Malware Bytes

Claude for Chrome flaw could let rogue extensions access your Gmail

Malware Bytes Security - 7 hours 13 min ago

First reported in May, ClaudeBleed is basically a “fake remote control” problem. A sneaky browser extension can pretend to be Claude’s own website and secretly drive the Claude for Chrome extension to read your data and take action in your accounts.

The Claude for Chrome browser extension is an assistant that has the user’s permission to access services like Gmail or Google Drive when you ask it to. ClaudeBleed happens because the extension can’t reliably tell the difference between the user asking for help and a malicious script asking on their behalf.

So instead of you clicking a button to say “Claude, read this email,” a rogue extension can whisper the same request behind your back, and Claude obliges. Or it can have Claude draft or send an email in your name.

Once a malicious extension can send commands to Claude as if it were you, it can:

  • Ask Claude to read your Gmail, fetch Google Drive files, or clone private GitHub repositories, depending on what tools Claude for Chrome exposes.
  • Have Claude send emails or manipulate documents under your logged‑in session, with no obvious indication that the request didn’t come from you.
  • Leave you seeing only a normal‑looking Claude interaction or brief permission prompt, while the real driver is the rogue extension running in the background.

Anthropic acknowledged the researchers’ reports the next day, then closed both of them as resolved. But according to the researchers, while Anthropic’s fix addressed some symptoms, it left the fundamental privilege handoff and agency controls brittle. For example, an allowlist patch changed what could be asked, but not who could ask it.

After examining the latest version of Claude for Chrome, Manifold Security wrote:

“Eight Claude for Chrome releases later, the bypass is still six lines of JavaScript. We reported it to Anthropic in May. The code is unchanged in the latest version.”

How to stay safe

Users should remember that Claude for Chrome is still officially in beta before trusting it to perform tasks automatically. Some pointers:

  • Turn off Act without asking in Claude for Chrome. This removes the assistant’s ability to perform actions without your approval, making it much harder for a rogue extension to abuse its permissions.
  • Review your Chrome extensions and remove anything you don’t fully trust. Any extension that can run scripts on claude.ai may be able to trigger Claude’s tasks, so keep your extension list as small as possible. If you don’t recognize or use an extension, remove it.
  • Be cautious about giving AI browser assistants access to sensitive accounts like Gmail, Google Docs, and Google Calendar. Limiting which services the assistant can access reduces your exposure if something goes wrong.
  • Until Anthropic ships a more comprehensive fix, consider disabling Claude for Chrome on systems where you handle sensitive mail, documents, or business accounts.

Stop threats before they can do any harm.

Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. Add it to your browser →

Categories: Malware Bytes

July 2026 Patch Tuesday fixes 622 Microsoft CVEs, including three zero-days

Malware Bytes Security - 9 hours 18 min ago

Just one month ago, June 2026 Patch Tuesday broke Microsoft’s previous record with 206 CVEs and three zero‑days. July now triples that count, reinforcing that the era of “small” Patch Tuesdays may be over as AI‑driven vulnerability discovery ramps up.

The update includes 59 critical vulnerabilities, as well as three publicly disclosed zero-days. Microsoft classifies these as zero-days because information about the vulnerabilities became public before patches were available. Two are known to be actively exploited by attackers.

How to apply patches and check if you’re protected

These updates fix security problems and keep your Windows PC protected. Here’s how to make sure you’re up to date:

1. Open Settings

  • Click the Start button, then open Settings.

2. Go to Windows Update

  • Select Windows Update (usually at the bottom of the menu on the left).

3. Check for updates

  • Click Check for updates. Windows will search for the latest security updates.
  • If you’ve enabled Get the latest updates as soon as they’re available under More options, you may be prompted to restart immediately. If so, restart your computer to complete the update. Otherwise, continue to the next step.

4. Download and install

  • If updates are available, they’ll start downloading automatically. When they’re ready, click Install or Restart now if prompted. Your computer may need a restart to finish the update.

5. Double-check you’re up to date

  • After restarting, go back to Windows Update and check again. If it says You’re up to date, you’re all set.
Technical details

Let’s look at the three zero-days.

First is a Windows BitLocker security feature bypass vulnerability, tracked as CVE-2026-50661. It is not known to be actively exploited. Microsoft describes it as:

“Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.”

In other words, even if you’ve encrypted your machine with BitLocker, an attacker could exploit this vulnerability to access your data if they have physical access to your computer.

Next is the actively exploited CVE-2026-56155, an Active Directory Federation Services (ADFS) elevation of privilege (EoP) vulnerability. ADFS is a Microsoft software component that provides single sign-on (SSO) and federated access. It acts as a trust broker between an organization’s Active Directory and applications. An attacker who successfully exploited this vulnerability could gain administrator privileges. Reportedly, Microsoft discovered the vulnerability while investigating active attacks.

Last but not least is CVE-2026-56164, a Microsoft SharePoint Server elevation of privilege vulnerability. SharePoint Server is the on-premises version of Microsoft’s web-based collaboration and document management platform. A missing authentication check in Microsoft Office SharePoint could allow an attacker to elevate privileges over a network.

Both actively exploited vulnerabilities have been added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog, which sets patch deadlines for Federal Civilian Executive Branch (FCEB) agencies. CISA has also urged organizations using SharePoint Server to implement hardening measures after the latest exploitations.

“One of the best cybersecurity suites on the planet.” 

According to CNET. Read their review

Categories: Malware Bytes

This fake Apple app can unlock your Mac’s password vault

Malware Bytes Security - 12 hours 57 min ago

CrashStealer is a new macOS infostealer that masquerades as Apple’s CrashReporter component, uses an Apple‑notarized installer to slip past Gatekeeper, tricks users into handing over their password, and then systematically loots browsers, password managers, crypto wallets, and Keychain secrets before exfiltrating them in AES‑encrypted bundles.

Researchers have been following the development of CrashStealer since May 2026. It impersonates Apple’s CrashReporter component by taking the name CrashReporter.app. It also creates a LaunchAgent named com.apple.crashreporter.helper and uses the legitimate tool’s icon and metadata to look as trustworthy as possible.

Gatekeeper, basically macOS’s bouncer at the door, checks whether an app looks safe before letting it run. By using a notarized installer—one that Apple has scanned and stamped as acceptable—Gatekeeper is more likely to let it through without raising alarms. Getting notarized doesn’t mean Apple intentionally approved the malware. It means the installer passed Apple’s automated checks, and the attackers abused that trust.

The notarized installer, called “Werkbit Setup” is distributed from a fake software site registered in late June and gated behind a meeting PIN (Personal Identification Number), suggesting a targeted, invitation‑only campaign.

When launched, the malware displays a fake macOS password prompt that users will expect to see when running a legitimate system operation requiring administrator privileges. In reality, the malware uses that password to unlock the user’s Keychain, which stores passwords and other sensitive data in macOS’s encrypted password vault.

Image courtesy of Jamf Labs

The malware then steals browser credentials and cookies, cryptocurrency wallet extensions, password manager data, and small files from common user directories. The stolen data is encrypted and sent to a command and control (C2) server.

CrashStealer is a reminder that macOS is firmly in the sights of credential‑stealing operations. Notarization and Gatekeeper reduce many classes of risk, but they do not remove the need for layered defenses, cautious user behavior, and ongoing threat monitoring.

