Apparently, and this is an issue we’ve flagged before, social media platforms could stop scams, but they don’t because it hurts their revenue.
The Aldi meat box scam
This Facebook post immediately rattled my cage:
This promotion is not from Aldi and is not endorsed by the company. A random account, which may be compromised or completely fake, posts:
“My son works at Aldi and told me about something almost nobody knows. To be honest, I thought he was joking at first. If you’re over 40, you can get a meat box from Aldi for under $10. Sounds crazy, but it actually worked. They’re clearing out excess stock and, instead of throwing it away, they’re basically letting people have it for next to nothing. All I did was fill out a short form , I left the link in the comments in case it’s useful to anyone. I signed up for my husband (he’s 59 and loves a good steak), and when the box arrived, he opened it like it was his birthday. Everything looked fresh, neatly packed, and honestly there was more inside than we expected. It took me about a minute to fill out the form. If you’re over 40, definitely give it a go , worst case you lose a minute, best case you get a great box of meat almost for free.”
Unusual offer: Promises of high-value products (“meat box from Aldi for under $10”) for an extremely low price are classic signs of scams, especially when they leverage well-known brands.
Anecdotal story: The post uses a personal story (“My son works at Aldi…”) to appear trustworthy and relatable, a common technique in social engineering.
Age restriction: Arbitrarily targeting people over 40 is a psychological trick to make the offer feel exclusive and relevant.
External link: The most common tactic is to provide a link in the comments rather than in the main post to avoid automatic detection by the platform.
Urgency and simplicity: Encourages quick action with phrases like “took me about a minute,” downplaying any possible risk.
As it turns out, the possible risk, or “worst case” as the Facebook post calls it, is a lot worse than losing a minute of your time.
The first redirect sent me to a website where my device was fingerprinted using an embedded JavaScript before redirecting me to https://gifts-survey[.]life/click?key={identifier}, a site designed to mimic the Aldi website. I had my VPN set to the US.
The scam page immediately creates urgency with messages like “only 1 spot left” and “you only have 2 minutes to complete the survey,” trying to stop visitors from thinking things through.
The survey itself only asks basic questions, so there wasn’t much harm in clicking through it on my virtual machine.
As a reward, I got to pick three out of nine boxes to win a prize. I’m happy to report that I “aced” that test.
So, I was forwarded to the scammers’ real goal. On the domain hyperbargainsflow[.]shop, visitors are prompted to enter payment details for their discounted meat box, plus an optional upsell for faster delivery.
The final page asks victims to hand over personal details, including their full name, contact information, and home address, along with payment details for the fake “delivery” fee.
The site also uses tricks like more than 1,000 fake 5-star ratings and attempts to auto-complete and auto-submit the form if fields are detected as pre-populated. Saves you the trouble of submitting all your data yourself. Isn’t that nice of them?
If a post promises a box of premium meat for the price of a sandwich, assume it is a scam until you can prove otherwise.
The same simple checks will help you avoid this Aldi meat box scam and the next look‑alike campaign that pops up tomorrow.
Sometimes scrolling past the enthusiastic, fake comments will reveal what real users are saying:
You can also help slow these scams down by reporting them. On Facebook, click the three-dot menu on the post and choose Report post > Scam, fraud or false information.
If a deal claims to be “known only by insiders” or “almost nobody knows this,” treat it as a red flag, not a perk. Real retailers advertise widely and on their own accounts. They don’t hide genuine promotions in badly written Facebook posts from throwaway accounts.
Be wary of links posted in the comments. Scammers sometimes use that tactic to avoid automated scanning and reporting on the platform.
Check the browser address bar carefully. Scam pages can copy a brand’s logo and colors perfectly, but the domain name usually gives the game away.
Never enter card details, your full address, or your phone number into a site you reached via a random social post, especially if the offer feels too good to be true. If you already did, contact your bank or card issuer as soon as possible and monitor your statements.
Secure your devices. Use an up-to-date, real-time anti-malware solution with web protection. Malwarebytes blocks connections to unsafe sites like these.
Malwarebytes blocks gifts-survey[.]life
Pro tip: Malwarebytes Scam Guard recognized the Facebook post as a scam and could have saved somebody’s day.
Let’s face it, an incognito window can only do so much.
Breaches, dark web trading, credit fraud. Malwarebytes Identity Theft Protection monitors for all of it, alerts you fast, and comes with identity theft insurance.
Researchers found that cybercriminals are using sponsored search results and shared Claude chats to lure victims into a typical ClickFix attack to install malware on macOS devices.
ClickFix is a social engineering method that tricks users into infecting their own device with malware. Users are instructed to run specific commands that will download malware, usually an infostealer.
The researchers found that when users search for terms like “Claude Mac download,” they may see sponsored Google results that appear to go to the legitimate claude.ai domain.
In reality, the ads resolve to real Claude shared chats, set up to look like official “Claude Code on Mac” or Apple Support guides. Independent research by BleepingComputer found another chat serving the same purpose. The chat instructs victims to open Terminal and paste a base64‑encoded command, which pulls a loader shell script from attacker‑controlled infrastructure and runs it in memory.
The script then profiles the system, pulls down a second-stage payload and runs it through osascript, macOS’s built-in scripting engine. This gives the attacker remote code execution (RCE) without ever dropping a traditional application or binary.
This results in a MacSync‑style payload that harvests browser credentials, cookies, Keychain contents, and crypto wallet data, bundles it, and sends all that information over HTTP to attacker servers.
With ClickFix running rampant and inventing new methods all the time, it’s important to stay aware, cautious, and protected.
Slow down. Don’t rush to follow instructions on a webpage or prompt, especially if it asks you to run commands on your device or copy and paste code. Attackers rely on urgency to bypass your critical thinking, so be cautious of pages urging immediate action. Sophisticated ClickFix pages add countdowns, user counters, or other pressure tactics to make you act quickly.
Avoid running commands or scripts from untrusted sources. Never run code or commands copied from websites, emails, or messages unless you trust the source and understand what the action does.
Verify instructions independently. If a website tells you to execute a command or perform a technical action, check through official documentation or contact support before proceeding.
Limit copy and paste for commands. Manually typing commands instead of copy and paste can reduce the risk of unknowingly running malicious payloads hidden in copied text.
Secure your devices. Use an up-to-date, real-time anti-malware solution with web protection. Malwarebytes blocks connections to unsafe sites like these.
Educate yourself on evolving attack techniques. Understanding that attacks may come from unexpected places helps maintain vigilance. Keep reading our blog!
Stay away from sponsored ads in search results. Anyone can buy them and make them look legitimate.
Pro tip: The free Malwarebytes Browser Guard extension warns you when a website tries to copy something to your clipboard.
Stop threats before they can do any harm.
Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. Add it to your browser →
Researchers tracked a large AI‑themed investment scam campaign involving more than 15,000 domains. It uses cloaking and deepfakes to hide from security tools while targeting ordinary users.
Criminals abused the Keitaro ad-tracking platform as part of a cloaking system so real victims see scam content, while security scanners, ad reviewers, and some random visitors see harmless pages, making the operation hard to detect and shut down.
Keitaro is a commercial tracking platform originally meant for digital marketers to manage ad campaigns, test which ads work best, and route visitors to different landing pages.
Because it is feature rich, easy to spin up on regular hosting, and built to filter and route traffic, criminals found they can abuse those capabilities to run scams at scale.
Traffic starts in many places. The scammers used compromised websites, spam emails, social media posts, and online ads, all quietly routing through the same tracking infrastructure.
The scam sites typically promise “Smart AI Trading Technology” or “Intelligent Trading Solutions” and claim consistently high returns, often reinforced with deepfake images or fabricated media to look more credible.
Some parts of the campaign now use deepfake videos and fake interviews with well-known public figures, making it look like a celebrity, or finance expert personally endorses the platform.
Once you follow a link, the cloaking part of the operation kicks in. Cloaking is the trick that makes these scams so hard to see from the outside.
When you click an ad or link, your visit passes through a traffic distribution system (TDS), a kind of router for web visitors that decides which page you see. In these cases, the TDS is connected to the tracker.
The system checks things like:
Your country/region
Your device and browser
Where you came from (Facebook ad, Google ad, email link, etc.)
Sometimes your IP address reputation or other subtle fingerprints
You’re shown the real investment scam landing page only if you match the “ideal victim” profile (for example, a regular consumer in a target country coming from a social media ad).
Everyone else, like a security researcher, ad platform reviewer, or automated scanner, gets shown a benign page, like a generic blog or placeholder site.
How to stay safe
The best way to stay safe is to stay informed about the tricks scammers use. Learn to spot the red flags that almost always give away scams and phishing emails, and remember:
There is no such thing as a risk-free, consistently profitable investment. If you’re looking to invest, navigate directly to known, regulated financial institutions.
Deepfakes are very convincing nowadays, so you will hardly be able to tell the difference between the real celebrity and their deepfake persona.
Don’t act upon unsolicited investment advice, whether it reaches you by email, social media, or sponsored search results.
Researchers have uncovered a long-running phishing operation that abuses trusted Google services to hijack tens of thousands of Facebook accounts.
The compromised Facebook accounts are mainly business and advertiser profiles, which criminals can monetize after gaining access and control.
The attackers found a way to send phishing emails that come “through Google,” making them look legitimate at first glance. The emails are sent via Google’s AppSheet platform, so they pass the usual technical checks (SPF, DKIM, DMARC), and many email filters treat them as trusted.
