk that it isn’t what you think it is. And that comes true even with Oculus devices.”

This VPN Lets Anyone Use Your Internet Connection. What Could Go Wrong?

Consumer group Which? found privacy issues in connected air fryers. How smart do we want and need our appliances to be?

Consumer group Which? has warned shoppers to be selective when it comes to buying smart air fryers from Xiaomi, Cosori, and Aigostar.

We’ve learned to expect that “smart” appliances come with privacy risks—toothbrushes aside—but I really hadn’t given my air fryer any thought. Now things are about to change.

You don’t need to worry about the air fryers sending reports about your eating habits to your healthcare provider just yet. But according to Which?, the air fryers’ associated phone apps wanted to know customers’ precise locations, as well as permission to record audio on the user’s phone.

The researchers also found evidence that the Aigostar and Xiaomi fryers both sent people’s personal data to servers in China. This was specified in the privacy notice, but we know not everyone reads a privacy notice.

When buying any kind of smart device, it’s worth doing these things:

*   **Question the permissions an app asks for on your phone**. Does it serve a purpose for you, the user, or is it just some vendor being nosy?
*   **Read the privacy policy**. The vendors are counting on it that you won’t but there are times that privacy policies are very revealing.
*   **Ask yourself if the appliance needs to be smart**. What’s in it for you, and what’s the price you’re going to pay?

An easy solution is not to install the app, and don’t provide manufacturers with personal data they do not need to know. They may need your name for the warranty, but your gender, age, and—most of the time—your address isn’t needed.

You shouldn’t be surprised to find out that appliances that are activated by voice commands are listening to you. How else do you expect them to know you are giving them an order?

It’s what they do with the information and how well they are secured against abuse by third parties that we should be concerned with.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Tag

#xiaomi