How to stay safe

There are a few things you can do to protection yourself from CrashStealer and other infostealers.

  • Be skeptical of “CrashReporter” downloads. Apple’s crash‑reporting tools ship with macOS, so you should never need to download a separate CrashReporter app from a third‑party site.
  • Treat PIN‑gated installers with caution. If a meeting invite or collaboration tool requires you to download software from an unfamiliar domain and enter a private PIN to unlock the installer, verify the request with the organizer through a separate trusted channel.
  • Treat a password request that appears immediately after launching a new or unfamiliar app—especially one claiming to be a system component—as a red flag.
  • Use reputable security software that supports macOS. Keep it, and macOS itself, up to date.
  • Separate your risk. Avoid keeping high‑value crypto wallets, password vaults, and everyday browsing credentials on the same machine and user profile wherever possible.

Malwarebytes detects CrashStealer as MacOS.Stealer.Crash.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Categories: Malware Bytes

Warning: Scammers are using FaceTime to empty bank accounts

Malware Bytes Security - Tue, 07/14/2026 - 7:09am

Apple is urging users to treat any suspicious FaceTime call or message as untrusted, especially if it involves payments, refunds, password resets, or requests for personal information.

This warning appears in a broader Apple support article about scams that target iPhone and iPad users through social engineering. Apple says attackers may contact people by phone calls, FaceTime, text messages, or emails while pretending to represent a trusted organization.

The advice comes as many users still delay installing security updates, leaving them exposed even after Apple has released security patches.

Over recent months, we’ve seen a familiar pattern: attackers combine convincing Apple‑branded social engineering with known iOS vulnerabilities, then profit from the gap between “patch available” and “patch installed.”

Criminals have been reported making unsolicited FaceTime calls that look like they come from “Apple Support” or a bank, alongside messages disguised as urgent account alerts or refund offers. Once the victim answers or replies, the script is pretty much standard:

  • The caller claims there is fraudulent activity or a technical problem.
  • They pressure the user to “verify” card details, online banking credentials, or Apple ID information.
  • In some cases, they persuade the victim to install remote‑access software or share one‑time passcodes.

Nothing in this process requires malware on the device. The “exploit” is human trust, backed by familiar names, logos, and a real‑time call that feels inherently more legitimate than a text message. That makes FaceTime a useful delivery channel for social engineering, especially since users are used to seeing Apple notifications and support prompts elsewhere in their digital life.

From an attacker’s point of view, combining social engineering with vulnerabilities is attractive. Social engineering can steal your usernames and passwords, while a browser‑side exploit can silently execute malicious code when users visit a booby‑trapped site. Chain those attacks together and the attacker can move from app‑level compromise to full system control. That’s how campaigns like DarkSword operate.

How to stay safe

Apple’s advice is straightforward:

  • Don’t trust unexpected calls or texts.
  • Never share sensitive information over unsolicited contact.
  • Keep your iPhone updated to the latest iOS version.

We’d add:

  • Protect your devices with an up-to-date, real-time security solution.
  • Contact companies directly through trusted channels. Don’t use contact details provided in an email, text message, or call.
  • Use Malwarebytes Scam Guard to determine whether a message is likely to be a scam.
  • Be especially suspicious of unexpected FaceTime calls claiming to be from your bank or Apple. These organizations are unlikely to use FaceTime to contact you about serious account issues.

Apple also asks users to report suspicious FaceTime calls:

“If you receive a suspicious FaceTime call (for example, from what looks like a bank or financial institution), email a screenshot of the call information to reportfacetimefraud@apple.com.”

How to update your iPhone or iPad

To check whether you’re running the latest version of iOS or iPadOS:

  • Go to Settings > General > Software Update. If an update is available, you’ll be able to download and install it from there.
  • Turn on Automatic Updates if you haven’t already. You’ll find it on the same screen. That way, your device can install important security updates as soon as they’re available.

Scammers know more about you than you think. 

Malwarebytes Mobile Security protects you from phishing, scam texts, malicious sites, and more. With real-time AI-powered Scam Guard built right in. 

Download for iOS → Download for Android → 

Categories: Malware Bytes

The inside job that cost ransomware victims millions

Malware Bytes Security - Tue, 07/14/2026 - 5:26am

When a ransomware crew locks up your servers, the outside negotiator you hire has to know everything about you so that they can negotiate a smaller ransom payment. You tell them what your cyber-insurance covers and what your board is willing to pay. You have to. That’s the whole reason you hire one.

But what if your trusted negotiator is a crook?

Angelo Martino, a 41-year-old ransomware negotiator at Chicago-based incident response firm DigitalMint, spent seven months in 2023 handling all of that information. But instead of using it to help minimize damage for his company’s clients, he passed it straight to the BlackCat ransomware gang that was extorting them. In exchange, he got a cut of the criminal proceeds.

He was sentenced on July 3 to 70 months in federal prison for conspiracy to interfere with interstate commerce by extortion.

The private chat tab

Beginning in April 2023, Martino used an intermediary chat channel—one his employer couldn’t see—to relay clients’ confidential material to negotiators for the BlackCat/ALPHV ransomware gang. That enabled him to pass along valuable information about clients’ cyber-insurance policy limits and their internal discussions about negotiations. In short, he told the attackers what to ask for.

They asked for a lot. Five DigitalMint clients whose negotiations Martino handled paid ransoms of between $213,000 and $26.8 million between April and September 2023, totalling more than $75 million. The victims included a hospitality company, a nonprofit, a financial services company, a retail company, and a medical company. All of them had hired DigitalMint to help them.

In one case, Martino told DigitalMint that he was sending a client’s ransom offer to the attackers while secretly telling the ransomware gang the client would pay $2 million more. The client ultimately paid the extra money because of his actions.

Then it got worse

Feeding intelligence to BlackCat apparently wasn’t enough. In May 2023, Martino signed up as a BlackCat affiliate himself and shared that access with fellow DigitalMint negotiator Kevin Martin and Sygnia incident response manager Ryan Goldberg. The three had been conspiring since the previous year to run this operation, before DigitalMint even hired Martin.

The trio began deploying BlackCat directly against additional victims. Their takings included $1.2 million from a medical device company. Martin and Goldberg were each sentenced to four years in prison in April 2026. Authorities also seized roughly $10 million in assets from Martino, including cryptocurrency, vehicles, a food truck, and a luxury fishing boat. He didn’t exactly fly under the radar.

BlackCat was a particularly nasty ransomware operation. It targeted healthcare facilities and even published photos of victims’ breast cancer imaging. After law enforcement disrupted the gang’s infrastructure in December 2023, the FBI released a decryption tool to help victims recover their files.

Vetting and monitoring need improvement

DigitalMint says it didn’t know about the scheme and that Martino deliberately hid his actions from the company. Along with Sygnia, it fired the employees after the Department of Justice told them about the crimes.

We have no reason to dispute the companies’ claims of ignorance, and neither did the court. That’s arguably more worrying because it means whatever vetting and monitoring procedures the organizations had in place failed to uncover a seven-month criminal conspiracy involving three insiders across two different companies.