Google AppSheet is a development platform that lets people build mobile and web apps without writing code. It can automate workflows and notifications, typically used to send app-driven alerts and internal updates.
And that’s where the phishers abused it. The sender name can be customized, and the sending address may look something like noreply@appsheet.com, delivered through appsheet.bounces.google.com. To the average user, it looks like a perfectly normal notification, in these cases often about Facebook policy violations, copyright complaints, or verification issues.
Researchers linked these emails to a Vietnamese‑linked operation that has already compromised around 30,000 Facebook accounts and is still active.
The stolen accounts are mostly pages and business profiles that have financial value: advertising accounts, brand pages, and companies that rely on Facebook for marketing. Once inside, attackers run scams, place fraudulent ads, or sell access to others. In some cases, the same group offers “account recovery” services to fix the problems they created.
No matter the lure, the goal is the same: Facebook credentials, 2FA codes, and recovery data. The phishing sites are just the entry point. Behind them is a fairly industrial infrastructure built around Telegram bots and channels to collect and process stolen data.
How to stay safe
This campaign is not “just another phishing mail.” It is one more example of how attackers exploit the trust we place in major platforms.
Facebook does not send complaints, verification requests, security checks, job offers, and other urgent messages through Google infrastructure.
Any email that claims your Facebook or Instagram account is about to be disabled, locked, or punished deserves extra scrutiny, especially if it demands action within 24 hours.
If you get a worrying message about your account, go directly to facebook.com or the Facebook app. Don’t click links in the message.
If a form asks for password, multiple 2FA codes, date of birthm phone number, and ID photos in one go, then stop. That’s the “full recovery pack” these attackers need to take over your account.
The FIFA World Cup 2026 is scheduled to begin June 11 across the US, Canada, and Mexico. The web is filling with sites impersonating ticket vendors, telecoms, sticker publishers, toy manufacturers, immigration services, and crypto projects, all linked to the World Cup brand. Together, they map out four recurring patterns of fraud and risk targeting fans.
What World Cup fans need to know
If you’re planning anything around the 2026 World Cup, whether it’s buying a ticket or merchandise, booking a flight, applying for a US visa, or speculating on “World Cup” crypto, expect a surge in scams and other risky World Cup-related activity.
The good news is the patterns are obvious once you know what to look for:
Countdown timers that reset when you reload the page
Prices 80–90% below retail
The word “official” used without a clear link to the brand behind it
Crypto tokens claiming to be “official” World Cup products
Your headline rule for the next two months: If a site uses the World Cup or a known brand to get your money, stop and verify it from the official source before you do anything else.
How these World Cup scams work
The path to these scam sites is almost always the same: a fan searches for something on search engines or social media (for example, “World Cup 2026 jersey,” “buy Panini sticker album,” “visa to attend the World Cup,” “FIFA World Cup token”) and lands one of the hundreds of sites set up to exploit that demand.
Often the route there runs through an ad network. That might involve a sponsored search result, a banner on an unrelated site, or a redirect chain that sends the victim to a different domain than the one they clicked. (Note that tools like Malwarebytes Browser Guard can block malicious ads, scam domains, and redirect chains before the page loads.)
The branding on the destination site is consistent with the legitimate company. There are testimonials and satisfied-customer counts, so nothing looks immediately wrong. Urgency tricks like “Only a few items left” and the countdown timer are there to prevent you from looking too closely or investigating too deeply.
We’ve found these sites group naturally into four categories: crypto, travel, merchandise, and predictors. The sites in each category have their own tells, but they’re united by brand parasitism: borrowing authority from FIFA, the host nations, or a real licensee like LEGO or Panini.
Crypto
The most crowded category is crypto, and the biggest risk comes from sites that claim or imply official links to the World Cup.
One site marketed its token as “the official community token celebrating the FIFA World Cup 2026,” advertising a “Mega Airdrop,” a 7-billion-token total supply, and a participant counter pinned to the symbolic number 48 (the count of qualified national teams). Another shows FIFA’s official mascot, using tournament branding to sell an unlicensed token.
None of the sites we examined are connected to FIFA. FIFA does have a real digital-collectibles ecosystem—the FIFA Collect NFT marketplace, the Right-to-Buy ticket NFTs, and the FIFA Rivals game on the Mythos chain—all of which sit on FIFA-controlled infrastructure and are documented at FIFA’s own domains. None of the sites we examined sit inside that ecosystem. The real partners for 2026 are documented and easy to verify. “World Cup token” is not one of them.
We found multiple sites using FIFA branding to create a false sense of legitimacy. But there’s a real risk you’ll receive nothing, receive something you can’t sell, or sign a transaction that gives the operator access to your wallet.
Some sites don’t pretend to be official, but still carry risk to World Cup fans. One Solana-based token branded itself the “World Cup Rug Index,” with the tagline “Every match is a market. Every loss is a rug,” and a contract ending in “pump,” the signature of pump.fun launches.
In crypto, a “rug” is when early holders sell and the price collapses, leaving later buyers with losses. These projects are not scams in the sense of pretending to be something they’re not. They are openly speculative. The risk is in the structure: early buyers can sell into demand from later buyers, who are left holding the losses.
This is different from the fake “World Cup tokens” above. Those rely on FIFA branding to create a false sense of legitimacy. These rely on momentum, where most participants arrive late.
There is no official World Cup token
There is no official World Cup token
There is no official World Cup token
There is no official World Cup token
Travel
The most dangerous category is the “World Cup visa.” One site, WC2026 Visa, advertised a “Visa to the World Cup 2026 US” for $270 per person, with a “98% Success Rate,” a countdown to June 11, and the standard reassuring trio: “Secure Process,” “Fast Processing,” “18+ only.”
There is no such product. The US Department of State has stated this directly: there is no special tournament visa. Foreign visitors traveling to the United States for the World Cup must use the same B1/B2 visitor visa, or the Visa Waiver Program with an ESTA authorisation, that any other tourist would. The only tournament-specific visa programme is FIFA PASS (the Priority Appointment Scheduling System), a routing mechanism that gives ticket holders earlier interview slots at US consulates. It doesn’t bypass the interview, it doesn’t issue a visa, it doesn’t cost $270, and access to it begins with buying a ticket directly from FIFA.
A site advertising a dedicated “World Cup visa” tricks people into believing they’re going down an official immigration pathway. Any personal data harvested in the process, such as passport details, date of birth, travel plans, and in some flows a payment instrument, gives the operator all the data they need for identity theft. Fans should only apply through .gov sites in the US, .gc.ca in Canada, and .gob.mx in Mexico.
Travel portals aggregating tickets, flights, and hotels, and eSIM sites selling connectivity for the tournament are not inherently fraudulent and are often real businesses. But any site invoking the World Cup deserves the same scrutiny: who actually fulfils this product, what is the refund policy in writing, and is this domain legitimately connected to a known brand or partner?
Scam site selling World Cup tickets
Scam site offering Visas
Scam site selling World Cup tickets
Scam site selling eSIMs
Merchandise
The merchandise category is where the impersonation gets most aggressive, because there are real licensees to imitate. LEGO’s partnership with FIFA is genuine, announced in late 2025. It debuted with the LEGO Editions FIFA World Cup Official Trophy, joined in 2026 by player sets featuring Messi, Ronaldo, Mbappé, and Vinicius Jr. A whole cluster of LEGO-styled scam storefronts now prices the trophy set at €29.99, marked down from €299.99, an 83–90% discount. LEGO does not discount its premium licensed sets by 90%.
Related to those storefronts is the “LEGO FIFA World Cup 2026 Quiz Challenge” pattern, promising “exclusive edition rewards” for fans who complete a quiz. Quiz-funnel scams are a long-running affiliate-marketing genre, and the typical mechanic is to harvest contact information and push the user toward a subscription billing flow disguised as a shipping fee for the “prize.” LEGO does not run quiz funnels. Its real World Cup activity runs through LEGO.com and physical LEGO stores.
Counterfeit jersey storefronts have been a fixture of the open web for years, and the World Cup cycle multiplies them. Typical examples: a site branded simply “JERSEY 2026 World Cup” selling a Portugal home shirt with a “BUY 2, PAY FOR 1” overlay, a 30-day countdown, and a Trustpilot-shaped widget claiming over ten thousand satisfied customers; or a retro-jersey storefront offering Germany and Argentina shirts at $24.90 each. Search demand spikes during a World Cup year and counterfeit storefronts spin up to meet it; many will be offline shortly after the tournament ends.
Then there is the Panini-styled storefront pattern: pages advertising the official 2026 sticker album under headers like “ONE-TIME PURCHASE BY NIF” (NIF being the Portuguese personal tax identifier, a phrase that appears nowhere in legitimate Panini commerce). These pages combine sub-ten-minute countdowns, inventory counters (“There are still 127 Units”), and country-specific scarcity claims (“Only 5,000 units available for Portugal!”).
The high-pressure funnel and unusual NIF framing point to localised affiliate or look-alike storefronts, not Panini’s own commerce flow, which runs through paninistore.com and licensed retail. These are not Panini storefronts. They are look-alike commerce flows using Panini’s brand to sell through high-pressure funnels. Whether the product arrives or not, the user is not buying from the company they think they are.
Fake World Cup jersey site
Fake Panini site
Fake World Cup Lego site
Fake World Cup jersey site
Fake World Cup jersey site
Fake World Cup Lego site
Fake World Cup Lego site
Fake World Cup Lego site
Predictions and prize pools
“WorldCup Predictor” sites present a prize pool that supposedly grows with every prediction, and ask users to select a champion team from flag tiles. You are paying for entries into a pooled outcome tied to the tournament.
