The US Senate has approved a bill that would effectively ban TikTok from the US unless Chinese owner ByteDance gives up its share of the immensely popular app. Social video platform TikTok has experienced explosive growth since it first appeared in 2017, and is now said to have well over 1.5 billion users, with an estimated 170 million of them in the US. Essentially, the bill says that TikTok has to find a new owner that is not based in a foreign adversarial country within the next 180 days or face a ban until it does comply. President Biden has committed to sign it into law as ..read more

Today, we are looking at a malicious ad campaign targeting Facebook users via Google search. It is well-known that tech support scammers attract new victims by buying ads for certain keywords related to their audience. What is perhaps less known is how it is even possible to impersonate top brands and get away with it. We will try to respond to the ‘how they do it’ and the ‘why is Google allowing this’ questions. Such malvertising attacks are not new and the damage they cause to consumers is growing every day. There is no one way to stop all of them, but public reporting will hopefully drive t ..read more

UnitedHealth Group has given an update on the February cyberattack on Change Healthcare, one of its subsidiaries. In the update, the company revealed the scale of the breach, saying: “Based on initial targeted data sampling to date, the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America.” UnitedHealth also announced support for affected people. On Wednesday February 21, 2024, Change Healthcare experienced serious system outages due to the cyberattack. The incident ..read more

This week on the Lock and Code podcast… Our Lock and Code host, David Ruiz, has a bit of an apology to make: “Sorry for all the depressing episodes.” When the Lock and Code podcast explored online harassment and abuse this year, our guest provided several guidelines and tips for individuals to lock down their accounts and remove their sensitive information from the internet, but larger problems remained. Content moderation is failing nearly everywhere, and data protection laws are unequal across the world. When we told the true tale of a virtual kidnapping scam in Utah, though the teenaged v ..read more

Four billions public Discord messages are for sale on an internet scraping service called Spy.pet. At first sight there doesn’t seem to be much that is illegal about it. The messages were publicly accessible and there are no laws against scraping data. However, it turns out the site did disregard some laws: more on that later. To get this amount of data the platform gathered information from 14,201 servers about 627,914,396 users. The way in which Spy.pet organized the information could turn out to be problematic for certain users. It built a database based on user profiles which contains all ..read more

Last week on Malwarebytes Labs: Law enforcement reels in phishing-as-a-service whopper Mental health company Cerebral failed to protect sensitive personal data, must pay $7 million Cannabis investment scam JuicyFields ends in 9 arrests Should you share your location with your partner? Giant Tiger breach sees 2.8 million records leaked Last week on ThreatDown: What makes some zero-day vulnerabilities more valuable than others? Turning back the clock on encryption: How to perform ransomware backups in one-click ThreatDown earns highest ratings across EDR and MDR categories in G2 Spring 2024 r ..read more

A major international law enforcement effort involving agencies from 19 countries has disrupted the notorious LabHost phishing-as-a-service platform. Europol reports that the organization’s infrastructure has been compromised, its website shut down, and 37 suspects arrested, including four people in the UK linked to the running of the site, which also allegedly included the original developer of the service. Europol’s announcement also hints that this isn’t the end of the story, and users of the platform should ready themselves for some uncomfortable encounters with law enforcement in the futu ..read more

The Federal Trade Commission (FTC) has reached a settlement with online mental health services company Cerebral after the company was charged with failing to secure and protect sensitive health data. Cerebral has agreed to an order that will restrict how the company can use or disclose sensitive consumer data, as well as require it to provide consumers with a simple way to cancel services. After a data breach in 2023 Cerebral disclosed that it had been using invisible pixel trackers from Google, Meta (Facebook), TikTok, and other third parties on its online services since October 2019. A track ..read more

Europol and its associates have arrested 9 people in conjunction with a cannabis investment scam known as “JuicyFields”. The suspects used social media to lure investors to their website. There they found information about a “golden opportunity” to invest in the cultivation, harvesting and distribution of cannabis plants to be used for medicinal purposes. Taken from the JuicyFields website: Grow cannabis. It’s profitable! Become a potpreneur and benefit from the booming cannabis industry. Be among the first to join the movement. The scheme looked like a crowdsourcing scheme with a minimal i ..read more

Every relationship has its disagreements. Who takes out the trash and washes the dishes? Who plans the meals and writes out the grocery list? And when is it okay to start tracking one another’s location?   Location sharing is becoming the norm between romantic partners—50% of people valued location sharing in their relationships, according to recent research from Malwarebytes—and plenty of couples have found ways to track one another’s location, with consent, in a respectful and transparent way. But, as a cybersecurity, privacy, and identity protection company, Malwarebytes is concerned w ..read more