You could argue that Martino got off lightly. Federal sentencing guidelines recommended between six and 7.25 years in prison, and prosecutors had asked for a sentence somewhere in the middle of that range. Either way, he’ll spend much of the rest of the decade behind bars. A hearing to determine how much he’ll have to pay in restitution is scheduled for September 17.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Categories: Malware Bytes

Trusting your kids online isn’t enough (Lock and Code S07E14)

Malware Bytes Security - Mon, 07/13/2026 - 10:33am

This week on the Lock and Code podcast…

There is a lot going on right now regarding the safety of kids online.

In the United States, the majority of state legislatures have passed age verification laws requiring a variety of websites to more rigorously verify the age of their visitors. In the United Kingdom, Canada, Norway, Spain, and Germany, lawmakers are considering bans on social media access for anyone under the age of 16—Australia passed its ban in 2025. In schools across the world, smartphones have been removed from classrooms, hallways, and cafeterias. And online, some of the most popular apps and video games with children, such as Discord and Roblox, have implemented default restrictions on what young users can find and who they reach.

But all this activity comes after rising crises at home, as an increasing number of behavioral researchers connect increased social media use with increased rates of depression, isolation, and suicidal thoughts. So, until real, societal change takes place, what is a concerned parent to do?

That’s what we’re trying to answer today.

Today, on the Lock and Code podcast with host David Ruiz, we bring back Anna Brading, editor-in-chief of Malwarebytes Labs and director of content and, perhaps most importantly, mother of three. With a long career in cybersecurity—and an equally long time spent reading, writing, and assigning some of the cybersecurity world’s most pressing headlines—Brading has a unique perspective on what is most dangerous to her children online.

Brading’s list of priorities is long, and includes improper image use, “online nastiness,” and Roblox, but she has a few rules and guidelines to help. She sets a one-hour-a-day video game limit on the weekends, restricts YouTube to a communal and monitored activity, and requests that no one share photos of her children online without her express permission. Importantly, she also reminds parents to trust their guts.

“If the norm now is mental health issues or online grooming or non-consensual porn or constant comparison, then I’m okay without my kids fitting in. I would say be radical, buck the trend, don’t do what everybody else is doing. Say no to things you don’t feel comfortable with.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Categories: Malware Bytes

Ghostcommit attack hides malicious AI instructions in images

Malware Bytes Security - Mon, 07/13/2026 - 9:18am

Ghostcommit is a proof of concept that shows how AI assistants used to review software code can be tricked by hidden instructions embedded in images.

The academic ASSET Research Group showed that an attacker can place instructions inside an image file, point to it in an AGENTS.md file, and get an AI coding agent to follow those instructions during a later task.

A pull request is basically a formal “please review and add my changes” request that a developer sends before changes are added to the main version of a software project. Human reviewers and, increasingly, AI coding tools may review the changes before they’re accepted.

While AI-assisted code review is becoming part of everyday development, Ghostcommit exposes a weakness many teams have not considered. A human reviewer may read the code and skip an attached image. In the researchers’ proof of concept, the malicious instructions were hidden inside a PNG file referenced by repository policy files, while the visible pull request looked ordinary.

As the researchers demonstrated, this can turn routine developer workflows into a channel for stealing secrets. An AI coding agent reads those hidden instructions, even though a human reviewer is unlikely to inspect the image.

The attack is simple in concept but dangerous in practice. A pull request introduces a harmless-looking image and a configuration file that tells the agent to trust it. When the agent later works on a normal task, it follows the hidden instructions, reads sensitive files, and writes the secrets back into the code in an obfuscated form. That creates a path for secret theft that may slip past both human reviewers and automated scanners.

The researchers found that the harness—the wrapper around the AI model—had a bigger impact on whether secrets were leaked than the underlying model itself. In practice, the harness (Cursor, Antigravity, Claude Code) decides which files to load, which conventions to trust, what guardrails to apply, and whether to follow instructions buried in an image. As a result, the same model can behave very differently depending on the coding tool that uses it. The model then carries out whatever task the tool presents.

For example, the same model (Claude Sonnet) behaved very differently in different tools. Under Cursor and Antigravity, Sonnet read the PNG, followed the convention, and dutifully recorded the secrets in the source code. But under Anthropic’s Claude Code harness, the same Sonnet model read the same convention and refused, explicitly stating that exfiltrating secrets was inappropriate. Claude Code refused under every model the researchers tested.

How to stay safe

The lesson is that prompt injection is no longer just a text problem. Multimodal inputs like images can also carry instructions that AI agents may obey if the toolchain allows it. Teams should assume that anything a coding agent can read—including images, documents, and other multimodal inputs—could contain attacker-controlled content.

Organizations using AI coding tools should treat this as both a software supply chain and AI agent security issue. The most important defenses are to restrict access to secrets, inspect non-text attachments, and monitor AI agents for unusual attempts to read credentials or config files.

The research also highlights that the coding tool and its permissions are ultimately what make this attack possible, rather than the AI model in isolation.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Categories: Malware Bytes

Fake crypto gift card sites are getting harder to spot

Malware Bytes Security - Mon, 07/13/2026 - 7:05am

You want to turn some crypto into a gift card. You search, click a promising result, and land on a site that looks polished and legitimate: a dark theme, trust badges, and promises of instant delivery and no ID checks. You wouldn’t think to question it.

But a professional-looking website isn’t proof that it’s legitimate.

What’s going on

Crypto gift card sites are an easy category to fake.

Several legitimate platforms let people convert Bitcoin, Ethereum, and other cryptocurrencies into gift cards for major brands. They also tend to look similar: a dark theme, a bold “Pay with crypto” message, trust badges, and a grid of popular gift card deals.

That makes them easy to imitate.

Scammers build lookalike sites that copy the same design language and sometimes even use a name that’s only one or two letters different from a legitimate platform. They’re designed to be mistaken for the real thing by anyone scrolling quickly or clicking through from an ad or search result.

The pricing is part of the deception, too. A $100 Amazon gift card for $95. A $25 Steam Wallet code for $24. A $100 Netflix gift card for $92. Those discounts don’t look unrealistic, so the scam looks very convincing.

What’s the scam?

The simplest scam is non-delivery. You pay, and nothing arrives because there was never any gift card to send. The website exists solely to collect crypto payments.

Crypto payments generally can’t be reversed. There’s no bank to call and no chargeback if the gift card never arrives. Once your Bitcoin or Ethereum leaves your wallet, it’s usually gone.
Some scams go a step further and send you a code. It just isn’t a legitimate one.

Stolen gift card numbers are bought and sold on cybercriminal marketplaces, often for a fraction of their face value because they’re likely to be drained or reported before they’re redeemed. A scam site can buy those codes cheaply, resell them at what looks like a reasonable discount, and leave you with a code that never works or stops working shortly after purchase.

Even if a stolen code works at first, buying it helps create demand for more stolen gift cards.

There’s another reason these sites attract criminals. Crypto gift cards are commonly used to launder stolen cryptocurrency. Converting crypto into gift cards, and gift cards into goods or account balances, makes transactions harder to trace. A fake storefront doesn’t just be steal from buyers, organized crime gangs also use it to move funds.

None of this requires advanced technical skills. A convincing storefront, irreversible crypto payments, and search or social media ads are often enough to lure victims.