These sites are not pretending to be something they’re not. The risk is that they operate without clear oversight. There is no visible licensing, no clear jurisdiction, and no way to verify from the front end whether payouts are enforced or even guaranteed.
Licensed sportsbooks and regulated platforms typically do not present themselves this way. They identify their licensing authority, provide responsible gambling tools, and use verified payment processors. A “Login to play” button, a flag picker, and a floating prize pool are not the same thing.
“World Cup Predictor” sites are paid-entry pools, closer to unlicensed betting
“World Cup Predictor” sites are paid-entry pools, closer to unlicensed betting
What FIFA, the brands, and the platforms could be doing better
Many of these sites would not exist, or would be far shorter-lived, if a few things changed upstream. Brand owners with active 2026 partnerships—LEGO, Panini, the national federations, the kit manufacturers—could reduce confusion by publishing a single canonical page each, well before kickoff, listing authorized retailers and the exact SKUs and prices of their World Cup products. Someone trying to verify whether a €29.99 LEGO trophy is real should not have to triangulate between Brickset, LEGO’s newsroom, and a third-party blog.
FIFA’s own licensing communications have improved compared with past tournaments, and the LEGO and Panini announcements were clearly disclosed on inside.fifa.com. But the gap between “FIFA has announced a partnership” and “here are the only sites authorized to sell on FIFA’s behalf” remains wide. Closing it would make impersonation much harder.
Search engines and ad networks carry a large share of the structural responsibility. Visa-impersonation pages are precisely the kind of sites that surface through paid search ads against terms like “world cup visa,” and platforms have the data to detect and block them at scale.
What to do if you may have been caught
Every World Cup cycle generates its own scam economy. 2018 had fake ticket marketplaces; 2022 leaned on phishing around Qatar’s Hayya system; 2026 is building around meme coins and visa impersonation. What’s different this time is the speed: sites can be spun up, monetized, and abandoned within weeks, and AI-generated copy, mascot art, and product images have stripped away many of the visual cues people used to rely on.
This cycle’s scam economy moves fast, but the basics still work: treat unsolicited “World Cup” links with suspicion, type official domains yourself, and ignore pressure from countdown timers.
If you think you’ve been caught:
If you entered card details: Contact your card issuer immediately and request a refund for an unauthorized or non-delivered transaction.
If you submitted personal or passport data: Treat it as compromised. Monitor your credit, place a fraud alert if available, and watch for targeted phishing.
If you connected your crypto wallet or signed a transaction: Revoke permissions, move remaining assets to a new wallet, and stop using the old one for anything valuable.
If you bought goods that weren’t delivered: Keep your order confirmation, URL, and payment record. Report it to your national consumer protection body (FTC in the US, Action Fraud in the UK, or your local equivalent).
Always verify through official channels. That’s FIFA.com for tickets, paniniamerica.net or paninistore.com for stickers, LEGO.com for LEGO Editions sets, and official government sites for visas. Remember, legitimate sources do not rely on countdown timers.
Stop threats before they can do any harm.
Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. Add it to your browser →
In those cases, scammers created a PayPal subscription and then paused it, which triggered PayPal’s genuine “Your automatic payment is no longer active” notification. They also set up a fake subscriber account, likely a Google Workspace mailing list, which automatically forwarded any email it received to all other group members.
Recently, ConsumerWorld.org alerted us that tech support scammers have found a way to manipulate the subject line of PayPal payment notifications.
This is a screenshot of the example they sent us.
Screenshot email from PayPal scammers
As you can see, the email comes from service@paypal.com. It wasn’t spoofed, which means it passes standard security checks (DKIM, SPF, DMARC).
While the body of the email says that you received a payment of ¥1 JPY (a whopping $0.0063), the subject line tells a different story:
“Pending charge of USD 987.90 for account activation. Questions? Call-(888) 607-0685.”
As an extra bonus for the scammers, the email contains personalized details—the recipient’s actual name and a real transaction ID.
The number in the subject line is not PayPal’s. The legitimate contact number appears inside the email.
“The amount doesn’t match what I see in the email body—that’s weird and scary.”
“I need to call this number immediately to dispute this charge.”
They call the number in the subject line, only to reach tech support scammers.
These scammers pretend to be PayPal support and may try to:
Get you to “verify” payment methods
Collect banking details
Convince you to install remote access tools
Take control of accounts or devices
All of the above
How the subject line is altered is still unclear. Based on PayPal’s documented email behavior, subject lines are typically fixed and not meant to include arbitrary free text or phone numbers. Our findings indicate that the subject line was already weaponized at the point PayPal’s systems signed the email. If someone along the way had rewritten the subject, the dkim=pass header.d=paypal.com result would likely fail.
One possibility is that the scammer abused PayPal’s note or remittance field in a way that surfaces in certain payout templates, including the subject line and HTML <title>, even though normal merchant payment‑received emails don’t allow arbitrary subjects.
The title tag matches the subject line of the email
We have contacted PayPal for comment and will update this post if we hear back.
How to avoid PayPal scams
The best way to stay safe is to stay informed about the tricks scammers use. Learn to spot the red flags that almost always give away scams and phishing emails, and remember:
Use verified, official ways to contact companies. Don’t call numbers listed in suspicious emails or attachments.
Beware of someone wanting to connect to your computer remotely. One of the tech support scammer’s biggest weapons is their ability to connect remotely to their victims. If they do this, they essentially have total access to all of your files and folders.
Report suspicious emails to PayPal.Send the email to phishing@paypal.com to support their investigations.
If you’ve fallen victim to a tech support scam:
Paid the scammer? Contact your bank or card provider and let them know what’s happened. You can also file a complaint with the FTC or your local law enforcement, depending on your region.
Shared a password? Change it anywhere it’s used. Consider using a password manager and enable 2FA for important accounts.
Gave access to your device?Run a full security scan. If scammers had access to your system, they may have planted a backdoor so they can revisit whenever they feel like it. Malwarebytes can remove these and other software left behind by scammers.
Watch your accounts: Keep an eye out for unexpected payments or suspicious charges on your credit cards and bank accounts.
Be wary of suspicious emails. If you’ve fallen for one scam, they may target you again.
Pro tip: Malwarebytes Scam Guard recognized this email as a call back scam. Upload any suspicious text, emails, attachments, and other files to ask for its opinion. It’s really very good at recognizing scams.
Something feel off? Check it before you click.
Malwarebytes Scam Guard helps you analyze suspicious links, texts, and screenshots instantly.
Unit 42 reveals how multi-agent AI systems can autonomously attack cloud environments. Learn critical insights and vital lessons for proactive security.
Scammers have found a way to abuse legitimate Apple account notification emails to trick targets into calling fake tech support numbers.
According to a report from BleepingComputer, scammers create an Apple account and insert a phishing message into the personal information fields, then modify the account so that Apple sends a genuine security alert about the change to the target.
BleepingComputer was able to replicate the attack.
The attacker creates an Apple ID they control, then stuffs the phishing message into the personal information fields (first name, last name, possibly address), splitting it across fields because they will not fit into just one.
To launch the phish, the attacker changes something benign on their specially created Apple account, such as shipping information, which causes Apple’s systems to send a “Your Apple account was updated” security email.
While the original alert is addressed to the attacker’s iCloud email, they are then able to redistribute it to a wider victim list, for example through a mailing list.
In the copy the targets receive, the email headers still show a legitimate Apple sender, and the presence of the attacker’s iCloud address can even make it look like “someone else” has gained access to the account.
Because Apple includes those user-supplied fields in the security email, the phishing text is delivered inside a legitimate message sent from Apple’s own infrastructure.
This method, called call-back phishing, filters out suspicious users, so the scammers can focus on the people who fell for the first part.
The emails come from a legitimate source, sail through every security filter because of that, and look convincing enough to scare the receiver into thinking someone spent $899 from their PayPal account.
But the structure of the email does not make sense.
“Dear User” is immediately followed by the scam message where your name should have been. The header says it’s about account information rather than a purchase. And the iCloud account does not belong to the recipient. So, once you know how it’s done, they’re not impossible to spot. Which is why we wrote this blog.
And when in doubt, you can always ask Malwarebytes Scam Guard.
Scam Guard identified the screenshot as a scam and guides users through the next steps.
Scams like these work, because many users still view phone calls as more trustworthy than email, especially if the email itself passed all the usual technical authenticity checks and they initiated the call themselves.
How to stay safe
Tech support scammers will try to convince callers to install some kind of remote desktop application to steal data from your computer, or ask for financial details so they can steal your money.
To stay safe from these scammers:
Be wary of unexpected alerts about high‑value purchases you do not recognize. They are suspicious even if they come from a real domain.
Never call a number sent to you by unsolicited means or even found in sponsored search results.
Carefully read emails and text messages, even if they come form trustworthy addresses. Does the email make sense from a structural and linguistic point of view?
If someone claiming to be support for a legitimate company asks for remote access or payment details during a call, hang up and contact the company through official channels.
Use Malwarebytes Scam Guard to analyze any kind of message that alarms you or urges you to take immediate action.
Something feel off? Check it before you click.
Malwarebytes Scam Guard helps you analyze suspicious links, texts, and screenshots instantly.
A dreadful thing happens far too often whenever an older adult falls for a scam: They get blamed for it. Not the scammers who lied and cheated their victim out of money. Not law enforcement for failing to recover funds. Not even the Big Tech companies that could have the most important role in protecting people online—and which, it turns out, knowingly bring in revenue every year from fraud.
Instead, it is the older adults themselves whose stories are often shirked aside because of a mix of ageism and denial. Allegedly left behind by technology, only an octogenarian would hand their password over in a phishing scheme, or open an email attachment from a stranger, or send money to a fake charity online. Everyone else, everyone else believes, is too savvy for the same.
The data disagrees.
When Malwarebytes studied this last year, it found that, depending on the type of scam—especially for things like “sextortion”—younger individuals were far more likely to report falling victim. Further, digging into data from the US Federal Trade Commission revealed entirely separate patterns. For example, while Americans between the ages of 80 and 89 reported the highest median loss due to fraud in 2024, they also made up the smallest share of their population to report a loss at all. And in 2025, that same group represented the smallest share of reported identity theft, a crime far more likely to be reported by people between 30 and 39.
Questions about who reports what crimes at what rate are valid to explore, but it’s important to see the big picture: Americans lost at least $15.9 billion to fraud last year. Protecting older adults is actually about protecting everyone, and that’s because modern scams don’t arrive only where people over 70 spend time. They arrive where we all are, which is online. They come through endless text messages, they slide into social media DMs, and they prey on things any of us can be—a widow, a divorcee, or simply a lonely person.
According to Marti DeLiema, Assistant Professor at the University of Minnesota’s School of Social Work, scams and fraud are now the most common form of organized crime globally, rivaling weapons trafficking, drug trafficking, human trafficking, and sex trafficking. In 2024 alone, she said, the FTC estimated that older adults in the US had as much as $81.5 billion stolen from them. And the tools meant to fight back—broad consumer awareness campaigns, embedded warning messages at the point of transaction, the training of bank tellers and retail clerks—are nowhere near keeping pace.
So what actually works? And who, if anyone, is doing the work?
Today, on the Lock and Code podcast with host David Ruiz, we speak with DeLiema about who is really susceptible to financial fraud, why victims often describe a scam as a form of betrayal trauma, and why the companies best positioned to stop scam messages from reaching consumers may be the ones least motivated to do so.
“This is not a technical capability problem at all. This is a conflict of incentives.”
When we read about this new malware tactic, or that novel social engineering approach, it’s easy to forget that there are scammers out there making a living from ancient methods.
Recently, one of our researchers received this variation on the good old Nigerian advance-fee scam.
From: Mrs.Inga-Britt Ahlenius. Internal Audit, Monitoring, Consulting and Investigations Division UNITED NATIONS SCAM VICTIMS COMPENSATIONS PAYMENTS.
Attn; Dear Scam victim/Beneficiary;
United Nations have Approved to pay 150 scam victims $5,000,000.00 (FIVE MILLION UNITED STATE DOLLAR) each.
You are listed as one of the scammed victims to be paid this amount, get back to me as soon as possible for the immediate payments of your $5,000,000.00 compensation funds.
You can contact the paying bank United Bank For Africa (UBA) on the below information
The scammers got a few details right. Anyone looking up the names in the email will find that they exist and are associated with the mentioned organizations.
Inga–Britt Monica Stigsdotter Ahlenius is a Swedish auditor, public servant and former Under-Secretary-General for the United Nations.
The name “Inga‑Britt Ahlenius” has been reused across many such 419‑style advance‑fee scams, sometimes claiming she is a UN fund monitoring agent or under‑secretary general distributing tens of millions in “compensation” or “unclaimed funds.”
Kingsley Obiora is a Nigerian economist who served as the Deputy Governor of Economic Policy at the Central Bank of Nigeria from 2020 to 2023. Which lends a degree of credibility to the Nigerian country code (+234) in the number they want us to contact by WhatsApp.
So, we decided to put our “friend” Tess to work once again. Loyal readers will remember how Tess almost fell for a task scammer. So maybe she’s eligible for that five-million-dollar compensation.
They came right to the point. We’d have to pay a courier fee to get our $5 million dollar ATM card. And I’m pretty sure that if we agreed to pay that, additional costs would swiftly follow. Once you’ve invested a bit of money, you’re likely to keep going since you don’t want to lose what you’ve already paid.
So, I offered to pick up the ATM card in person. Always wanted to see Nigeria.
For a while I thought they saw through my bluff. Maybe I shouldn’t have disclosed just yet that I work for Malwarebytes. But it quickly became clear they trusted me about as much as I trusted them.
I’ll play along as long as I can, but after giving me the physical address of the UBA bank in Lagos, Nigeria, they started to make it more difficult to pick up the ATM card in person.
A week is not a long time to arrange a trip to Nigeria, so I tried to get an idea of how much the “courier” would set me back before they gave up on me.
I didn’t expect it to be that much, to be honest. Maybe they thought they could raise the price since I contemplated to pick it up in person. Or they just wanted to get rid of me. You’d expect them to charge maybe €75 for the courier and then come up with €200 for stamp duty and €600 for insurance later on.
Consequences are real
It’s easy to laugh at talk of five‑million‑dollar ATM cards, but campaigns like this still make money. Behind every “Dear Scam victim/Beneficiary” is someone who is lonely, in debt, or simply overwhelmed by official‑sounding language. Once they’ve paid the first “courier fee,” the sunk‑cost effect kicks in, and it becomes harder and harder to walk away.
This is especially true for people who have already been victims of scams, who are clearly the target here.
How to stay safe
Tess’ efforts have helped us highlight the red flags in this type of scam:
Receiving news of a huge payout out of the blue should definitely trigger the “too good to be true” alarm bells.
For important communications, free webmail and WhatsApp are rarely the official contact channels.
Scammers apply pressure to act quickly and ask you to pay a fee before you receive anything.
They often use vague job titles and ask you to keep things quiet.
Odd language and capitalization can be a clue, although AI is making these less common.
Any one of these signs is a reason to stop and delete the email. Together, they spell out a classic advance‑fee scam.
For Tess this was a safe experiment: no money lost, just a few evenings spent sparring with a “UN compensation officer” on WhatsApp. For the people these criminals really want to reach, the stakes are much higher.
If you, or someone you care about, ever receives a message promising life‑changing money in exchange for a small courier fee or processing charge, treat it as a warning sign, not a windfall.
Close the tab, delete the message, and, if in doubt, ask a trusted friend or advisor before you act.
The easiest way to recognize a golden‑oldie scam is still the simplest: if it sounds too good to be true, it probably isn’t true.
Something feel off? Check it before you click.
Malwarebytes Scam Guard helps you analyze suspicious links, texts, and screenshots instantly.
The threat of losing your photos is a powerful lure, so scammers are now using it to steal personal and financial details.
The Guardian warns about an iCloud-themed campaign that start with a few “your iCloud storage is full’ messages, then escalates to threats. If you don’t respond or take action, the emails claim your data will be wiped on a specific date.
US Consumer Affairs has urged users not to click any links and to contact Apple directly if they receive such messages.
The deadline in the emails is never far away, usually just two days. No scammer ever wants you to think things through before you act, so there is always time pressure.
We’ve seen these emails in English and Spanish. Oddly, the monthly rate is set at 99 pence or 99 euro cents respectively.
The 0.99 seems to be the magic number. In reality, scammers don’t care about the payment. What they want is for you fill out the form on their phishing site.
Email saying you must upgrade to iCloud+ or lose your photos
The screenshot above is just one of many examples. There are plenty of variations, but they all follow the same them: make a small payment to stop the files in your iCloud storage from being deleted.
The websites these emails link to also vary, but they all ask for personal and payment details to complete that payment.
How to stay safe
It’s worth remembering that Apple does notify users when their iCloud storage is nearing capacity, but those alerts appear within your device settings or as official system notifications. They don’t come through unsolicited text messages or emails with external links. If you need to check your storage, go directly to Settings on your device and review your iCloud usage.
So, to stay safe:
Always access your account through our official website.
Never share your password with anyone.
Never click on links in unsolicited emails without verifying with a trusted source.
Travel companies love telling you your data is safe. Booking.com just reminded everyone why that’s a hard promise to keep.
The Amsterdam-based booking giant began notifying customers on April 13 that “unauthorized third parties” had accessed guest reservation data. The compromised information includes booking details, names, email addresses, physical addresses, and phone numbers—essentially everything you’d need to convincingly impersonate a hotel contacting a guest.
The criminals appear to have accessed the data by compromising Booking.com’s hotel partners. A Microsoft report blames the ClickFix phishing technique, which gets victims (in this case, hotel employees) to install malware disguised a computer “fix.”
Microsoft blames a criminal group called Storm-1865 for the caper, and caught it running exactly this kind of campaign against hotel workers across across North America, Oceania, South and Southeast Asia, and Europe, deploying nasty malware like XWorm and VenomRAT through fake CAPTCHA pages.
Booking.com’s customer notification warned that the exposed data could be used for phishing and said it would never ask for sensitive information or bank transfers.
But scammers have a proven playbook for turning stolen booking data into cash. They can hijack a reservation by impersonating a hotel, message guests demanding a further payment, or credit card details for “payment verification.” The stolen data gives them everything they need to convince the hotel customer they’re legit.
This has happened to Booking.com partners and customers before. In 2018, criminals phished hotel employees and accessed data belonging to Booking.com customers. Scammers also conducted a voice phishing campaign later that year that targeted 40 hotels in the UAE. Over 4,000 customers’ data was stolen, including credit card data from 300 people. Booking.com was late reporting the breach to the Dutch privacy regulator, which imposed a €475,000 fine (around $560,000) in 2021.