How to protect yourself
  • Go directly to the platform’s official site by typing the address yourself, rather than clicking a link from an ad, a search result, or a message.
  • Check the spelling of the domain character by character. Scam sites often use domains that differ from a legitimate one by just one or two letters.
  • Don’t assume “No ID required” means a site is trustworthy. It’s a genuine feature on some platforms, but scammers use it too.
  • Think twice before clicking Connect Wallet. Depending on the permissions you approve, it can expose more than a single payment.
  • Be skeptical of discounted gift cards, even modest discounts. Small discounts are designed to look believable.
  • Search for the platform’s name plus “scam” or “reviews” before you pay, especially if you found the site through an ad.
  • Use a browser extension that blocks scam and phishing sites, such as Malwarebytes Browser Guard. It can flag a fake storefront before you land on it, even ones it hasn’t seen before.
If you’ve already sent crypto to a suspicious site

Treat the funds as unrecoverable, but act quickly anyway.

  • If you have the transaction ID, check a blockchain explorer to see whether the funds were sent to a known exchange. If they were, contact the exchange’s fraud team immediately.
  • If you connected your wallet rather than sending a payment, review and revoke any token approvals you granted.
  • Report the site to Google Safe Browsing and Microsoft SmartScreen to help warn other people.
Remember

A crypto gift card site can look completely legitimate and still not be. Before you send anything, check its reputation first.

Safer. Cleaner. Ad-free browsing.

INSTALL BROWSER GUARD

Categories: Malware Bytes

This new Windows malware can take over your PC and wipe it clean

Malware Bytes Security - Fri, 07/10/2026 - 9:25am

Microsoft published new research on GigaWiper, a modular Golang backdoor for Windows that combines robust remote access with multiple ways to permanently destroy systems and data.

GigaWiper is a Windows backdoor that Microsoft has observed in intrusions since October 2025. Rather than being a single-purpose wiper, it’s an operational platform that blends command‑and‑control (C2), data destruction, and remote access options in a single piece of malware.

What’s remarkable is that GigaWiper seems to be built using previously separate tools like the Crucio ransomware and the FlockWiper disk wiper, wrapped into a consolidated framework.

Based on the characteristics of the malware, which include espionage features (screen capture, VNC‑like remote control, system inventory) and multiple ways to irreversibly destroy data, it fits the pattern of an attacker that wants long‑term access but also reserves the option to wipe systems if they choose.

GigaWiper implements about 20 commands, falling broadly into three categories: destruction, remote access/monitoring, and system management. Some examples include:

  • Raw disk wiper that overwrites raw disk content in large chunks before forcing an immediate reboot.
  • Fake ransomware (Crucio‑based) wiper that masquerades as ransomware. Instead of demanding payment, it encrypts files and then throws away the encryption key, making recovery impossible.
  • Windows drive secure wiper that targets the Windows installation drive and performs multi‑pass overwrites using different byte patterns.
  • Screen capture and recording, including one‑shot screenshots of each monitor and continuous recording while the user is active.
  • Remote control via a TCP (Transmission Control Protocol) server that streams the desktop and allows keyboard and mouse input after creating its own Windows Firewall exceptions.

GigaWiper also sets up a scheduled task called “OneDrive Update” that runs every minute and at startup to maintain persistence.

Command-and-control servers were found at 185.182.193[.]21 and 212.8.248[.]104.

Malwarebytes blocks the C2 connections

Its management utilities include process, service, and registry managers that can create, list, or kill processes, manage Windows services, and navigate and mutate registry keys. It also collects system information, including hardware, operating system, network, firmware, user, and antivirus details.

How to stay safe

Because GigaWiper is deployed after attackers have already compromised a system, the best defence is preventing the initial intrusion and detecting malicious activity before destructive commands can be executed.

Malwarebytes detects GigaWiper components with the detection names Trojan.FlockWiper and Backdoor.GigaWiper.

  • If GigaWiper is detected, disconnect the affected machine from the network immediately to prevent attackers from initiating destructive commands.
  • Enable tamper protection (or the equivalent feature in your security software) so local admins and malware cannot silently disable anti-malware or other security tools.
  • Monitor for connections to the known C2 servers, the creation of the “OneDrive Update” scheduled task, and unauthorized attempts to disable Windows recovery.
  • Finally, rotate credentials, particularly for any accounts that may have been compromised, and review logs for privilege escalations or lateral movement to determine if other systems have also been affected.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Categories: Malware Bytes

How mule betting scams recruit ordinary people

Malware Bytes Security - Fri, 07/10/2026 - 7:02am

Mule betting or third-party betting account scams are a form of money mule scam where criminals recruit or coerce people into opening gambling accounts in their own name. The criminals then use those accounts to place bets to help launder money and obscure the source or ownership of funds.

The UK Gambling Commission describes “mule” betting accounts as online betting accounts created using another person’s personal details, with or without that person’s knowledge. It says criminals can control large numbers of these accounts to disguise who is betting and where the money came from. The Commission also warns that criminals may move illicit funds through third-party bank accounts to break the audit trail, often targeting vulnerable people and university students.

A common pattern is that the scammer offers easy money, “helps” the victim open an account, or claims they can’t use their own identity. That matches broader money mule recruitment tactics, where criminals approach people online, promise quick cash, and use the victim’s account to move or launder funds.

Barclays defines a money mule as:

“A money mule is someone who lets criminals use their bank account to move money. Often the mule doesn’t know what’s really happening, and has been manipulated into believing a cover story, or lured by an offer of payment.”

A UK study published in 2025 found that 21% of adults had been asked to receive money into their bank account, apply for a loan on someone else’s behalf, or open a new account—all in exchange for cash.

Mule betting is a specialized form of money mule scam. As well as helping to hide the source and destination of criminal funds, these accounts can also end up being involved in betting-related crime, including match fixing.

It is important to realize that by acting as a money mule, you’re getting involved with organized crime. In the US, money mules can face criminal prosecution, and authorities warn that claiming “you didn’t know” is not always a defense.

The FBI says common targets include students, job seekers, and people using dating sites. The “mule herder” usually promises easy money, then quickly asks the victim to open a bank or betting account or receive and transfer money on their behalf. Money gets deposited into that account from a fraud victim, a stolen source, or another mule who is a link in the chain.

The criminal then uses the account to place bets, move funds, or cash out in ways that make the money appear to be gambling winnings rather than the proceeds of fraud.

The key gain for the criminals is layering: each extra account, bet, transfer, or cash-out step makes the money harder to trace. On paper, the account holder appears to be the person carrying out the transactions, even though someone else is controlling the account.

From the victim’s perspective, it can look like a legit side hustle at first: easy money, simple tasks, and a promise they can keep a percentage. After that, the requests usually escalate into more frequent transfers, identity verification, sending card details, or handing over full control of the account.

How to stay safe

Like many scams, money mule schemes often start with small, seemingly harmless requests before escalating. The safest approach is simple: if someone asks you to move money in exchange for an easy reward, assume it’s a scam unless you can independently prove otherwise.