The travel industry’s recurring breach problem
Breaches like these are a pattern in the travel business. In January 2026, Eurail disclosed a breach that spilled passport numbers, addresses, and, for some travelers, photocopies of IDs and health data. KLM and Air France had customer data swiped in August 2025. Hertz, Dollar, and Thrifty were all caught in the Cl0p gang’s exploitation of Cleo file transfer software, with criminals pilfering drivers’ licenses and credit card data.
What’s interesting about all of these incidents is that like the Booking.com data heist, all involve compromise of third parties rather than the travel operations themselves. The travel industry sits on enormous troves of passport numbers, payment cards, and itineraries. And its security posture of sprawling supply chains, franchised operations, and third-party platforms makes it a soft target.
What you can do
How many customers were affected? Booking.com isn’t saying. For a platform with over 100 million active mobile app users and 500 million monthly website visits, that silence is concerning.
If you’ve used Booking.com recently, here’s the practical guide to protection. Don’t trust messages asking you to “verify” payment details, even if they arrive through the platform itself.
Here is Booking.com’s own advice about these scams, issued before this latest incident:
“If there is no pre-payment policy or deposit requirement outlined, but you’re asked to pay in advance to secure your booking, it is likely a scam.”
Check your booking confirmation email for what you actually owe and when. If anything seems off, contact the property directly, rather than through a link someone sends you. And watch your bank statements. The scammers who exploit this kind of data don’t always strike immediately.
Something feel off? Check it before you click.
Malwarebytes Scam Guard helps you analyze suspicious links, texts, and screenshots instantly.
Pushpaganda is the name researchers have given to an AI-assisted ad fraud, social engineering, and scareware operation targeting mobile users.
For most people, Pushpaganda starts as something that looks completely normal. For example, a recommended article in your Google Discover feed (the personalized news stream on your phone) or one of the suggested stories you see when you open a new Chrome tab. The operators behind this campaign use AI‑generated articles and images, plus aggressive SEO or paid placement, to get their content surfaced in those feeds so it feels like any other story about money, tech, or politics.
The topics are classic clickbait. You might see a card about a new tax refund, a government payout, a bank deposit, or some too‑good‑to‑be‑true gadget like a $100 phone with a “300MP camera.” On a small mobile screen, with a matching thumbnail and a headline tailored to your region, that’s exactly the kind of thing many people would reasonably tap.
Having tapped, you land on an attacker-controlled site that looks like a regular article page but wastes no time throwing up a browser prompt asking to send you notifications. Many users have been trained by years of pop-ups to click “Allow” just to get it out of the way, especially if the page claims you need to click “Allow” to continue reading or see the offer.
Some pages will falsely claim you have to click Allow to continue reading
Unfortunately, with that single tap, the site now has permission to push messages straight to your Android or desktop, where they sit alongside emails, chats, and real alerts from banks or government apps. Because the notifications don’t behave like traditional pop‑ups and can bypass normal ad‑blocking, many people don’t realize they’ve effectively subscribed to a scam channel.
The result is a stream of alarming notifications that seem to come out of nowhere and have little to do with the original site you visited, so the link between the site and the notifications is usually lost on the victims. Clicking those notifications rarely leads to what they promise. Instead, you’re pushed to another domain in the same network, which may ask for even more permissions, personal data, or try to funnel you into financial scams. Over time, this can expose you to fake investment schemes, fraudulent “tech support” numbers, or pages pushing questionable subscriptions.
All of this costs you time and attention, and sometimes money. At best, you end up with a polluted notification tray full of fake alerts that make it harder to spot something genuinely important. At worst, you follow one scare message too far, hand over personal details or payment information, and become the victim of fraud, identity theft, or aggressive subscription traps. And even if you never click again, your browser is still quietly loading pages and ads you never asked for.
How to stay safe from Pushpaganda
Treat “Allow notifications” prompts as potential traps, especially on sites you’ve never heard of that you reached via a feed or a search result. And even more so if they come with additional, misleading, instructions.
Besides that you should:
Be skeptical of sensational cards in your Discover feed that promise sudden cash, miracle devices, or dramatic political revelations.
Don’t trust buttons that scream “Apply now,” “Claim now,” or “Join WhatsApp” on pages that already feel pushy or poorly written.
Keep your browser, operating system (OS), and other important software up to date.
Use a security app that can block malicious websites and scam pages before they load.
Scammers know more about you than you think.
Malwarebytes Mobile Security protects you from phishing, scam texts, malicious sites, and more. With real-time AI-powered Scam Guard built right in.
A convincing phishing campaign is going after YouTube creators, and if it works, attackers don’t just steal your Google login. They can take over your entire Google account, including Gmail, your files, and payments, then hijack your YouTube channel and use your audience to run scams.
The lure is a fake copyright strike notification that’s so convincing even security-aware users could fall for it. The attack site pulls in your real channel data, such as your profile picture, subscriber count, and latest video, to build a personalized scare page. It funnels you toward a sign-in page designed to steal your Google account.
The operation runs like a franchise: multiple attackers share the same platform, each running their own campaigns against different creators.
Why your YouTube channel is worth more than you think
For full-time creators, a YouTube channel isn’t just a hobby, it’s a business. It generates revenue through ads, sponsorships, and merchandise. And it all sits behind a single Google login that also controls your Gmail, Google Drive, and payment details.
That’s what makes creators such attractive targets. Attackers who hijack a channel often rebrand it within minutes, typically to impersonate a cryptocurrency company, and use the existing audience to livestream scams. The original creator gets locked out and watches their years of work being used to defraud their own subscribers.
A copyright strike is the perfect bait because it exploits the one thing creators fear most: losing their channel overnight.
“Check your Youtube copyright status instantly”
The campaign runs from a site called dmca-notification[.]info. The browser tab reads “Youtube | Copyright strikes,” and the page itself looks clean and professional, complete with YouTube logo, search bar, and helpful instructions.
It invites you to enter your channel name, @handle, or video link to check your copyright status. Nothing about it stands out as immediately suspicious.
Each phishing link includes the target’s channel handle directly in the URL, so the page already knows who you are before you type anything.
The source code contains a tracking flag called suppressTelegramVisit, which changes how visits are logged depending on whether an affiliate parameter is present. This suggests the operators may be coordinating traffic through Telegram, although the kit could be distributed through any platform.
Your own videos, used against you
Once the page has your channel name, it fetches real data from YouTube: your avatar, subscriber count, video count, and your most recent upload (including its title, thumbnail, and view count). That information is then used to build a fake copyright complaint.
You see your own branding alongside a claim that a specific segment of your latest video has been flagged for copyright infringement. The timestamps are dynamically generated for each victim based on the video’s length, making each notice look unique and legitimate. It’s similar to receiving a fake legal notice that includes your real home address. The personal details make it harder to dismiss as spam.
“Respond within three days or face enforcement actions”
The page piles on the pressure. A warning tells you that deleting the video won’t remove the strike. A red notice threatens that if you don’t respond within three days, your channel will face enforcement actions. The proposed fix is simple: sign in with Google to verify you’re the channel owner, and the claim will be resolved within 24 hours.
Every element on the page is designed to push you toward the “Login via Google” button before you stop to think.
The sign-in page that steals your account
When you click that button, the site contacts its own backend server to fetch the address of an external phishing page, one that the attacker can swap out to a new domain at any time.
In observed traffic, the request to /api/get-active-domain returned the domain blacklivesmattergood4[.]com, which was then loaded inside a full-screen overlay on top of the copyright notice page.
What appears next is a classic Browser-in-the-Browser attack: a fake Chrome pop-up rendered entirely in HTML and CSS. It includes a title bar reading “Sign in – Google Accounts – Google Chrome,” a padlock icon, and a URL that looks like accounts.google.com. None of it is real. They’re all just graphics. The only real address bar is the one at the top of your actual browser, which still shows dmca-notification[.]info.
Inside the fake window sits a convincing replica of Google’s sign-in page. It looks exactly like the real thing, but every keystroke goes to the attacker.
Traffic capture also showed attempts to contact additional domains—dopozj[.]net, ec40pr[.]net, and xddlov[.]net—which returned 502 errors at the time of capture. These may be backup infrastructure or credential relay servers that were offline.
The rotating-domain approach is what makes this campaign resilient. The phishing domain is fetched in real time with no caching, allowing attackers to rotate infrastructure quickly. If one domain is taken down, the next victim is sent to a new one.
Once credentials are entered, the overlay closes and the victim is returned to the copyright notice page with no confirmation or error . It gives the attacker time to use the stolen credentials before the victim realizes anything happened.
Big channels get a free pass (on purpose)
One interesting detail: the kit checks whether the target channel has more than three million subscribers. If it does, the entire phishing flow is skipped. Instead of the copyright strike warning and login button, the page shows a benign message: “Your channel is in good standing. No further action is needed.”
This is almost certainly an evasion tactic. Very large channels are more likely to have dedicated security teams, relationships with YouTube’s trust and safety staff, or the visibility to trigger a rapid takedown if they publicly report the scam. By automatically exempting them, the kit reduces the risk of drawing attention from exactly the people most capable of getting the operation shut down.