  • Never use your own bank account to move money for someone else. Legitimate employers or businesses do not ask you to receive and forward funds through your personal account. This is a common follow-up tactic in romance, friendship, and job scams.
  • Be skeptical of easy-money offers, especially “work-from-home” jobs that promise quick pay for simple transfers. If it sounds too good to be true, it usually is.
  • Research any company or person making the offer before you respond. Check that the business is real, registered, and traceable, and be extra cautious with overseas or hard-to-verify contacts.
  • Never share banking details, passwords, PINs, or one-time passcodes with anyone you do not fully trust. Protecting access to your accounts helps block both coercion and takeover attempts.
  • Monitor your accounts regularly and act fast on unexpected deposits or suspicious requests. If money appears out of nowhere, do not touch it; contact your bank immediately.

Pro tip: If someone contacts you out of the blue, Malwarebytes Scam Guard can help you determine whether it’s a scam.

Something feel off? Check it before you click.  

Malwarebytes Scam Guard helps you analyze suspicious links, texts, and screenshots instantly.  

Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.  

Try it free → 

Categories: Malware Bytes

Two Chrome updates in two days fix critical vulnerabilities

Malware Bytes Security - Fri, 07/10/2026 - 6:32am

Updating Chrome is becoming an almost daily task lately. But it’s too important to ignore.

On Wednesday, July 8, Google released another Chrome update, just one day later after the previous one.

Between them, the two updates fixed 27 security vulnerabilities, including two critical flaws that could be exploited to compromise Chrome. Google says both are “use-after-free” memory vulnerabilities, which can sometimes allow attackers to run malicious code. Google has not reported any of these vulnerabilities as being actively exploited.

The Stable channel has been updated to 150.0.7871.114/.115 for Windows and macOS, and 150.0.7871.114 for Linux. The updates will roll out over the coming days and weeks.

How to update Chrome

If you don’t want to wait for the rollout to reach you, manually updating is easy.

The easiest option is to allow Chrome to update automatically. But you can end up lagging behind on updates if you rarely close your browser or if something goes wrong, such as an extension preventing the update.

To update manually, click the More menu (three dots), then go to Settings > About Chrome. If an update is available, Chrome will start downloading it automatically. Restart Chrome to complete the update, and you’ll be protected against these vulnerabilities.

Chrome 150.0.7871.115 is up to date

You can find an explanation of the version numbering system and step-by-step instructions in our guide to how to update Chrome on every operating system.

The version numbering system

With updates arriving within days of each other, it’s helpful to understand Chrome’s version numbering system so you can quickly tell whether you’re running the latest release.

The Chrome version number consists of four parts separated by dots, like this:

MAJOR.MINOR.BUILD.PATCH

Each part has a specific meaning. In order of relevance they are:

  • MAJOR: This number increases with each major Chrome release, which may include new features or changes.
  • MINOR: This number is typically zero and rarely changes. It mainly supports the versioning scheme but doesn’t usually affect how users track updates.
  • BUILD: This number increases steadily and identifies a specific build of Chrome’s source code. When comparing versions, it is the first number to check after the major version.
  • PATCH: This number increases as Google releases smaller fixes and security updates for a particular build. It resets with each new build and helps identify minor updates within the same build.

For example, a version like 137.0.7151.56 means:

  • Major version 137 (the milestone release)
  • Minor version 0 (almost always 0)
  • Build number 7151 (the code snapshot)
  • Patch number 56 (the latest fix for that build)
Why does the version number matter?

The BUILD and PATCH numbers together identify the exact version of Chrome you’re running. Even if two versions share the same major number, higher build or patch numbers means you have a newer, more up-to-date Chrome version.

Sometimes you might see slightly different patch numbers on the same major build, for example, 118.0.5993.117 vs. 118.0.5993.118. This usually happens because Google released a quick fix or minor patch shortly after the initial release. Both are part of the same major update, but the higher patch number is newer.

How to check if you have the latest version

To verify your Chrome version:

  1. Open Chrome.
  2. Click the three-dot menu () in the top-right corner.
  3. Go to Help > About Google Chrome.

Chrome will display your current version and automatically check for updates. If an update is available, it will download automatically and prompt you to restart your browser.

Stop threats before they can do any harm.

Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. Add it to your browser →

Categories: Malware Bytes

How World Cup crypto prediction sites take your money

Malware Bytes Security - Thu, 07/09/2026 - 11:12am

Crypto prediction and betting sites are appearing around the World Cup, and researchers have already tracked scams aimed at fans, including fake ticketing, fixed-match betting, prediction scams, and fan-branded meme coins.

We investigated one prediction site ourselves. While we aren’t claiming every site works the same way, it matched several well-known scam patterns. Whether it’s a worthless token, a fake betting platform, or a disappearing website, the result is often the same: you lose money.

What you need to know
  • This isn’t a single scam. Different sites use different tactics, but many follow the same playbooks.
  • Even if a site pays out exactly what it promises, you could receive a token that’s difficult or impossible to sell.
  • Some sites simply keep your deposit and stop responding.
  • Crypto transactions generally can’t be reversed. Once you’ve sent the money, recovering it may be impossible.
A World Cup-themed crypto prediction site How you lose money

The last three examples below are based on a token we investigated directly. The first two are common scam patterns seen across this category.

  • Pump-and-dump: A token is promoted through the game, early participants receive genuine payouts that build trust, then the creators sell their holdings and the price collapses. Later buyers are left with a token few people want.
  • Take the money and vanish: You deposit crypto to unlock betting or enter the game. The site keeps the money and disappears.
  • Fake free-to-play: The game is advertised as free, but you have to buy or hold a token before you can participate. The game attracts users; the token sale generates revenue.
  • Copycat naming: A new token uses a name similar to an established cryptocurrency, making it easier for people to mistake it for a legitimate project.
  • Manufactured activity: The same tokens move repeatedly through a central wallet, creating the appearance of trading activity. On charts, it can look like an active market when little genuine trading is taking place.
Traditional crypto advice doesn’t help much here

You’ve probably heard advice like “never share your seed phrase.” That’s still important, but it isn’t what’s happening here.

These sites don’t need access to your wallet or seed phrase. They persuade you to send money voluntarily. Once you’ve done that, there may be nothing to recover.

How to check a token
  • Look at how many people actually hold the token. A token with very few holders, despite lots of apparent trading, deserves extra scrutiny.
Just four holders, which is a major red flag for a supposedly active token
  • Check the transfer history, not just the trading volume. On one token we examined, identical amounts repeatedly moved into and back out of the same central wallet. We confirmed this pattern across more than a dozen addresses. Genuine market activity rarely produces repeated matching round trips like this.
Repeated transfers create the appearance of trading
  • Search the token name alongside “price.” If a similarly named cryptocurrency already exists, you may be looking at a copycat.
A copycat token on Pump.fun
  • Before sending money, ask yourself what happens if you never see it again. If you aren’t comfortable with that answer, don’t send it.
If you’ve already sent money
  • Don’t send more to unlock a refund or payout. That’s often part of the scam.
  • Assume the money may be gone. Waiting for the site to make things right rarely works.
  • Disconnect unfamiliar apps, then revoke any spending permissions you granted. Disconnecting a wallet from a site doesn’t necessarily revoke any spending approvals you’ve already granted. Check your wallet’s support pages for instructions on reviewing and revoking those permissions.
  • Report the scam to help protect others:
    • Report the website to your country’s cybercrime reporting service or consumer protection agency.
    • Report the wallet address if the wallet or exchange you use provides an abuse reporting option.
    • If you found the site through social media or a search engine, report the post or advert so it can be reviewed.