Not just one scammer
The source code reveals that this isn’t a single phishing page run by one person. The kit includes an affiliate tracking system where each attacker gets their own ID embedded in the phishing links they send out. A central backend tracks which operator delivered which victim and how far each target got through the funnel. Our traffic capture confirms this: the phishing link included a referral ID (ref=huyznaetdmca), the default affiliate tag, which appears to be a transliteration of a Russian phrase. Brand names like Google and YouTube are also written with lookalike Cyrillic characters in the source code to evade automated security scanners.
In short, this is phishing-as-a-service: a shared platform that multiple attackers can use to run campaigns against YouTube creators at scale.
How to protect yourself
This campaign is a reminder that phishing has moved far beyond badly spelled emails from a Nigerian prince. Today’s phishing kits are professionally engineered platforms with rotating infrastructure, real-time personalization, and franchise-style distribution.
For YouTube creators, the key rule is simple: copyright strikes only appear in YouTube Studio.
If you get a warning anywhere else, treat it as suspicious.
Be wary of urgency. Real copyright processes don’t rush you into action
Go directly to studio.youtube.com or through trusted channels to check your status
Never sign in through a link in an email or message
Spot a fake browser window
Try dragging it: A real window moves freely. A fake one is stuck inside the page
Minimize your browser: A real pop-up stays open. A fake one disappears
Check the URL: If you can’t interact with it, it’s just an image
Even if everything looks right, always check the actual address bar before entering your username and password.
If you’ve already entered your details, act quickly:
Change your Google password immediately
Revoke active sessions in your account security settings
Check your YouTube channel for unauthorized changes
Indicators of Compromise (IOCs)
Domain
dmca-notification[.]info (primary phishing site)
blacklivesmattergood4[.]com (credential harvesting domain — active at time of capture)
dopozj[.]net (associated infrastructure — 502 at time of capture)
ec40pr[.]net (associated infrastructure — 502 at time of capture)
xddlov[.]net (associated infrastructure — 502 at time of capture)
Something feel off? Check it before you click.
Malwarebytes Scam Guard helps you analyze suspicious links, texts, and screenshots instantly.
The percentage of ICS computers on which malicious objects were blocked has been decreasing since the beginning of 2024. In Q4 2025, it was 19.7%. Over the past three years, the percentage has decreased by 1.36 times, and by 1.25 times since Q4 2023.
Percentage of ICS computers on which malicious objects were blocked, Q1 2023–Q4 2025
Regionally, in Q4 2025, the percentage of ICS computers on which malicious objects were blocked ranged from 8.5% in Northern Europe to 27.3% in Africa.
Regions ranked by percentage of ICS computers on which malicious objects were blocked
Four regions saw an increase in the percentage of ICS computers on which malicious objects were blocked. The most notable increases occurred in Southern Europe and South Asia. In Q3 2025, East Asia experienced a sharp increase triggered by the local spread of malicious scripts, but the figure has since returned to normal.
Changes in percentage of ICS computers on which malicious objects were blocked, Q4 2025
Feature of the quarter: worms in email
In Q4 2025, the percentage of ICS computers on which wormsinemailattachments were blocked increasedinallregions of the world.
Many of the blocked threats were related to the worm Backdoor.MSIL.XWorm. This malware is designed to persist on the system and then remotely control it.
Interestingly, this threat was not detected on ICS computers in the previous quarter, yet it appeared in all regions in Q4 2025.
A study found that the active spread of Backdoor.MSIL.XWorm via phishing emails was likely linked to the use by hackers of another malware obfuscation technique that was actively used during massive phishing campaigns in Q4 2025. These campaigns have been known since 2024 as “Curriculum-vitae-catalina”.
The attackers distributed phishing emails to HR managers, recruiters, and employees responsible for hiring. The messages were disguised as responses from job applicants with subjects such as “Resume” or “Attached Resume” and contained a malicious executable file under the guise of a curriculum vitae. Typically, the file was named Curriculum Vitae-Catalina.exe. When executed, it infected the system.
In Q4 2025, the threat spread across regions in two waves — one in October and another in November. Russia, Western Europe, South America, and North America (Canada) were attacked in October. A spike in Backdoor.MSIL.XWorm blocking was observed in other regions in November. The attack subsided in all regions in December.
The highest percentage of ICS computers on which Backdoor.MSIL.XWorm was blocked was observed in regions where threats from email clients had been historically blocked at high rates on ICS computers: Southern Europe, South America, and the Middle East.
At the same time, in Africa, where USB storage media are still actively used, the threat was also detected when removable devices were connected to ICS computers.
Selected industries
The biometrics sector has historically led the rankings of industries and OT infrastructures surveyed in this report in terms of the percentage of ICS computers on which malicious objects were blocked.
These systems are characterized by accessibility to and from the internet, as well as minimal cybersecurity controls by the consumer organization.
Rankings of industries and OT infrastructure by percentage of ICS computers on which malicious objects were blocked
In Q4 2025, the percentage of ICS computers on which malicious objects were blocked increased only in one sector: oil and gas. The corresponding figures increased in two regions: Russia, and Central Asia and the South Caucasus.
However, if we look at a broader time span, there is a downward trend in all the surveyed industries.
Percentage of ICS computers on which malicious objects were blocked in selected industries
Diversity of detected malicious objects
In Q4 2025, Kaspersky protection solutions blocked malware from 10,142 different malware families of various categories on industrial automation systems.
Percentage of ICS computers on which the activity of malicious objects from various categories was blocked
In Q4 2025, there was an increase in the percentage of ICS computers on which worms, and miners in the form of executable files for Windows were blocked. These were the only categories that exhibited an increase.
Main threat sources
Depending on the threat detection and blocking scenario, it is not always possible to reliably identify the source. The circumstantial evidence for a specific source can be the blocked threat’s type (category).
The internet (visiting malicious or compromised internet resources; malicious content distributed via messengers; cloud data storage and processing services and CDNs), email clients (phishing emails), and removable storage devices remain the primary sources of threats to computers in an organization’s technology infrastructure.
In Q4 2025, the percentage of ICS computers on which malicious objects from various sources were blocked decreased. All sources except email clients saw their lowest levels in three years.
Percentage of ICS computers on which malicious objects from various sources were blocked
The same computer can be attacked by several categories of malware from the same source during a quarter. That computer is counted when calculating the percentage of attacked computers for each threat category, but is only counted once for the threat source (we count unique attacked computers). In addition, it is not always possible to accurately determine the initial infection attempt. Therefore, the total percentage of ICS computers on which various categories of threats from a certain source were blocked can exceed the percentage of computers affected by the source itself.
In Q4 2025, the percentage of ICS computers on which threats from the internet were blocked decreased to 7.67% and reached its lowest level since the beginning of 2023. The main categories of internet threats are malicious scripts and phishing pages, and denylisted internet resources. The percentage ranged from 3.96% in Northern Europe to 11.33% in South Asia.
The main categories of threats from email clients blocked on ICS computers were malicious scripts and phishing pages, spyware, and malicious documents. Most of the spyware detected in phishing emails was delivered as a password archive or a multi-layered script embedded in office document files. The percentage of ICS computers on which threats from email clients were blocked ranged from 0.64% in Northern Europe to 6.34% in Southern Europe.
The main categories of threats that were blocked when removable media was connected to ICS computers were worms, viruses, and spyware. The percentage of ICS computers on which threats from removable media were blocked ranged from 0.05% in Australia and New Zealand to 1.41% in Africa.
The main categories of threats that spread through network folders in Q4 2025 were viruses, AutoCAD malware, worms, and spyware. The percentage of ICS computers on which threats from network folders were blocked ranged from 0.01% in Northern Europe to 0.18% in East Asia.
Threat categories
Typical attacks blocked within an OT network are multi-step sequences of malicious activities, where each subsequent step of the attackers is aimed at increasing privileges and/or gaining access to other systems by exploiting the security problems of industrial enterprises, including OT infrastructures.
Malicious objects used for initial infection
In Q4 2025, the percentage of ICS computers on which denylisted internet resources were blocked decreased to 3.26%. This is the lowest quarterly figure since the beginning of 2022, and it has decreased by 1.8 times since Q2 2025.
Percentage of ICS computers on which denylisted internet resources were blocked, Q1 2023–Q4 2025
Regionally, the percentage of ICS computers on which denylisted internet resources were blocked ranged from 1.74% in Northern Europe to 3.93% in Southeast Asia, which displaced Africa from first place. Russia rounded out the top three regions for this indicator.
The percentage of ICS computers on which malicious documents were blocked increased for three consecutive quarters. However, in Q4 2025 it decreased by 0.22 pp to 1.76%.
Percentage of ICS computers on which malicious documents were blocked, Q1 2023–Q4 2025
Regionally, the percentage ranged from 0.46% in Northern Europe to 3.82% in Southern Europe. In Q4 2025, the indicator increased in Eastern Europe, Russia, and Western Europe.
The percentage of ICS computers on which malicious scripts and phishing pages were blocked decreased to 6.58%. Despite the decline, this category led the rankings of threat categories in terms of the percentage of ICS computers on which they were blocked.
Percentage of ICS computers on which malicious scripts and phishing pages were blocked, Q1 2023–Q4 2025
Regionally, the percentage ranged from 2.52% in Northern Europe to 10.50% in South Asia. The indicator increased in South Asia, South America, Southern Europe, and Africa. South Asia saw the most notable increase, at 3.47 pp.
Next-stage malware
Malicious objects used to initially infect computers deliver next-stage malware — spyware, ransomware, and miners — to victims’ computers. As a rule, the higher the percentage of ICS computers on which the initial infection malware is blocked, the higher the percentage for next-stage malware.