Whether the site pays you in a token that quickly becomes worthless or simply disappears with your deposit, the outcome can be much the same.

If a crypto prediction game asks you to buy or hold a token before you can play, stop and ask why. The game may be there to encourage token sales rather than reward successful predictions.

Stop threats before they can do any harm.

Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. Add it to your browser →

Categories: Malware Bytes

6.9 million driver’s license numbers stolen from AssuranceAmerica

Malware Bytes Security - Thu, 07/09/2026 - 11:06am

Insurance provider AssuranceAmerica has confirmed a data breach affecting the personal information and driver’s license numbers of up to 6.9 million people.

AssuranceAmerica provides car and rental insurance to customers across 14 US states through a network of over 9,500 independent agents.

TechCrunch reports:
“AssuranceAmerica said it discovered hackers in its computer systems on March 17. The company concluded its investigation on June 15, finding that the hackers had stolen customers’ names, contact information, and driver’s license numbers.“

The breach notice letter also mentions information about customers’ auto insurance policies and accounts, their drivers and vehicles, and details about customer claims. 

AssuranceAmerica has not yet released a public statement about the data breach. However, public breach notices and independent reporting indicate that the incident began with a targeted phishing attack against a single employee. An unauthorized third party accessed parts of the insurer’s IT systems and copied files containing customer policy information and driver’s license numbers. So far, no law‑enforcement or vendor report has publicly linked this activity to a specific threat group, ransomware operation, or nation‑state actor.

No public source has reported a ransom demand, negotiations, or payment, and AssuranceAmerica’s public filings are quiet about any contact with the attackers.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose and store one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor. Some forms of 2FA can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for impersonation scams. Criminals may contact you pretending to be the company. Check the company’s website to see how it is contacting affected customers, and verify anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and create a false sense of urgency with messages about missed deliveries, suspended accounts, or security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online and helps you recover if your identity is stolen.
Check your personal data exposure

You can check whether any of your personal information has been exposed using our Digital Footprint portal. Enter the email address you use most often and we’ll generate a free Digital Footprint report.

Scan Please enter a valid email address

Categories: Malware Bytes

Microsoft fixes RoguePlanet zero-day in Defender

Malware Bytes Security - Thu, 07/09/2026 - 7:38am

Microsoft issued a security update that fixes the zero-day vulnerability known as RoguePlanet in Microsoft Defender.

RoguePlanet is tracked as CVE-2026-50656, a Microsoft Defender elevation of privilege (EoP) vulnerability. As we reported last month, if successfully exploited, RoguePlanet can allow an attacker to elevate privileges from a standard user account to NT AUTHORITY\SYSTEM, the highest privilege level on Windows.

This means an attacker who gains access to a standard user account on your computer could use the vulnerability to take complete control of the system. They don’t need advanced hacking skills or administrator permissions to do this.

Microsoft fixed the vulnerability by releasing Microsoft Malware Protection Engine version 1.1.26060.3008, an update to the core scanning engine that powers Microsoft Defender and other Microsoft security products.

How to protect your system

If Windows Security shows that another antivirus, such as Malwarebytes, is protecting your PC and Microsoft Defender Antivirus is turned off (as shown below), this particular vulnerability does not affect your system. Defender’s scanning engine isn’t running, so it can’t be exploited through this flaw.

If you’re running another antivirus and Defender is turned off, there’s nothing to worry about Most users are already protected

By default, Microsoft Defender automatically updates both its malware definitions and the Microsoft Malware Protection Engine.

But if you’re in any doubt, you can check the version of the Malware Protection Engine on your system. Here’s how:

  1. Click the Start button, type Security, and choose Windows Security from the results.
  2. Select Virus & threat protection, then under Virus & threat protection updates, click Check for updates.
  3. Click Settings (the cog icon) then select About.
  4. Look for a line called Engine Version. That number is the version of the Malware Protection Engine used by Microsoft Defender.
    • If your Engine Version is 1.1.26060.3008 or higher, your system has the patched (or newer) engine.
    • If your Engine Version is 1.1.26050.11 or lower, your system is still running a vulnerable engine. Run Windows Update and check for Defender updates again, or wait for the automatic update to complete.

Note: Version numbers are compared from left to right. For example, 1.1.26060.3008 is newer than 1.1.26050.11 because 26060 is higher than 26050.

If you use Windows Defender, leave automatic updates turned on. The Malware Protection Engine normally updates automatically, so most home users will receive the fix without doing anything. These steps are simply a way to double-check your system has the updated engine.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Categories: Malware Bytes

Turn off this Meta setting before someone generates AI images of you

Malware Bytes Security - Thu, 07/09/2026 - 5:30am

Every consumer app has a settings menu that lets you make decisions about things like notifications or dark mode. Meta has just decided that anyone can generate AI images of you from your public Instagram account by typing your Instagram handle into a prompt.

On July 7, Meta launched its AI image generation model, Muse Image. It integrates with public Instagram accounts. Now, all someone has to do is tag your account in a prompt, and they can use Meta AI to generate an image using your likeness. According to Meta’s own policy, you won’t be notified if someone does this, making it difficult to know when or how your likeness has been used.

Meta says Muse Image is meant to make AI image generation more personal by letting people reference public Instagram accounts in their prompts. That may sound fun when you’re creating images of yourself. It’s less appealing when anyone else can do the same with your account.

Meta lets you opt out, although finding the setting is its own adventure. On Instagram, go to Settings and activity > Sharing and reuse, then turn off the setting that allows others to create AI images featuring you. Depending on your app version, the wording may vary, and the feature is still rolling out, starting in the US, so you may not see the setting yet.

You’d hope that Meta would tell you up front with a big, bold “Turn this off if you don’t want it” message when you open Instagram, but no such luck. You’d also hope that the company would retroactively remove any images that someone made of you before you opted out, but that’s not happening either.

Opting out only prevents future image generation. Any AI images that someone created before you switched the setting off still remain in circulation.

The only mechanism that comes close to comprehensive protection is switching your account to private.

What’s the risk?

There are privacy and security implications here. Anyone can now generate AI images based on your public Instagram profile without your knowledge, and Meta won’t notify you when it happens. Public Instagram photos were already being harvested by attackers to create deepfakes for identity verification fraud. Giving people an official way to generate AI images based on public profiles lowers the barrier to creating synthetic images that could be used for impersonation, scams, or other abuse.

Cybercriminals are already combining generative AI with automated tools to scale phishing and fraud. Muse Image makes it even easier to generate convincing images based on public identities.

Meta’s AI has introduced other security issues, too. Earlier this year, researchers disclosed a “confused deputy” flaw in Meta’s AI support chatbot that let it make account changes—including changing email addresses and resetting passwords—without adequately verifying who it was talking to. Enabling multi-factor authentication (MFA) appeared to mitigate that issue.

Meta also uses an opt-out approach when training its AI on European user data. The company relies on GDPR’s “legitimate interests” legal basis to process European users’ data for AI purposes, a position that privacy group NOYB has challenged.