In Q4 2025, the percentage of ICS computers on which spyware, ransomware and web miners were blocked decreased. The rates were:
Spyware: 3.80% (down 0.24 pp). For the second quarter in a row, spyware took second place in the rankings of threat categories in terms of the percentage of ICS computers on which it was blocked.
Ransomware: 0.16% (down 0.01 pp).
Web miners: 0.24% (down 0.01 pp), this is the lowest level observed thus far in the period under review.
The percentage of ICS computers on which miners in the form of executable files for Windows were blocked increased to 0.60% (up 0.03 pp).
Self-propagating malware
Self-propagating malware (worms and viruses) is a category unto itself. Worms and virus-infected files were originally used for initial infection, but as botnet functionality evolved, they took on next-stage characteristics.
To spread across ICS networks, viruses and worms rely on removable media and network folders and are distributed in the form of infected files, such as archives with backups, office documents, pirated games and hacked applications. In rarer and more dangerous cases, web pages with network equipment settings, as well as files stored in internal document management systems, product lifecycle management (PLM) systems, resource management (ERP) systems and other web services are infected.
In Q4 2025, the percentage of ICS computers on which worms were blocked increased by 1.6 times to 1.60%. As mentioned above, this increase is related to a global phishing attack that spread the Backdoor.MSIL.XWorm backdoor worm across all regions of the world. The percentage increased in all regions. The biggest increase (up by 2.16 times) was in Southern Europe. The malware was primary distributed through email clients, and Southern Europe led the way in terms of the percentage of ICS computers on which threats from email clients were blocked.
The percentage of ICS computers on which viruses were blocked decreased to 1.33%.
AutoCAD malware
This category of malware can spread in a variety of ways, so it does not belong to a specific group.
After an increase in the previous quarter, the percentage of ICS computers on which AutoCAD malware was blocked decreased to 0.29% in Q4 2025.
In a Public Service Announcement (PSA) the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) warn the public about ongoing Russian-linked phishing campaigns that aim to gain access to messaging accounts.
Earlier this month we wrote about a large‑scale phishing campaign aimed at hijacking Signal and WhatsApp accounts belonging to senior officials, military personnel, civil servants, and journalists.
Now the FBI and CISA have joined European intelligence services in warning that the same tactics are being used in a broader campaign targeting these commercial messaging apps. The goal is not to break end‑to‑end encryption, but to walk straight around it by stealing access to individual accounts.
In our previous article, we focused on warnings from the Dutch intelligence services AIVD and MIVD, which described how Russian state‑backed actors approached high‑value targets via Signal and WhatsApp, posing as “Signal Support”, “Signal Security Bot”, or similar. The PSA demonstrates how the same groups are now running global phishing campaigns against messaging app accounts, with evidence suggesting thousands of compromised accounts worldwide.
It’s important to reiterate that the attackers have not managed to break the apps’ end-to-end encryption. Instead, they are relying on social engineering to get a device added so they can eavesdrop on accounts.
The current targets include current and former US government officials, military staff, political figures, and journalists, but there is nothing to stop the same techniques being reused against businesses and everyday users.
So, while it’s tempting to dismiss this as a problem for diplomats and generals (and the agencies issuing these alerts do mention high‑profile targets first), the techniques scale very easily. Once playbooks like these are public, they tend to be copied by cybercriminals looking for new ways to steal money or accounts.
How to protect your accounts
As the PSA puts it:
“Phishing remains one of the most unsophisticated, yet effective means of cyber compromise, often rendering other protections irrelevant”
This calls asks for basic security measures:
Treat unsolicited messages from “Support” inside apps as suspicious by default. Legitimate support for apps like Signal and WhatsApp does not ask you, in a chat message, to send back verification codes, PINs, or passwords. If you receive a warning about account problems, do not follow links in the message. Open the app’s settings directly or visit the official website through other means.
Never share SMS verification codes or app PINs. SMS codes are there to prove that you control a phone number. Anyone who has the code can pretend to be you. App‑specific PINs or passcodes are there to protect account changes. Giving them away is like handing over the keys to your account. Consider anyone asking for them to be a scammer.
Be careful what you discuss and with whom. Both the Dutch and US advisories remind us that even with end‑to‑end encryption, some conversations are too sensitive for commercial chat apps.
Use the extra security features these apps offer. Enable options like registration lock, registration PIN and device‑change alerts so that your account cannot be silently re‑registered without an extra secret. Store your PIN in a password manager instead of choosing something easy to guess or reusing a common code, to reduce the chance of social engineering or shoulder‑surfing.
Another useful feature is disappearing messages. Short‑timer and disappearing messages reduce how much content is available if an attacker gets into a chat later, or if someone obtains long‑term access to a device or backup. They are not a complete solution, but they can limit the damage.
What to do if you think your account was hijacked
If you suspect an attacker has taken over your messaging account:
Try to re‑register your number in the app immediately to kick out other devices.
Revoke all linked devices and change any app‑specific PINs or lock codes.
Warn your contacts that someone may have impersonated you and ask them to treat recent messages with caution.
Review recent conversations for signs of data theft (for example, shared IDs, documents, or passwords that should now be considered exposed).
Report the incident to the app provider and, where appropriate, to national reporting centers such as the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov or the relevant authority in your country.
The sooner you act, the smaller the window in which attackers can exploit your account.
We don’t just report on phone security—we provide it
Scam compounds in Southeast Asia have already become modern slave farms, trapping victims and forcing many of them to become scammers for them. Now they’ve added another type of worker to the mix: so-called AI models.
These professional scammers conduct video calls with their targets, charming them into handing over their cash. As reported in WIRED this week, recruitment ads describe roles handling around a hundred live video calls per day, promoting romance scams and crypto hustles in industrial-scale scam operations across Cambodia, Myanmar, and Laos.
These scam farms already rely on chat operators to ensnare scam victims via messaging apps. Many of these operators are themselves victims of trafficking, forced to work long shifts under threats of violence. They develop relationships with victims over time, exploiting loneliness or financial worries. While they work to make a victim feel special, they’re actually juggling similar text sessions with dozens of people at once. Eventually, a victim may want a video call, either to meet their imagined sweetheart or to confirm an investment opportunity is legitimate (or both).
Chat operators might not have the ability to charm victims on video, especially when they’re victims themselves, being made to work long shifts and are physically beaten. So when a victim asks for a video call, the scam bosses call in a specialist “AI model” with strong interpersonal skills to charm the victim. Despite the name, they’re real people hired to appear on video calls. The AI deepfake software adjusts their looks to match the fictionalized person that the victim is hoping to see.
Scam operations run recruitment ads for these models, and many seem willing to apply for these jobs. Humanity Research Consultancy, an investigative research group that tracks trafficking supply chains, identified a pitch from a 24-year-old Uzbekistani calling herself Angel. She claimed to speak four languages and to have a year’s experience as an AI model. She demanded $7,000 monthly for her services.
The growth of scam compounds
How do these scam compounds even exist? According to the Australian Strategic Policy Institute, Myanmar’s 2021 military coup helped fuel a fraud boom. Scam centers along the Thai border have more than doubled as crime syndicates move into that region, along with Myanmar, Cambodia and Laos.
These scam centers are often tolerated because they line the coffers of local militia. But there have been some countermeasures. Raids and cross-border crackdowns have led to arrests and the movement of large numbers of suspects between countries, including operations targeting compounds such as KK Park in Myawaddy. Cambodia and Myanmar have also signalled increased efforts to tackle scam operations, although the networks remain highly resilient.
This kind of activity becomes easier as technology improves. Real-time face-swapping and deepfake tools are now good enough to support live video, not just pre-recorded clips. We’ve already seen real-time deepfakes used for everything from job interviews through to impersonating banking executives to scam millions. What’s new here is the scale: people handling dozens or even hundreds of calls a day for romance scams and crypto investment fraud shows that this is now a mass exploit.
How to stay safe
Here’s the problem with deepfake video: the common “tells” that let you spot it are evaporating. At one time a sure sign of an AI deepfake was someone with the wrong number of fingers or oddities in hairlines. You can up the ante in live calls by asking someone to turn sideways. Have them touch their nose, and wave their fingers in front of their face. It’s more difficult for deepfake software to handle that extra noise.
But beware: the algorithms that produce deepfakes are getting better all the time, and more easily able to handle such tests. We’re at the point where this deepfake researcher says many more of us will be fooled by them this year.
If you can’t fully trust what you see, fall back on what you know. Be wary of unsolicited contact, especially when someone quickly builds emotional rapport or introduces an investment opportunity. Even if a profile looks well-established or a website appears legitimate, take time to dig a little deeper.
Avoid sharing personal or financial information with someone you’ve only met online, and be wary of anyone who pushes you toward quick decisions or asks to move conversations off established platforms. The FBI has some sound advice on their website.
The most dangerous part of this deepfake AI model trend is that it helps scam operations cross the final frontier. A live human can close a scam that a simple chat interaction can’t. That’s why people like Angel from Uzbekistan have a job, and why you need to be more on your guard than ever.
We don’t just report on scams—we help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard. Submit a screenshot, paste suspicious content, or share a link, text or phone number, and we’ll tell you if it’s a scam or legit. Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.
We’ve identified a huge social-engineering campaign designed to steer people into online gambling sites under the impression they’re installing a legitimate app.