Protect yourself
  • If your Instagram is public, open Settings and activity > Sharing and reuse and turn off the AI-generation toggle now. Remember, it only stops future image generation.
  • Turn on MFA for all your Meta accounts. It’s one of the simplest ways to protect your account if your password is compromised.
  • If you want the strongest protection Meta currently offers, switch your Instagram account to private. It’s a blunt solution, but it prevents strangers from using your public profile as source material.

Meta’s own Oversight Board has already said the company needs stronger detection tools and better labeling of AI-generated content. When Meta’s own governance body says the defenses aren’t enough, consumers should take notice.

Scammers don’t need to hack you. They just need you to click once. 

Malwarebytes Identity Theft Protection catches suspicious activity before it becomes a problem.

Categories: Malware Bytes

Your next car could be watching your face

Malware Bytes Security - Wed, 07/08/2026 - 8:13am

To reduce traffic incidents, all new cars sold in the EU must now include driver-monitoring technology, including Driver Drowsiness and Attention Warning (DDAW) systems and, on newer vehicles, Advanced Driver Distraction Warning (ADDW) systems.

Similar requirements are expected in the US, where the National Highway Traffic Safety Administration (NHTSA) has been directed to develop rules requiring advanced impaired driving prevention technology in new passenger vehicles.

The EU requirement took effect on July 7, 2026. In the US, Section 24220 of the 2021 Infrastructure Investment and Jobs Act requires NHTSA to finalize regulations for “advanced impaired driving prevention technology.”

While camera-based systems are widely expected, the law does not specify exactly how manufacturers must implement the technology. Many current systems use infrared cameras to monitor the driver’s face and eyes for signs of drowsiness, distraction, or possible impairment.

Privacy experts raised alarms and they are not alone. Mandated driver‑monitoring tech in new cars raises a set of privacy, security, and civil‑liberties objections.

Reported concerns include:

  • Always‑on biometric surveillance in private space. Infrared cameras and other sensors can continuously track eye movement, pupil dilation and drowsiness patterns, effectively turning your car into a space where biometric assessment is constantly being assessed.
  • Unclear data flows and potential sharing with insurers. While the law does not explicitly mandate external data sharing, manufacturers could potentially upload biometric data to corporate servers. Critics have also raised concerns that it could eventually be shared with insurance companies to adjust premiums based on driving behavior. It’s not like that hasn’t happened before.
  • Higher vehicle costs. The added cost of $100 to $500 per vehicle is likely to be passed on to consumers already dealing with inflated car prices, not the insurance companies that could benefit from fewer accidents and lower pay-outs.
  • Reliability and false positives. Automakers are concerned about technical readiness and false positives that could strand drivers if the system incorrectly decides they’re impaired. Experts worry that poorly tuned models could misclassify fatigue, disability‑related eye/face patterns, or even momentary distraction as impairment, leading to denial or limitation of vehicle operation.
  • Scope changes through software updates. These systems will be integrated into broader automotive software stacks and may be receive over-the-air updates, potentially expanding their monitoring capabilities after purchase.

Other experts have questioned whether the technology was was ready for widespread deployment, including in NHTSA’s 2023 report to congress.

Even Mothers Against Drunk Driving (MADD) warns that:

“The vehicle technology standard must protect driver privacy and should not make consumers vulnerable to privacy invasions or allow the collection, storage or use of their data for commercial or malicious purposes.”

What you can do

Besides adjusting when you buy a new car, there are some things consumers can do:

  • When shopping, look for manufacturer privacy documentation specifying that driver‑monitoring data is processed locally, not stored long‑term, and not shared with third parties except where strictly necessary for safety.
  • Ask the dealer how long biometric data is retained, whether it leaves the car, and whether you can disable cloud connectivity for these features while keeping basic safety functions.
  • Where possible, disable optional driver-scoring, eco‑driving, or usage‑based insurance features that piggyback on the same sensor data.
  • When given the choice, choose the strictest privacy settings you can legally use.
  • In some countries and states, privacy laws give you the right to know what data is collected, request its deletion, and opt out of certain types of data sharing.
  • Be cautious about opt‑in programs that promise discounts or perks in exchange for sharing detailed driver‑monitoring data with insurers or employers.

Browse like no one’s watching. 

Malwarebytes Privacy VPN encrypts your connection and never logs what you do, so the next story you read doesn’t have to feel personal. Try it free → 

Categories: Malware Bytes

How the Reddit and Discord false report scam steals accounts

Malware Bytes Security - Tue, 07/07/2026 - 1:45pm

A stranger messages you on Reddit. They say someone reported them, and the reporting account looks a lot like yours. Was it you?

It wasn’t. That’s not really the point of the message.

This version relies entirely on social engineering. There is no malware and no malicious links. It starts with a conversation, but the goal is to trick you into handing over a login or verification code so the scammer can access your Reddit account.

How this scam works

There are two common variants of this scam:

  • “Someone reported me, and it looks like it was you.”
  • I accidentally reported your account.”

Someone claims there was a mistake involving a report. In one version, they say someone reported them and it looks like it was you. In another, they claim they accidentally reported your account and need your help to fix it. Either way, there’s no report. It’s the opening to a social engineering scam that has become common on Discord, Reddit, and other platforms.

The end goal varies. Some versions try to trick you into sharing a login or verification code so the scammer can sign in to your account, change your password, and lock you out. Others persuade you to change the email address linked to your account to one they control. They then demand a gift card or other payment to “fix” the problem, threatening to delete your account or use it to scam other people if you don’t pay.

If you’re still talking to them, stop and don’t share any codes or change your account details. If you’ve already done either and lost access to your account, skip ahead to How to protect yourself below.

How it plays out

The conversation usually starts with one of two claims. Either the person says someone reported their account and it looks like it was you, or they claim they accidentally reported your account by mistake.

If you deny it, the scammer doesn’t argue. They say it was probably an honest mistake and keep the conversation going. They might ask if you know who reported them or suggest you can help clear things up. The goal is simply to keep you engaged.

Then they send “proof”: a screenshot of an email made to look as though it’s from Reddit. It has a formal tone, a ticket number, a claim that a “formal investigation” is underway, and a countdown, usually 12 hours, before “suspension, limited features, or a ban.” Some versions tell you to contact someone on Discord who claims to be a Reddit employee or moderator. Others include a fake legal warning that cites laws or regulations unrelated to the situation. None of it is real.

Why this isn’t how Reddit works

Reddit doesn’t ask people involved in a report to contact each other, and it doesn’t ask you to verify your account through a stranger in a direct message. It doesn’t handle appeals through Discord or direct you to a staff member’s personal Discord account. Reports, moderation, and appeals all happen through Reddit itself.

The countdown is there to create urgency. Combined with vague threats of suspension, restricted features, or a ban, it’s designed to make you act before you have time to question what’s happening.

What they’re actually after

The report and the fake email are just the setup. The scammer tells you that a Reddit employee or “supervisor” needs to verify your account to prove you weren’t involved. To do that, they say, you need to read back the code Reddit is about to send you.

While you’re in the conversation, the scammer tries to sign in to your real account or trigger an account recovery. Reddit responds by sending a genuine login or verification code to you.

The timing isn’t a coincidence. The code arrives just after you’ve been told to expect it. If you read it back, the scammer can use it to sign in to your account, change your password, and lock you out. The code itself is real. The story around it is the scam.

Why people fall for it

Whether you’ve been accused of reporting someone or told your account was reported by mistake, the scam puts you in a position where you want to fix the problem. So when you’re asked to “verify” your account, it can feel like part of resolving the issue rather than a security risk.

The fake email makes the story seem more believable, especially if you don’t stop to question whether the contact method or process matches how Reddit actually works. The countdown adds a sense of urgency, encouraging you to act before you’ve had time to think it through.

This isn’t about being gullible. It’s a well-rehearsed social engineering script designed to make a reasonable request seem legitimate.

It’s not just direct messages

While the false-report scam usually starts in a direct message, scammers also impersonate Reddit in phishing emails claiming your account has been locked or needs attention. If you receive an unexpected security email, don’t click the links inside it. Instead, sign in to Reddit directly through the official website or app.

If your account is compromised, you may notice posts, comments, or messages you didn’t create. That’s a sign someone else has access to your account. If that happens, change your password, enable two-factor authentication if you haven’t already, and follow Reddit’s account recovery process.

How to protect yourself
  • Never share a Reddit login or verification code with anyone, even someone claiming to be Reddit staff or support.
  • Never change the email address linked to your account at a stranger’s request, even to “fix” a reported issue.
  • If someone asks you to buy a gift card or send money to resolve a report, it’s a scam.
  • Reddit won’t ask users involved in a report to contact each other, verify their accounts through direct messages, or handle appeals through Discord.
  • If you receive an unexpected Reddit security email, don’t use the links inside it. Sign in to your account directly through reddit.com or the official app instead.
  • Turn on two-factor authentication using an authenticator app, and treat any unexpected login or verification code as a sign someone may be trying to access your account.
  • If you notice posts, comments, or messages you didn’t create, secure your account immediately by changing your password. If you’ve lost access, use Reddit’s official account recovery process at reddit.com.
  • Report the scammer and their messages using Reddit’s built-in reporting tools.
Remember

If someone asks you to share a login or verification code, stop there. That’s the scam. Everything before it is just the setup.

Categories: Malware Bytes

Fake Netflix, Coca-Cola, and FIFA job scams target marketers

Malware Bytes Security - Tue, 07/07/2026 - 9:43am

Attackers are impersonating major companies and recruiters to target marketing professionals, using trusted services and browser tricks to make the scam look legitimate.

A BleepingComputer article detailing the campaign found at least 34 domains impersonating high-value companies, including Netflix, Coca-Cola, Adidas, and FIFA.

The lure is a fake job interview or scheduling request from a “recruiter” representing one of these major companies. The impersonating website then shows the victim a fake Google sign-in pop-up built inside the page, rather than a real browser window.

To avoid detection, the attackers route victims through a chain of legitimate services before they reach the phishing site. So, instead of going straight from A to D, you go A → B → C → D. In phishing, attackers use this to make the final malicious site look less suspicious, because the victim passes through legitimate-looking services first.

“The operation is abusing the legitimate cloud-based PeopleForce human resources platform and a domain associated with the Salesforce Marketing Cloud service before redirecting the recipient to a malicious landing page.”

BleepingComputer noted that the campaign has been running for at least five months and primarily targets people in marketing roles. We know from our own investigations that job-themed phishing is extremely common and is likely especially effective while entry-level positions remain highly competitive and AI continues to shape the job market.

How to stay safe

Campaigns like these show how AI-enabled scams reshape scams, identity theft, and the ways attackers exploit trust.

As Stefan Dasic wrote in a post about a similar campaign that phished for Facebook credentials:

“The best protection isn’t spotting the fake—it’s knowing that no legitimate hiring process will ever require you to authenticate through an unfamiliar page, whether it’s dressed up as Google, Facebook, or anything else. When in doubt, close the tab, go to the company’s website yourself, and apply the old-fashioned way.”

Other useful tips include:

  • Don’t click links or open attachments in unsolicited job offers.
  • Use a password manager. It won’t autofill your Google username and password on a fake website.
  • Use an up-to-date, real-time anti-malware solution with web protection.

Pro tip: Malwarebytes Scam Guard would have helped identify this attack as a scam.

Something feel off? Check it before you click.  

Malwarebytes Scam Guard helps you analyze suspicious links, texts, and screenshots instantly.  

Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.  

Try it free → 

Categories: Malware Bytes

Claude Code’s hidden tracker was an “experiment,” says Anthropic

Malware Bytes Security - Tue, 07/07/2026 - 7:20am

As a developer, you want to use tools you can trust and rely on. One researcher took that idea seriously enough to scrutinize their local Claude Code (2.1.196) installation. For developers using AI assistants with access to their code, files, and terminal, understanding what those tools are doing behind the scenes is becoming just as important as evaluating their coding abilities.

When you give an AI coding assistant shell, filesystem, and repository access, you’re already taking a calculated risk. You expect bugs, maybe even some telemetry, but not a hidden channel that quietly encodes where your traffic is going and who might be watching on the other end.

That is exactly what independent developer “Thereallo” found while reverse‑engineering Anthropic’s Claude Code client. Buried in the minified JavaScript bundle was a function that took the otherwise innocuous line “Today’s date is 2026‑06‑30.” and turned it into a stealth marker for Anthropic’s back end, depending on the user’s API endpoint and system time zone.

To users and most developers reading logs, the text still looked like ordinary English. Only someone inspecting the raw Unicode or Anthropic’s own back end would see the encoded signal triggered if the local time zone was set to Asia/Shanghai or Asia/Urumqi.

Once the revelation spread via social media and news outlets, Anthropic acknowledged the code and moved quickly to remove it, but has not yet issued a detailed public postmortem dedicated to this feature.

Reportedly, an Anthropic engineer confirmed on X that the marker was “an experiment we launched in March” intended to prevent account abuse by unauthorized resellers and to protect against distillation. This may have been triggered by the US government’s decision on June 12 to suspend access to the models for foreign nationals, citing national security ‌concerns. These export controls were lifted on June 30.

Another possible reason might be to learn more about reported Chinese distillation attacks, which pose a serious threat to US national security and undermine AI safety standards.

Who needs to worry

Anthropic has been locked in a very public dispute over “distillation attacks.” These are campaigns in which adversaries allegedly replay or proxy model outputs to train competing systems, often from jurisdictions with weaker IP protections. Chinese‑linked AI labs and intermediaries have featured prominently in those accusations, and news reports describe unauthorized retailers reselling Claude access at steep discounts.

Alibaba has already banned Claude Code over this matter. Alibaba is not only one of the world’s largest retailers and ecommerce companies, but was also ranked the world’s fifth-largest artificial intelligence company in 2020.

Developers who are concerned they could be targeted can:

  • Record hashes and versions of AI clients used in sensitive environments, and avoid auto‑updates without at least a cursory review.
  • Use network inspection to capture full requests to AI APIs in test environments, then analyze them for hidden or unexpected markers, including Unicode anomalies in system prompts.

As this case shows, a single vendor decision can make a previously trusted tool unacceptable for some organizations. Maintain optionality and avoid hard dependencies on one AI assistant.

Browse like no one’s watching. 

Malwarebytes Privacy VPN encrypts your connection and never logs what you do, so the next story you read doesn’t have to feel personal. Try it free → 

Categories: Malware Bytes

Pages