We’re calling it FriendlyDealer. It’s been observed across at least 1,500 domains, each hosting a website that impersonates the Google Play or Apple App Store. Users think they’re downloading a gambling app from a trusted source, with all the checks, reviews, and safeguards that implies. But they’re actually still on a website, installing a web app that then redirects them to casino offers through affiliate links.
The campaign doesn’t steal passwords or install traditional malware. Instead, it makes money through commissions every time someone signs up or deposits money at one of these sites.
That might sound less serious than a banking Trojan, but the end result is people being funneled into unregulated gambling sites with no age verification, no deposit limits, and no consumer protections. And it comes at a time when gambling addiction is being called the fastest explosion of gambling the country has ever seen.
One kit, dozens of apps, built to mimic real app stores
FriendlyDealer is built as a single, reusable kit that can generate many different fake app listings.
The kit detects what device you’re using and shows you a different fake store accordingly. Android users see a fake Google Play Store. iPhone users see a fake Apple App Store. The kit even loads the correct system fonts for each platform (Google Sans on Android, San Francisco on iOS) so the typography matches what you’d expect on your own phone.
Fake Apple App Store page: BEAST GAMES: ICE FISHING by Mr. Beast
Fake Apple App Store page: Euro Win
Under the hood, it’s a single web application that reads all of its content from one configuration file embedded in the page. Change that file, and you get a completely different app listing running on the same code.
The operators have used this to spin up at least twenty casino brands, from “Tower Rush” (189 deployments) to “Chicken Road” (97) to “BEAST GAMES: ICE FISHING” (43), which impersonates YouTube creator MrBeast. (It’s worth noting that some skins reuse the names of some legitimate gambling brands but none of these are affiliated with the operation.)
The reviews are fake. Different apps reuse identical usernames, profile photos, text, and developer replies, and they’re repeated across multiple brands. Before showing the fake store, the kit can also display a simple casino mini-game to build engagement.
The fake “Install” button on Android relies on a Chrome feature that only works on mobile. It captures Chrome’s install prompt and triggers it when tapped, so a real installation dialog appears. The usual warning about installing apps from unknown sources does not appear. Previous research has shown that apps installed this way can even display “Installed from Google Play Store” in your phone’s settings.
The code goes to extraordinary lengths to get you into the right browser. If you arrive through a Facebook or Instagram ad, you’re inside those apps’ built-in browser, which can’t trigger the install. On Android, the kit generates a special link that forces the page to reopen in Chrome. On iOS, it does the same thing but for Safari. If Chrome isn’t installed, the fallback sends you to the real Play Store to download it. There’s even a separate handler for Samsung’s browser. The browser-specific engineering is unusually detailed.
The page disables zooming, making close inspection harder. The kit assigns a per-user tracking ID and reuses it across analytics, event, push-registration, and offer-routing flows.
Fake Google Play page: BEAST GAMES: ICE FISHING by Mr. Beast
Fake Google Play page: Chicken road by Valor Casino
Fake Google Play page: Gates of Olympus by Casino
Fake Google Play page: Tower Rush by ELK Studios
Fake Google Play page: Tower Rush by Galaxsys
Fake Google Play page: Morospin by Morospin Inc.
Fake Google Play page: Casino Mexico by Casino Mexico LLC
Fake Google Play page: Revolut Slots by RevGameDev
The kit is wired for paid advertising. The configuration includes empty slots for tracking pixels from four ad platforms: Google, Yandex, Facebook, and TikTok. The app and background script can forward Facebook-style ad identifiers (_fbc / _fbp) when those values are available. The code references Yandex telemetry fields and ships with Russian-language comments and debug strings, which is consistent with a Russian-speaking development context, though those artefacts could also have been inherited from a reused or purchased kit.
The flow is straightforward: buy ad traffic, detect the device, show a fake app store, trigger a real-looking install, and redirect to a casino through an affiliate link.
You’re not installing an app
When a user taps Install, the page doesn’t actually download an app. Instead, the browser creates what’s called a Progressive Web App (PWA). It’s essentially a website that behaves like an app, with its own icon on your home screen and its own splash screen. To most people it’s indistinguishable from a real app.
Once installed, the app can keep running in the background using browser features called service workers (keeping a persistent connection to your device). The samples include the main PWA worker and code to register a separate push worker (to send you notifications) when enabled.
The kit also knows when you’ve already installed it. It checks your device for its own PWA, and if it finds it, it skips the fake store entirely and sends you straight to the casino.
One domain ties it all together
Every FriendlyDealer deployment phones home to the same domain: ihavefriendseverywhere[.]xyz. This is the campaign’s data-collection server, and the name that inspired our tracking name for the operation.
The background script and app code send telemetry to this domain including browser language, timezone, user-agent data, optional user-agent client hints, campaign identifiers, and ad identifiers when those values are available. Much of this is sent via custom request headers.
Some requests use the HEAD method to stay lightweight.
The application code also sends something the background script doesn’t: JavaScript error reports. Every crash, every failed resource load, every unhandled exception that occurs on the victim’s device is caught, packaged into a structured error object with a timestamp and context, and posted to ihavefriendseverywhere[.]xyz/api/log_standard_err. In effect, the operators are collecting both user data and production error telemetry from real devices.
If a request fails (for example, due to poor signal), the background script stores it locally and retries later. Once the connection returns, the data is sent automatically.
The fake app also asks for notification permission. If the user grants it, the kit can register a push subscription and create a direct channel for future notifications. These appear like normal app notifications, giving the operators a direct line back to the user even after the app is closed.
Follow the money: affiliate commissions, not malware
FriendlyDealer doesn’t spread viruses or take over devices. The entire operation runs on affiliate commissions. Each fake app store page contains a hidden redirect to an affiliate tracking network. When a user signs up or deposits money, the operator gets paid.
We found multiple affiliate tracking networks in the code. A per-user ID appears across the kit’s analytics, event, push, and offer-routing logic, allowing activity to be correlated across multiple stages of the funnel.
This model explains the campaign’s enormous scale. Each domain is disposable. The kit is a template; change one configuration file and you have a new casino brand on a new domain in minutes. With gambling affiliate payouts reportedly ranging from $50 to $400 per depositing user, even a small conversion rate across a thousand domains adds up fast.
Who’s behind this?
We can’t attribute the campaign to a specific group, but there are clues. The source code contains Russian-language comments (for example, “Создаем таймер для измерения времени загрузки Vue “). One of the builds shipped with unstripped Russian debug strings that were scrubbed from the production version. The code integrates with Yandex Metrica, which is popular in Russia and the former Soviet states.
These point to a Russian-speaking development context, although the code could have been reused or purchased.
The code also contains affiliate marketing tags—preland-alias and preland-final-action—where a “pre-lander” is the page a visitor sees before the actual offer. The application code shows this tag controls the kit’s behavior: a value of 0 triggers a PWA install, while 1 redirects to an app store. Combined with plug-and-play ad pixel slots, per-deployment configuration, and staging/production logic, this strongly suggests a reusable kit built for multiple campaigns or operators, not a one-off project.
We found multiple builds of the same kit. The production version has debug messages removed, but other builds include full Russian-language error messages and support for Arabic numerals across the interface—download counts, ratings, review dates, and more. This does not look like a kit built for a single market; it appears designed to support regional variants at build time.
A familiar trick with a different payoff
Fake app store pages are a known technique, often used to steal banking credentials or deliver spyware. FriendlyDealer uses the same playbook, a convincing fake store and a real-looking install flow, but with a different goal. It doesn’t take over your phone or steal your passwords. It steers you toward gambling platforms and earns a commission when you spend money.
The harm is financial rather than technical: victims are funneled toward gambling offers through deceptive install and redirect flows, and may end up depositing money at sites they did not intentionally choose.
It’s also s a reminder that not every scam is after your passwords. Affiliate fraud, especially in online gambling, can fund enormous operations without ever touching a single credential. The people behind this built a factory: one template, twenty brands, more than 1,500 domains. Paid ads bring the traffic. The fake app stores seal the deal. The affiliate network pays the bills.
What makes this effective is that it abuses things that are supposed to be trustworthy. Chrome’s app installation flow on Android and Safari’s “Add to Home Screen” on iPhone are both legitimate features, doing what they were designed to do. The problem is that the page triggering the install is a lie. The kit is carefully engineered so only the right users, on the right devices, coming from the right ads, ever see it.
What to do if you installed one of these apps
On Android:
Remove the app: Long-press the icon and tap Uninstall, or go to Settings > Apps and remove anything you don’t recognize.
Clear the site data in Chrome: The app may leave data behind in your browser. Open Chrome > Settings > Site settings > All sites, find the site, and tap Clear & reset.
Check notification permissions: Go to Chrome > Settings > Notifications and remove any sites you don’t recognize. Uninstalling the app does not remove notification access.
Check other browsers: If you use Edge, Brave, or another Chromium-based browser, repeat the same steps there.
On iPhone:
Remove the app: Long-press the app icon on your home screen and tap Remove App. On iOS, PWAs don’t install a background script the way they do on Android, so removing the icon also removes the cached site data.
Clear the site data in Safari: Go to Settings > Safari > Advanced > Website Data, and search for the domain. Swipe to delete it. This clears any remaining cookies and stored data.
Check notification permissions: Go to Settings > Apps > Safari. Scroll to the Settings for Websites section and tap Notifications. Find the site and remove or deny access.
If you deposited money after being routed through one of these pages and believe you were deceived, contact your bank or payment provider promptly.
Indicators of Compromise (IOCs)
Domains
ihavefriendseverywhere[.]xyz—Data exfiltration and error-logging server